-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
LDAP Lambda does not support active directory #822
Comments
That is a good clue. In order to marshal objects in and out of the lambda engine we essentially serialize an object to JSON using Jackson, and then use We then do the reverse on the way out for any object that can be mutated by the lambda using It looks like However, in theory Nashorn supports ECMAScript-262, and claims 100% support of ECMAScript 5.1. But perhaps a clue, perhaps we can take values you provided of |
Using this code example for the Java side of things ( https://gist.github.com/davidmc24/0588900f3200eba3ea80 ) I get Can you confirm the actual Guid from Microsoft AD? And does the object Guid actuall show up in the |
Apologies, I was trying something new with the LAMBDA code so it wasn't converting correctly. An actual objectGUID in binary format is as follows: Octal: Hex: UUID (Same as hex, but corrected byte order). Is it possible to simply encode any binary data into a hex string before it gets serialised into JSON for the javascript engine to process? That way there wont be any UTF-16 encoding issues, and the Javascript LAMBDA can just flip the various bytes around to produce a valid UUID string. This solution will allow any kind of binary data to be processed, not just UUID's. RegardsBrad. |
Do you know how the Guid is represented in the SAML response? Assuming a string form? |
This is from an LDAP lambda. We want to use FusionAuth as a SAML IDP for our applications, with LDAP being the source of the users. In other words, it doesnt get as far as issuing the SAML response to our applications. -- |
Correct, but the Guid is coming from AD, and is passed into the lambda using the |
Have a look at the end of this post: Its a messed up (due to "invalid" UTF-16) string:
|
That is after it has gone through the |
It comes directly from an LDAP connector - not from a SAML request. Under "Settings" => "Connectors" we have created an LDAP connector, and then we are using this connector in the Tenant (under "Tenants" => "Connectors"). |
Ha, yes, thank you. I have SAML on the brain. If you enable If the Lambda is mangling it somehow, this will give us a before value. |
Its the same:
|
This might be of use: https://help.mulesoft.com/s/article/Ldap-ObjectGUID-field-retrieval |
OK I've made some progress. Based on the table here: https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/attrs.html#BYTES I have figured out that I can retrieve the attribute by appending a ";binary" on the end, so the LDAP connector now looks like this: This then creates a base-64-encoded version of the attribute which looks like this:
I can then base-64 decode the "objectGUID;binary" field to get the actual binary version, and then convert that into hex (with the corrections for byte-order). This gives me the following output:
|
For reference, this LAMBDA now works as expected, creating FusionAuth users based on the user within Active Directory. Its messy, and requires many layers of decoding, but at least I now have a working solution. Hopefully this can help you get to a better, more permanent solution - ideally decoding functions should not be required within the LAMBDA itself.
|
Thanks for the update @bradleykite this is helpful. I suppose it would be possible for us to decode on our end, but we won't know which attribute or what format the attribute is in either I don't think. Maybe the best way to handle this would be just provide some utility methods available in the lambda to decode or convert common Id types to a UUID. For example, we could expose |
Anyone have an opinion on the syntax for FusionAuth utils exposed in the Lambda? We could namespace them or just dump a bunch of things in the context. Examples:
Or something else? |
If it matters, I guess doing it under the FusionAuth namespace seems better. Would it be possible to create custom plugins which can extend the functionality of LAMBDA's? Each plugin can then have its own namespace. |
That would be a cool feature, @bradleykite , but might be deferred until this issue is resolved: #571 Doesn't make sense to invest a bunch of time in Nashorn unless the work is definitely going to be portable to other runtimes. But would love if you'd add a feature request fleshing out the lambda plugin functionality more. |
FYI, I finally got to the bottom of this issue. TL;DR @bradleykite is right, by default this doesn't work with AD. Longer version The Sun LDAP provider can only represent attributes as strings, or byte arrays. By default it will use a string. The From what I can tell, the only way to make this work is to use @bradleykite 's work around which is to request the attribute in our configuration by appending the suffix See more here: https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/attrs.html The way for FusionAuth to handle this is to register non-string values in the bind environment. For example: env.put("java.naming.ldap.attributes.binary", "objectGUID objectSid"); The above environment value will indicate we know that If we think there is a good possibility that these two values do not represent the exhaustive list of Ids that could be returned by LDAP that are non-string values, we should probably make this configurable. Or, we could just cover the two cases, and document that I haven't quite nailed down how the value in the lambda is a Base64 encoded string, perhaps Nashorn is doing that on our behalf or something. Re: Utility Helpers Planning to ship this utility method, heavily name spaced so it is clear this is a Microsoft conversion utility. Example usage: user.id = FusionAuth.ActiveDirectory.b64GuidToString(userAttributes.objectGUID) |
Delivered in 1.19.7. For now just adding |
Hi,
We are trying to authenticate directly to Active Directory with an LDAP lambda.
Please see here for reference:
https://fusionauth.io/community/forum/topic/256/ldap-lambda
To reproduce, under Customizations => Lambdas, create an "LDAP connector reconcile"
Then, under Settings => Connectors, create an LDAP connector which pulls out the following AD attributes, and assign the reconcile lambda created above.
In my case, my test user has an objectGUID in AD of "3437335c-325c-3034-5c32-37305c333137" - or in binary: "\374\240\270\317\260\260\213\104\206\233\357\330\240\225\130\207"
Decoding this binary string within the LAMDA works correctly, so the decode function can be proven to work, however decoding the actual object GUID which comes from AD looks like it has already been interpreted as a UTF-16 string, and since its actually binary, it replaces invalid UTF-16 characters with the replacement character 65533
This makes it impossible to reconcile AD users while maintaining their original GUID.
The actual output I get from the LAMBDA is:
The text was updated successfully, but these errors were encountered: