This repository has been archived by the owner on May 14, 2024. It is now read-only.

Add/Delete group member not working on Windows Active Directory if groupname includes non ascii #939

Closed
jimmyengman opened this issue Aug 24, 2023 · 3 comments

Comments

jimmyengman commented Aug 24, 2023

If I start the test LDAP server in Docker as described in https://github.com/ldapjs/docker-test-openldap and create a group whose name contains non-ASCII characters, cn=möte,ou=people,dc=planetexpress,dc=com, I can add and delete users with this code.

import ldap from 'ldapjs';

// Assumed: `client` is an ldapjs client created with
// ldap.createClient({ url: '<ldap-url-placeholder>' }) and already bound.

// Attribute describing the member to add: the DN of the user entry.
const mod: ldap.Attribute = { type: 'member', values: ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
const change = new ldap.Change({
  operation: 'add',
  modification: mod
});

// To remove the same member instead, use operation 'delete' with the same attribute:
// const mod: ldap.Attribute = { type: 'member', values: ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
// const change = new ldap.Change({
//   operation: 'delete',
//   modification: mod
// });

// Apply the change to the group entry whose DN contains the non-ASCII "ö".
client.modify('cn=möte,ou=people,dc=planetexpress,dc=com', change, (err) => {
  console.log("Finished", err)
});

If I try the same code against Microsoft Active Directory (Server 2019, objectversion 88), it works fine if the group name has only non-ASCII characters.

If the group name has ASCII characters like "ö" in "möte" (cn=möte,ou=people,dc=planetexpress,dc=com), I get the error message below:

err: module.exports.<computed> {lde_message: 'No Such Object', lde_dn: 'OU=people,DC=planetexpress,DC=com', stack: 'NoSuchObjectError: No Such Object
    at mess…ad (node:internal/stream_base_commons:190:23)'}
jsumners (Member) commented

You stated in your report that the modify request works with a standard LDAP server implementation, but fails to work with a non-standard LDAP server implementation. Please consult with the maintainers of the non-standard LDAP server implementation about why their server does not follow the specifications.

@jsumners closed this as not planned on Aug 24, 2023

jimmyengman commented Aug 24, 2023

But it is strange: if I use ldapjs 2.3.3 with this code, it works great with Microsoft Active Directory (Server 2019, objectversion 88) to add and delete members even if the group name includes non-ASCII characters.

const mod: ldap.Attribute = { 'member', ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
const change = new ldap.Change({
  operation: 'add',
  modification: mod
});

// const mod: ldap.Attribute = {'member', ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
// const change = new ldap.Change({
//   operation: 'delete',
//   modification: mod
// });

client.modify('cn=möte,ou=people,dc=planetexpress,dc=com', change, (err) => {
  console.log("Finnished", err)
});

If I try to run the same code with ldapjs 3.0.5 it fails with error "modification must be an Attribute".

If I change the code to

const mod: ldap.Attribute = { type : 'member', values : ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }

// ldapjs 3.x requires the explicit `type` and `values` property names on the attribute.
const mod: ldap.Attribute = { type : 'member', values : ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
const change = new ldap.Change({
  operation: 'add',
  modification: mod
});

// Same attribute with operation 'delete' removes the member instead:
// const mod: ldap.Attribute = { type : 'member', values : ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }
// const change = new ldap.Change({
//   operation: 'delete',
//   modification: mod
// });

client.modify('cn=möte,ou=people,dc=planetexpress,dc=com', change, (err) => {
  console.log("Finished", err)
});

I am back to the error that the object is not found if the group name includes a non-ASCII character (but it works fine if the group name contains only ASCII characters).

jsumners (Member) commented

if I use ldapjs 2.3.3 with this code it works great with Microsoft Active Directory (Server 2019 objectversion 88) to add and delete members even if the groupname includes non ascii characters

It's likely that 2.3.3 is sending UTF-8 characters unencoded. I would start by inspecting the messages sent "across the wire" with Wireshark to verify that this is true. If it is true, I point you to #860 (comment):

DN strings are defined by rfc-editor.org/rfc/rfc4514. Specifically rfc-editor.org/rfc/rfc4514#section-2.3 links to rfc-editor.org/rfc/rfc4512 to explain how AttributeType and AttributeValue strings can be represented. The relevant section is rfc-editor.org/rfc/rfc4512#section-2.5. Specifically, this section defines the components as being oids, which are defined in rfc-editor.org/rfc/rfc4512#section-1.4 as:

oid = descr / numericoid
descr = keystring
keystring = leadkeychar *keychar
leadkeychar = ALPHA
keychar = ALPHA / DIGIT / HYPHEN
ALPHA = %x41-5A / %x61-7A ; "A"-"Z" / "a"-"z"
DIGIT = %x30 / LDIGIT ; "0"-"9"
HYPHEN = %x2D ; hyphen ("-")

In short: the LDAP spec only allows for ASCII characters in DN strings. You may need to use a numericoid.

Further, https://www.rfc-editor.org/rfc/rfc4514#section-3 denotes the set of character code sequences that must be escaped via the SUTF1 definition.

const mod: ldap.Attribute = { 'member', ['cn=Turanga Leela,ou=people,dc=planetexpress,dc=com'] }

This is not valid JavaScript. You are missing the property names in the object. Your change "works" because you have added those property names, thus fixing the syntax error.
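An added example, not ldapjs code and not from either participant, to go with the advice above about checking the bytes on the wire: it builds a DN string with RDN values escaped per RFC 4514 section 2.4 (generalised to any value, not just "möte") and dumps the UTF-8 form of the result, which is what a Wireshark capture of the 2.3.3 and 3.0.5 modify requests can be compared against. It assumes Node.js with Buffer and uses no ldapjs API; the group DN is the one from the issue, reconstructed here.

```javascript
// Added example (not ldapjs code): RFC 4514 section 2.4 escaping of RDN
// values and the UTF-8 wire form of a DN. Assumes Node.js >= 16 (Buffer).

// Characters that must be backslash-escaped anywhere inside a value.
const SPECIAL = new Set(['"', '+', ',', ';', '<', '>', '\\']);

// Escape one attribute value for embedding in a DN string.
// Multibyte UTF-8 characters such as "ö" are permitted in values by the
// RFC 4514 section 3 grammar (UTFMB) and are passed through unchanged; only
// the ASCII specials, a leading '#' or space, a trailing space and NUL are
// escaped. Escaping also stops a value like "x,ou=admins" from being parsed
// as an extra RDN (DN injection).
function escapeRdnValue(value) {
  const chars = Array.from(value); // iterate by code point, not UTF-16 unit
  let out = '';
  chars.forEach((ch, i) => {
    if (ch === '\0') {
      out += '\\00';                                   // NUL: hex escape
    } else if (SPECIAL.has(ch)) {
      out += '\\' + ch;
    } else if (ch === ' ' && (i === 0 || i === chars.length - 1)) {
      out += '\\ ';                                    // leading/trailing space
    } else if (ch === '#' && i === 0) {
      out += '\\#';                                    // leading number sign
    } else {
      out += ch;
    }
  });
  return out;
}

// Join [type, value] pairs into a DN string; types are ASCII keystrings.
function buildDn(rdns) {
  return rdns.map(([type, value]) => `${type}=${escapeRdnValue(value)}`).join(',');
}

// Hex dump of the UTF-8 encoding of a DN, the bytes a capture should show.
function dnWireHex(dn) {
  return Buffer.from(dn, 'utf8').toString('hex');
}

// Constructed sample: the group DN from the issue ("möte", U+00F6).
const groupDn = buildDn([['cn', 'm\u00f6te'], ['ou', 'people'],
  ['dc', 'planetexpress'], ['dc', 'com']]);
console.log(groupDn);            // cn=möte,ou=people,dc=planetexpress,dc=com
console.log(dnWireHex(groupDn)); // "ö" appears as c3b6 (UTF-8), not f6 (Latin-1)
```

If the capture shows a single f6 byte (or a mojibake sequence) where c3b6 is expected, the client is not sending the DN as UTF-8 and the "No Such Object" result is explained by the server looking up a different name.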
