New filter type to allow searching of binary data #33

Merged
merged 3 commits into from Aug 28, 2012


Not sure if this is the best way to implement this. Another option would be to not throw an exception if a string can't be converted into UTF-8 and silently pass it along. I think creating a specific filter type when searching for non-standard data is the safer option.

I added a test to make sure binary data is represented properly.

This resolves issue #30, although it would require application code to be rewritten to use the new filter.

It's very important that Microsoft Active Directory can be searched for binary data, as this is the only way to search for GUIDs.

DavidJLee added some commits Feb 24, 2012

Added a new filter type bineq that will create an equality filter and NOT force convert data to UTF-8. This is required for proper binary data filters in Microsoft Active Directory.

I ran into another issue with Active Directory when doing searches...
The rfc2696_cookie for doing paged searches will sometimes have binary data in it. This will break when to_ber is called on it.
I worked around this by providing a configuration option to bypass paged searches.
Given the problem with GUID searching and this, maybe it would be better to just make to_ber fall back to skip encoding non-utf-8 data on an encoding error?

THANK YOU!

Took me forever to find anything that allowed me to query on objectguid. The only thing that was working before this was ruby 1.8.7 and ruby-net-ldap 0.0.4 :)

Thanks.

yairgo commented Apr 26, 2012

Any reason why this hasn't been merged in yet?

Will this be merged?

RoryO pushed a commit that referenced this pull request Aug 28, 2012

Merge pull request #33 from DavidJLee/master
New filter type to allow searching of binary data

@RoryO RoryO merged commit b6d9fbe into ruby-ldap:master Aug 28, 2012
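
Added example (not part of the pull request or the net-ldap code base): a pure-Ruby sketch of preparing an Active Directory objectGUID for the kind of binary equality search discussed in this thread. The helper names and the sample GUID are constructed for illustration; the raw bytes returned by `guid_to_ad_bytes` are the sort of value a binary filter has to carry without UTF-8 conversion, and the escaped form is the RFC 4515 text representation of the same filter.

```ruby
# Added example: prepare an AD objectGUID for an LDAP search. No gems needed.
# All helper names are hypothetical, not net-ldap API.

GUID_RE = /\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/

# AD stores objectGUID as 16 raw bytes. The first three groups of the
# textual form are little-endian; the last two are stored as written.
def guid_to_ad_bytes(guid)
  raise ArgumentError, "not a GUID: #{guid.inspect}" unless GUID_RE.match?(guid)
  d1, d2, d3, d4, d5 = guid.split("-")
  [d1.hex, d2.hex, d3.hex].pack("Vvv") + [d4 + d5].pack("H*")
end

# Inverse conversion, for displaying a value read back from the directory.
def ad_bytes_to_guid(bytes)
  raise ArgumentError, "objectGUID must be 16 bytes" unless bytes.bytesize == 16
  d1, d2, d3 = bytes.unpack("Vvv")
  tail = bytes.byteslice(8, 8).unpack1("H*")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, tail[0, 4], tail[4, 12])
end

# RFC 4515 string form: every octet is written as \xx, so the filter text
# stays plain ASCII and no byte can be read as filter syntax.
def escaped_guid_filter(guid, attribute = "objectGUID")
  hex = guid_to_ad_bytes(guid).unpack1("H*")
  "(#{attribute}=#{hex.scan(/../).map { |b| "\\#{b}" }.join})"
end

SAMPLE_GUID = "f81d4fae-7dec-11d0-a765-00a0c91e6bf6" # constructed sample value

raw = guid_to_ad_bytes(SAMPLE_GUID)
# The raw bytes are not valid UTF-8, which is why a forced UTF-8
# conversion of the filter value raises an encoding error.
puts raw.dup.force_encoding("UTF-8").valid_encoding?
puts escaped_guid_filter(SAMPLE_GUID)
puts ad_bytes_to_guid(raw)
```
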

Searching by objectguid is working well for me, but adding a user or group with a known objectguid is failing. I'm running a mock ldap server as part of my tests. I clone users & groups from an actual AD server that I can then safely alter. The clone code for a user is (currently) this:

  def clone_user(ldap, u)
    dn = "cn=#{u.cn},ou=users,dc=example,dc=com"

    attr = {
      :cn => dn,
      :distinguishedName => dn,
      :sn => u.sn,
      :givenName => u.givenname,
      :objectClass => 'user',
      :objectGuid => u.objectguid.to_ber_bin,  # just added the .to_ber_bin. 
      :displayName => u.displayname,
      :whenCreated => u.whencreated,
      :whenChanged => u.whenchanged,
      :name => u.name,
      :mail => u.mail,
      :samAccountName => u.samaccountname.downcase
    }

    ldap.add :dn => dn, :attributes => attr

    return dn
  end

Stepping through the 'add', I see the attributes are all getting .to_ber called on them (Net::LDAP::Connection, line 1531 of ldap.rb):

  add_attrs << [ k.to_s.to_ber, Array(v).map { |m| m.to_ber}.to_ber_set ].to_ber_sequence

This causes our favorite UTF-8 encoding error.

How are you intending for binary data such as objectguid to be applied during an add? I suppose I can do the add w/o the objectguid, search for what I just added by dn and modify the objectguid, but that seems rather an indirect route.

Owner

DavidJLee replied Aug 30, 2012

I've never added a specific GUID in AD, I've always let AD create its own GUID for the object.

I'm not sure if AD will even let you modify a GUID on an object, since it's never supposed to change.

This code was to enable proper searching of binary data. Additional modifications would be needed to properly add binary data.

astratto pushed a commit to astratto/ruby-net-ldap that referenced this pull request Dec 18, 2015

Merge pull request #33 from DavidJLee/master
New filter type to allow searching of binary data