0
votes

So we have this LDAP query (against OpenLDAP)

(&(objectClass=groupOfNames)(member=cn=admin,dc=test,dc=com))

The query returns all groups that admin is member of. It also returns all other users in those groups. This is an issue when you have +10.000 users that are in the same group.

Is there a way to just return the group names? Like a returned-attributes filter?

In Java there is an option like that, but I don't know whether it just does the query and filters the results client-side, or how to write it as an LDAP query. Example:

// Assumes ctx is a bound DirContext and searchBase is the DN to search under
SearchControls search = new SearchControls();
String[] returnedAtts = {"memberOf", "name", "mail"};
search.setReturningAttributes(returnedAtts);   // only these attributes come back
// username is concatenated straight into the filter string
NamingEnumeration<SearchResult> answer = ctx.search(searchBase, "(&(objectClass=user)(sAMAccountName=" + username + "))", search);

Yes I know. Using memberOf would be a better option. But this LDAP doesn't have that attribute.

2
You have an LDAP search filter injection when building a filter with simple string concatenation, e.g. if someone provides username="*)(otherattr=specialvalue" - Vilmantas Baranauskas
A filter like (&(objectClass=groupOfNames)(member=cn=admin,dc=test,dc=com)) - jwilleke

2 Answers

2
votes

If you use setReturningAttributes(list), the LDAP server will return only those attributes. You do not have to include the attributes your search filter is based on. This is the correct solution to your problem.

1
votes

A filter like (&(objectClass=groupOfNames)(member=cn=admin,dc=test,dc=com)) should not return all the member(s) of the groups. It will return all the groups that the user is a member of.

A filter like (&(objectClass=groupOfNames)(cn=yourdesiredgroupname)(member=cn=admin,dc=test,dc=com))

will return only the group of interest. Setting the returned attributes to CN will return only the group name.

-jim
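Putting the two points of this thread together (request only cn via setReturningAttributes so the server never ships the member list, and never splice caller-supplied text into the filter unescaped, as the comment on the question warns), here is an added JNDI example. It is not code from the question or either answer. The class name GroupLookup, the escapeFilterValue helper (RFC 4515 section 3 escaping) and the connection details in main are assumptions; the same helper applies to the username in the question's sAMAccountName filter. Note that this escaping is for values inside a search filter only; building a DN is a different context with its own rules.

```java
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.*;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

public class GroupLookup {

    // Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
    // '\', '*', '(', ')' and NUL become \XX hex escapes, so a caller-supplied
    // value such as "*)(otherattr=specialvalue" stays a literal string and
    // cannot add filter clauses. (Assumed helper, not from the thread.)
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Return the cn of every groupOfNames whose member attribute contains memberDn.
    // Only "cn" is requested, so the server does not send the (possibly huge) member list.
    static List<String> groupNamesFor(DirContext ctx, String searchBase, String memberDn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});   // attribute selection is done server-side

        String filter = "(&(objectClass=groupOfNames)(member=" + escapeFilterValue(memberDn) + "))";

        List<String> names = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(searchBase, filter, sc);
        try {
            while (results.hasMore()) {
                Attribute cn = results.next().getAttributes().get("cn");
                if (cn != null) {
                    names.add((String) cn.get());
                }
            }
        } finally {
            results.close();
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        // Connection details are placeholders; replace with your server, bind DN and password.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=admin,dc=test,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "<bind-password>");

        DirContext ctx = new InitialDirContext(env);
        try {
            for (String group : groupNamesFor(ctx, "dc=test,dc=com", "cn=admin,dc=test,dc=com")) {
                System.out.println(group);
            }
        } finally {
            ctx.close();
        }
    }
}
```

Requesting a single attribute keeps the response small even for a group with tens of thousands of members, because the filtering and the attribute selection both happen on the server; the client only ever sees the group entries with their cn. The escape helper is what turns the concatenation flagged in the comments into a safe operation: each special character in the supplied value is replaced by its hex escape before it reaches the filter string.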