1
votes

I'm trying to find Active Directory users who are:

memberOf::Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXh4eCxEQz1pbnRlcm4=

(this base64 stands for CN=Domänen-Admins,CN=Users,DC=xxx,DC=intern)

Searching for it directly (via API or ldapsearch) yields no result (since it's a unicode DN):

ldapsearch -h ... -D [email protected] -x -w '...' -b dc=xxx,dc=intern '(memberof=CN=Domänen-Benutzer,CN=Users,DC=xxx,DC=intern)'  

Following filters didn't work either:

(memberof=Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXh4eCxEQz1pbnRlcm4=)
(memberof=:Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXh4eCxEQz1pbnRlcm4=)
(memberof=::Q049RG9tw6RuZW4tQWRtaW5zLENOPVVzZXJzLERDPXh4eCxEQz1pbnRlcm4=)

I can't find any documentation except for RFC specifying base64 encoding in LDIF files.

UPDATE: the above ldapsearch commands are for convenience only; it doesn't work with the LDAP API either, using:

ldap.search_s('dc=xxx,dc=intern', ldap.SCOPE_SUBTREE, filter, ['cn'])

with filters:

filter='(memberof=CN=Domänen-Benutzer,CN=Users,DC=xxx,DC=intern)'.encode('utf-8') # raw UTF
filter='(memberof=CN=Domänen-Benutzer,CN=Users,DC=xxx,DC=intern)'.encode('cp1252') # raw 1252
filter=b'(memberof=CN=Dom\\e4nen-Benutzer,CN=Users,DC=xxx,DC=intern)' # hex
filter=b'(memberof=CN=Dom\\xe4nen-Benutzer,CN=Users,DC=xxx,DC=intern)' # python repr

I've also confirmed with Wireshark that the filter is indeed transmitted in UTF-8.


3 Answers

2
votes

The attribute type cn has a Directory String syntax according to the standard. Directory Strings are encoded using UTF-8. Saying that searching via the API yields no results is incorrect. You are just using the incorrect encoding. The ldapsearch tool (assuming you are using OpenLDAP) may not support searching with accented characters.

The ldapsearch utility shipped with the UnboundID Data Store handles this pretty well. Here is the LDIF that I used for testing:

dn:: Q049RG9tw4PCpG5lbi1BZG1pbnMsZGM9ZXhhbXBsZSxkYz1jb20=
objectclass: organizationalPerson
sn: person

dn: cn=mygroup,dc=example,dc=com
objectclass: groupofnames
member:: Q049RG9tw4PCpG5lbi1BZG1pbnMsZGM9ZXhhbXBsZSxkYz1jb20=

Here is my command line test:

$ ldapsearch -b "dc=example,dc=com" "member=CN=Domänen-Admins,dc=example,dc=com"
dn: cn=mygroup,dc=example,dc=com
objectClass: top
objectClass: groupofnames
cn: mygroup
member:: Q049RG9tw4PCpG5lbi1BZG1pbnMsZGM9ZXhhbXBsZSxkYz1jb20=

Also, you may want to read the Directory String syntax from RFC 4517.

UPDATE

I managed to make this work with Active Directory (Windows Server 2012 R2, Datacenter edition) using the ldapsearch utility shipped with the UnboundID Data Store. This is what I see:

$ ldapsearch --trustAll -Z -h <hostname> -p 636 -D "cn=administrator,cn=users,dc=dom-ad2,dc=local" -w <password> -b "cn=test,dc=dom-ad2,dc=local" "member=CN=Domänen-Benutzer,CN=test,DC=dom-ad2,DC=local"

dn: CN=mygroup,CN=test,DC=dom-ad2,DC=local
objectClass: top
objectClass: group
cn: mygroup
member:: Q049RG9tw4PCpG5lbi1CZW51dHplcixDTj10ZXN0LERDPWRvbS1hZDIsREM9bG9jYWw=
member: CN=Administrator,CN=Users,DC=dom-ad2,DC=local
distinguishedName: CN=mygroup,CN=test,DC=dom-ad2,DC=local
instanceType: 4
whenCreated: 20160514104531.0Z

You can also use the LDAPSearch example class from the UnboundID LDAP SDK (jar download link) to accomplish this. Here is the equivalent command-line I used with the LDAP SDK:

$ java -cp unboundid-ldapsdk-3.1.1.jar com.unboundid.ldap.sdk.examples.LDAPSearch --trustAll -Z -h <host> -p 636 -D "cn=administrator,cn=users,dc=dom-ad2,dc=local" -w <password> -b "cn=test,dc=dom-ad2,dc=local" "member=CN=Domänen-Benutzer,CN=test,DC=dom-ad2,DC=local"

1
votes

It turned out that it's only impossible to fetch members for built-in AD groups (i.e. (isCriticalSystemObject=TRUE)). memberOf queries for user-created groups work just fine, independently of the encoding used. No hex encoding was necessary.

1
votes

Why are you trying to use the base64 encoded value? You must base64 decode the value before using it in an LDAP filter. It either needs to be the string representation of the value or a hex escaped version of the string value when used in an LDAP filter.

Edit: After translating the group names a bit from your question it became more apparent to me what your issue actually is. The default "Domain Users" group is actually a primary group for a user. It will not show up in the memberOf list (hence the empty results on a search). To check if a user is a member of "Domain Users" you must inspect the primaryGroupId value for a user. In 99% of all cases this will always be the default "Domain Users" group.
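An added example (not code from the question or any of the answers) that ties together the two points raised above: the RFC 4515 hex escaping of non-ASCII DN bytes that the first answer refers to, and the primaryGroupId check for "Domain Users" from the last answer. It assumes python-ldap's result shape (attribute name mapped to a list of bytes values), uses the well-known RID 513 for Domain Users, and works on a constructed entry rather than a live directory.

```python
import base64
from typing import Optional

# Well-known RID of the Domain Users group (a fact about AD, not from the page).
RID_DOMAIN_USERS = 513

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: '*', '(', ')', '\\' and control
    bytes become \\XX, and so does every byte of a non-ASCII UTF-8 character,
    so 'ä' is sent as \\c3\\a4 instead of raw bytes whose encoding is ambiguous."""
    out = []
    for byte in value.encode("utf-8"):
        if byte < 0x20 or byte > 0x7E or chr(byte) in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def member_of_filter(group_dn: str) -> str:
    """Filter string ready for ldap.search_s(); pure ASCII, so no encoding guesswork."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)

def dn_from_ldif_base64(b64: str) -> str:
    """LDIF writes non-ASCII values as 'attr:: <base64 of the UTF-8 bytes>'.
    That base64 is an LDIF transport detail; decode it before using it in a filter."""
    return base64.b64decode(b64).decode("utf-8")

def is_member(entry: dict, group_dn: str, group_rid: Optional[int] = None) -> bool:
    """Membership as AD exposes it: a DN listed in memberOf, or the primary group.
    The primary group (Domain Users for almost every account) is NOT listed in
    memberOf and is only visible via primaryGroupID, so a memberOf search for it
    legitimately returns nothing. DN comparison is case-insensitive."""
    wanted = group_dn.lower()
    for dn in entry.get("memberOf", []):
        if dn.decode("utf-8").lower() == wanted:
            return True
    if group_rid is not None:
        for rid in entry.get("primaryGroupID", []):
            if int(rid) == group_rid:
                return True
    return False

if __name__ == "__main__":
    # Constructed sample entry; the DNs follow the question's naming.
    user = {
        "cn": [b"jdoe"],
        "memberOf": ["CN=Domänen-Admins,CN=Users,DC=xxx,DC=intern".encode("utf-8")],
        "primaryGroupID": [b"513"],
    }
    print(member_of_filter("CN=Domänen-Admins,CN=Users,DC=xxx,DC=intern"))
    print(is_member(user, "CN=Domänen-Benutzer,CN=Users,DC=xxx,DC=intern", RID_DOMAIN_USERS))
```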