LDAP query on a OU with * in the title. How? - ldap

I'm having difficults I believe with a * character being in my OU when I'm doing a search. The OU group is called WorldWide Offices.
I have a looping query that returns all the users who are in a given group. So I type in a group name, and this brings me back a group. Then I loop through the group.members.
These members will either be a user or another group. So if it's not a user I would then loop through again to check if it's a group. The members of the group are always the DistinguishedName, and that's all I have to search on.
I'm having a current user with the DistinguishedName as
CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=Worldwide Offices,DC=OurDomain,DC=LOCAL.
I'm doing a DirectorySearcher and my filter is
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=*Worldwide Offices*,DC=OurDomain,DC=LOCAL))
As you can see, I think the fact that our OU has * in it's title is the reason why it doesn't find the user. Any other OU that doesn't have a * in it seems to work. Which is why I believe the * is the problem.
Does anyone have any idea how to get around the * problem, apart from renaming the OU?

Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\2aWorldwide Offices\2a,DC=OurDomain,DC=LOCAL))
A * must be escaped with a \2a - please see MSDN "Search Filter Syntax":
If any of the following special
characters must appear in the search
filter as literals, they must be
replaced by the listed escape
sequence.
* => \2a
( => \28
) => \29
\ => \5c
NUL => \00
/ => \2f
Simply escaping it with a \ should work too:
Searcher.Filter = "(&(&(objectClass=user)(!(objectClass=computers)))(distinguishedName=CN=Smith\, John a.,OU=Laptop,OU=Users,OU=London DC,OU=UK,OU=\*Worldwide Offices\*,DC=OurDomain,DC=LOCAL))

The wild card only work if the attribute type is some string type. (octet string, unicode string). if you use * agains the attribute like givenName, displayName then the wild cards will be honored. But the distinguished name is of type "Distinguished Name", hence the substring match wont be turned on by the server.
if you use * against objectcategory, dn, distinguishedname... you can see the wildcard not working.
Your logic need to be changed.

Related

filter params for import users from AD

I'm to import users used this filter:
(&(objectClass=user)(objectCategory=PERSON))
And i want to add RealName parameter as filter.
RealName should contain 3 any words.
For example RealName contained "name middle_name surname" - it's good, need to import.
If RealName contained "name surname" (only two word) - wrong, not imported.
Can you help me with with filter?
LDAP queries can only use attributes that exist in Active Directory, and there is no attribute called "RealName".
You will have to split the input string yourself. So, for example, if you were given the string "Necro The Human", you would have to split that into 3 strings using whatever programming language you're using.
Then you will have to insert those into an LDAP query that matches the three name attributes: givenName, initials, and sn (surname)
Your finished query would look something like this:
(&(objectClass=user)(objectCategory=person)(givenName=Necro)(initials=The)(sn=Human))
Check if you're using initials or the middleName attribute for the middle name. It's the initials attribute that is labelled as "Initials" in Active Directory Users and Computers, so that may be what's used, even though the documentation says it's just for the initials of the full name, or middle initials (not the full middle name). It's also limited to only 6 characters, so you may be using middleName if you're storing full middle names.
If your company has the standard of setting the displayName to the user's full name, including middle name, then you could just match against that. But I think it would be pretty rare that the middle name would be in the display name.
(&(objectClass=user)(objectCategory=person)(displayName=Necro The Human))
There is also ambiguous name resolution, but it searches other attributes (not just the first/last name) and it does not include initials or middleName. I mention it only because it's not well known and you may find some other use for it one day.

LDAP Filter Syntax Query

What would be the syntax for LDAP for the below scenario:
Where sAMAccountName = GRA-* without $. I want the records which are highlighted in green.
This is my current LADP Filter for your reference:
(&(objectClass=user)sAMAccountName=GRA-*))
Anyone, Please help with the correct syntax.
Your filter can work, but you're missing a ( in front of sAMAccountName:
(&(objectClass=user)(sAMAccountName=GRA-*))
But you may be able to do better. If those ones that end in $ are computer objects (which always have sAMAccountNames that end in $, but also have an objectClass of user), then you can make sure you only get user objects by including (objectCategory=person):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*))
If, for whatever reason, those $ objects are actually user accounts, then you can exclude them with (!sAMAccountName=*$):
(&(objectClass=user)(objectCategory=person)(sAMAccountName=GRA-*)(!sAMAccountName=*$))

user wants to apply a quite complex "User Search Filter" in his LDAP Configuration

user have to apply a quite complex "User Search Filter" in his LDAP Configuration.
The filter is too big and exceed the 256 allowed character. For customer business policy is not possible to modify the LDAP structure or data How can we proceed?
Here there is a sample of the filter:
(&
(|
(memberOf=CN=Applicazione_DocB_AmmApplicativo,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_AmmPiattaforma,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_ArchFIRead,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_ArchFIWrite,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_AreaFinanza,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_Arm,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_BoGestCanc,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_BoUpdDocum,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_Crif,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_VisualBase,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
(memberOf=CN=Applicazione_DocB_VisualEsteso,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
)(|
(userAccountControl=512)
(userAccountControl=544)
(userAccountControl=66048)
)
)
Have the customer create one single group to control access to the application, then they can add all of those groups to that one group. Then you only need to look at that one group. However, you will need to use the LDAP_MATCHING_RULE_IN_CHAIN operator so that it will look at the members of nested groups.
If the name of that new group is Applicazione_DocB, that would look something like this:
(memberOf:1.2.840.113556.1.4.1941:=CN=Applicazione_DocB,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)
Your conditions on userAccountControl can also be simplified. That attribute is a bit flag, which means that each bit in the binary value is a flag that means something. Those values are listed in the documentation for userAccountControl. The three conditions you are using are:
512: ADS_UF_NORMAL_ACCOUNT
544: ADS_UF_NORMAL_ACCOUNT | ADS_UF_PASSWD_NOTREQD (password not required)
66048: ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD (password does not expire)
If the intent is to exclude disabled accounts (514: ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE), then you can do that by using the LDAP_MATCHING_RULE_BIT_AND operator to check if the second bit is not set (which indicates a disabled account), like this:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
Putting that all together, you get a query that is less than 256 characters:
(&(memberOf:1.2.840.113556.1.4.1941:=CN=Applicazione_DocB,OU=Intranet,OU=Gruppi,DC=CBMAIN,DC=CBDOM,DC=IT)(!userAccountControl:1.2.840.113556.1.4.803:=2))

Using DN in Search Filter

In my LDAP Client program sometimes I have to include the DN value within the search filter. But this DN is changing frequently and every I have to change this filter in my code.
When I googled it for that I got something like this
Suppose you want to pull all users of ObjectType = Person from the R&D and HR ous, but not any users from Marketing and PM. The filter would be:
(&(objectClass=person)(|(ou:dn:=ResearchAndDevelopment)(ou:dn:=HumanResources)))
Can anybody explain this more in detail?
You should check RFC 2254 (The String Representation of LDAP Search Filters).
LDAP filters use polish notation for the boolean operators. So the operator is written before its operands:
(&(condition1)(condition2)(condition3)...)
The example above means that you want all LDAP entries which satisfy condition1 AND condition2 AND condition3 and so on.
Then there are condition themselves. They are very simple and can consist only of few types:
present condition - (attrName=*)
simple condition - (attrName>=value) / (attrName<=value) / (attrNamevalue=value) / (attrName~=value)
substring condition - (attrName=*value*) / (attrName=*value) / (attrName=value*)
extensible condition - (attrName:dn:=value) / (attrName:matchingRule:=value)
The extensible condition with the :dn: keyword means, that you want attributes from the entry DN to be considered as well. So for your case entry cn=John Doe,ou=HumanResources,ou=Users,dc=example,dc=com would match the filter (ou:dn:=HumanResource).
Translating your example filter to an English sentence would be:
Find me all LDAP entries which have objectClass equal to person and have either ResearchAndDevelopment or HumanResources in their ou attribute or somewhere on their DN.
You can use dn into base and set search scope as base.
That is, set dn value into base, and set search scope as base(search scope is one of base, sub and one).
If you really need to search by the whole DN, you can search with:
(distinguishedName=CN=MyCommonName,OU=SomeEnv,...,DC=SomeDir)

Replace space with dash before save using Rails 3

I am trying to save a name to the database and a single word (firstname) works fine but when the user enter both firstname and lastname I want Rails to save it to the database as firstname-lastname instead of firstname lastname (space between).
I know I perhaps should use a before create filter but I am not sure how this need to look like. I want the validation to work to, i.e. no two people should be able to use the same name.
I am using Rails 3.
You can use ActiveSupport's inflector method parameterize on the string.
name = 'john smith' # => john smith
name.parameterize # => john-smith
Further, parameterize takes an option to use for the word-break, so you can replace the dash with an underscore like this:
name.parameterize("_") # => john_smith
An advantage of using parameterize is that it normalizes the characters to the latin, so...
name = "jöhanne såltveç"
name.parameterize # => johanne-saltvec
EDIT: As of Rails 5.0.0.1 the separator needs to be passed as an option. Therefore: name.parameterize(separator: '_')
Why don't you just have first_name and last_name columns in the db, and create your own validation rule to make sure the combination is unique (http://guides.rubyonrails.org/active_record_validations_callbacks.html#creating-custom-validation-methods). You should also create a unique index over those two columns in your db.
Another option would be to us regexp and replace all existing spaces with. You'd put something along the lines of:
self.firstname.gsub(/\s+/, '-')
in your model.
Note: I'm not sure if ruby accepts \s as "any whitespace character" And I think the * should make sure that if someone enters a name with two neighbour spaces(or more) it won't convert each space into a separate dash, but only into one.
Other answer is correct,
But, if you want to preserve case while parameterizing
name = "Donald Duck"
name.parameterize(preserve_case: true) # => Donald-Duck