James Pearson
2018-Nov-16 13:59 UTC
[CentOS] sssd ldap_user_search_base filters with '#' characters in names
I'm trying to craft an ldap search filter for use with ldap_user_search_base in sssd.conf which is using Active Directory (AD) as the back end on CentOS 7 clients

The filter looks for users that are memberOf a particular group - however, the group name starts with a '#' character - i.e. in AD, the group name is listed as something like '#ABC XYZ'

But when I set ldap_user_search_base to something like:

ldap_user_search_base = OU=Users,DC=Example,DC=com?subtree?(memberOf=CN=#ABC XYZ,OU=Groups,DC=Example,DC=com)

then 'getent passwd user' fails to return anything (for 'user' that is in that group)

However, when using the above syntax with a group name that doesn't start with a '#' character, then things work as expected

When I use ldapsearch, it reports that the user is a memberOf:

memberOf: CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com

But using the '\' in sssd.conf for the search filter causes sssd to error with 'Invalid search filter' in the logs

Escaping the Escape ('\\') also gives 'Invalid search filter'

Does anyone know how to 'escape' special characters in search filters in sssd.conf ?

Thanks

James Pearson
James Pearson
2018-Nov-16 21:57 UTC
[CentOS] sssd ldap_user_search_base filters with '#' characters in names
James Pearson wrote:
> I'm trying to craft an ldap search filter for use with
> ldap_user_search_base in sssd.conf which is using Active Directory (AD)
> as the back end on CentOS 7 clients
>
> The filter looks for users that are memberOf a particular group -
> however, the group name starts with a '#' character - i.e. in AD, the
> group name is listed as something like '#ABC XYZ'
>
> But when I set ldap_user_search_base to something like:
>
> ldap_user_search_base =
> OU=Users,DC=Example,DC=com?subtree?(memberOf=CN=#ABC
> XYZ,OU=Groups,DC=Example,DC=com)
>
> then 'getent passwd user' fails to return anything (for 'user' that is
> in that group)
>
> However, when using the above syntax with a group name that doesn't
> start with a '#' character, then things work as expected
>
> When I use ldapsearch, it reports that the user is a memberOf:
>
> memberOf: CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com
>
> But using the '\' in sssd.conf for the search filter causes sssd to error
> with 'Invalid search filter' in the logs
>
> Escaping the Escape ('\\') also gives 'Invalid search filter'
>
> Does anyone know how to 'escape' special characters in search filters in
> sssd.conf ?

After going round in circles for a while - I managed to get this working

Turns out you can use the hexadecimal code for characters in an LDAP filter/search path/whatever - which is escaped via '\' followed by 2 hexadecimal characters - so the following works:

memberOf: CN=\5C#ABC XYZ,OU=Groups,DC=Example,DC=com

i.e. 5C is the character code for '\'

This also explains why I was getting 'Invalid search filter' previously, as my use of '\' was followed by invalid hexadecimal characters ...

James Pearson
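The two messages above describe two separate escaping layers that stack: the group name '#ABC XYZ' is first escaped as a DN value (RFC 4514 requires a leading '#' to become '\#'), and that DN is then embedded as an assertion value in a search filter, where RFC 4515 requires every backslash to become '\5C' (or '\5c'). The following is an added example, not code from the thread or from sssd, that implements both rules and reproduces the working value from the second message. The helper names, the validator and the sample DNs are this example's own assumptions; the base and group DNs are the ones used in the thread.

```python
"""Escape helpers for LDAP DNs (RFC 4514) and search filters (RFC 4515).

Added example, not part of the mailing-list thread or of sssd.  It shows why a
group whose name starts with '#' needs two layers of escaping before its DN can
be embedded in an sssd ldap_user_search_base filter, and why a bare '\\#' or
'\\\\#' is rejected as an invalid filter.
"""
import re

# RFC 4514 section 2.4: characters that must be backslash-escaped anywhere
# inside an RDN attribute value.  A leading '#' or space and a trailing space
# are escaped as well (handled positionally below).
_DN_SPECIAL = set('"+,;<>\\')

# RFC 4515 section 3: characters that must be hex-escaped ('\XX') inside a
# filter assertion value.  Upper-case hex matches the thread's '\5C'; RFC 4515
# accepts either case.
_FILTER_SPECIAL = {"*": "\\2A", "(": "\\28", ")": "\\29", "\\": "\\5C", "\x00": "\\00"}

# A filter assertion value is valid only if every backslash introduces exactly
# two hex digits (simplified from the RFC 4515 grammar; hypothetical helper).
_VALID_FILTER_VALUE = re.compile(r"^(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})*$")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":        # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":      # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515).

    Non-ASCII characters are emitted as hex-escaped UTF-8 bytes, as the RFC
    requires for filters carried in string form.
    """
    out = []
    for ch in value:
        if ch in _FILTER_SPECIAL:
            out.append(_FILTER_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02X}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def filter_value_is_valid(value: str) -> bool:
    """True if the assertion value is well-formed under RFC 4515."""
    return bool(_VALID_FILTER_VALUE.match(value))


def build_user_search_base(base_dn: str, group_cn: str, groups_container: str) -> str:
    """Build an sssd 'base?scope?filter' string restricting users to one group.

    The group's CN is DN-escaped first, then the whole group DN is
    filter-escaped, so the two layers compose correctly.
    """
    group_dn = f"CN={escape_dn_value(group_cn)},{groups_container}"
    member_filter = f"(memberOf={escape_filter_value(group_dn)})"
    return f"{base_dn}?subtree?{member_filter}"


if __name__ == "__main__":
    # DNs from the thread; the group name is the one that caused the trouble.
    print(build_user_search_base("OU=Users,DC=Example,DC=com",
                                 "#ABC XYZ",
                                 "OU=Groups,DC=Example,DC=com"))
    # The two attempts from the first message fail validation; the fix passes.
    for attempt in ("CN=\\#ABC XYZ,OU=Groups,DC=Example,DC=com",
                    "CN=\\\\#ABC XYZ,OU=Groups,DC=Example,DC=com",
                    "CN=\\5C#ABC XYZ,OU=Groups,DC=Example,DC=com"):
        print(filter_value_is_valid(attempt), attempt)
```

The same filter-escaping routine is what protects any code that builds LDAP filters from user-supplied values: a value such as `*)(uid=*` comes out as `\2A\29\28uid=\2A`, so it can only ever match literally and cannot close the current assertion or open another one. The validator makes the failure in the first message explicit: '\#' and '\\#' are rejected because the backslash is not followed by two hex digits, while '\5C#' is well-formed.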