How can I format an LDAP filter that includes special characters? ('Classic' ASP)
You will need to escape the string according to RFC 4515, String Representation of Search Filters.
Generally, you need to escape the items listed in RFC 4515, String Representation of Search Filters, and, I would suggest, also any non-UTF8 character.
I also found some methods that may be helpful to get you started.
I believe the proper escaped value you are trying to find is: All in 463"567y\5c22"\c2\a4&/2#%&! Test Group
Finally, quit it. Start populating and searching for Description or some other non-naming attribute (any attribute that is not part of the DN). Make your DNs never changing. No user should ever see a DN, which should be only a path to an entry. You will have issues with many "off-the-shelf" tools if you continue this practice.
I tried and was not even able to create the entry in two different vendors' tools.
user3012708
Updated on June 04, 2022
Comments
-
user3012708 almost 2 years
I'm having trouble retrieving information via LDAP for certain groups I have the DistinguishedName of. The issue seems to relate to them having special characters.
Here are two examples, one working, one not:
All in Test Group
All in 463\"567y\\22\"¤&/2#%&! Test Group
and their DNs:
CN=All in Test Group,OU=Groups,DC=some,DC=test,DC=com
CN=All in 463\"567y\\22\"¤&/2#%&! Test Group,OU=Groups,DC=some,DC=test,DC=com
I know the DNs are correct, as I retrieve them from a user's managedObjects attribute, and have verified them in AD and also using ADSI Edit.
Now, onto what code I am using to retrieve the information, note that this code works fine on the group without special characters:
    Dim strGroupdisplayName, strGroupsAMAccountname, strGroupmail

    Function GetGroupInfofromDN(group_str)
        On Error Resume Next
        Dim objGroup, objDNNamespace, strLDAPGroup
        ' The DN is appended to the ADsPath exactly as received
        strLDAPGroup = "LDAP://" + group_str
        Set objDNNamespace = GetObject("LDAP:")
        Set objGroup = objDNNamespace.OpenDSObject(strLDAPGroup, strADUsername, strADPassword, 0)
        objGroup.GetInfo
        ' Results are returned through the script-level variables
        strGroupdisplayName = ""
        strGroupsAMAccountname = ""
        strGroupmail = ""
        strGroupdisplayName = objGroup.Get("displayName")
        strGroupsAMAccountname = objGroup.Get("sAMAccountname")
        strGroupmail = objGroup.Get("mail")
        Set objGroup = Nothing
    End Function
As for what I've tried... I've tried encoding the groups to URI format, I've tried replacing special characters with their escaped equivalents:
    strTemp = replace(strTemp, "\", "\5c")
    strTemp = replace(strTemp, "(", "\28")
    strTemp = replace(strTemp, "|", "\7c")
    strTemp = replace(strTemp, "<", "\3c")
    strTemp = replace(strTemp, "/", "\2f")
    strTemp = replace(strTemp, ")", "\29")
    strTemp = replace(strTemp, "=", "\3d")
    strTemp = replace(strTemp, "~", "\7e")
    strTemp = replace(strTemp, "&", "\26")
    strTemp = replace(strTemp, ">", "\3e")
    strTemp = replace(strTemp, "*", "\2a")
I've also tried via regex to pull out the CN= section and only alter that.
Quite frankly, I'm at a loss as to what I should do here.
I've also tried another method:
    set connAD = Server.CreateObject("ADODB.Connection")
    connAD.Provider = "ADsDSOObject"
    connAD.Properties("User ID") = strADUsername
    connAD.Properties("Password") = strADPassword
    connAD.Properties("Encrypt Password") = true
    connAD.Open

    Function getADUserInfo(strUID)
        strGeneralLookupError = false
        strBase = "<LDAP://DC=SOME,DC=TEST,DC=COM>"
        ' strUID is concatenated into the filter without any escaping
        strFilter = "(distinguishedName=" & strUID & ")"
        strAttributes = "cn, mail, company, givenName, sn, ADsPath, name, sAMAccountName, telephoneNumber, distinguishedName, managedObjects"
        strScope = "subtree"
        strFullCommand = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
        set rsADUserInfo = Server.CreateObject("ADODB.Recordset")
        set rsADUserInfo = connAD.Execute(strFullCommand)
        set getADUserInfo = rsADUserInfo
        set rsADUserInfo = Nothing
    End Function

    Sub getUserData(p_strUserID)
        strADLookupSuccess = true
        set rsUserData = Server.CreateObject("ADODB.Recordset")
        set rsUserData = getADUserInfo(p_strUserID)
        if not rsUserData.EOF then
            strUserADsPath = rsUserData("ADsPath")
            strUserdistinguishedName = rsUserData("distinguishedName")
        else
            strADLookupSuccess = false
        end if
        rsUserData.Close
        set rsUserData = Nothing
    End Sub

    dim strUserADsPath, strUserdistinguishedName, rsUserData, rsADUserInfo, strADLookupSuccess
    getUserData("CN=All in 463\"567y\\\\22\"¤&/2\#%&! Test Group,OU=Groups,DC=some,DC=test,DC=com")
    connAD.Close
    set connAD = Nothing
Any suggestions? All the things I've read so far make mention of special characters, but escaping them does not seem to work...
Also, this is Classic ASP, running against a Windows Server 2008 R2-based domain.
EDIT:
Active Directory error '80040e37'
An invalid directory pathname was passed
Is the error message given when I do manage to pass one with Special Characters.
-
user3012708 over 10 years
This was the push in the right direction I needed! To solve it, I compared the ADSI Edit strings with the ones given by "managedBy", noted the characters that were different, read your links regarding what is escaped and how, and finally escaped only the character "/" (to "\/"). I now have a list made of gibberish actually being found via LDAP. Thanks!
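
Added example (not part of the answer or the poster's code): the two escaping layers this thread distinguishes, RFC 4515 escaping for a value placed in a search filter and the "\/" escaping the poster needed in the LDAP:// bind string. All function names are hypothetical, the sample strings are rebuilt from the question, and the DN passed to DnToAdsPath is assumed to arrive with "/" unescaped.

```vbscript
Option Explicit

' "\xx" for one byte, lower-case hex as in the answer above.
Function HexByte(ByVal b)
    HexByte = "\" & LCase(Right("0" & Hex(b), 2))
End Function

' RFC 4515: escape NUL ( ) * \ and write non-ASCII characters as UTF-8 bytes.
' Limitation: UTF-16 surrogate pairs (outside the BMP) are not handled.
Function EscapeLdapFilterValue(ByVal s)
    Dim i, cp, out
    out = ""
    For i = 1 To Len(s)
        cp = AscW(Mid(s, i, 1))
        If cp < 0 Then cp = cp + 65536            ' AscW is signed 16-bit
        If cp = 0 Or cp = 40 Or cp = 41 Or cp = 42 Or cp = 92 Then
            out = out & HexByte(cp)
        ElseIf cp < 128 Then
            out = out & Mid(s, i, 1)
        ElseIf cp < 2048 Then                      ' two UTF-8 bytes
            out = out & HexByte(192 + (cp \ 64)) & HexByte(128 + (cp And 63))
        Else                                       ' three UTF-8 bytes
            out = out & HexByte(224 + (cp \ 4096)) _
                      & HexByte(128 + ((cp \ 64) And 63)) _
                      & HexByte(128 + (cp And 63))
        End If
    Next
    EscapeLdapFilterValue = out
End Function

' A DN used as a filter value is escaped like any other value, so each
' backslash of its DN-level escaping becomes \5c.
Function DnFilter(ByVal dn)
    DnFilter = "(distinguishedName=" & EscapeLdapFilterValue(dn) & ")"
End Function

' "/" separates ADsPath components, so a literal "/" inside the DN is
' written "\/" in the bind string (the fix reported in the comment above).
Function DnToAdsPath(ByVal dn)
    DnToAdsPath = "LDAP://" & Replace(dn, "/", "\/")
End Function

' Constructed sample input: the group name and DN from the question.
Dim cn, dn
cn = "All in 463""567y\22""" & ChrW(164) & "&/2#%&! Test Group"
dn = "CN=All in 463\""567y\\22\""" & ChrW(164) & "&/2#%&! Test Group,OU=Groups,DC=some,DC=test,DC=com"
WScript.Echo "(cn=" & EscapeLdapFilterValue(cn) & ")"
WScript.Echo DnFilter(dn)
WScript.Echo DnToAdsPath(dn)
```

Run it with cscript; inside an ASP page, replace WScript.Echo with Response.Write. For the group name from the question, EscapeLdapFilterValue produces the escaped value quoted in the answer.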