node-ldapjs
Attributes with upper case letters requested in search on server are filtered out
When making a request to an ldapjs based server that includes a selection of attributes, and any of these attributes contain upper case letters, these attributes will not be included in the response. For example, the response to this request:
ldapsearch -D '<rootDN>' -b '<mount path>' -H '<hostname>' '(objectclass=*)' sn mail memberOf
if provided through:
server.search('<mount path>', (req, res, next) => {
  res.send({ dn: 'cn=foo', attributes: { sn: 'Me', mail: '[email protected]', memberOf: 'ou=Everyone' } });
  res.end();
  next();
});
will return
dn: cn=foo
sn: Me
mail: [email protected]
i.e. memberOf is filtered out. This happens in this part of SearchResponse.js:
Object.keys(entry.attributes).forEach(function (a) {
  const _a = a.toLowerCase()
  if (!nofiltering && _a.length && _a[0] === '_') {
    …
  } else if (self.attributes.length && self.attributes.indexOf(_a) === -1) {
    savedAttrs[a] = entry.attributes[a]
    delete entry.attributes[a]
  }
})
where the entry's attribute name is cast to lower case, but the response's ones (i.e. self.attributes) are not, so that search attributes with upper case letters will never match anything at all.
I am currently working around that by patching the attributes in the response object and converting them to lower case from my search functions. I imagine something like that should be done in SearchResponse.send instead.
Can you please provide a link to the source code in question? https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-a-permanent-link-to-a-code-snippet
What version of ldapjs are you using?
Sure. Here's the link to that bit of code I am quoting above: https://github.com/ldapjs/node-ldapjs/blob/f2890088e49c0c7b7b880998d73d6e4a448d7b4e/lib/messages/search_response.js#L57-L71C1
I am using 3.0.2.
Thank you. I wanted to verify that I was looking at the same block of code because of your reduction in the original post.
At least this code is old 🤣
We're going to need to draft a test, probably similar to https://github.com/ldapjs/node-ldapjs/blob/f2890088e49c0c7b7b880998d73d6e4a448d7b4e/test/issue-845.test.js, that exhibits the problem and work backward from there. I think that instead of patching SearchResponse.send, we should fix the linked algorithm to compare objects correctly.
Did run into the same problem (using 3.0.7).
My (hacky) workaround is to force the allow-all-attributes mode by manually setting the * attribute on the SearchResponse object before calling send():
res.attributes = ['*'];
res.send(myResponse);
Just hit this using Apache Guacamole LDAP extension. It requests attributes using camelcase, and so they are filtered out. I think the problem is this test in search_response.js:
} else if (self.attributes.length && self.attributes.indexOf(_a) === -1) {
That line is comparing the incoming (self.attributes) with the lowercased versions of those specified in the search response.
@x-way your workaround solved my issue, so thanks!
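The comparison discussed in this thread, as an added example that is not part of the issue or of ldapjs's own code: a standalone model of the quoted filter next to a variant that lowercases both sides. The names filterBuggy, filterFixed and demo, and the sample entry, are assumptions made for illustration.

```javascript
// Standalone model of the filter quoted in the issue (added example).
// filterBuggy and filterFixed are hypothetical names, not ldapjs functions;
// the '_'-prefixed attribute branch elided in the quote is left out.

// As quoted: the entry's names are lowercased, the requested ones are not.
function filterBuggy (requested, entryAttributes) {
  const all = requested.length === 0 || requested.indexOf('*') !== -1
  const kept = {}
  Object.keys(entryAttributes).forEach(function (a) {
    const _a = a.toLowerCase()
    if (all || requested.indexOf(_a) !== -1) kept[a] = entryAttributes[a]
  })
  return kept
}

// Lowercase both sides; the entry's own spelling is kept in the result.
function filterFixed (requested, entryAttributes) {
  const wanted = new Set(requested.map((name) => name.toLowerCase()))
  const all = wanted.size === 0 || wanted.has('*')
  const kept = {}
  for (const [name, value] of Object.entries(entryAttributes)) {
    if (all || wanted.has(name.toLowerCase())) kept[name] = value
  }
  return kept
}

// Constructed sample entry and request (values are made up).
const entry = {
  sn: 'Me',
  mail: 'user@example.test',
  memberOf: 'ou=Everyone',
  userPassword: '{SSHA}constructed'
}
const requested = ['sn', 'mail', 'memberOf']

function demo () {
  return {
    buggy: Object.keys(filterBuggy(requested, entry)),
    fixed: Object.keys(filterFixed(requested, entry)),
    star: Object.keys(filterBuggy(['*'], entry))
  }
}

console.log(demo())
```

In this model the `['*']` request returns every attribute present on the entry, including ones the client never asked for, so a handler relying on the allow-all workaround has to build entries that contain only attributes it is willing to disclose.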