
Weird issue using AD objectGUID as search filter

From: Bruce Johnson
Date: February 17, 2021 18:24
Subject: Weird issue using AD objectGUID as search filter
Message ID: F476D49D-5F87-4B81-9503-3F24E03D61A3@pharmacy.arizona.edu
I've written two subroutines for getting sAMAccountName by objectGUID and vice versa; the main purpose is to manage a database table that stores the objectGUID as a Base64 encoded string. (The purpose of this is to maintain a match table for people in two different LDAP directories, one AD and the other not.)


use strict;
use warnings;
use Net::LDAPS;
use MIME::Base64 qw(encode_base64 decode_base64);

# $ldu and $ldp (bind user and password) are set elsewhere in the script.
our ($ldu, $ldp);

sub uname2guid {
	my $un = shift;
	# Net::LDAPS->new returns undef on failure and leaves the reason in $@ (not $0).
	my $aq = Net::LDAPS->new("ldaps://host.domain") or return "FAIL LDAP ERROR $@";
	# bind() always returns a message object; its result code says whether it worked.
	my $rs = $aq->bind("$ldu\@host.domain", password => $ldp);
	return "FAIL BIND ERROR " . $rs->error if $rs->code;
	my $sb = "DC=Host,DC=Domain";
	my $fi = "(samAccountName=$un)";
	my $at = ['objectGUID'];
	my $m  = $aq->search(base => $sb, filter => $fi, attrs => $at);
	if ($m->count > 0) {
		# objectGUID comes back as 16 raw bytes; store it Base64 encoded.
		my $gu = encode_base64($m->entry(0)->get_value('objectGUID'));
		chomp $gu;
		return $gu;
	}
	else {
		return "No GUID for $un";
	}
}

sub guid2uname {
	my $gu = decode_base64(shift);
	my $aq = Net::LDAPS->new("ldaps://host.domain") or return "FAIL LDAP ERROR $@";
	my $rs = $aq->bind("$ldu\@host.domain", password => $ldp);
	return "FAIL BIND ERROR " . $rs->error if $rs->code;
	my $sb = "DC=Host,DC=Domain";
	# The 16 raw GUID bytes are interpolated into the filter string as-is.
	my $fi = "(objectGUID=$gu)";
	my $at = ['sAMAccountName'];
	my $m  = $aq->search(base => $sb, filter => $fi, attrs => $at);
	if ($m->count > 0) {
		my $un = $m->entry(0)->get_value('sAMAccountName');
		return $un;
	}
	else {
		return "No Username for GUID " . encode_base64($gu);
	}
}


I'm running into valid user accounts where guid2uname is returning "No Username for GUID" where the username should definitely exist, because uname2guid returns the correct encoded objectGUID.

If I construct a standard ldap search to return the objectGUID in binary form and then use that returned value to perform a new search with the filter '(objectGUID=$return)' as the filter for the LDAP search, I get the LDAP error "Bad Filter", but ONLY for those particular users. It works just fine for others.

Could it be possible that somehow the binary object returned contains something like a control character that is doing something in perl-ldap, or is this an AD LDAP issue?

Has anyone ever run into something like this?


-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
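An added example illustrating the failure mode described in the post (editor's code, not Bruce's): objectGUID is 16 raw bytes, and whenever one of them happens to be a filter metacharacter such as '(', ')', '*', '\' or NUL, interpolating the bytes as-is produces a string that Net::LDAP::Filter cannot parse, which is why "Bad Filter" shows up only for some accounts. The code hex-escapes every byte in the RFC 4515 "\xx" form, then uses Net::LDAP::Filter (from perl-ldap, assumed installed) to show that the raw form fails to parse while the escaped form parses; the GUID bytes are constructed and do not belong to any real account.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use Net::LDAP::Filter;

# Encode every byte of a binary attribute value as RFC 4515 "\xx" so it can be
# interpolated safely into a filter string. Escaping all 16 bytes, not just the
# reserved characters, removes every byte the filter parser or the server could
# misread, including 0x00, '(', ')', '*', '\' and bytes above 0x7f.
sub guid_filter_value {
    my ($raw) = @_;
    return join '', map { sprintf '\\%02x', $_ } unpack 'C*', $raw;
}

# Build the full equality filter from a Base64-encoded objectGUID, the form
# the match table stores.
sub guid_filter {
    my ($b64) = @_;
    my $raw = decode_base64($b64);
    die "objectGUID is 16 bytes, got " . length($raw) . "\n" if length($raw) != 16;
    return '(objectGUID=' . guid_filter_value($raw) . ')';
}

# Constructed sample GUID (not a real account) whose first bytes are exactly the
# metacharacters that break the raw version: '(' ')' '*' '\' and a NUL.
my $sample = pack 'C*', 0x28, 0x29, 0x2a, 0x5c, 0x00, 0x11, 0x22, 0x33,
                        0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb;
my $b64 = encode_base64($sample, '');

# Raw interpolation, as in guid2uname above: the parser rejects it.
my $raw_filter = "(objectGUID=$sample)";
my $raw_ok = Net::LDAP::Filter->new($raw_filter);
printf "raw filter parses: %s\n",
    $raw_ok ? 'yes' : "no ($Net::LDAP::Filter::ErrStr)";

# Hex-escaped form: parses, and AD matches it against the binary attribute.
my $escaped_filter = guid_filter($b64);
print "$escaped_filter\n";
printf "escaped filter parses: %s\n",
    Net::LDAP::Filter->new($escaped_filter) ? 'yes' : 'no';
```

In guid2uname the same fix is a one-line change: pass guid_filter_value($gu) instead of $gu when building $fi.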



