getUsers() only return user with the surname * #107

Open
viyaha opened this issue Aug 13, 2021 · 1 comment

viyaha commented Aug 13, 2021

Describe the bug
I just started to "play around" with your library for now (my first time using Active Directory, so maybe I just did something wrong).
I just created a simple Windows-Hyper-V-AD-Setup (1 VM DomainController and 1 Client and 1 Server-VM to test SSO authentication). Everything works perfectly (=> Setup seems to be correct).
I just found "getUsers" in "src\sso\userdb.ts" and tried it to get all users that are registered in the AD.

Result: Empty Array

==> Looking at the code, the culprit seems to be:

filter: `(&(objectClass=user)(objectCategory=person)(sn=*)${

In my understanding, "(sn=*)" means to return only users with the surname "*". Updating a user's surname to "*" results in the user being returned by "getUsers".

To Reproduce
AD Setup and call getUsers. :)

Expected behavior
Should return users of domain.

Please also indicate:

  • Are you on a Windows domain? yes
  • Can you reach the domain controller? yes
  • Does your session have admin privileges? yes
  • Which authentication protocol? NTLM
@anotherCoward

Normal users (humans...) have a first name and surname in AD. Most service accounts don't. I wouldn't call it a bug.

On a medium size business:

  • 942 results with (&(objectClass=user)(objectCategory=person))
    • Including: computers, humans, service accounts, a lot of stuff I won't need for a user search or user list
  • 426 results with (&(objectClass=user)(objectCategory=person)(sn=*))
    • Including humans, no computers, but not all accounts for services, mail-forwarding and locations
  • 615 results with (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))
    • Accounts which are currently listed in the AD, including Administrator, Guest and a lot of others you are probably looking for.

A lot of them are deactivated too, but that could be checked with other filter-options.

You compare a testing env with 3 or 4 accounts to a business with lots of users, services and groups that all have different values set in their OU.

The (sn=*) search is fine in my opinion, but if you want to be more specific, use (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user)). This will match all users including service accounts but no computers.

I would suggest an override option of the default filter to fit your needs.
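
The filters compared in this thread can be checked offline. As an added example (not code from this library), the evaluator below handles the RFC 4515 subset they use and runs them over constructed entries: `(sn=*)` is the presence test (any surname set), while a literal asterisk is written `(sn=\2a)`. All names here (`parseFilter`, `matches`, `search`, `DIRECTORY`) are hypothetical, and `objectCategory` is simplified to a plain string.

```javascript
// Added illustration, not the library's code: RFC 4515 subset (&, |, !, presence, equality).
const unescapeValue = (v) => // decode escapes such as \2a (a literal "*")
  v.replace(/\\([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
function parseFilter(text) {
  let pos = 0;
  const expect = (ch) => { if (text[pos++] !== ch) throw new SyntaxError(`expected "${ch}"`); };
  const node = () => {
    expect("(");
    let result;
    if ("&|!".includes(text[pos])) {
      const op = text[pos++], children = [];
      while (text[pos] === "(") children.push(node());
      if (!children.length || (op === "!" && children.length !== 1)) throw new SyntaxError("bad operands");
      result = { op, children };
    } else {
      const end = text.indexOf(")", pos);
      const [, attr, raw] = /^([^=()]+)=(.*)$/.exec(text.slice(pos, end)) || [];
      if (end < 0 || !attr || (raw !== "*" && raw.includes("*"))) throw new SyntaxError("unsupported item");
      result = raw === "*"
        ? { op: "present", attr: attr.toLowerCase() } // (attr=*): attribute has any value
        : { op: "equal", attr: attr.toLowerCase(), value: unescapeValue(raw).toLowerCase() };
      pos = end;
    }
    expect(")");
    return result;
  };
  const tree = node();
  if (pos !== text.length) throw new SyntaxError("trailing characters");
  return tree;
}
function matches(f, entry) {
  const values = entry[f.attr] || [];
  switch (f.op) {
    case "&": return f.children.every((c) => matches(c, entry));
    case "|": return f.children.some((c) => matches(c, entry));
    case "!": return !matches(f.children[0], entry);
    case "present": return values.length > 0;
    default: return values.some((v) => v.toLowerCase() === f.value);
  }
}
const USER = ["top", "person", "organizationalPerson", "user"];
const DIRECTORY = [ // constructed sample entries, attribute names lower-cased
  { cn: ["alice"], objectclass: USER, objectcategory: ["person"], sn: ["Smith"] },
  { cn: ["svc-backup"], objectclass: USER, objectcategory: ["person"] }, // no surname set
  { cn: ["star"], objectclass: USER, objectcategory: ["person"], sn: ["*"] },
  { cn: ["WS01$"], objectclass: [...USER, "computer"], objectcategory: ["computer"] },
];
const search = (filter, tree = parseFilter(filter)) =>
  DIRECTORY.filter((e) => matches(tree, e)).map((e) => e.cn[0]);
```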
