How can I format an LDAP Filter that includes special characters? ('Classic' ASP)

user3012708 · Nov 20, 2013 · Viewed 14.5k times

I'm having trouble retrieving information via LDAP for certain groups I have the DistinguishedName of. The issue seems to relate to them having special characters.

Here are two examples, one working, one not:
All in Test Group
All in 463\"567y\\22\"¤&/2#%&! Test Group

and their DNs:
CN=All in Test Group,OU=Groups,DC=some,DC=test,DC=com
CN=All in 463\"567y\\22\"¤&/2#%&! Test Group,OU=Groups,DC=some,DC=test,DC=com

I know the DNs are correct, as I retrieve them from a user's managedObjects attribute, and have verified them in AD and also using ADSI Edit.

Now, onto what code I am using to retrieve the information, note that this code works fine on the group without special characters:

Dim strGroupdisplayName, strGroupsAMAccountname, strGroupmail

' strADUsername and strADPassword are bind credentials set elsewhere in the page.
Function GetGroupInfofromDN(group_str)
    ' On Error Resume Next hides any bind or lookup failure (such as the
    ' 80040e37 error shown in the EDIT below); the output variables then stay empty.
    On Error Resume Next
    Dim objGroup, objDNNamespace, strLDAPGroup
    ' The DN is used unchanged as the ADsPath after "LDAP://".
    strLDAPGroup = "LDAP://" & group_str
    Set objDNNamespace = GetObject("LDAP:")
    Set objGroup = objDNNamespace.OpenDSObject(strLDAPGroup, strADUsername, strADPassword, 0)
    objGroup.GetInfo
    strGroupdisplayName = ""
    strGroupsAMAccountname = ""
    strGroupmail = ""
    strGroupdisplayName = objGroup.Get("displayName")
    strGroupsAMAccountname = objGroup.Get("sAMAccountname")
    strGroupmail = objGroup.Get("mail")
    Set objGroup = Nothing
End Function

As for what I've tried... I've tried encoding the groups to URI format, I've tried replacing special characters with their escaped equivalents:

' Replace filter metacharacters (plus some RFC 4515 does not require) with \xx hex escapes.
' The backslash is handled first so the escapes added below are not escaped again.
strTemp = Replace(strTemp, "\", "\5c")
strTemp = Replace(strTemp, "(", "\28")
strTemp = Replace(strTemp, "|", "\7c")
strTemp = Replace(strTemp, "<", "\3c")
strTemp = Replace(strTemp, "/", "\2f")
strTemp = Replace(strTemp, ")", "\29")
strTemp = Replace(strTemp, "=", "\3d")
strTemp = Replace(strTemp, "~", "\7e")
strTemp = Replace(strTemp, "&", "\26")
strTemp = Replace(strTemp, ">", "\3e")
strTemp = Replace(strTemp, "*", "\2a")

I've also tried via regex to pull out the CN= section and only alter that.

Quite frankly, I'm at a loss as to what I should do here.

I've also tried another method:

Set connAD = Server.CreateObject("ADODB.Connection")
connAD.Provider = "ADsDSOObject"
connAD.Properties("User ID") = strADUsername
connAD.Properties("Password") = strADPassword
connAD.Properties("Encrypt Password") = True
connAD.Open

Function getADUserInfo(strUID)

    strGeneralLookupError = False
    strBase = "<LDAP://DC=SOME,DC=TEST,DC=COM>"
    ' strUID is placed in the filter as-is, so any backslashes it contains are
    ' read as RFC 4515 "\xx" escapes rather than as literal characters.
    strFilter = "(distinguishedName=" & strUID & ")"
    strAttributes = "cn, mail, company, givenName, sn, ADsPath, name, sAMAccountName, telephoneNumber, distinguishedName, managedObjects"
    strScope = "subtree"
    strFullCommand = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
    ' The recordset returned by Execute replaces the one created here.
    Set rsADUserInfo = Server.CreateObject("ADODB.Recordset")
    Set rsADUserInfo = connAD.Execute(strFullCommand)
    Set getADUserInfo = rsADUserInfo
    Set rsADUserInfo = Nothing
End Function

Sub getUserData(p_strUserID)

    strADLookupSuccess = True
    Set rsUserData = Server.CreateObject("ADODB.Recordset")
    Set rsUserData = getADUserInfo(p_strUserID)
    If Not rsUserData.EOF Then
        strUserADsPath = rsUserData("ADsPath")
        strUserdistinguishedName = rsUserData("distinguishedName")
    Else
        strADLookupSuccess = False
    End If
    rsUserData.Close
    Set rsUserData = Nothing
End Sub

Dim strUserADsPath, strUserdistinguishedName, rsUserData, rsADUserInfo, strADLookupSuccess
' VBScript has no backslash escapes, so the DN's own \" and \\ are written as-is;
' a literal double quote inside a VBScript string must be doubled ("").
getUserData("CN=All in 463\""567y\\22\""¤&/2#%&! Test Group,OU=Groups,DC=some,DC=test,DC=com")

connAD.Close
Set connAD = Nothing

Any suggestions? All the things I've read so far make mention of special characters, but escaping them does not seem to work...

Also, this is Classic ASP, running against a Windows Server 2008 R2-based domain.

EDIT:

Active Directory error '80040e37'

An invalid directory pathname was passed

is the error message given when I do manage to pass one with special characters.

Answer

jwilleke · Nov 22, 2013

You will need to escape the string according to RFC 4515, String Representation of Search Filters.

Generally, you need to escape the items listed in RFC 4515 String Representation of Search Filters and, I would suggest, also any non-UTF8 character.

I also found some methods that may be helpful to get you started.

I believe the proper escaped value you are trying to find is: All in 463"567y\5c22"\c2\a4&/2#%&! Test Group

Finally, quit it. Start populating and searching for Description or some other non-naming attribute (any attribute that is not part of the DN). Make your DNs never changing. No user should ever see a DN, which should be only a path to an entry. You will have issues with many "off-the-shelf" tools if you continue this practice.

I tried and was not even able to create the entry in two different vendors tools.
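An added worked example, not code from the question or the answer, written in Python rather than the poster's VBScript so the two escaping rules can be checked offline. From the plain group name it derives both the RFC 4514 DN form the question shows in managedObjects and the RFC 4515 filter-value form the answer gives, and then filter-escapes the whole DN for a (distinguishedName=...) lookup like the one in the second method. The function names, the for_adspath flag, and the choice to write non-ASCII characters as UTF-8 byte escapes (as the answer's value does) are assumptions made here, not part of either RFC's mandatory rules.

```python
# Added example: the same group name escaped for a DN (RFC 4514) and for a
# search filter (RFC 4515).  Pure string handling; no directory connection.

# The group's plain name, reconstructed from the DN in the question
# (the DN's \" and \\ undone): All in 463"567y\22"¤&/2#%&! Test Group
RAW_NAME = 'All in 463"567y\\22"\u00a4&/2#%&! Test Group'

# RFC 4515 section 3: these must be written as \xx hex escapes in a filter.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str, escape_non_ascii: bool = True) -> str:
    """Escape one assertion value (the text after '=' in a filter) per RFC 4515."""
    out = []
    for ch in value:
        if ch in FILTER_ESCAPES:
            out.append(FILTER_ESCAPES[ch])
        elif escape_non_ascii and ord(ch) > 0x7F:
            # Write non-ASCII characters as their UTF-8 bytes, one \xx per byte,
            # which is the form the answer uses for the currency sign (\c2\a4).
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# RFC 4514 section 2.4: characters that always need a backslash inside an RDN value.
DN_SPECIAL = '"+,;<>\\'


def escape_dn_value(value: str, for_adspath: bool = False) -> str:
    """Escape one attribute value of an RDN per RFC 4514.

    for_adspath is an ADSI-specific extra (assumption, not RFC 4514): ADsPath
    uses '/' as a separator, so a value used after "LDAP://" also escapes it.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in "# ":        # leading '#' or space
            out.append("\\" + ch)
        elif i == last and ch == " ":      # trailing space
            out.append("\\ ")
        elif for_adspath and ch == "/":
            out.append("\\/")
        else:
            out.append(ch)
    return "".join(out)


def build_filter(attribute: str, value: str) -> str:
    """Build an equality filter whose value is always escaped, so any '*', '('
    or ')' in the value stays a literal character instead of filter syntax."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


if __name__ == "__main__":
    dn = "CN=%s,OU=Groups,DC=some,DC=test,DC=com" % escape_dn_value(RAW_NAME)
    print("DN form        :", dn)
    print("filter by name :", build_filter("cn", RAW_NAME))
    # A DN placed in a filter is escaped a second time: its own backslashes become \5c.
    print("filter by DN   :", build_filter("distinguishedName", dn))
```

The two layers are the point: a DN already contains RFC 4514 backslash escapes, and when that DN is dropped into a filter unchanged, as the question's second method does, the filter parser reads `\"` as a malformed `\xx` escape; filter-escaping the DN first turns every `\` into `\5c`. The same build_filter is what keeps a value taken from user input from changing the filter's structure, since `*`, `(` and `)` are escaped before they reach the directory.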