我应该如何在Active Directory过滤器中转义逗号?

时间:2016-09-30 15:02:02

标签: python active-directory ldap ldap-query python-ldap

我正在使用python-ldap查询Active Directory

我有这个DN 

CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net

在查询中作为基础工作正常但是如果我尝试在像这样的搜索过滤器中使用它

(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net))

我收到Bad search filter错误。从我的测试来看,CN中的逗号似乎是罪魁祸首,即使我用反斜杠(\)将其转义。但是,逗号未在Microsoft documentation中列为需要在过滤器中转义的字符。

我错过了什么?

2 个答案:

答案 0 :(得分:5)

LDAP过滤器规范为以下字符* ( ) \ NUL指定了特殊含义,这些字符应使用反斜杠进行转义,然后在搜索过滤器中使用字符的两个字符ASCII十六进制表示Treetable):

*   \2A
(   \28
)   \29
\   \5C
Nul \00

这意味着用于转义可分辨名称'特殊字符(包括逗号)的反斜杠必须在搜索过滤器中由\5c表示:

(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net))

以下是在搜索过滤器中使用时必须使用\\5C进行转义的dn特殊字符列表:

+-------------------------------+---+
| comma                         | , |
+-------------------------------+---+
| Backslash character           | \ |
+-------------------------------+---+
| Pound sign (hash sign)        | # |
+-------------------------------+---+
| Plus sign                     | + |
+-------------------------------+---+
| Less than symbol              | < |
+-------------------------------+---+
| Greater than symbol           | > |
+-------------------------------+---+
| Semicolon                     | ; |
+-------------------------------+---+
| Double quote (quotation mark) | " |
+-------------------------------+---+
| Equal sign                    | = |
+-------------------------------+---+
| Leading or trailing spaces    |   |
+-------------------------------+---+

答案 1 :(得分:0)

使用带有转义字符的member:1.2.840.113556.1.4.1941进行搜索时,我遇到了非常奇怪的行为。

当搜索字词“正确”转义时,搜索似乎失败,但搜索字词未转义时搜索成功!

相比之下,使用member进行简单搜索无论搜索字词是否已转义,都会有效。

这是一个PowerShell示例。

function Find-AdObjects([string]$Filter) {

    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher
    $DirectorySearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
    $DirectorySearcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $DirectorySearcher.PropertiesToLoad.Add('distinguishedname') > $null
    $DirectorySearcher.PageSize = 100
    $DirectorySearcher.Filter = $Filter

    $SearchResultCollection = $DirectorySearcher.FindAll()

    foreach ($r in $SearchResultCollection) {
        $r.Properties['distinguishedname']
    }

    $SearchResultCollection.Dispose()
    $DirectorySearcher.Dispose()
}

$UserDn        = 'CN=Rees\, John,OU=Tier3,DC=big,DC=com'
$EscapedUserDn = 'CN=Rees\5C, John,OU=Tier3,DC=big,DC=com'

# Returns expected results with escaped search term
Find-AdObjects "(&(member=$EscapedUserDn))"

# Returns same results even though search term is NOT escaped correctly
Find-AdObjects "(&(member=$UserDn))"

# Returns NO results even though search term is escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$EscapedUserDn))"

# Returns recursive results even though search term is NOT escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$UserDn))"

所以我没有看到可接受的解决方法,因为似乎没有可靠的方法来转义可能包含各种特殊字符的DN:\ *()

相关问题
最新问题