0 votes

Hi,

I recently upgraded Adaxes from 2021.1 to 2023.2, and after the upgrade, an LDAP filter for retrieving the groups a user is owner of, stopped working.
The reason it stopped working is because all the paranthesis and backslashes in the string gets escaped.

From this:
(|(ObjectGuid=\06\0A\45\13\26\02\D9\4E\8B\57\7C\4A\21\84\BC\2F)(ObjectGuid=\24\30\B9\9A\DF\F9\8A\4A\95\A0\2A\1E\7B\E9\D0\BE)(ObjectGuid=\FE\B1\58\A8\34\9C\6B\45\AD\59\0A\E4\3A\C9\92\BE)(ObjectGuid=\26\EA\1A\3C\C5\10\42\42\9C\68\D1\F8\25\6A\D0\AF)(ObjectGuid=\B1\E9\F3\93\1D\0E\CA\44\A9\40\7A\9B\68\CA\97\28)(ObjectGuid=\9A\B7\5D\9D\3F\87\D0\4A\AE\D4\D8\DA\F4\88\10\6E)(ObjectGuid=\E2\DC\B5\0E\B0\30\6E\45\9F\68\7C\88\11\06\E3\3A)(ObjectGuid=\91\8E\BD\1A\73\96\F7\45\9F\67\DE\29\A4\DA\75\81)(ObjectGuid=\AD\5C\82\1C\30\B9\21\4B\95\41\0E\2F\D8\D3\3E\7A)(ObjectGuid=\05\B8\E6\33\FB\A9\50\4F\82\08\4A\7C\77\B6\B3\14)(ObjectGuid=\06\29\D0\34\64\C6\46\49\96\45\16\B9\FA\63\91\BE)(ObjectGuid=\49\BE\FD\44\39\DB\E2\4F\A5\6F\59\A8\3C\FD\21\C8)(ObjectGuid=\88\8A\69\51\98\5D\CD\48\B9\DD\2A\E3\4D\92\82\05)(ObjectGuid=\EB\70\E9\68\5A\59\53\45\B6\2C\14\98\8E\CA\A4\0C)(ObjectGuid=\F5\88\75\69\35\18\9A\4D\A9\C8\DF\B2\B5\5E\AC\68)(ObjectGuid=\A5\5A\79\6D\3B\BB\4D\43\9B\CF\33\88\40\E9\26\BA)(ObjectGuid=\B4\CD\32\80\19\7B\6B\4F\BA\E9\AC\45\D9\9D\3B\C5)(ObjectGuid=\9C\DE\D4\8C\7C\14\37\4C\BF\55\01\27\F7\04\9D\59)(ObjectGuid=\45\3D\55\98\CC\1A\A8\4C\82\76\2D\E6\B4\F1\C2\F7)(ObjectGuid=\29\BB\57\9C\13\27\C1\47\A6\A2\37\DA\4B\EF\C0\21)(ObjectGuid=\B1\3B\E9\BC\8A\9F\E5\41\90\2D\16\A5\43\AE\62\95)(ObjectGuid=\A9\DC\BE\BF\CA\54\64\47\87\6A\41\11\3C\4A\D7\00)(ObjectGuid=\D5\19\B6\CC\B9\38\4F\4B\A6\37\02\B1\61\96\C9\E8)(ObjectGuid=\96\3C\9F\DE\B9\EB\12\47\9C\DB\64\E2\75\3B\6B\90)(ObjectGuid=\BA\EA\86\E1\7E\49\ED\44\B0\B4\27\F8\A4\19\27\5B)(ObjectGuid=\78\55\FB\E4\20\55\00\4B\B3\4B\F2\69\A1\4C\F0\D9)(ObjectGuid=\E4\07\97\F4\4F\CE\AA\42\97\4C\7E\92\44\7E\AD\21)(ObjectGuid=\3A\43\A2\FA\E6\2E\85\4B\89\5E\65\EE\01\9E\0D\E2))

To this:
\28|\28ObjectGuid=\5C06\5C0A\5C45\5C13\5C26\5C02\5CD9\5C4E\5C8B\5C57\5C7C\5C4A\5C21\5C84\5CBC\5C2F\29\28ObjectGuid=\5C24\5C30\5CB9\5C9A\5CDF\5CF9\5C8A\5C4A\5C95\5CA0\5C2A\5C1E\5C7B\5CE9\5CD0\5CBE\29\28ObjectGuid=\5CFE\5CB1\5C58\5CA8\5C34\5C9C\5C6B\5C45\5CAD\5C59\5C0A\5CE4\5C3A\5CC9\5C92\5CBE\29\28ObjectGuid=\5C26\5CEA\5C1A\5C3C\5CC5\5C10\5C42\5C42\5C9C\5C68\5CD1\5CF8\5C25\5C6A\5CD0\5CAF\29\28ObjectGuid=\5CB1\5CE9\5CF3\5C93\5C1D\5C0E\5CCA\5C44\5CA9\5C40\5C7A\5C9B\5C68\5CCA\5C97\5C28\29\28ObjectGuid=\5C9A\5CB7\5C5D\5C9D\5C3F\5C87\5CD0\5C4A\5CAE\5CD4\5CD8\5CDA\5CF4\5C88\5C10\5C6E\29\28ObjectGuid=\5CE2\5CDC\5CB5\5C0E\5CB0\5C30\5C6E\5C45\5C9F\5C68\5C7C\5C88\5C11\5C06\5CE3\5C3A\29\28ObjectGuid=\5C91\5C8E\5CBD\5C1A\5C73\5C96\5CF7\5C45\5C9F\5C67\5CDE\5C29\5CA4\5CDA\5C75\5C81\29\28ObjectGuid=\5CAD\5C5C\5C82\5C1C\5C30\5CB9\5C21\5C4B\5C95\5C41\5C0E\5C2F\5CD8\5CD3\5C3E\5C7A\29\28ObjectGuid=\5C05\5CB8\5CE6\5C33\5CFB\5CA9\5C50\5C4F\5C82\5C08\5C4A\5C7C\5C77\5CB6\5CB3\5C14\29\28ObjectGuid=\5C06\5C29\5CD0\5C34\5C64\5CC6\5C46\5C49\5C96\5C45\5C16\5CB9\5CFA\5C63\5C91\5CBE\29\28ObjectGuid=\5C49\5CBE\5CFD\5C44\5C39\5CDB\5CE2\5C4F\5CA5\5C6F\5C59\5CA8\5C3C\5CFD\5C21\5CC8\29\28ObjectGuid=\5C88\5C8A\5C69\5C51\5C98\5C5D\5CCD\5C48\5CB9\5CDD\5C2A\5CE3\5C4D\5C92\5C82\5C05\29\28ObjectGuid=\5CEB\5C70\5CE9\5C68\5C5A\5C59\5C53\5C45\5CB6\5C2C\5C14\5C98\5C8E\5CCA\5CA4\5C0C\29\28ObjectGuid=\5CF5\5C88\5C75\5C69\5C35\5C18\5C9A\5C4D\5CA9\5CC8\5CDF\5CB2\5CB5\5C5E\5CAC\5C68\29\28ObjectGuid=\5CA5\5C5A\5C79\5C6D\5C3B\5CBB\5C4D\5C43\5C9B\5CCF\5C33\5C88\5C40\5CE9\5C26\5CBA\29\28ObjectGuid=\5CB4\5CCD\5C32\5C80\5C19\5C7B\5C6B\5C4F\5CBA\5CE9\5CAC\5C45\5CD9\5C9D\5C3B\5CC5\29\28ObjectGuid=\5C9C\5CDE\5CD4\5C8C\5C7C\5C14\5C37\5C4C\5CBF\5C55\5C01\5C27\5CF7\5C04\5C9D\5C59\29\28ObjectGuid=\5C45\5C3D\5C55\5C98\5CCC\5C1A\5CA8\5C4C\5C82\5C76\5C2D\5CE6\5CB4\5CF1\5CC2\5CF7\29\28ObjectGuid=\5C29\5CBB\5C57\5C9C\5C13\5C27\5CC1\5C47\5CA6\5CA2\5C37\5CDA\5C4B\5CEF\5CC0\5C21\29\28ObjectGuid=\5CB1\5C3B\5CE9\5CBC\5C8A\5C9F\5CE5\5C41\5C90\5C2D\5C16\5CA5\5C43\5CAE\5C62\5C95\29\28ObjectGuid=\5CA9\5CDC\5CBE\5CBF\5CCA\5C54\5C64\5C47\5C87\5C6A\5C41\5C11\5C3C\5C4A\5CD7\5C00\29\28ObjectGuid=\5CD5\5C19\5CB6\5CCC\5CB9\5C38\5C4F\5C4B\5CA6\5C37\5C02\5CB1\5C61\5C96\5CC9\5CE8\29\28ObjectGuid=\5C96\5C3C\5C9F\5CDE\5CB9\5CEB\5C12\5C47\5C9C\5CDB\5C64\5CE2\5C75\5C3B\5C6B\5C90\29\28ObjectGuid=\5CBA\5CEA\5C86\5CE1\5C7E\5C49\5CED\5C44\5CB0\5CB4\5C27\5CF8\5CA4\5C19\5C27\5C5B\29\28ObjectGuid=\5C78\5C55\5CFB\5CE4\5C20\5C55\5C00\5C4B\5CB3\5C4B\5CF2\5C69\5CA1\5C4C\5CF0\5CD9\29\28ObjectGuid=\5CE4\5C07\5C97\5CF4\5C4F\5CCE\5CAA\5C42\5C97\5C4C\5C7E\5C92\5C44\5C7E\5CAD\5C21\29\28ObjectGuid=\5C3A\5C43\5CA2\5CFA\5CE6\5C2E\5C85\5C4B\5C89\5C5E\5C65\5CEE\5C01\5C9E\5C0D\5CE2\29\29

This is how it appears in the interface: image.png

This is how it is configured: image.png

Any tips on how to prevent this from happening?

I also tried using a normal filter based on the "owners (Managed by)" attribute instead, like this: image.png

It works, but sadly it is quite slow.

Best regards Martin

by (100 points)
0

Hello Martin,

Any tips on how to prevent this from happening?

How exactly is the LDAP filter placed into CustomAttributeText8? If it is done by a script, please, provide the script in TXT format.

I also tried using a normal filter based on the "owners (Managed by)" attribute instead, like this It works, but sadly it is quite slow.

Most probably, it is about the number of objects you have in all the managed domains. If you only need on-premises AD objects, try using Managed By (Primary owners) instead.

It is still better to use criteria as it will definitely be up to date while the filter in the attribute can be outdated.

0

Hi,

How exactly is the LDAP filter placed into CustomAttributeText8?

The following script populates the value:

$propertyForLDAPFilter = "adm-CustomAttributeText8" # TODO: modify me

try
{
    # Get GUIDs of all objects managed by the user
    $managedObjectGuids = $Context.TargetObject.GetEx("adm-ManagedObjectsGuid")
}
catch
{
    # Set an empty GUID as the filter so no objects are returned
    $Context.TargetObject.Put($propertyForLDAPFilter, "(objectGuid=\00)")
    $Context.TargetObject.SetInfo()
    return
}

# Build filter
$ldapFilter = New-Object "System.Text.StringBuilder"
[Void]$ldapFilter.Append("(|")
foreach ($guid in $managedObjectGuids)
{
    $filterPart = [Softerra.Adaxes.Ldap.FilterBuilder]::Create("ObjectGuid", $guid)
    [Void]$ldapFilter.Append($filterPart)
}
[Void]$ldapFilter.Append(")")

# Save filter to the property specified
$Context.TargetObject.Put($propertyForLDAPFilter, $ldapFilter.ToString())
$Context.TargetObject.SetInfo()

This is how it appears in Adaxes Management Console: image.png

Most probably, it is about the number of objects you have in all the managed domains. If you only need on-premises AD objects, try using Managed By (Primary owners) instead.

It is still better to use criteria as it will definitely be up to date while the filter in the attribute can be outdated.

I have limited the scope to a single on-prem domain, but still, using the Owners (Managed By) attribute is too slow. I would like to make use of the new multi-owner functionality, so I'll try to avoid using Managed By (Primary owners) if I can.

BTW, is the adm-ManagedObjectsGuid attribute equivalent to all owners or only primary owners? I am not familiar with the attribute as I didn't write the script, it is my predecessor's work.

1 Answer

0 votes
by (284k points)
selected by
Best answer

Hello Martin,

The following script populates the value

Thank you for the provided script. The behavior is be design and cannot be changed. Using a dedicated criteria directly in the action settings is the only way.

is the adm-ManagedObjectsGuid attribute equivalent to all owners or only primary owners?

Have a look at the following help article: https://www.adaxes.com/help/ObjectOwners. It describes the full functionality of Adaxes related to object ownership.

0

Thank you for the provided script. The behavior is be design and cannot be changed. Using a dedicated criteria directly in the action settings is the only way.

I guess the intent is to auto-escape attributes that are used in a semi hard-coded LDAP filter, but this greatly limits its usability. It is also not made clear that this conversion is applied to the inserted value reference, which is unlike how it behaves anywhere else in Adaxes, where the value is inserted unchanged. For the next version of Adaxes, may I suggest that instead of auto-escaping the string, you add an additional formatting paramenter for LDAP escaping? Similar to what is documented here: https://adaxes.com/help/ValueReferences/

Have a look at the following help article: https://www.adaxes.com/help/ObjectOwners. It describes the full functionality of Adaxes related to object ownership.

Thank you

0

Hello Martin,

may I suggest that instead of auto-escaping the string, you add an additional formatting paramenter for LDAP escaping?

Thank you for the suggestion. We forwarded it to the corresponding department for consideration.

0

Great, thank you!

Related questions

0 votes
1 answer

hi- how do I merge 2 ldap filter? Basically #1 just shows the Users OU within those NY/LA/DC OUs and #2 list other OUs. I have to update a console and ... =organizationalUnit)(|(name=Offsite*)(name=Service Accounts)(name=Pubco_Users)(name=PWD Reset OU)))

asked May 22, 2014 by MeliOnTheJob (1.7k points)
0 votes
1 answer

I have a web view set up where the user is locked down to only seeing thier approvals. When they get a email notification, and click on the approve or deny link, ... that would grant this access but I am wondering if there is something I am missing.

asked Apr 7, 2023 by mightycabal (1.0k points)
0 votes
1 answer

Hi, I want to change the default UPN suffix for user creation. We only have a single UPN suffix we use at our organization however when we create a user using the web ... We only ever want to use the @mycompany.com so a list of options isn't requried.

asked Jun 29, 2022 by PeterG (40 points)
0 votes
1 answer

I've got the script working as is and would like to add a column to display the number of days left before the password expires. I attempted to use adm-AccountExpiresDaysLeft ... error, probably because I don't know how to convert it to a displayable format.

asked Feb 12, 2021 by sandramnc (870 points)
0 votes
1 answer

We have a single AD domain that also matches our primary email domain (e.g. @primarydomain.com), but we also have multiple company specific email domains (e.g. @companydomain. ... like to also link the companydomain.com to the user's company value set in AD.

asked Apr 29, 2020 by JacquesKruger (20 points)
3,501 questions
3,193 answers
8,145 comments
547,392 users