[CentOS] sssd ldap_user_search_base filters with '#' characters in names
James Pearson
james-p at moving-picture.com
Fri Nov 16 21:57:37 UTC 2018
James Pearson wrote:
>
> I'm trying to craft an ldap search filter for use with
> ldap_user_search_base in sssd.conf which is using Active Directory (AD)
> as the back end on CentOS 7 clients
>
> The filter looks for users that are memberOf a particular group -
> however, the group name starts with a '#' character - i.e. in AD, the
> group name is listed as something like '#ABC XYZ'
>
> But when I set ldap_user_search_base to something like:
>
> ldap_user_search_base =
> OU=Users,DC=Example,DC=com?subtree?(memberOf=CN=#ABC
> XYZ,OU=Groups,DC=Example,DC=com)
>
> then 'getent passwd user' fails to return anything (for 'user' that is
> in that group)
>
> However, when using the above syntax with a group name that doesn't
> start with a '#' character, then things work as expected
>
> When I use ldapsearch, it reports that the user is a memberOf:
>
> memberOf: CN=\#ABC XYZ,OU=Groups,DC=Example,DC=com
>
> But using the '\' in sssd.conf for the search filter causes sssd to error
> with 'Invalid search filter' in the logs
>
> Escaping the Escape ('\\') also gives 'Invalid search filter'
>
> Does anyone know how to 'escape' special characters in search filters in
> sssd.conf ?
After going round in circles for a while - I managed to get this working.

Turns out you can use the hexadecimal code for characters in an LDAP
filter/search path/whatever - which is escaped via '\' followed by 2
hexadecimal characters - so the following works:

memberOf: CN=\5C#ABC XYZ,OU=Groups,DC=Example,DC=com

i.e. 5C is the character code for '\'

This also explains why I was getting 'Invalid search filter' previously,
as my use of '\' was followed by invalid hexadecimal characters ...
James Pearson
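As an added illustration (not part of James's post), here are the two escaping layers at work in this thread: RFC 4514 escapes the leading '#' in the group's DN, and RFC 4515 then escapes that backslash as \5C inside the filter value. The function names are my own, and the DNs are the example ones from the thread; the last function models the check sssd is effectively applying when it rejects '\#' and '\\' with 'Invalid search filter'.

```python
import string

# Characters that RFC 4514 requires escaping inside a DN attribute value.
_DN_SPECIAL = ',+"\\<>;'
# Characters that RFC 4515 requires escaping inside a filter assertion value.
_FILTER_SPECIAL = '\\*()\x00'

def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514. A leading '#' and
    leading/trailing spaces get a '\\' prefix, which is why ldapsearch
    reports the group as CN=\\#ABC XYZ,..."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)

def escape_filter_value(value: str) -> str:
    """Escape a filter assertion value per RFC 4515: the only legal escape is
    '\\' followed by exactly two hex digits, so the DN's '\\' becomes '\\5C'."""
    return ''.join('\\%02X' % ord(ch) if ch in _FILTER_SPECIAL else ch for ch in value)

def memberof_filter(group_cn: str, groups_base: str) -> str:
    """Build (memberOf=<group DN>) with the DN escaped at both layers."""
    dn = 'CN=%s,%s' % (escape_dn_value(group_cn), groups_base)
    return '(memberOf=%s)' % escape_filter_value(dn)

def sssd_search_base(users_base: str, flt: str, scope: str = 'subtree') -> str:
    """Compose the base?scope?filter form that ldap_user_search_base accepts."""
    return '%s?%s?%s' % (users_base, scope, flt)

def filter_escapes_valid(flt: str) -> bool:
    """True only if every '\\' in the filter is followed by two hex digits;
    '\\#' and '\\\\' both fail, matching sssd's 'Invalid search filter'."""
    i = 0
    while i < len(flt):
        if flt[i] == '\\':
            pair = flt[i + 1:i + 3]
            if len(pair) != 2 or not all(c in string.hexdigits for c in pair):
                return False
            i += 3
        else:
            i += 1
    return True

if __name__ == '__main__':
    f = memberof_filter('#ABC XYZ', 'OU=Groups,DC=Example,DC=com')
    print(sssd_search_base('OU=Users,DC=Example,DC=com', f))
```

Running it prints the exact ldap_user_search_base value that works in the thread, with CN=\5C#ABC XYZ in the filter.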