Question
The implementation below works for regular group names but fails for groups with a "#" in the name.
First I search for the DN of the group:
package main

import (
    "fmt"

    "github.com/go-ldap/ldap/v3"
)

// members returns the enabled users of the group, looked up in two searches.
func members(l *ldap.Conn) ([]*ldap.Entry, error) {
    group := "#ABCDE"
    // First search: the DN of the group, found by its cn.
    filter := fmt.Sprintf("(&(objectCategory=group)(cn=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", ldap.EscapeFilter(group))
    sr, err := l.Search(&ldap.SearchRequest{
        BaseDN:     "dc=ad,dc=some",
        Scope:      ldap.ScopeWholeSubtree, // subtree
        Filter:     filter,
        Attributes: []string{"member", "cn", "dn"},
        //Attributes: []string{"member", "cn", "dn", "samaccountname"},
    })
    if err != nil {
        return nil, err
    }
    if len(sr.Entries) == 0 {
        return nil, fmt.Errorf("group %q not found", group)
    }
    //dn := "CN=//#ABCDE,OU=ABC,OU=ABGroups,OU=ADEF,OU=GHU,DC=ad,DC=some"
    dn := sr.Entries[0].DN
    // Second search: enabled users whose memberOf contains that DN.
    filter2 := fmt.Sprintf("(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=%s))", ldap.EscapeFilter(dn))
    result, err := l.Search(&ldap.SearchRequest{
        BaseDN:     "dc=ad,dc=some",
        Scope:      ldap.ScopeWholeSubtree, // subtree
        Filter:     filter2,
        Attributes: []string{"sAMAccountName"},
    })
    if err != nil {
        return nil, err
    }
    return result.Entries, nil
}
The dn for the group contains an escape for the "#". If ldap.EscapeFilter(dn) isn't used, an exception is thrown. Same result as when setting the dn to the commented-out assignment dn := "CN//#ABCD...
Using the dn from the first search, I get 0 users if the group name contains a "#"... Not having a "/#" in the first search works fine; I get the dn. Using a "/#" in the first search returns zero found...
The current workaround is to have an LDAP group ABDE = #ABCDE; this seems to work, but why not the one above?
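As an added example (not code from the question or from go-ldap), the two escaping layers that meet when a group name starts with "#", written in plain Go so it runs stand-alone. escapeRDNValue applies the RFC 4514 rule a directory server uses when it renders an entry DN: a leading "#" is backslash-escaped, which is why the first search returns the group as CN=\#ABCDE,... rather than CN=#ABCDE,.... escapeFilterValue re-implements, for the same set of bytes, what ldap.EscapeFilter does per RFC 4515 (backslash, asterisk, parentheses, NUL and non-ASCII become \XX), so the returned DN lands in the second filter as memberOf=CN=\5c#ABCDE,...; unescapeFilterValue shows that the server parses that back to CN=\#ABCDE,..., the stored DN form. membersFilterUnsafe is included only to show why the escaping is not optional: an unescaped value can close the assertion and widen the query. The container path is the one quoted in the question; the injected input in main is constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// escapeRDNValue applies the RFC 4514 rules a directory server uses when it
// renders an attribute value inside a DN: a leading '#' or space, a trailing
// space, and the characters , + " \ < > ; get a backslash in front of them.
// A group with cn "#ABCDE" is therefore returned as CN=\#ABCDE,... .
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case i == 0 && (c == '#' || c == ' '):
			b.WriteByte('\\')
		case i == len(v)-1 && c == ' ':
			b.WriteByte('\\')
		case strings.IndexByte(",+\"\\<>;", c) >= 0:
			b.WriteByte('\\')
		}
		b.WriteByte(c)
	}
	return b.String()
}

// escapeFilterValue applies RFC 4515 escaping to a value embedded in a search
// filter, for the same bytes go-ldap's ldap.EscapeFilter handles: backslash,
// asterisk, parentheses, NUL and anything above 0x7f become \XX.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c > 0x7f || c == '(' || c == ')' || c == '\\' || c == '*' || c == 0 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unescapeFilterValue reverses RFC 4515 escaping, i.e. it yields the bytes the
// server compares against the attribute: \5c#ABCDE turns back into \#ABCDE.
func unescapeFilterValue(v string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		if v[i] != '\\' {
			b.WriteByte(v[i])
			continue
		}
		if i+2 >= len(v) {
			return "", fmt.Errorf("truncated escape at offset %d", i)
		}
		n, err := strconv.ParseUint(v[i+1:i+3], 16, 8)
		if err != nil {
			return "", fmt.Errorf("bad escape at offset %d: %w", i, err)
		}
		b.WriteByte(byte(n))
		i += 2
	}
	return b.String(), nil
}

// groupFilter is the first query of the question: look a group up by cn.
func groupFilter(cn string) string {
	return fmt.Sprintf("(&(objectCategory=group)(cn=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", escapeFilterValue(cn))
}

// membersFilter is the second query: enabled users whose memberOf holds the
// group DN, passed exactly as the server returned it (RFC 4514 form) and then
// filter-escaped, so the backslash in CN=\#ABCDE becomes \5c.
func membersFilter(groupDN string) string {
	return fmt.Sprintf("(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=%s))", escapeFilterValue(groupDN))
}

// membersFilterUnsafe interpolates the value verbatim. With an untrusted value
// a crafted "DN" can close the assertion and widen the query (filter injection).
func membersFilterUnsafe(groupDN string) string {
	return fmt.Sprintf("(&(objectClass=user)(memberOf=%s))", groupDN)
}

func main() {
	// Container path as quoted in the question; the rest is constructed here.
	container := "OU=ABC,OU=ABGroups,OU=ADEF,OU=GHU,DC=ad,DC=some"
	cn := "#ABCDE"
	dn := "CN=" + escapeRDNValue(cn) + "," + container // the shape of sr.Entries[0].DN
	fmt.Println(groupFilter(cn))
	fmt.Println(dn)
	fmt.Println(membersFilter(dn))
	seen, _ := unescapeFilterValue(escapeFilterValue(dn))
	fmt.Println("value the server compares:", seen)
	fmt.Println("unsafe:", membersFilterUnsafe("x)(cn=*"))   // assertion closed, query widened
	fmt.Println("safe:  ", membersFilter("x)(cn=*"))         // metacharacters neutralised
}
```

The point to take from the round trip is that a DN string carries its own (RFC 4514) escaping, and embedding it in a filter adds a second (RFC 4515) layer on top; the two must be applied in that order and not conflated, and the filter layer is also what stops a caller-supplied name from rewriting the query.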
Source: https://stackoverflow.com/questions/65309123/ldap-search-for-all-members-using-a-group-with-in-the-name