Python: how do I escape a comma in an Active Directory filter?
I'm querying Active Directory with python-ldap. I have this DN
CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net
as the base of the query, which works fine, but if I try to use it in a search filter like this
(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net))
I get a "Bad search filter" error. From my testing the comma in the CN seems to be the culprit, even though I escaped it with a backslash (\). However, the comma isn't listed as a character that needs to be escaped in a filter. What am I missing?

The LDAP filter specification gives the following characters special meaning; when used in a search filter they must be escaped as a backslash followed by the two-character ASCII hex representation of the character:
This means that any backslash used to escape a special character in a distinguished name (including a comma) must be represented as \5c in the search filter:
(&(objectClass=group)(memberof:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net))
Here is the list of DN special characters that must be escaped with \ or \5C when used in a search filter:
+-------------------------------+---+
| comma | , |
+-------------------------------+---+
| Backslash character | \ |
+-------------------------------+---+
| Pound sign (hash sign) | # |
+-------------------------------+---+
| Plus sign | + |
+-------------------------------+---+
| Less than symbol | < |
+-------------------------------+---+
| Greater than symbol | > |
+-------------------------------+---+
| Semicolon | ; |
+-------------------------------+---+
| Double quote (quotation mark) | " |
+-------------------------------+---+
| Equal sign | = |
+-------------------------------+---+
| Leading or trailing spaces | |
+-------------------------------+---+
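To make the two layers of escaping concrete, here is an added example (not code from the question or either answer) that re-implements both rules in pure Python so it runs without python-ldap installed: RFC 4514 escaping for a value inside a DN, and RFC 4515 hex escaping for a value inside a filter. python-ldap ships equivalents as ldap.dn.escape_dn_chars and ldap.filter.escape_filter_chars. The DN, container and function names are the author's own; the "evil" CN is a constructed input showing why the filter-level escape also matters for LDAP injection, not just for the "Bad search filter" error.

```python
"""Escaping a DN for use inside an LDAP search filter (added example)."""

# RFC 4514: characters that must be backslash-escaped inside an RDN value.
# '=' is not required by the RFC, but it is in Active Directory's list and
# escaping it is always permitted, so it is included (assumption: AD list).
_DN_SPECIALS = {
    "\\": "\\\\", ",": "\\,", "+": "\\+", '"': '\\"',
    "<": "\\<", ">": "\\>", ";": "\\;", "=": "\\=",
}

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_SPECIALS = {
    "\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00",
}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in a DN string."""
    out = "".join(_DN_SPECIALS.get(ch, ch) for ch in value)
    # A leading '#' or space, and a trailing space, also need a backslash.
    if out.startswith(("#", " ")):
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value (here a whole DN string) for a search filter.

    The DN keeps its own RFC 4514 escapes; every backslash in it becomes \\5c,
    which is why 'Whalen\\, Sean' turns into 'Whalen\\5c, Sean'.
    """
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_dn(cn: str, container: str) -> str:
    """Build a DN from a raw CN and an already-escaped container DN."""
    return f"CN={escape_rdn_value(cn)},{container}"


def groups_containing_filter(user_dn: str, attribute: str = "memberof") -> str:
    """Build the filter from the question with the DN correctly escaped.

    1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.
    """
    return (
        "(&(objectClass=group)"
        f"({attribute}:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)}))"
    )


if __name__ == "__main__":
    # Constructed input: the DN from the question.
    container = "OU=Users,OU=Users and Groups,DC=example,DC=net"
    dn = build_dn("Whalen, Sean", container)
    print(dn)                            # CN=Whalen\, Sean,OU=Users,...
    print(groups_containing_filter(dn))  # ...:=CN=Whalen\5c, Sean,OU=Users,...

    # A CN an attacker controls cannot break out of the filter: '*', '(' and ')'
    # are neutralised before the string reaches the directory.
    evil = build_dn("x)(objectClass=*", container)
    print(groups_containing_filter(evil))
```

The two escapes are applied in order: first the value is escaped for the DN, then the whole DN string is escaped for the filter. Doing only the first step reproduces the "Bad search filter" error from the question; skipping both and interpolating a user-supplied name straight into the filter is the classic LDAP injection pattern.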
I ran into very strange behaviour when searching member:1.2.840.113556.1.4.1941 with escaped characters.
When the search term is "correctly" escaped the search appears to fail, but when the search term is not escaped the search succeeds.
By contrast, a plain search using member works whether or not the search term is escaped.
Here is a PowerShell example:
function Find-AdObjects([string]$Filter) {
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher
    $DirectorySearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
    $DirectorySearcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $DirectorySearcher.PropertiesToLoad.Add('distinguishedname') > $null
    $DirectorySearcher.PageSize = 100
    $DirectorySearcher.Filter = $Filter
    $SearchResultCollection = $DirectorySearcher.FindAll()
    foreach ($r in $SearchResultCollection) {
        $r.Properties['distinguishedname']
    }
    $SearchResultCollection.Dispose()
    $DirectorySearcher.Dispose()
}

$UserDn = 'CN=Rees\, John,OU=Tier3,DC=big,DC=com'
$EscapedUserDn = 'CN=Rees\5C, John,OU=Tier3,DC=big,DC=com'

# Returns expected results with escaped search term
Find-AdObjects "(&(member=$EscapedUserDn))"

# Returns same results even though search term is NOT escaped correctly
Find-AdObjects "(&(member=$UserDn))"

# Returns NO results even though search term is escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$EscapedUserDn))"

# Returns recursive results even though search term is NOT escaped correctly
Find-AdObjects "(&(member:1.2.840.113556.1.4.1941:=$UserDn))"
So I can't see an acceptable workaround, since there seems to be no reliable way to escape a DN that might contain any of the special characters: \*()

Have you tried adding a second backslash? Depending on how the search is executed, the first backslash may need to be escaped to make it through to LDAP ;)

Thanks for the detailed response. The query seems to run now, but after taking the same amount of time as PowerShell it returns zero results. Any idea why?

I don't know; it's worth making sure ldap parses the query correctly. Depending on what executes the query (what kind of program, and how it parses the string), and as Heiglanderas suggested, the backslash itself may need to be escaped (so it is parsed as a literal backslash), resulting in \\5c

@EricLavault I also ran into the strange zero-results problem after correctly escaping the search term, but only when doing a recursive search. I've added a full description as an answer.

@SeanW. Since escaping \ to \5c made your Bad search filter error go away, I think this is a strange interaction between Python string escaping and AD escaping. Since \5C is then sent to AD, you've hit the flaw in AD's recursive search (see the answer below) when \ is escaped to \5C. I'd suggest escaping to \\ rather than \5C, so the end of the search term should be CN=Whalen\\,Sean,OU=Users,OU=Users and Groups,DC=example,DC=net. I'm guessing Python will parse \\ as a single \ and send that to Active Directory, and all will be well.