jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.


getUsers() only returns users with the surname *

viyaha opened this issue · comments

Describe the bug
I just started to "play around" with your library for now (my first time using Active Directory, so maybe I just did something wrong).
I just created a simple Windows Hyper-V AD setup (1 domain controller VM, 1 client VM and 1 server VM to test SSO authentication). Everything works perfectly (=> the setup seems to be correct).
I just found "getUsers" in "src\sso\userdb.ts" and tried it to get all users that are registered in the AD.

Result: Empty Array

==> Looking at the code, the culprit seems to be:

filter: `(&(objectClass=user)(objectCategory=person)(sn=*)${

In my understanding, "(sn=*)" means to return only users with the surname "*". Updating a user's surname to "*" results in that user being returned by "getUsers".

To Reproduce
AD Setup and call getUsers. :)

Expected behavior
Should return users of domain.

Please indicate also:

  • Are you on a Windows domain? yes
  • Can you reach the domain controller? yes
  • Does your session have admin privileges? yes
  • Which authentication protocol? NTLM

Normal users (humans...) have a first name and surname in AD. Most service accounts don't. I wouldn't call it a bug.

On a medium size business:

  • 942 results with (&(objectClass=user)(objectCategory=person))
    • Including: computers, humans, service accounts a lot of stuff i won't need for a user search or user list
  • 426 results with (&(objectClass=user)(objectCategory=person)(sn=*))
    • Including humans, no computers, but not all accounts for services, mail forwarding and locations
  • 615 results with (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))
    • Accounts which are currently listed in the AD, including Administrator, Guest and a lot of others you are probably looking for.

A lot of them are deactivated too, but that could be checked with other filter-options.

You are comparing a test environment with 3 or 4 accounts to a business with lots of users, services and groups that all have different values set in their OU.

The (sn=*) search is fine in my opinion, but if you want to be more specific, use (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user)). This will match all users including service accounts, but no computers.

I would suggest an override option of the default filter to fit your needs.
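Added example, not code from node-expose-sspi or from either participant in the thread. In RFC 4515 LDAP filter syntax, `(sn=*)` is a presence filter: it selects every entry that has an `sn` attribute at all, whatever its value, which is why human accounts with a surname appear and service accounts without one do not. A literal asterisk has to be escaped as `\2a` to be matched as a value. The snippet below is a small evaluator for a subset of that syntax (`&`, `|`, `!`, equality, presence and `*`-wildcard substring filters, with `\XX` hex escapes) run over a constructed sample directory, so the filters discussed above can be compared offline. `escapeFilterValue` is included because the `getUsers` filter shown in the issue interpolates a `${...}` value into the filter string; anything that reaches such a template from a user should be escaped this way, otherwise `*`, `(` and `)` in the input change the meaning of the filter. All function names and the sample entries are this example's own assumptions, not the library's API or real AD data.

```typescript
// Added example (not code from node-expose-sspi): evaluator for a subset of RFC 4515
// LDAP search filters over constructed entries. Attribute names and values are compared
// case-insensitively, as AD does for the attributes used here.
type Entry = Record<string, string[]>;
type Pred = (e: Entry) => boolean;

// RFC 4515 escaping for a value interpolated into a filter: "*" becomes "\2a", so it is
// matched literally instead of acting as a presence test or wildcard; "(", ")", "\" and
// NUL are escaped the same way so the value cannot close or extend the filter.
function escapeFilterValue(value: string): string {
  return value.replace(/[\\*()\0]/g, (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Decode "\XX" hex escapes back into the literal characters they stand for.
function unescapeValue(v: string): string {
  return v.replace(/\\([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function attrValues(e: Entry, attr: string): string[] {
  const key = Object.keys(e).find((k) => k.toLowerCase() === attr.toLowerCase());
  return key ? e[key] : [];
}

// Recursive-descent parser that turns a filter string into a predicate over entries.
function parseFilter(filter: string): Pred {
  let pos = 0;
  const expect = (ch: string): void => {
    if (filter[pos] !== ch) throw new Error(`expected '${ch}' at offset ${pos} in ${filter}`);
    pos++;
  };

  function parseItem(): Pred {
    expect('(');
    let pred: Pred;
    const op = filter[pos];
    if (op === '&' || op === '|') {
      pos++;
      const subs: Pred[] = [];
      while (filter[pos] === '(') subs.push(parseItem());
      pred = op === '&' ? (e) => subs.every((p) => p(e)) : (e) => subs.some((p) => p(e));
    } else if (op === '!') {
      pos++;
      const sub = parseItem();
      pred = (e) => !sub(e);
    } else {
      const end = filter.indexOf(')', pos);
      if (end < 0) throw new Error(`unterminated item in ${filter}`);
      const body = filter.slice(pos, end);
      pos = end;
      const eq = body.indexOf('=');
      if (eq < 1) throw new Error(`unsupported item '${body}'`);
      const attr = body.slice(0, eq);
      const raw = body.slice(eq + 1);
      if (raw === '*') {
        // Presence filter: any entry that has the attribute, regardless of its value.
        pred = (e) => attrValues(e, attr).length > 0;
      } else if (raw.includes('*')) {
        // Substring filter: unescaped '*' is a wildcard; escaped bytes are literal.
        const re = new RegExp('^' + raw.split('*').map((p) => escapeRegExp(unescapeValue(p))).join('.*') + '$', 'i');
        pred = (e) => attrValues(e, attr).some((v) => re.test(v));
      } else {
        // Equality filter: only a value equal to the unescaped assertion matches.
        const wanted = unescapeValue(raw).toLowerCase();
        pred = (e) => attrValues(e, attr).some((v) => v.toLowerCase() === wanted);
      }
    }
    expect(')');
    return pred;
  }

  const pred = parseItem();
  if (pos !== filter.length) throw new Error(`trailing characters at offset ${pos} in ${filter}`);
  return pred;
}

// Returns the sAMAccountName of every entry the filter selects, in directory order.
function search(filter: string, entries: Entry[]): string[] {
  const pred = parseFilter(filter);
  return entries.filter(pred).map((e) => e.sAMAccountName[0]);
}

// Constructed sample directory (assumed data, not a real AD export): a human with a
// surname, a service account without one, a human whose surname is literally "*", and
// a computer account.
const PERSON = ['top', 'person', 'organizationalPerson', 'user'];
const SAMPLE_DIRECTORY: Entry[] = [
  { sAMAccountName: ['alice'], objectClass: PERSON, objectCategory: ['person'], givenName: ['Alice'], sn: ['Smith'] },
  { sAMAccountName: ['svc-backup'], objectClass: PERSON, objectCategory: ['person'] },
  { sAMAccountName: ['star'], objectClass: PERSON, objectCategory: ['person'], sn: ['*'] },
  { sAMAccountName: ['WS01$'], objectClass: [...PERSON, 'computer'], objectCategory: ['computer'] },
];

// Stand-alone run: presence filter, escaped literal "*", and the two filters from the thread.
for (const f of [
  '(sn=*)',
  `(sn=${escapeFilterValue('*')})`,
  '(&(objectClass=user)(objectCategory=person)(sn=*))',
  '(&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))',
]) {
  console.log(f, '->', search(f, SAMPLE_DIRECTORY).join(', '));
}
```

With the sample directory, `(sn=*)` selects `alice` and `star`, the escaped form `(sn=\2a)` selects only `star`, and the longer `!(objectClass=computer)` filter from the comment above selects `alice`, `svc-backup` and `star` while leaving out `WS01$`. The evaluator only covers the filter features used in this thread; approximate-match, ordering and extensible-match filters are not implemented.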