getUsers() only return user with the surname *
viyaha opened this issue · comments
Describe the bug
I just started to "play around" with your library for now (my first time using Active Directory, so maybe I just did something wrong).
I just created a simple Windows-Hyper-V-AD-Setup (1 VM DomainController and 1 Client and 1 Server-VM to test SSO authentication). Everything works perfectly (=> Setup seems to be correct).
I just found "getUsers" in "src\sso\userdb.ts" and tried it to get all users that are registered in the AD.
Result: Empty Array
==> Looking at the code, the culprit seems to be:
node-expose-sspi/src/sso/userdb.ts
Line 106 in aa53a41
In my understanding, "(sn=*)" means to return only users with the surname "*". Updating a user's surname to "*" results in the user being returned by "getUsers".
To Reproduce
AD Setup and call getUsers. :)
Expected behavior
Should return users of domain.
Please indicate also:
- Are you on a Windows domain ? yes
- Can you reach the domain controller ? yes
- Does your session have admin privileges ? yes
- Which authentication protocol ? NTLM
Normal users (humans...) have a first name and surname in AD. Most service accounts don't. I wouldn't call it a bug.
On a medium-sized business:
- 942 results with (&(objectClass=user)(objectCategory=person))
  - Including: computers, humans, service accounts, a lot of stuff I won't need for a user search or user list
- 426 results with (&(objectClass=user)(objectCategory=person)(sn=*))
  - Including humans, no computers, but not all accounts for services, mail-forwarding and locations
- 615 results with (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user))
  - Accounts which are listed in the AD currently, including Administrator, Guest and a lot of others you are probably looking for.
A lot of them are deactivated too, but that could be checked with other filter options.
You compare a testing env with 3 or 4 accounts to a business with lots of users, services and groups that have all different values set in their OU.
The (sn=*) search is fine in my opinion, but if you want to be more specific use (&(!(objectClass=computer))(objectClass=person)(objectClass=organizationalPerson)(objectClass=user)). This will match all users including service accounts but no computers.
I would suggest an override option of the default filter to fit your needs.
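
An added illustration of the filters discussed in this thread (not code from node-expose-sspi or from either participant): a small evaluator for a subset of RFC 4515 filter syntax, run over constructed directory entries. In that syntax `(sn=*)` is a presence test and a literal asterisk value is written `\2a`; every function name and sample entry here is hypothetical.

```typescript
type DirEntry = Record<string, string[]>; // sample entries below are constructed, not from the issue
const person = ["top", "person", "organizationalPerson", "user"];
const sampleEntries: DirEntry[] = [
  { cn: ["Alice Human"], sn: ["Human"], objectClass: person },
  { cn: ["svc-backup"], objectClass: person },           // service account, no surname
  { cn: ["Star User"], sn: ["*"], objectClass: person }, // surname is a literal asterisk
  { cn: ["PC01"], objectClass: [...person, "computer"] },
];
type Pred = (e: DirEntry) => boolean;
const vals = (e: DirEntry, attr: string): string[] => e[attr] ?? [];
// Decode RFC 4515 hex escapes such as \2a (a literal "*").
const decodeValue = (v: string): string =>
  v.replace(/\\([0-9a-fA-F]{2})/g, (_m, h: string) => String.fromCharCode(parseInt(h, 16)));
// Parser for a subset of RFC 4515: and, or, not, presence and equality (no substring matches).
// Simplification: attribute names are compared case-sensitively, values case-insensitively.
function parseFilter(src: string): Pred {
  let pos = 0;
  const expect = (ch: string): void => { if (src[pos++] !== ch) throw new Error(`expected '${ch}'`); };
  const node = (): Pred => {
    expect("(");
    let pred: Pred;
    const op = src[pos];
    if (op === "&" || op === "|") {
      pos++;
      const kids: Pred[] = [];
      while (src[pos] === "(") kids.push(node());
      pred = op === "&" ? (e) => kids.every((k) => k(e)) : (e) => kids.some((k) => k(e));
    } else if (op === "!") {
      pos++;
      const kid = node();
      pred = (e) => !kid(e);
    } else {
      const end = src.indexOf(")", pos), eq = src.indexOf("=", pos);
      if (end < 0 || eq < 0 || eq > end) throw new Error(`bad filter item at offset ${pos}`);
      const attr = src.slice(pos, eq), raw = src.slice(eq + 1, end);
      if (raw !== "*" && raw.includes("*")) throw new Error("substring filters not supported");
      const want = decodeValue(raw).toLowerCase();
      pos = end;
      pred = raw === "*"
        ? (e) => vals(e, attr).length > 0 // presence: the attribute has any value at all
        : (e) => vals(e, attr).some((v) => v.toLowerCase() === want);
    }
    expect(")");
    return pred;
  };
  const root = node();
  if (pos !== src.length) throw new Error("trailing data after filter");
  return root;
}
const searchSample = (filter: string): string[] =>
  sampleEntries.filter(parseFilter(filter)).map((e) => vals(e, "cn").join());
```

`searchSample("(sn=*)")` returns every entry that has any surname set, while `searchSample("(sn=\\2a)")` returns only the entry whose surname is the asterisk character.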