Univention Bugzilla – Bug 48082
univention-adsearch displays binary code resulting in unreadable screen
Last modified: 2019-03-30 08:32:07 CET
univention-adsearch seems not to decode items correctly:

root@ucs:/etc/univention/ssl/ucsCA/crl# univention-adsearch cn=username
[...]
linuxobjectClass: organizationalPerson
objectClass: user
msExchUserAccountControl: 0
userCert*▒H▒▒te: 0▒▒0▒▒▒xt0▒▒=▒
univention-adsearch should use ldif.LDIFWriter for output with a suitable list of base64_attrs. Alternatively it should be re-implemented as just a wrapper of ldapsearch (or ldbsearch, like univention-s4search), which would simultaneously fix Bug 43319, Bug 43189, Bug 35504.
Affected attributes reported:
* msExchMailboxSecurityDescriptor
* msExchSafeSendersHash
* userCert
* thumbnailPhoto
* logonHours
* msExchMailboxGuid
See also the list in the encode_s4_object method of the S4-Connector.
*** Bug 43319 has been marked as a duplicate of this bug. ***
The small step for now, no ldbsearch: there is too much going on with SSL/Kerberos authentication in univention-adsearch that I don't want to mess with right now. Fixed now by base64-encoding every non-printable attribute. Also, I removed the replace_filter function; it seems to make no difference.

488212ced044ca5bb6278750bc724dba88f9efb2 - univention-ad-connector
252e48eeb342ebe7960b2537c41f849539f8578b - yaml
Ok, much better. There are still corner cases of attributes with Active Directory attributeSyntax 2.5.5.10 (octetstring), which are 8bit and may or may not be printable. The ldapsearch source code seems to check the values for printability and encode accordingly:

========================================================================
#
# univention-adsearch
# filter: (|(auditingPolicy=*)(dnsRecord=*))
#
DN: DC=w2k8r2d2ar,DC=net
auditingPolicy: ^@^A

DN: DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ag^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ab^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ae^Lroot-servers^Cnet^@
dnsRecord: ^V^@^B^@^E^H^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^T^C^Ad^Lroot-servers^Cnet^@

DN: DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwdbDQ==

DN: DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwMvmCg==

DN: DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAxwkOyQ==

DN: DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=w2k8r2d2ar,DC=net
dnsRecord: BAABAAUIAAAAAAAAAAAAAAAAAAAAAAAAwHAkBA==
========================================================================

Strangely, some dnsRecord entries are encoded, others not. Doing the same with ldapsearch returns all values base64-encoded:

ldapsearch -H ldap://10.200.8.126 -D Administrator@W2K8R2D2AR.NET \
    -w Univention.1 -b DC=w2k8r2d2ar,DC=net \
    '(|(auditingPolicy=*)(dnsRecord=*))' auditingPolicy dnsRecord
Added special (base64 encode) handling for dnsRecord and auditingPolicy. We should definitely switch to ldbsearch, but I think we need a minor update for that.
Created attachment 9752: b64.diff

I think we need to output the base64-encoded values with "::", see attached patch.
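The output rule this thread converges on, as an added example that is not part of the bug report and not univention-adsearch's own code: values are written as "attr: value" only when every byte is printable ASCII, and as "attr:: <base64>" (the LDIF marker for base64) otherwise, so no raw control bytes reach the terminal. The ALWAYS_B64 set, the helper names and the sample values are assumptions of this example.

```python
import base64

# Attributes emitted as base64 regardless of content. Names come from this
# bug's reports; the set itself is an assumption, not the tool's real list.
ALWAYS_B64 = {"dnsrecord", "auditingpolicy", "usercert", "thumbnailphoto",
              "logonhours", "objectguid"}


def needs_b64(attr: str, value: bytes) -> bool:
    """Conservative rule: plain output only for printable ASCII values."""
    if attr.lower() in ALWAYS_B64:
        return True
    # A leading space, ':' or '<' (or a trailing space) would be ambiguous.
    if value[:1] in (b" ", b":", b"<") or value[-1:] == b" ":
        return True
    return any(b < 0x20 or b > 0x7E for b in value)


def ldif_line(attr: str, value: bytes) -> str:
    """Return 'attr: value' for safe values, 'attr:: <base64>' otherwise."""
    if needs_b64(attr, value):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    return f"{attr}: {value.decode('ascii')}"


def parse_line(line: str):
    """Inverse of ldif_line: return (attr, raw bytes)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):                      # '::' marks base64
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest[1:].encode("ascii")         # drop the single space


# Constructed sample values (not taken from a real directory).
SAMPLE = [
    ("cn", b"username"),
    ("description", b"caf\xc3\xa9"),              # UTF-8, not 7-bit
    ("auditingPolicy", b"\x00\x01"),
    ("dnsRecord", b"\x16\x00\x02\x00\x0croot-servers\x03net\x00"),
    ("info", b"line1\x1b[2Jline2"),               # control bytes inside text
]

if __name__ == "__main__":
    for attr, value in SAMPLE:
        print(ldif_line(attr, value))
```

Because the marker distinguishes the two forms, a consumer can recover the original bytes from every line, which is what the later "decoding works" verification relies on.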
fixed
Verified:
* univention-adsearch output is UTF-8 (verified by running "file" on it)
* decoding works: univention-adsearch | ldapsearch-wrapper | ldapsearch-decode64
* objectGUID is now displayed properly
* Advisory: Ok
<http://errata.software-univention.de/ucs/4.3/354.html>