All Apps and Add-ons

SA-ldapsearch issue with group members with accents

tfruru
Explorer

Hi,

I'm encountering an issue with SA-ldapsearch (version 1.1.6) where ldapgroup bugs out when group members have accented characters in their distinguishedName.

An ldapsearch for such a user works fine -

| ldapsearch domain=X search="(givenName=Agnès)" attrs="distinguishedName"

gives

dn                  distinguishedName
CN=Agnès,OU=X,DC=X "BINARY-BLOB"

but an ldapgroup for a group where this user is a member does not work at all :

| ldapsearch domain=X search="(givenName=Agnès)" attrs="memberOf" | mvexpand memberOf | head 1 | ldapgroup groupdn=memberOf

External search command 'ldapgroup' returned error code 1. Script output = "_raw,_time,host,source,sourcetype,dn,memberOf,member_dn,__mv_member_dn,member_name,__mv_member_name,member_domain,__mv_member_domain,member_type,__mv_member_type,mv_combo,__mv_mv_combo,errors,__mv_errors "
ERROR: java.lang.NullPointerException: null

The log created by the ldapgroup command shows -

2012-12-17 15:01:11.100 +0100 pid=16217 [com.splunk.ldap.ActiveDirectory:getContextForDN#-1] INFO No port parameter in default section of ldap.conf - assuming port 389
2012-12-17 15:01:11.715 +0100 pid=16217 [com.splunk.ldap.ActiveDirectory:fetchEntry#-1] INFO DN CN=Agnès,OU=X,DC=X does not exist or cannot be read (note the poison cache)
2012-12-17 15:01:11.717 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Exception java.lang.NullPointerException thrown: null
2012-12-17 15:01:11.718 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Stack Trace com.splunk.ldap.GroupMembership.<init> (-1)
2012-12-17 15:01:11.718 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Stack Trace com.splunk.ldap.GroupMembership.membership (-1)
2012-12-17 15:01:11.719 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Stack Trace com.splunk.program.LDAPGroups.Execute (-1)
2012-12-17 15:01:11.719 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Stack Trace com.splunk.ldap.ActiveDirectory.getMembership (-1)
2012-12-17 15:01:11.720 +0100 pid=16217 [com.splunk.program.LDAPGroups:main#-1] ERROR Stack Trace com.splunk.program.LDAPGroups.main (-1)

ldapgroup works fine for me as long as there are no users with "strange" characters in their distinguishedName.

Did anybody experience the same behaviour - more importantly, did anyone get this to work ?

Cheers,

Tycho

1 Solution

ahall_splunk
Splunk Employee
Splunk Employee

Hi Tycho,

This is a bug, and I will file it as such just as soon as I get to a place where I can file bugs. The next release will have a fix for this.

View solution in original post

ahall_splunk
Splunk Employee
Splunk Employee

Hi Tycho,

This is a bug, and I will file it as such just as soon as I get to a place where I can file bugs. The next release will have a fix for this.

yannK
Splunk Employee
Splunk Employee

Was it addressed in the version 2.0.1 of the app ?

https://apps.splunk.com/app/1151/

0 Karma

tfruru
Explorer

Hi Adrian, any news on when a more general fix will be available ? We're still encountering the problem when trying to use the "managedBy" attribute - which we extensively use in our environment ...

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

Agreed - in the prior fix, we picked out several fields that we knew were UTF8 and disregarded the base64encoding() requirement. However, that isn't good enough and we know it.

delink
Communicator

We are also experiencing this issue at a customer for usernames that contain accented characters. This seems to be the code that is doing it:

default:
for (n = 0; n < paramAttribute.size(); n++)
if (paramAttribute.needsBase64Encoding())
arrayOfString[n] = "";
else
arrayOfString[n] = paramAttribute.getValues()[n];

It seems like the decision to elide the information with "" is going to need to be more nuanced than just checking for base64 encoding.

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

We have the updated bug. It will be looked at in one of our sprints.

dominiquevocat
Motivator

There still is a somewhat random problem with string attributes in version 1.1.9 resulting in fields containing . In 1.1.6 it would return all accent/umlaut strings as BINARY-BLOB, with 1.1.9 it seems random and spurious. I filed a bug twice 🙂 not sure if there is hope for a fix.

0 Karma

tfruru
Explorer

Hi - The current version (SA-ldapsearch 1.1.9) solved the issue for me !

Cheers
Tycho

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...