I've written two subroutines for getting sAMAccountName by objectGUID and vice 
versa; the main purpose is to manage a database table that stores the 
objectGUID as a Base64 encoded string. (The purpose of this is to maintain a 
match table for people in two different LDAP directories, one AD and the other 
not.) 


use Net::LDAPS;
use MIME::Base64 qw(encode_base64 decode_base64);

# $ldu / $ldp (bind account and password) are set elsewhere in the script.

sub uname2guid {
        my $un = shift;
        my $aq = Net::LDAPS->new("ldaps://host.domain") or return "FAIL LDAP ERROR $0";
        # bind() always returns a message object, so test its result code, not the object
        my $rs=$aq->bind("$ldu\@host.domain", password=>$ldp);
        return "FAIL BIND ERROR ".$rs->error if $rs->code;
        my $sb="DC=Host,DC=Domain";
        my $fi = "(samAccountName=$un)";
        my $at = ['objectGUID'];
        my $m=$aq->search(base=>$sb,filter=>$fi,attrs=>$at);
        return "FAIL SEARCH ERROR ".$m->error if $m->code;
        if ($m->count > 0){
                # objectGUID is 16 raw bytes; store it Base64 encoded
                # (encode_base64 appends a newline, hence the chomp)
                my $gu=encode_base64($m->entry(0)->get_value('objectGUID'));
                chomp $gu;
                return $gu;
                }
        else {
                return "No GUID for $un";
                }
        }

sub guid2uname {
        my $gu = decode_base64(shift);
        my $aq = Net::LDAPS->new("ldaps://host.domain") or return "FAIL LDAP ERROR $0";
        my $rs=$aq->bind("$ldu\@host.domain", password=>$ldp);
        return "FAIL BIND ERROR ".$rs->error if $rs->code;
        my $sb="DC=Host,DC=Domain";
        # The GUID is binary. Interpolating it raw into the filter string breaks
        # whenever one of its bytes is special in a filter ('(', ')', '*', '\' or
        # NUL), which is why only some users fail. RFC 4515 allows any byte to be
        # written as \XX hex, so escape every byte before building the filter.
        my $hex = join '', map { sprintf '\\%02x', $_ } unpack 'C*', $gu;
        my $fi = "(objectGUID=$hex)";
        my $at = ['sAMAccountName'];
        my $m=$aq->search(base=>$sb,filter=>$fi,attrs=>$at);
        return "FAIL SEARCH ERROR ".$m->error if $m->code;
        if ($m->count > 0){
                my $un=$m->entry(0)->get_value('sAMAccountName');
                return $un;
                }
        else {
                # second argument '' suppresses the trailing newline
                return "No Username for GUID ".encode_base64($gu, '');
                }
        }


I'm running into valid user accounts where guid2uname is returning "No Username 
for GUID" where the username should definitely exist, because uname2guid 
returns the correct encoded objectGUID.

If I construct a standard LDAP search to return the objectGUID in binary form 
and then use that returned value to perform a new search with 
'(objectGUID=$return)' as the filter for the LDAP search, I get the LDAP error 
"Bad Filter", but ONLY for those particular users. It works just fine for 
others.

Could it be possible that somehow the binary object returned contains 
something like a control character that is doing something in perl-ldap, or is 
this an AD LDAP issue?

Has anyone ever run into something like this?


-- 
Bruce Johnson
University of Arizona
College of Pharmacy
Information Technology Group

Institutions do not have opinions, merely customs
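The mechanism behind the "Bad Filter" errors above, as an added example that is not part of the original post or of perl-ldap: the objectGUID is 16 raw bytes, and whenever one of them happens to be a byte that is special inside an LDAP filter the unescaped filter no longer parses, so only the users whose GUID contains such a byte fail. The script below (Python, with a constructed sample GUID) lists the offending bytes, builds the filter with the RFC 4515 `\XX` hex escaping that accepts any byte, and renders the GUID in the textual form AD tools display.

```python
"""Added example (not from the original post): why a raw objectGUID breaks an
LDAP filter, and how to encode it safely with RFC 4515 hex escapes."""
import base64
import uuid

# Bytes that RFC 4515 requires to be escaped inside a filter assertion value.
FILTER_SPECIALS = frozenset(b"()*\\\x00")


def problem_bytes(value: bytes) -> list:
    """Return (offset, byte) pairs that would corrupt a filter if interpolated raw."""
    return [(i, b) for i, b in enumerate(value) if b in FILTER_SPECIALS]


def escape_filter_value(value: bytes) -> str:
    """Encode a binary assertion value as RFC 4515 text: every byte becomes \\XX.

    Escaping all bytes (not only the special ones) is always valid and keeps
    the filter pure ASCII, the safest choice for non-UTF-8 data such as
    Active Directory's 16-byte objectGUID."""
    return "".join("\\%02x" % b for b in value)


def guid_filter(guid_b64: str) -> str:
    """Build the (objectGUID=...) filter from the Base64 form kept in the match table."""
    raw = base64.b64decode(guid_b64)
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 bytes, got %d" % len(raw))
    return "(objectGUID=%s)" % escape_filter_value(raw)


def guid_to_text(raw: bytes) -> str:
    """Render the binary objectGUID as AD tools display it (mixed-endian UUID)."""
    return str(uuid.UUID(bytes_le=raw))


# Constructed sample GUID: byte 3 is ')' (0x29) and byte 8 is '*' (0x2a),
# exactly the kind of value that fails when pasted into a filter unescaped.
SAMPLE_GUID = bytes.fromhex("01020329040506072a090a0b0c0d0e0f")
SAMPLE_B64 = base64.b64encode(SAMPLE_GUID).decode("ascii")

if __name__ == "__main__":
    print("problem bytes:", problem_bytes(SAMPLE_GUID))
    print("filter:", guid_filter(SAMPLE_B64))
    print("text form:", guid_to_text(SAMPLE_GUID))
```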
