LDAP filter parse error

Active Directory, win2k3, eJabberd 1.1.4

part of config:

Quote:

% For LDAP authentication use these lines instead of above one:
{auth_method, ldap}.
{ldap_servers, ["192.168.30.97","192.168.30.13"]}.
{ldap_uidattr, "sAMAccountName"}.
{ldap_base, "dc=company,dc=com"}.
{ldap_rootdn, "cn=ejabberd,cn=Users,dc=company,dc=com"}.
{ldap_password, "secret"}.
{ldap_filter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Jabber Users,CN=Builtin,DC=company,DC=com)(!userAccountControl:1.2.840.113556.1.4.803:=2))"}.

Errors in the log

Quote:

=CRASH REPORT==== 21-Sep-2007::09:48:59 ===
crasher:
pid: <0.239.0>
registered_name: 'ejabberd_mod_vcard_ldap_jabber.company.com'
error_info: {{badmatch,{error,bad_filter}},
[{mod_vcard_ldap,parse_options,2},
{mod_vcard_ldap,init,1},
{gen_server,init_it,6},
{proc_lib,init_p,5}]}
initial_call: {gen,
init_it,
[gen_server,
<0.191.0>,
<0.191.0>,
{local,'ejabberd_mod_vcard_ldap_jabber.company.com'},
mod_vcard_ldap,
["jabber.company.com",
[{ldap_vcard_map,
[{"NICKNAME","%u",[]},
{"GIVEN","%s",["givenName"]},
{"MIDDLE","%s",["initials"]},
{"FAMILY","%s",["sn"]},
{"FN","%s",["displayName"]},
{"EMAIL","%s",["mail"]},
{"ORGNAME","%s",["company"]},
{"ORGUNIT","%s",["department"]},
{"CTRY","%s",["c"]},
{"LOCALITY","%s",["l"]},
{"STREET","%s",["streetAddress"]},
{"REGION","%s",["st"]},
{"PCODE","%s",["postalCode"]},
{"TITLE","%s",["title"]},
{"URL","%s",["wWWHomePage"]},
{"DESC","%s",["description"]},
{"TEL","%s",["telephoneNumber"]}]},
{ldap_search_fields,
[{"User","%u"},
{"Name","givenName"},
{"Family Name","sn"},
{"Email","mail"},
{"Company","company"},
{"Department","department"},
{"Role","title"},
{"Description","description"},
{"Phone","telephoneNumber"}]},
{ldap_search_reported,
[{"Full Name","FN"},
{"Nickname","NICKNAME"},
{"Email","EMAIL"}]}]],
[]]}
ancestors: [ejabberd_sup,<0.36.0>]
messages: []
links: [<0.191.0>]
dictionary: []
trap_exit: false
status: running
heap_size: 2584
stack_size: 21
reductions: 19896
neighbours:

with this filter all ok:
{ldap_filter, "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Jabber Users,CN=Builtin,DC=company,DC=com))"}.

So the problem is in parsing this expression: (!userAccountControl:1.2.840.113556.1.4.803:=2)
I tried to run a query with this filter directly against the LDAP server; it is correct and it works.
I think the problem is in the Erlang or eJabberd filter parser.

Maybe some character is not acceptable: there are: ! . :
You could try to put \! or things like that.

same result

badlop wrote:

Maybe some character is not acceptable: there are: ! . :
You could try to put \! or things like that.

I tried \! \. \: - same result

Re: LDAP filter parse error

d.k.brazz wrote:

So the problem is in parsing this expression: (!userAccountControl:1.2.840.113556.1.4.803:=2)
I tried to run a query with this filter directly against the LDAP server; it is correct and it works.
I think the problem is in the Erlang or eJabberd filter parser.

You are right. Currently it is not possible to parse such expressions.
BTW. Is it possible to avoid such filters at all?

LDAP filter

zinid wrote:

BTW. Is it possible to avoid such filters at all?

MS AD stores info about the account state in bitwise form
1.2.840.113556.1.4.803 - is OID for bitwise AND operator (in MS AD)
http://support.microsoft.com/kb/269181

userAccountControl:1.2.840.113556.1.4.803:=2 - the only way to search for disabled users in MS AD
!userAccountControl:1.2.840.113556.1.4.803:=2 - the only way to search for not disabled (enabled) users in MS AD

another way - manually removing disabled users from "Jabber Users" group

Negation in LDAP search request filters

While LDAPv3 extensible match is really not yet supported in ejabberd, your search filter is invalid according to RFC 4515 — you should use

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

form.

So for instance "accounts of all users which are not disabled" will be

(&(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
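The two points made in this thread, that RFC 4515 requires the negation to wrap a parenthesised filter, and that 1.2.840.113556.1.4.803 is a bitwise-AND matching rule rather than ordinary equality, can be checked with a small filter parser and evaluator. The following is an added example written for this page; it is not ejabberd code (ejabberd 1.1.4 does not support extensible match at all, as stated above) and not code from anyone in the thread. It handles a subset of RFC 4515 (and, or, not, equality and the attr:OID:=value extensible item), evaluates with RFC 4511's three-valued logic, and implements only the AD bitwise-AND rule. The flag values 0x200 (NORMAL_ACCOUNT), 0x2 (ACCOUNTDISABLE) and 0x10000 (DONT_EXPIRE_PASSWD) are the documented userAccountControl bits; the sample entries, the helper names and the constants are constructed for the demonstration.

```python
"""Added example (not ejabberd code): parse RFC 4515 filters and evaluate AD's bitwise-AND rule."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD matching rule: every bit of the value is set
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl flag of a disabled account
_ATTR = r"[A-Za-z][A-Za-z0-9;.-]*"
_EXT_RE = re.compile(r"^(%s):([A-Za-z0-9.-]+):=(.*)$" % _ATTR)  # attr:rule:=value
_EQ_RE = re.compile(r"^(%s)=(.*)$" % _ATTR)                      # attr=value

class FilterError(ValueError):
    """A filter string that RFC 4515 does not allow."""

def _unescape(v):  # RFC 4515 escapes special bytes as '\' plus two hex digits, e.g. \21 for '!'
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def parse_filter(text):
    """Parse a filter string into a tuple tree; raise FilterError on bad syntax."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing data after position %d" % pos)
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at position %d" % i)
    i += 1
    c = s[i] if i < len(s) else ""
    if c in ("&", "|"):
        items, i = [], i + 1
        while i < len(s) and s[i] == "(":  # filterlist: one or more filters
            child, i = _parse(s, i)
            items.append(child)
        if not items:
            raise FilterError("empty filter list at position %d" % i)
        node = ("and" if c == "&" else "or", items)
    elif c == "!":
        # RFC 4515: not = '!' filter, and every filter is parenthesised, so
        # (!attr:rule:=v) is a syntax error while (!(attr:rule:=v)) is valid.
        child, i = _parse(s, i + 1)
        node = ("not", child)
    else:
        end = s.find(")", i)
        item = s[i:end] if end >= 0 else s[i:]
        m = _EXT_RE.match(item) or _EQ_RE.match(item)
        if m is None:
            raise FilterError("unsupported or malformed item %r" % item)
        groups = m.groups()[:-1] + (_unescape(m.groups()[-1]),)  # last group is the value
        node = ("ext" if len(groups) == 3 else "eq",) + groups
        i = end
    if i < 0 or i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at position %d" % i)
    return node, i + 1

def evaluate(node, entry):
    """RFC 4511 three-valued logic: True, False or None (Undefined); entry maps attr -> [str]."""
    kind = node[0]
    if kind in ("and", "or"):
        r = [evaluate(n, entry) for n in node[1]]
        short = kind == "or"  # 'or' is decided by a True operand, 'and' by a False one
        return short if short in r else (None if None in r else not short)
    if kind == "not":
        r = evaluate(node[1], entry)
        return None if r is None else not r
    values = next((v for k, v in entry.items() if k.lower() == node[1].lower()), None)
    if values is None:
        return False  # absent attribute is FALSE, which is why (!(attr=*)) works
    if kind == "eq":
        return any(v.lower() == node[2].lower() for v in values)  # AD: case-insensitive
    try:
        mask, ints = int(node[3]), [int(v) for v in values]
    except ValueError:
        return None  # non-integer assertion or attribute value: Undefined
    if node[2] == BIT_AND:
        return any(v & mask == mask for v in ints)
    return None  # rule unknown to this server: Undefined, and NOT Undefined stays Undefined

def matches(filter_text, entry):  # True only for TRUE; Undefined never matches
    return evaluate(parse_filter(filter_text), entry) is True

# The thread's intended filter, in the form RFC 4515 requires.
ENABLED_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                  "(memberOf=CN=Jabber Users,CN=Builtin,DC=company,DC=com)"
                  "(!(userAccountControl:%s:=%d)))" % (BIT_AND, UF_ACCOUNTDISABLE))

def _user(name, uac, member=True):  # constructed AD-like entry, not real directory data
    entry = {"sAMAccountName": [name], "objectCategory": ["person"],
             "objectClass": ["top", "person", "user"], "userAccountControl": [str(uac)]}
    return dict(entry, memberOf=["CN=Jabber Users,CN=Builtin,DC=company,DC=com"]) if member else entry

SAMPLE_ENTRIES = [
    _user("alice", 0x200),            # NORMAL_ACCOUNT, enabled
    _user("bob", 0x200 | 0x2),        # NORMAL_ACCOUNT | ACCOUNTDISABLE
    _user("carol", 0x200 | 0x10000),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD, still enabled
    _user("dave", 0x200, member=False),
]

def enabled_jabber_users(entries=SAMPLE_ENTRIES):
    """sAMAccountName of every entry the corrected filter selects."""
    return [e["sAMAccountName"][0] for e in entries if matches(ENABLED_FILTER, e)]
```

Two things worth noticing when running it: the bare form (!userAccountControl:...:=2) is rejected at the parser, before any server is involved, which is the RFC 4515 point; and a server that does not implement the matching-rule OID (anything other than Active Directory) makes the extensible item Undefined, so the negation and the enclosing AND are Undefined too and the search silently returns nobody rather than failing. Escaping the '!' as badlop suggested cannot help, because RFC 4515 escapes are hex (\21), apply only inside assertion values, and the '!' here is the operator, not part of a value.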