Closed Bug 1730874 Opened 3 years ago Closed 3 years ago

LDAP regression: search using userAccountControl Filter gets empty results

Categories

(MailNews Core :: Address Book, defect)

Product:
MailNews Core
Component:
Address Book
Version:
Thunderbird 91
Type:
defect

Tracking

(thunderbird_esr91+ fixed, thunderbird93+ fixed)

Status:
RESOLVED FIXED
Milestone:
94 Branch
Tracking Flags:
Tracking Status
thunderbird_esr91 + fixed
thunderbird93 + fixed

People

(Reporter: christian.fertig, Assigned: rnons)

References

(Regression)

Details

(Keywords: regression)

Attachments

(3 files)

Bug 1730874 - Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan
(deleted), text/x-phabricator-request
wsmwk
: approval-comm-beta+
wsmwk
: approval-comm-esr91+
Details
Thunderbird 91.7 ldap-jsmodule-disabled
(deleted), image/png
Details
Thunderbird 91.7 ldap-jsmodule-enabled - no LDAP hit
(deleted), image/png
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

For two decades (even in the old mozilla before thunderbird) we're using this search filter in the advanced LDAP settings:

(&(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

to display only activated (not deactivated) users

Actual results:

since TB 91 (in fact TB91.0.3) it is not working anymore.

(objectclass=User) alone is working

(!(userAccountControl:1.2.840.113556.1.4.803:=2)) alone is not working

(userAccountControl:1.2.840.113556.1.4.803:=65536)) some example from
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostRecent
just for testing is NOT working

in my Opinion it must be something with the syntax of this query (bitwise ANDs or something like that)

I was not able to receive a log as decribed here: https://wiki.mozilla.org/MailNews:Logging
Logfile for LDAP stays empty

We rebuilt the LDAP code in this version. I'll pass this bug on to the developer in charge of that. In the meantime you can still use the old version by flipping the pref mailnews.ldap.jsmodule.

Blocks: tb91found
Keywords: regression
Product: Thunderbird → MailNews Core
Assignee: nobody → remotenonsense
Status: UNCONFIRMED → ASSIGNED
status-thunderbird93: --- → affected
status-thunderbird_esr91: --- → affected
Ever confirmed: true
Regressed by: ldap-js

An extensibleMatch filter is in the form of <type>:dn:<rule>:=<value>.

tracking-thunderbird93: --- → +
tracking-thunderbird_esr91: --- → +
Target Milestone: --- → 94 Branch

I've tested against your daily build 94.0a1 and I can confirm, that it's working again :)

Flags: needinfo?(christian.fertig)

(In reply to Geoff Lankow (:darktrojan) from comment #1)

you can still use the old version by flipping the pref mailnews.ldap.jsmodule.

this is working fine for me, a good workaround waiting for TB94. Thanks

Keywords: checkin-needed-tb

Pushed by mkmelin@iki.fi:
https://hg.mozilla.org/comm-central/rev/f72fa1a50e19
Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Keywords: checkin-needed-tb
Resolution: --- → FIXED

Comment on attachment 9241496 [details]
Bug 1730874 - Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan

[Approval Request Comment]
Regression caused by (bug #): bug 1696625
User impact if declined: extensibleMatch filter returns no result
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9241496 - Flags: approval-comm-esr91?
Attachment #9241496 - Flags: approval-comm-beta?

Comment on attachment 9241496 [details]
Bug 1730874 - Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan

[Triage Comment]
Approved for beta

Attachment #9241496 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9241496 [details]
Bug 1730874 - Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan

[Triage Comment]
Approved for esr91

Attachment #9241496 - Flags: approval-comm-esr91? → approval-comm-esr91+

I have changed mailnews.ldap.jsmodule to false in 91.6.
(&(sAMAccountType=805306368)(!useraccountcontrol:1.2.840.113556.1.4.803:=2)) still not working.
"Support extensibleMatch filter in LDAPMessage.jsm. r=darktrojan"- I don't understand what to with this

Hi muncubus, according to https://datatracker.ietf.org/doc/html/rfc4515#section-3, a valid LDAP filter follows this pattern

filter         = LPAREN filtercomp RPAREN
not            = EXCLAMATION filter

This means (!useraccountcontrol:1.2.840.113556.1.4.803:=2) is invalid, but (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) is valid. Do you mind changing the filter string and try again? Thanks

(In reply to Ping Chen (:rnons) from comment #13)

Hi muncubus, according to https://datatracker.ietf.org/doc/html/rfc4515#section-3, a valid LDAP filter follows this pattern

filter         = LPAREN filtercomp RPAREN
not            = EXCLAMATION filter

This means (!useraccountcontrol:1.2.840.113556.1.4.803:=2) is invalid, but (!(useraccountcontrol:1.2.840.113556.1.4.803:=2)) is valid. Do you mind changing the filter string and try again? Thanks

Hi. Thanks a lot. Now it's working, but only with mailnews.ldap.jsmodule in false.

Can you get some debug logs

  1. set mailnews.ldap.loglevel to All
  2. open DevTools, clear existing logs in the Console
  3. trigger a ldap search

When mailnews.ldap.jsmodule in false - no any messages and filtering works fine.
When mailnews.ldap.jsmodule in true I've got:
mailnews.ldap: Connecting to ldap://-----:389 LDAPClient.jsm:43:18
mailnews.ldap: Connected LDAPClient.jsm:144:18
mailnews.ldap: Binding b-----a LDAPClient.jsm:64:18
mailnews.ldap: C: [1] BindRequest LDAPClient.jsm:254:18
mailnews.ldap: S: [1] BindResponse resultCode=0 message="" LDAPClient.jsm:191:20
mailnews.ldap: Searching dn="dc=-----" filter="(&(&(objectCategory=Person)(objectclass=user)(mail=*)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))(&(|(cn=стан)(givenName=стан)(sn=стан)(mozillaNickname=стан)(mail=стан)(mozillaSecondEmail=стан)(&(description=стан))(o=стан)(ou=стан)(title=стан)(mozillaWorkUrl=стан)(mozillaHomeUrl=стан))))" LDAPClient.jsm:124:18
mailnews.ldap: C: [2] SearchRequest LDAPClient.jsm:254:18
mailnews.ldap: S: [2] SearchResultReference <empty string> 3 LDAPClient.jsm:191:20
mailnews.ldap: S: [2] SearchResultDone resultCode=0 message="" LDAPClient.jsm:191:20
And filtering not working. about "-----" don't mind .

Thanks, looks like SearchResultReference is not correctly handled by ldap-js. With mailnews.ldap.jsmodule set to false, can you get some logs by starting TB with MOZ_LOG=LDAP:5 thunderbird. If you're on Windows, refer to https://wiki.mozilla.org/MailNews:Logging#Generating_a_Protocol_Log

Created bug 1756383 for SearchResultReference handling.

(In reply to Christian Fertig from comment #4)

I've tested against your daily build 94.0a1 and I can confirm, that it's working again :)

Hi, can you help me test if this works on TB 91 with mailnews.ldap.jsmodule set to true (a restart is needed)? Seems other people still see this problem.

Flags: needinfo?(christian.fertig)

Hi,

ok, I tested both settings with my 91.7.0 32bit and it seems not to work with ldap-jsmodule enabled.
Attached the screenshots with enabled and disabled setting, the LDAP directory is only searched with the jsmodule false.

Christian

Flags: needinfo?(christian.fertig)

(In reply to Christian Fertig from comment #21)

my Filter is still

(&(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Thanks a lot, can you also test a beta or daily build? Last time 94.0a1 seemed to work for you, I'm trying to find if there is some code we forgot to uplift to 91.

I think I've found the problem, will make a fix.

Blocks: 1763288
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: