LDAP Outpost - Microsoft .NET Application using DirectoryEntry is failing

[vherrlein]

Describe the bug
Some user and group properties are shown as byte arrays instead of strings when a Microsoft .NET app query an authentik LDAP outpost.
Eg:

To Reproduce
Steps to reproduce the behavior:

1. Setup LDAP outpost as described within the documentation: https://version-2023-4.goauthentik.io/docs/providers/ldap/generic_setup
2. As sample, from a Windows machine create a PowerShell test script in order to search object (User / Group) su as the following.

Add-Type -AssemblyName System.DirectoryServices.Protocols

$username = 'cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io'
$pwd = 'YourPassword'
$ldapPath = "LDAP://YourServerAddress/dc=ldap,dc=goauthentik,dc=io"

$rootDn = [System.DirectoryServices.DirectoryEntry]::new($ldapPath, $username, $pwd, [System.DirectoryServices.AuthenticationTypes]"None")

$searcher = [System.DirectoryServices.DirectorySearcher]::new($rootDn)
$searcher.SearchScope = "Subtree"
$searcher.PropertiesToLoad.Clear()
$searcher.Filter = "(&(ObjectClass=user)"

$res = $searcher.FindOne()
$res.Properties

Expected behavior
User and group attributes must be recognized with the proper attribute type defined within LDAP RFCs in order to be used properly within Windows .NET applications.

Screenshots
If applicable, add screenshots to help explain your problem.

Logs
Output of docker-compose logs or kubectl logs respectively
Kubernetes Logs of the LDAP outpost:
{"bindDN":"cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.15.70","event":"User has access","level":"info","requestId":"01fffbb9-4ecd-40d9-b5ab-8a7d11e517f4","timestamp":"2023-04-19T09:19:47Z"} {"bindDN":"cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.15.70","event":"Allowed access to search","group":"ldap-searchers","level":"info","requestId":"01fffbb9-4ecd-40d9-b5ab-8a7d11e517f4","timestamp":"2023-04-19T09:19:48Z"} {"bindDN":"cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.15.70","event":"Bind request","level":"info","requestId":"01fffbb9-4ecd-40d9-b5ab-8a7d11e517f4","timestamp":"2023-04-19T09:19:48Z","took-ms":3354} {"baseDN":"dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.15.70","event":"Search request","filter":"(objectClass=*)","level":"info","requestId":"043a71be-7c57-43c3-bd66-9e5da048a1b6","scope":"Base Object","timestamp":"2023-04-19T09:19:49Z","took-ms":687} {"baseDN":"dc=ldap,dc=goauthentik,dc=io","bindDN":"cn=YourAccount,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"172.19.15.70","event":"Search request","filter":"(&(ObjectClass=user))","level":"info","requestId":"2c9099b0-edc3-469a-b46f-42b172e7dbdc","scope":"Whole Subtree","timestamp":"2023-04-19T09:19:49Z","took-ms":282}

Version and Deployment (please complete the following information):

• authentik version: 2023.4.0
• Deployment: helm

Additional context
With a traffic analyzer like Wireshark, searchResEntry seams OK.

Maybe the LDAP Server should be able to send it's own Schema in order to work ?
When trying to retrieve an object with it's full DN, the following error occurs:
Unknown error (0x8000500c) which means according to Microsoft : The directory datatype cannot be converted to/from a native DS datatype.
Reference: https://support.microsoft.com/en-us/topic/-0x8000500c-error-when-you-use-adsi-to-read-data-from-an-openldap-server-from-windows-8-or-windows-server-2012-c49f4427-13c8-7172-5e69-697128ecebca

[vherrlein]

Authentik LDAP Provider use nmcclain/ldap package at that location to add user/group attributes:

authentik/internal/outpost/ldap/entries.go

Line 70 in 07c4ef9

return &ldap.Entry{DN: dn, Attributes: attrs}

Then behind the scene it encode all attribute's values as Octet String :
https://github.com/nmcclain/ldap/blob/7f8d1e44eeba4156c0a258b6a1af47cb0a7e2d80/server_search.go#L215

And unfortunately, as no schema is provided by the LDAP Provider, no data conversion are made properly for attribute value type "Octet String" according to the default ADLDS Schema.

So to fix that kind of issue, Authentik LDAP Server should provide a schema according to Object Classes and attribute definitions.

[vherrlein]

It seems related to an old opened bug #3361

Do you have any plan to fix / enhance that topic ?

[mfatfhg]

+1

[BeryJu]

After a lot of learning about LDAP schema we're finally making some progress

[vherrlein]

That's a great news :)

May I suggest the following base schema which includes all minimal attributes and classes?

( 0.9.2342.19200300.100.1.1 NAME 'uid' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
( 0.9.2342.19200300.100.1.3 NAME 'mail' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 0.9.2342.19200300.100.1.41 NAME 'mobile' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.2.102 NAME 'memberOf' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' NO-USER-MODIFICATION )
( 1.2.840.113556.1.2.13 NAME 'displayName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.4.1 NAME 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE NO-USER-MODIFICATION )
( 1.2.840.113556.1.2.131 NAME 'co' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.2.141 NAME 'department' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.2.146 NAME 'company' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.4.44 NAME 'homeDirectory' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.2.840.113556.1.4.261 NAME 'division' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 1.3.6.1.1.1.1.0 NAME 'uidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
( 1.3.6.1.1.1.1.1 NAME 'gidNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.27' SINGLE-VALUE )
( 2.5.4.6 NAME 'c' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.10 NAME 'o' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
( 2.5.4.11 NAME 'ou' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
( 2.5.4.20 NAME 'telephoneNumber' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.42 NAME 'givenName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.0 NAME 'objectClass' SYNTAX '1.3.6.1.4.1.1466.115.121.1.38' NO-USER-MODIFICATION )
( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.4 NAME 'sn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.12 NAME 'title' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
( 2.5.4.13 NAME 'description' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
( 2.5.4.31 NAME 'member' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' )
( 99.99.99.99.2 NAME ( 'goauthentik.io/ldap/superuser' 'ak-superuser' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )
( 99.99.99.99.3 NAME ( 'goauthentik.io/ldap/active' 'ak-active' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )
( 99.99.99.99.4 NAME ( 'goauthentik.io/user/sources' 'goauthentikio-user-sources' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' )
( 99.99.99.99.5 NAME 'goauthentikio-user-override-ips' SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )
( 99.99.99.99.6 NAME 'goauthentikio-user-service-account' SYNTAX '1.3.6.1.4.1.1466.115.121.1.7' )


( 2.5.6.0 NAME 'top' ABSTRACT MUST ( objectClass ) MAY (cn $ description $ displayName $ memberOf $ name ) )
( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( cn ) MAY (sn $ telephoneNumber ) )
( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY (c $ l $ o $ ou $ title $ givenName $ co $ department $ company $ division $ mail $ mobile $ telephoneNumber ) )
( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST (cn $ member ) MAY (o $ ou ) )
( 1.2.840.113556.1.5.9 NAME 'user' SUP organizationalPerson STRUCTURAL MAY ( name $ displayName $ uid $ mail ) )
( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY MAY (cn $ description $ homeDirectory $ uid $ uidNumber $ gidNumber ) )
( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' AUX ( posixAccount ) MUST ( sAMAccountName ) MAY ( uidNumber $ gidNumber ))
( 99.99.99.99.1 NAME 'goauthentik.io/ldap/user' SUP organizationalPerson STRUCTURAL MAY ( ak-active $ sAMAccountName $ goauthentikio-user-sources $ goauthentik.io/user/sources $ goauthentik.io/ldap/active $ goauthentik.io/ldap/superuser $ goauthentikio-user-override-ips $ goauthentikio-user-service-account ) )

Another question remain, how to make an update of the schema for dynamic user/group properties?

• Allowing manual schema updates from the outpost setting page ?
• A scheduled background worker scanning user/group JSON objects and update the schema?

Regards,

[BeryJu]

Cheers for that schema, I'm currently using the OID 1.3.6.1.4.1.26027.1.1 as a base, which seems to be used by an Oracle directory server as a base for custom attributes? I'll get around to requesting an OID base from IANA at some point to do this properly.

For the dynamic fields, I was also wondering about that. Allowing manual schema definitions are certainly more customisable but also not really user friendly, and since we already have the Memory searcher which regularly fetches all users, we can use that to build the custom schema in the background

(It would probably be good enough to do this once on start since a lot of applications either don't use the LDAP schema or only fetch it once on startup, but might as well do it properly)