Tags: active-directory, ldap, filtering, wildcard

ldapsearch does not return users with special chars (e.g. user.name) on AD


I want to search for users with descriptions in AD, which on Windows PowerShell can be done with the PowerView function Get-DomainUser:

Get-DomainUser -v * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

VERBOSE: [Get-DomainSearcher] search base: LDAP://LAB-DC01.DOMAIN.LOCAL/DC=DOMAIN,DC=LOCAL
VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=*)))

samaccountname description
-------------- -----------
administrator  Built-in account for administering the computer/domain
jdoe           .......................
user.name      FOOBAR

Now I want to get that list on a Linux machine with ldapsearch. Using the search filter from Get-DomainUser, I tested the following ldapsearch command line, which indeed lists the accounts, and I can grep for descriptions:

ldapsearch -h 172.12.0.1 -D 'domain\user' -w 'pass' -b "DC=DOMAIN,DC=LOCAL" "(&(samAccountType=805306368)(|(samAccountName=*)))"

However, I noticed that this search does not return the account user.name. Even if I completely remove the name filter using only "(samAccountType=805306368)" it is not returned.

Only if I explicitly search the pattern with "(&(samAccountType=805306368)(|(samAccountName=*.*)))" it returns this (and only this) account.

Why is this account not returned? Is there a more "general" wildcard? There's also a "user-name" which I must filter with *-*.


Solution

  • Oh crap. In fact, it has nothing to do with the search filter and special chars at all. The returned result is just simply too big...

    I traced the ldap connection from Get-DomainUser with wireshark and I noticed the ldap result is returned paginated - but I still thought nothing of it.

    Before ldapsearch I actually tried the tool crackmapexec to get the user description but it didn't work. So now I tried it again and had a closer look at the error message: LDAPSearchError: Error in searchRequest -> 'sizeLimitExceeded'...

    And in fact, after I instructed ldapsearch to use pagination with the parameter -E pr=2147483647/noprompt, the user in question is also returned with my search filter. It really was just a coincidence that this user was not in the partial result.
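To make the failure mode in the answer concrete, here is an added example (not code from the question or the answer) that models the server side of what happened: an Active Directory DC caps a single unpaged search result at its LDAP policy MaxPageSize (1000 entries by default), returns the partial result with result code 4 (sizeLimitExceeded), and only serves the rest when the client uses the Simple Paged Results control (RFC 2696), which is what ldapsearch's `-E pr=.../noprompt` enables. The directory contents, the position of `user.name` after the 1000th entry, and the `FakeAD` class are all constructed for the example; the cookie is a plain offset here, whereas a real DC returns an opaque blob. The client loop in `paged_search` is the same shape as the loop ldap3 or python-ldap run for you.

```python
"""Added example (not from the original post): why an unpaged LDAP search
against Active Directory silently drops entries, and the paging loop that
fixes it. Everything below is a constructed model; nothing talks to a DC."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_PAGE_SIZE = 1000          # AD default LDAP policy MaxPageSize
SIZE_LIMIT_EXCEEDED = 4       # LDAP result code sizeLimitExceeded
SUCCESS = 0
SAM_NORMAL_USER_ACCOUNT = 805306368   # the samAccountType value from the filter


@dataclass
class Entry:
    sAMAccountName: str
    description: str = ""
    sAMAccountType: int = SAM_NORMAL_USER_ACCOUNT


def build_directory(n_users: int = 1500) -> List[Entry]:
    """Constructed sample directory: n_users normal user accounts, with
    'user.name' (description FOOBAR) and 'user-name' placed after the
    1000th entry, so an unpaged search never reaches them."""
    users = [Entry(f"user{i:04d}") for i in range(n_users)]
    users[0] = Entry("administrator",
                     "Built-in account for administering the computer/domain")
    users[1200] = Entry("user.name", "FOOBAR")
    users[1300] = Entry("user-name", "constructed description")
    return users


class FakeAD:
    """Model of the DC's handling of a searchRequest. Without the Simple
    Paged Results control it returns at most MAX_PAGE_SIZE entries plus
    result code 4; with the control it serves one page per request and a
    cookie that is empty once the result set is exhausted. A requested
    page size larger than MaxPageSize is clamped, which is why
    -E pr=2147483647 works."""

    def __init__(self, entries: List[Entry]):
        self.entries = entries

    def search(self, match: Callable[[Entry], bool],
               page_size: Optional[int] = None,
               cookie: bytes = b"") -> Tuple[List[Entry], int, bytes]:
        hits = [e for e in self.entries if match(e)]
        if page_size is None:
            # Unpaged: partial result plus sizeLimitExceeded. ldapsearch prints
            # the entries it got and then "result: 4 Size limit exceeded".
            if len(hits) > MAX_PAGE_SIZE:
                return hits[:MAX_PAGE_SIZE], SIZE_LIMIT_EXCEEDED, b""
            return hits, SUCCESS, b""
        start = int(cookie) if cookie else 0          # cookie = offset (model only)
        page = hits[start:start + min(page_size, MAX_PAGE_SIZE)]
        end = start + len(page)
        next_cookie = str(end).encode() if end < len(hits) else b""
        return page, SUCCESS, next_cookie


def is_normal_user(e: Entry) -> bool:
    """Python equivalent of the filter (samAccountType=805306368)."""
    return e.sAMAccountType == SAM_NORMAL_USER_ACCOUNT


def has_dot_in_name(e: Entry) -> bool:
    """Python equivalent of (&(samAccountType=805306368)(samAccountName=*.*))."""
    return is_normal_user(e) and "." in e.sAMAccountName


def paged_search(server: FakeAD, match: Callable[[Entry], bool],
                 page_size: int = 500) -> List[Entry]:
    """Client loop: resend the request with the returned cookie until the
    cookie comes back empty. This is what ldap3's paged_search and
    python-ldap's SimplePagedResultsControl loop do internally."""
    results: List[Entry] = []
    cookie = b""
    while True:
        page, code, cookie = server.search(match, page_size=page_size, cookie=cookie)
        if code != SUCCESS:
            raise RuntimeError(f"searchRequest failed with result code {code}")
        results.extend(page)
        if not cookie:
            return results


def described_users(entries: List[Entry]) -> Dict[str, str]:
    """The grep-for-descriptions step: only accounts with a description."""
    return {e.sAMAccountName: e.description for e in entries if e.description}


if __name__ == "__main__":
    ad = FakeAD(build_directory())
    partial, code, _ = ad.search(is_normal_user)
    print(f"unpaged: {len(partial)} entries, result code {code}")
    print("unpaged described:", described_users(partial))
    print("paged described:", described_users(paged_search(ad, is_normal_user)))
```

Running the block shows the symptom from the question: the unpaged search returns 1000 entries with result code 4 and `user.name` is absent, the narrow `*.*` filter returns only `user.name` because that result set fits under the limit, and the paged loop returns all 1500 accounts. The check a practitioner should add to any ldapsearch-based enumeration is to read the trailing `result:` line rather than only grepping the entries.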