Request Additional Operational Attributes from AD/LDAP Connector

Problem statement

When using the LDAP connector, everything works as expected: users are authenticated, and the mapped profile is shown correctly in Auth0. The problem arises when pulling operational attributes. The attribute that cannot be read is “sample-attribute”, which is being mapped onto the profile using the profileMapper.js file of the AD/LDAP Connector.

Despite the updates made to this file, the ‘raw_data’ object, which contains the attributes returned by the LDAP server, does not include the operational attribute, so mapping this attribute appears to be unsupported. Can Auth0 confirm whether this is the case, or are there other changes to make to the AD/LDAP Connector so that these attributes are sent during user authentication?

Cause

Retrieving operational attributes cannot be done through configuration alone. The configuration key ‘LDAP_USER_BY_NAME’ only controls the search filter; it DOES NOT control which attributes are requested as part of the search.

The connector uses the ldap.js library, and what is relevant for this scenario is the search operation, documented in LDAPJS Documentation - Search.

The connector logic does not pass any value in the attributes option of the search options it sends to ldap.js, which would be necessary to retrieve the operational attributes.

This means the default behavior applies, which can be paraphrased as follows:

When explicit attributes are requested, the server returns only those attributes. The default is an empty set, which means all attributes; “all attributes” here means all user attributes, so operational attributes are not returned by default.

Solution

The AD/LDAP Connector can be modified to return these operational attributes, but this means changing the source code directly. Specifically, the ‘users.js’ file needs the following update:

Before:

var opts = { scope: 'sub', filter: filter.filter };

After:

var opts = { scope: 'sub', filter: filter.filter, attributes: ["*", "sample-attribute"] };

The * means that all user attributes should be returned (which preserves the current behavior), while the second array entry explicitly requests the ‘sample-attribute’ operational attribute. This makes the attribute available in ‘raw_data’ for the profile mapper. If it still does not appear, verify with a direct LDAP search using the connector's service account that the server returns the attribute when it is named explicitly, since read access to operational attributes is subject to the directory's own access controls.
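As an added illustration (not the connector's own code), the following models the attribute-selection rule paraphrased above and shows what the ‘users.js’ change does to the data the profile mapper receives. The directory entry, its operational flags and the search filter are constructed for this example.

```javascript
// Constructed sample entry. Which attributes are operational is flagged
// here explicitly; a real LDAP server knows this from its schema.
const SAMPLE_ENTRY = {
  dn: 'CN=jdoe,OU=Users,DC=example,DC=com',
  attrs: {
    cn: { value: 'jdoe', operational: false },
    mail: { value: 'jdoe@example.com', operational: false },
    'sample-attribute': { value: 'op-value', operational: true },
  },
};

// Mirrors the 'Before' and 'After' lines of users.js: build the ldap.js
// search options from a filter, optionally naming extra (operational)
// attributes. With no extras the options match the 'Before' form.
function buildSearchOptions(filter, extraAttributes) {
  const opts = { scope: 'sub', filter };
  if (extraAttributes && extraAttributes.length > 0) {
    // '*' keeps every user attribute; the named entries are added on top.
    opts.attributes = ['*', ...extraAttributes];
  }
  return opts;
}

// Simulates server-side attribute selection as paraphrased in the text:
// an empty list or '*' yields all user attributes, and an attribute that
// is named explicitly is returned even when it is operational.
function selectAttributes(entry, opts) {
  const requested = opts.attributes || [];
  const wantAllUser = requested.length === 0 || requested.includes('*');
  const raw = {};
  for (const [name, attr] of Object.entries(entry.attrs)) {
    if ((wantAllUser && !attr.operational) || requested.includes(name)) {
      raw[name] = attr.value;
    }
  }
  return raw;
}

// What profileMapper.js would see in raw_data for a given configuration.
function rawDataFor(extraAttributes) {
  const opts = buildSearchOptions('(sAMAccountName=jdoe)', extraAttributes);
  return selectAttributes(SAMPLE_ENTRY, opts);
}
```

Calling rawDataFor([]) reproduces the reported symptom (no ‘sample-attribute’ key), while rawDataFor(['sample-attribute']) returns it alongside the user attributes.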