rapid7 · igorski-r7 · Jan 8, 2024 · Jan 5, 2024
diff --git a/plugins/active_directory_ldap/.CHECKSUM b/plugins/active_directory_ldap/.CHECKSUM
@@ -1,7 +1,7 @@
 {
-	"spec": "d5dfdb03974651b69e5a02256df71e03",
-	"manifest": "5d016144fec71b932d8182d5c1a7f81d",
-	"setup": "def3e06498eabadbc9aaa7270aff8be6",
+	"spec": "7ccbd3e54069b451819765d331a5e422",
+	"manifest": "eec2dabd6adf20679bf09da7cda157b5",
+	"setup": "c2867f07c815fafae59884272249fe1e",
 	"schemas": [
 		{
 			"identifier": "add_user/schema.py",

diff --git a/plugins/active_directory_ldap/Dockerfile b/plugins/active_directory_ldap/Dockerfile
@@ -1,4 +1,4 @@
-FROM rapid7/insightconnect-python-3-38-plugin:5
+FROM --platform=linux/amd64 rapid7/insightconnect-python-3-slim-plugin:5
 
 LABEL organization=rapid7
 LABEL sdk=python

diff --git a/plugins/active_directory_ldap/bin/komand_active_directory_ldap b/plugins/active_directory_ldap/bin/komand_active_directory_ldap
@@ -6,7 +6,7 @@ from sys import argv
 
 Name = "Active Directory LDAP"
 Vendor = "rapid7"
-Version = "9.0.0"
+Version = "9.0.1"
 Description = "This plugin utilizes Microsoft's Active Directory service to create and manage domains, users, and objects within a network"
 
 

diff --git a/plugins/active_directory_ldap/help.md b/plugins/active_directory_ldap/help.md
@@ -57,7 +57,7 @@ Example input:
 
 #### Add User
 
-Adds the specified Active Directory user
+This action is used to add the specified Active Directory user
 
 ##### Input
 
@@ -107,7 +107,7 @@ Example output:
 
 #### Delete
 
-Deletes the LDAP object specified
+This action is used to delete the LDAP object specified
 
 ##### Input
 
@@ -139,7 +139,7 @@ Example output:
 
 #### Disable User
 
-Disable an account
+This action is used to disable an account
 
 ##### Input
 
@@ -171,7 +171,7 @@ Example output:
 
 #### Disable Users
 
-Disable multiple accounts
+This action is used to disable multiple accounts
 
 ##### Input
 
@@ -214,7 +214,7 @@ Example output:
 
 #### Enable User
 
-Enable an account
+This action is used to enable an account
 
 ##### Input
 
@@ -246,7 +246,7 @@ Example output:
 
 #### Enable Users
 
-Enable multiple accounts
+This action is used to enable multiple accounts
 
 ##### Input
 
@@ -289,7 +289,7 @@ Example output:
 
 #### Force Password Reset
 
-Force a user to reset their password on next login
+This action is used to force a user to reset their password on next login
 
 ##### Input
 
@@ -321,7 +321,7 @@ Example output:
 
 #### Add or Remove an Object from Group
 
-Add or remove an object from an Active Directory group
+This action is used to add or remove an object from an Active Directory group
 
 ##### Input
 
@@ -357,7 +357,7 @@ Example output:
 
 #### Modify Object
 
-Modify the attributes for an Active Directory object
+This action is used to modify the attributes for an Active Directory object
 
 ##### Input
 
@@ -393,7 +393,7 @@ Example output:
 
 #### Move Object
 
-Move an Active Directory object from one organizational unit to another
+This action is used to move an Active Directory object from one organizational unit to another
 
 ##### Input
 
@@ -427,7 +427,7 @@ Example output:
 
 #### Query
 
-Run an LDAP query
+This action is used to run an LDAP query
 
 ##### Input
 
@@ -455,7 +455,7 @@ Example input:
 |Name|Type|Required|Description|Example|
 | :--- | :--- | :--- | :--- | :--- |
 |count|integer|False|Number of results|1|
-|results|[]result|False|Results returned|[ { "dn": string, "attributes": { "pwdLastSet": date, "objectClass": [ string, string, string, string ], "memberOf": [ string ], "sAMAccountType": int, "uSNChanged": int, "givenName": string, "userPrincipalName": string, "countryCode": int, "lastLogon": date, "sAMAccountName": string, "name": string, "primaryGroupID": int, "dSCorePropagationData": [ date ], "displayName": string, "logonCount": int, "cn": string, "objectSid": string, "codePage": int, "badPwdCount": int, "objectGUID": string, "distinguishedName": string, "whenChanged": date, "badPasswordTime": date, "instanceType": int, "uSNCreated": int, "sn": string, "whenCreated": date, "accountExpires": date, "userAccountControl": int, "lastLogoff": date, "objectCategory": "string" } } ]|
+|results|[]result|False|Results returned|[{"dn":"string","attributes":{"pwdLastSet":"date","objectClass":["string","string","string","string"],"memberOf":["string"],"sAMAccountType":"int","uSNChanged":"int","givenName":"string","userPrincipalName":"string","countryCode":"int","lastLogon":"date","sAMAccountName":"string","name":"string","primaryGroupID":"int","dSCorePropagationData":["date"],"displayName":"string","logonCount":"int","cn":"string","objectSid":"string","codePage":"int","badPwdCount":"int","objectGUID":"string","distinguishedName":"string","whenChanged":"date","badPasswordTime":"date","instanceType":"int","uSNCreated":"int","sn":"string","whenCreated":"date","accountExpires":"date","userAccountControl":"int","lastLogoff":"date","objectCategory":"string"}}]|
 
 Example output:
 
@@ -464,57 +464,57 @@ Example output:
   "count": 1,
   "results": [
     {
-      "dn": "string",
       "attributes": {
-        "pwdLastSet": "date",
+        "accountExpires": "date",
+        "badPasswordTime": "date",
+        "badPwdCount": "int",
+        "cn": "string",
+        "codePage": "int",
+        "countryCode": "int",
+        "dSCorePropagationData": [
+          "date"
+        ],
+        "displayName": "string",
+        "distinguishedName": "string",
+        "givenName": "string",
+        "instanceType": "int",
+        "lastLogoff": "date",
+        "lastLogon": "date",
+        "logonCount": "int",
+        "memberOf": [
+          "string"
+        ],
+        "name": "string",
+        "objectCategory": "string",
         "objectClass": [
           "string",
           "string",
           "string",
           "string"
         ],
-        "memberOf": [
-          "string"
-        ],
+        "objectGUID": "string",
+        "objectSid": "string",
+        "primaryGroupID": "int",
+        "pwdLastSet": "date",
+        "sAMAccountName": "string",
         "sAMAccountType": "int",
+        "sn": "string",
         "uSNChanged": "int",
-        "givenName": "string",
-        "userPrincipalName": "string",
-        "countryCode": "int",
-        "lastLogon": "date",
-        "sAMAccountName": "string",
-        "name": "string",
-        "primaryGroupID": "int",
-        "dSCorePropagationData": [
-          "date"
-        ],
-        "displayName": "string",
-        "logonCount": "int",
-        "cn": "string",
-        "objectSid": "string",
-        "codePage": "int",
-        "badPwdCount": "int",
-        "objectGUID": "string",
-        "distinguishedName": "string",
-        "whenChanged": "date",
-        "badPasswordTime": "date",
-        "instanceType": "int",
         "uSNCreated": "int",
-        "sn": "string",
-        "whenCreated": "date",
-        "accountExpires": "date",
         "userAccountControl": "int",
-        "lastLogoff": "date",
-        "objectCategory": "string"
-      }
+        "userPrincipalName": "string",
+        "whenChanged": "date",
+        "whenCreated": "date"
+      },
+      "dn": "string"
     }
   ]
 }
 ```
 
 #### Query Group Membership
 
-Return users and groups that belonging to the specific group
+This action is used to return users and groups that belonging to the specific group
 
 ##### Input
 
@@ -604,7 +604,7 @@ Example output:
 
 #### Reset Password
 
-Reset a users password
+This action is used to reset a users password
 
 ##### Input
 
@@ -638,7 +638,7 @@ Example output:
 
 #### Unlock User
 
-Unlock an account
+This action is used to unlock an account
 
 ##### Input
 
@@ -667,11 +667,9 @@ Example output:
   "success": true
 }
 ```
-
 ### Triggers
 
 *This plugin does not contain any triggers.*
-
 ### Tasks
 
 *This plugin does not contain any tasks.*
@@ -762,6 +760,7 @@ the query results, and then using the variable step $item.dn
 
 # Version History
 
+* 9.0.1 - Fix problem where some ASCII characters were not escaped properly
 * 9.0.0 - Action: `Disable User` & `Enable User` - Rename title of actions from `Disable` & `Enable` to `Disable Users` & `Enable Users` on the front-end.
 * 8.0.0 - Update actions Enable Users and Enable Users to add outputs Completed and Failed and remove output All Operations Succeeded
 * 7.0.0 - Update actions Enable Users and Enable Users to replace output Success with All Operations Succeeded True/False
@@ -809,10 +808,11 @@ the query results, and then using the variable step $item.dn
 * 1.0.0 - Revise input names, bugfixes for missing attributes and character escaping, fix security issue
 * 0.1.0 - Initial plugin
 
-
 # Links
 
 [Learn Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/)
+[AD LDAP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/3c5916a9-f1a0-429d-b937-f8fe672d777c)
+[Microsoft's Active Directory service](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx)
 
 ## References
 

diff --git a/plugins/active_directory_ldap/komand_active_directory_ldap/actions/add_user/action.py b/plugins/active_directory_ldap/komand_active_directory_ldap/actions/add_user/action.py
@@ -1,7 +1,9 @@
 import insightconnect_plugin_runtime
+from insightconnect_plugin_runtime.exceptions import PluginException
 
 # Custom imports below
 from .schema import AddUserInput, AddUserOutput, Output, Input
+from komand_active_directory_ldap.util.utils import ADUtils
 
 
 class AddUser(insightconnect_plugin_runtime.Action):
@@ -14,7 +16,7 @@ def __init__(self):
         )
 
     def run(self, params={}):
-        use_ssl = self.connection.use_ssl
+        # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
         domain_name = params.get(Input.DOMAIN_NAME)
         first_name = params.get(Input.FIRST_NAME)
         last_name = params.get(Input.LAST_NAME)
@@ -24,8 +26,9 @@ def run(self, params={}):
         password = params.get(Input.PASSWORD)
         additional_parameters = params.get(Input.ADDITIONAL_PARAMETERS)
         user_principal_name = params.get(Input.USER_PRINCIPAL_NAME)
+        # END INPUT BINDING - DO NOT REMOVE
 
-        if account_disabled or not use_ssl:
+        if account_disabled or not self.connection.use_ssl:
             user_account_control = 514
         else:
             user_account_control = 512
@@ -56,6 +59,21 @@ def run(self, params={}):
         log_parameters = parameters
         log_parameters.pop("userPassword")
         self.logger.info(log_parameters)
-        return {
-            Output.SUCCESS: self.connection.client.add_user(dn, user_account_control, use_ssl, password, parameters)
-        }
+
+        try:
+            return {
+                Output.SUCCESS: self.connection.client.add_user(
+                    dn, user_account_control, self.connection.use_ssl, password, parameters
+                )
+            }
+        except PluginException:
+            self.logger.info("Escaping non-ascii characters...")
+            return {
+                Output.SUCCESS: self.connection.client.add_user(
+                    ADUtils.escape_non_ascii_characters(dn),
+                    user_account_control,
+                    self.connection.use_ssl,
+                    password,
+                    parameters,
+                )
+            }
diff --git a/plugins/active_directory_ldap/komand_active_directory_ldap/actions/delete/action.py b/plugins/active_directory_ldap/komand_active_directory_ldap/actions/delete/action.py
@@ -1,6 +1,7 @@
 import insightconnect_plugin_runtime
 
 # Custom imports below
+from insightconnect_plugin_runtime.exceptions import PluginException
 from komand_active_directory_ldap.util.utils import ADUtils
 from .schema import DeleteInput, DeleteOutput, Output, Input
 
@@ -15,8 +16,17 @@ def __init__(self):
         )
 
     def run(self, params={}):
-        formatter = ADUtils()
-        dn = params.get(Input.DISTINGUISHED_NAME)
-        dn = formatter.format_dn(dn)[0]
-        dn = formatter.unescape_asterisk(dn)
-        return {Output.SUCCESS: self.connection.client.delete(dn)}
+        # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
+        distinguished_name = params.get(Input.DISTINGUISHED_NAME)
+        # END INPUT BINDING - DO NOT REMOVE
+
+        distinguished_name = ADUtils.format_dn(distinguished_name)[0]
+        distinguished_name = ADUtils.unescape_asterisk(distinguished_name)
+
+        try:
+            return {Output.SUCCESS: self.connection.client.delete(distinguished_name)}
+        except PluginException:
+            self.logger.info("Escaping non-ascii characters...")
+            return {
+                Output.SUCCESS: self.connection.client.delete(ADUtils.escape_non_ascii_characters(distinguished_name))
+            }
diff --git a/plugins/active_directory_ldap/komand_active_directory_ldap/actions/disable_user/action.py b/plugins/active_directory_ldap/komand_active_directory_ldap/actions/disable_user/action.py
@@ -1,7 +1,9 @@
 import insightconnect_plugin_runtime
+from insightconnect_plugin_runtime.exceptions import PluginException
 
 # Custom imports below
 from .schema import DisableUserInput, DisableUserOutput, Input, Output
+from komand_active_directory_ldap.util.utils import ADUtils
 
 
 class DisableUser(insightconnect_plugin_runtime.Action):
@@ -14,4 +16,16 @@ def __init__(self):
         )
 
     def run(self, params={}):
-        return {Output.SUCCESS: self.connection.client.manage_user(params.get(Input.DISTINGUISHED_NAME), False)}
+        # START INPUT BINDING - DO NOT REMOVE - ANY INPUTS BELOW WILL UPDATE WITH YOUR PLUGIN SPEC AFTER REGENERATION
+        distinguished_name = params.get(Input.DISTINGUISHED_NAME)
+        # END INPUT BINDING - DO NOT REMOVE
+
+        try:
+            return {Output.SUCCESS: self.connection.client.manage_user(distinguished_name, False)}
+        except PluginException:
+            self.logger.info("Escaping non-ascii characters...")
+            return {
+                Output.SUCCESS: self.connection.client.manage_user(
+                    ADUtils.escape_non_ascii_characters(distinguished_name), False
+                )
+            }