DSGVO und LDAP fix

services/ldap-service.js

@@ -479,11 +479,44 @@ class LDAPService {
         });
   }
 
+  /**
+   * DN-Unescaping für Active Directory
+   * 
+   * AD liefert DNs mit hex-escaped UTF-8 (z.B. \c3\9f für ß).
+   * Für Bind erwartet AD die unescaped UTF-8-Form.
+   * Siehe: https://github.com/ldapjs/node-ldapjs/issues/968
+   */
+  static unescapeLdapDN(dn) {
+    if (!dn || typeof dn !== 'string') return dn;
+    let result = '';
+    let bytes = [];
+    let i = 0;
+    while (i < dn.length) {
+      if (dn[i] === '\\' && i + 2 < dn.length && /^[0-9a-fA-F]{2}$/.test(dn.slice(i + 1, i + 3))) {
+        bytes.push(parseInt(dn.slice(i + 1, i + 3), 16));
+        i += 3;
+      } else {
+        if (bytes.length > 0) {
+          result += Buffer.from(bytes).toString('utf8');
+          bytes = [];
+        }
+        result += dn[i];
+        i++;
+      }
+    }
+    if (bytes.length > 0) {
+      result += Buffer.from(bytes).toString('utf8');
+    }
+    return result;
+  }
+
   /**
    * LDAP Bind durchführen (Passwort-Authentifizierung)
    */
   static performBind(config, userDN, password, canonicalUsername, callback) {
-    console.log('[LDAP] Attempting bind with userDN:', userDN);
+    // DN unescapen: AD liefert hex-escaped (z.B. \c3\9f), Bind benötigt echte UTF-8 (ß)
+    const bindDN = this.unescapeLdapDN(userDN);
+    console.log('[LDAP] Attempting bind with userDN:', bindDN);
     
     const authClient = ldap.createClient({
       url: config.url,
@@ -497,7 +530,7 @@ class LDAPService {
       callback(err, false);
     });
 
-    authClient.bind(userDN, password, (err) => {
+    authClient.bind(bindDN, password, (err) => {
       authClient.unbind();
       if (err) {
         const errorMsg = err.message || String(err);