
LDAP Bad search filter (-7) error when CN has a comma in it (fix included) #224

Open
drewferagen opened this issue Aug 23, 2019 · 2 comments · May be fixed by #239

Comments


drewferagen commented Aug 23, 2019

So I ran into an issue with this auth module. When the user logging in has a CN with a comma, aka CN="Lastname, Firstname", the result returns it escaped like CN="Lastname\, Firstname".

Now when the group filter is created it has a slash in there, but to work it needs a \5c instead, which is the ASCII for \. I modified the source to change that character in the userdn and it started working for me.

I attached my code change; you will probably want to rewrite it, as I am not very experienced in C.
diff.txt


nskalis commented Oct 21, 2019

Thank you for this. I tried your way, but unfortunately it didn't work for me.
Do you mind checking for any diff between my version and yours?
Please find it attached.
ngx_http_auth_ldap_module.c.zip

drewferagen (Author) commented

I checked and that code matches the changes that I had made. I compiled my nginx with debug turned on and set up the error_log to debug.

Before I would get the search error, and now with the changes I made I get this:
2019/10/24 09:24:57 [debug] 3386#0: *58 http_auth_ldap: Search group filter is "(&(cn=ldapgroup)(member=CN=Feragen\5c, Andrew,OU=Users,OU=User Accounts,DC=domain,DC=org))"
2019/10/24 09:24:57 [debug] 3386#0: *58 http_auth_ldap: ldap_search_ext() -> msgid=3

Before, at the group search phase it would have a \ instead of \5c and fail with a -7 error.

When testing I did an ldapsearch command with that same filter. I suggest turning on debugging, seeing what filter it was using when it fails, and trying to replicate the search with ldapsearch to see what is broken with it.

onovy added a commit to seznam/nginx-auth-ldap that referenced this issue Jun 10, 2020
When username contains any special character (parentheses, asterisk, ...)
user search will fail.

When returned DN of user contains any escaped character (for example ",")
group filter will fail.

Example:
(&(CN=group)(member=CN=dummy\, dummy2,OU=ou,DC=dc))"

Which is wrong and doesn't work with Active Directory.

Correct is:
(&(CN=group)(member=CN=dummy\5C, dummy2,OU=ou,DC=dc))"

This patch fixes both of these bugs by using ldap_bv2escaped_filter_value
from the LDAP client to escape all filter values.

See: https://tools.ietf.org/search/rfc2254#page-5
Fix: kvspb#224 kvspb#180
@onovy onovy linked a pull request Jun 10, 2020 that will close this issue
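An added example, not code from the nginx-auth-ldap module or from this thread, of the escaping the commit message describes: a hand-written RFC 2254 filter-value escaper that stands in for ldap_bv2escaped_filter_value(), used to build the group filter from the kind of DN shown in the debug log above. The function names, buffer sizes and the sample DN are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Escape one LDAP filter assertion value per RFC 2254 section 4 (RFC 4515):
 * '*', '(', ')', '\' and NUL become "\XX" with two hex digits, so a DN that
 * the directory returned as "CN=Last\, First" becomes "CN=Last\5c, First".
 * Returns the escaped length, or -1 if out_size cannot hold it plus NUL.
 * Hypothetical stand-in for ldap_bv2escaped_filter_value(), not a copy. */
int ldap_filter_escape(const char *in, size_t in_len, char *out, size_t out_size)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0');
        size_t need = special ? 3 : 1;
        if (o + need >= out_size)          /* leave room for the terminator */
            return -1;
        if (special) {
            out[o++] = '\\';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build "(&(cn=GROUP)(member=USERDN))" with both values escaped, so neither a
 * username with parentheses nor a DN with an escaped comma breaks the filter.
 * Returns 0 on success, -1 if any buffer is too small. */
int build_group_filter(const char *group, const char *user_dn,
                       char *buf, size_t buf_size)
{
    char g[256], d[512];
    if (ldap_filter_escape(group, strlen(group), g, sizeof g) < 0) return -1;
    if (ldap_filter_escape(user_dn, strlen(user_dn), d, sizeof d) < 0) return -1;
    int n = snprintf(buf, buf_size, "(&(cn=%s)(member=%s))", g, d);
    return (n < 0 || (size_t)n >= buf_size) ? -1 : 0;
}

int main(void)
{
    /* Constructed DN: the directory returns the comma in the CN as "\," */
    const char *dn = "CN=Feragen\\, Andrew,OU=Users,DC=domain,DC=org";
    char filter[1024];
    if (build_group_filter("ldapgroup", dn, filter, sizeof filter) == 0)
        printf("%s\n", filter);
    return 0;
}
```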