LDAP Bad search filter (-7) error when CN has a comma in it (fix included) #224
Comments
Thank you for this. I tried your way, but unfortunately it didn't work for me.
I checked and that code matches the changes that I had made. I compiled my nginx with debug turned on and set up the error_log to debug. Before, I would get the search error, and now with the changes I made I get this: Before, at the group search phase, it would have a \ instead of \5c and fail with a -7 error. When testing I did an ldapsearch command with that same filter. I suggest turning on debugging to see what filter it was using when it fails, and trying to replicate the search with ldapsearch to see what is broken with it.
When the username contains any special character (parentheses, asterisk, ...) the user search will fail. When the returned DN of the user contains any escaped character (for example ",") the group filter will fail. Example: (&(CN=group)(member=CN=dummy\, dummy2,OU=ou,DC=dc)) which is wrong and doesn't work with Active Directory. Correct is: (&(CN=group)(member=CN=dummy\5C, dummy2,OU=ou,DC=dc)) This patch fixes both of these bugs by using ldap_bv2escaped_filter_value from the LDAP client to escape all of the filter values. See: https://tools.ietf.org/search/rfc2254#page-5 Fix: kvspb#224 kvspb#180
So I ran into an issue with this auth module. When the user logging in has a CN with a comma, aka CN="Lastname, Firstname", the result returns it escaped like CN="Lastname\, Firstname".
Now when the group filter is created it has a slash in there, but to work it needs a \5c instead, which is the ASCII for \. I modified the source to change that character in the userdn and it started working for me.
I attached my code change; you will probably want to rewrite it, as I am not very experienced in C.
diff.txt
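As an added example (not the module's code, the attached diff, or the pull request), a stand-alone C escaper that applies the RFC 4515 filter-value rule which ldap_bv2escaped_filter_value implements, spliced into the group filter shape from the issue; the function names ldap_filter_escape and build_group_filter are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one LDAP filter value per RFC 4515 section 3 (same rule as the
 * RFC 2254 text cited above): '\', '*', '(' and ')' become a backslash
 * followed by two hex digits. NUL cannot occur in a C string, so it is
 * not handled here. Returns a malloc'd string the caller frees, or NULL. */
char *ldap_filter_escape(const char *value) {
    size_t len = strlen(value);
    char *out = malloc(len * 3 + 1);  /* worst case: every byte -> 3 chars */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        switch (value[i]) {
        case '\\': memcpy(p, "\\5c", 3); p += 3; break;
        case '*':  memcpy(p, "\\2a", 3); p += 3; break;
        case '(':  memcpy(p, "\\28", 3); p += 3; break;
        case ')':  memcpy(p, "\\29", 3); p += 3; break;
        default:   *p++ = value[i];     break;
        }
    }
    *p = '\0';
    return out;
}

/* Build the group-membership filter from the issue, escaping the group CN
 * and the user DN returned by the user search before they are spliced in.
 * The backslash in "CN=dummy\, dummy2" becomes "\5c", as the issue describes.
 * Caller frees the result; NULL on allocation failure. */
char *build_group_filter(const char *group_cn, const char *user_dn) {
    char *cn = ldap_filter_escape(group_cn);
    char *dn = ldap_filter_escape(user_dn);
    char *filter = NULL;
    if (cn && dn) {
        size_t n = strlen(cn) + strlen(dn) + sizeof("(&(CN=)(member=))");
        filter = malloc(n);
        if (filter) snprintf(filter, n, "(&(CN=%s)(member=%s))", cn, dn);
    }
    free(cn);
    free(dn);
    return filter;
}

int main(void) {
    /* Constructed sample: the DN as the user search returns it in the issue. */
    char *f = build_group_filter("group", "CN=dummy\\, dummy2,OU=ou,DC=dc");
    puts(f ? f : "allocation failed");
    free(f);
    return 0;
}
```

Hex digit case does not matter in RFC 4515: the \5c produced here and the \5C in the pull request are the same escape.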