From 4d12cd6eacd49752cefb34d79053ff1ec6ea2d84 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Wed, 20 Mar 2024 12:30:46 +0100 Subject: [PATCH 1/2] fix(LDAP): escape DN on check-user the DN has to be escaped differently when used as a base and we were missing it here in the search method call in the check-user command. Signed-off-by: Arthur Schiwon --- apps/user_ldap/lib/Command/CheckUser.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php index 1174408cb4923..9bff10441f1e5 100644 --- a/apps/user_ldap/lib/Command/CheckUser.php +++ b/apps/user_ldap/lib/Command/CheckUser.php @@ -144,7 +144,8 @@ private function updateUser(string $uid, OutputInterface $output): void { $attrs = $access->userManager->getAttributes(); $user = $access->userManager->get($uid); $avatarAttributes = $access->getConnection()->resolveRule('avatar'); - $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); + $baseDn = $this->helper->DNasBaseParameter($user->getDN()); + $result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0); foreach ($result[0] as $attribute => $valueSet) { $output->writeln(' ' . $attribute . ': '); foreach ($valueSet as $value) { From a5acdf24ed2f114beb6ddf1c272302c281176101 Mon Sep 17 00:00:00 2001 From: Arthur Schiwon Date: Fri, 5 Apr 2024 16:47:55 +0200 Subject: [PATCH 2/2] docs(LDAP): add info on stored DN form Signed-off-by: Arthur Schiwon --- apps/user_ldap/lib/Access.php | 4 ++++ apps/user_ldap/lib/Helper.php | 15 +++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index b6c5386fe6263..c9f449d29f188 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -279,6 +279,8 @@ public function executeRead(string $dn, string $attribute, string $filter) { * Normalizes a result grom getAttributes(), i.e. handles DNs and binary * data if present. * + * DN values are escaped as per RFC 2253 + * * @param array $result from ILDAPWrapper::getAttributes() * @param string $attribute the attribute name that was read * @return string[] @@ -1260,6 +1262,8 @@ private function countEntriesInSearchResults($sr): int { /** * Executes an LDAP search * + * DN values in the result set are escaped as per RFC 2253 + * * @throws ServerNotAvailableException */ public function search( diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php index 057a12cc0b50a..b9e5405d014a5 100644 --- a/apps/user_ldap/lib/Helper.php +++ b/apps/user_ldap/lib/Helper.php @@ -206,6 +206,21 @@ public function getDomainFromURL($url) { /** * sanitizes a DN received from the LDAP server * + * This is used and done to have a stable format of DNs that can be compared + * and identified again. The input DN value is modified as following: + * + * 1) whitespaces after commas are removed + * 2) the DN is turned to lower-case + * 3) the DN is escaped according to RFC 2253 + * + * When a future DN is supposed to be used as a base parameter, it has to be + * run through DNasBaseParameter() first, to recode \5c into a backslash + * again, otherwise the search or read operation will fail with LDAP error + * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash + * being escaped, however. + * + * Internally, DNs are stored in their sanitized form. + * * @param array|string $dn the DN in question * @return array|string the sanitized DN */