diff options
| author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2024-04-10 12:02:13 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-04-10 12:02:13 +0200 |
| commit | e70cf9c14b2fd53ad47452f1b95ad46fce90155b (patch) | |
| tree | 783a1aa8a39f3c8d76645ace6abcdf3d755a7e2d | |
| parent | 640d2bcfec25803bc083fa84b3561f4c68a12b85 (diff) | |
| parent | 55d3a2af9ef502244d36f5cf415aa3faad6914e1 (diff) | |
| download | nextcloud-server-e70cf9c14b2fd53ad47452f1b95ad46fce90155b.tar.gz nextcloud-server-e70cf9c14b2fd53ad47452f1b95ad46fce90155b.zip | |
Merge pull request #44350 from nextcloud/fix/noid/ldap-check-user-escape
fix(LDAP): escape DN on check-user
| -rw-r--r-- | apps/user_ldap/lib/Access.php | 4 | ||||
| -rw-r--r-- | apps/user_ldap/lib/Command/CheckUser.php | 3 | ||||
| -rw-r--r-- | apps/user_ldap/lib/Helper.php | 15 |
3 files changed, 21 insertions, 1 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php index a51dfc3b349..931da301400 100644 --- a/apps/user_ldap/lib/Access.php +++ b/apps/user_ldap/lib/Access.php @@ -279,6 +279,8 @@ class Access extends LDAPUtility { * Normalizes a result grom getAttributes(), i.e. handles DNs and binary * data if present. * + * DN values are escaped as per RFC 2253 + * * @param array $result from ILDAPWrapper::getAttributes() * @param string $attribute the attribute name that was read * @return string[] @@ -1260,6 +1262,8 @@ class Access extends LDAPUtility { /** * Executes an LDAP search * + * DN values in the result set are escaped as per RFC 2253 + * * @throws ServerNotAvailableException */ public function search( diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php index 8805d494800..4e9fefd9b55 100644 --- a/apps/user_ldap/lib/Command/CheckUser.php +++ b/apps/user_ldap/lib/Command/CheckUser.php @@ -138,7 +138,8 @@ class CheckUser extends Command { $attrs = $access->userManager->getAttributes(); $user = $access->userManager->get($uid); $avatarAttributes = $access->getConnection()->resolveRule('avatar'); - $result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0); + $baseDn = $this->helper->DNasBaseParameter($user->getDN()); + $result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0); foreach ($result[0] as $attribute => $valueSet) { $output->writeln(' ' . $attribute . ': '); foreach ($valueSet as $value) { diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php index 057a12cc0b5..b9e5405d014 100644 --- a/apps/user_ldap/lib/Helper.php +++ b/apps/user_ldap/lib/Helper.php @@ -206,6 +206,21 @@ class Helper { /** * sanitizes a DN received from the LDAP server * + * This is used and done to have a stable format of DNs that can be compared + * and identified again. The input DN value is modified as following: + * + * 1) whitespaces after commas are removed + * 2) the DN is turned to lower-case + * 3) the DN is escaped according to RFC 2253 + * + * When a future DN is supposed to be used as a base parameter, it has to be + * run through DNasBaseParameter() first, to recode \5c into a backslash + * again, otherwise the search or read operation will fail with LDAP error + * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash + * being escaped, however. + * + * Internally, DNs are stored in their sanitized form. + * * @param array|string $dn the DN in question * @return array|string the sanitized DN */ |