author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2024-04-11 15:52:59 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-11 15:52:59 +0200 |
commit | c90389af6bda5a806c8db73b75936e70370cf93c (patch) | |
tree | 384ac59a7a9831384ba4f97ff7ecc5a5c13b672a | |
parent | 0c56331611c05a7ed1697f843abda54cf4ea5fe8 (diff) | |
parent | ee59d6c7dcc77df8fc357c6852d46f5a442e8b3d (diff) | |
download | nextcloud-server-c90389af6bda5a806c8db73b75936e70370cf93c.tar.gz nextcloud-server-c90389af6bda5a806c8db73b75936e70370cf93c.zip |
Merge pull request #44766 from nextcloud/backport/44350/stable27
[stable27] fix(LDAP): escape DN on check-user
-rw-r--r-- | apps/user_ldap/lib/Access.php | 4 | ||||
-rw-r--r-- | apps/user_ldap/lib/Command/CheckUser.php | 3 | ||||
-rw-r--r-- | apps/user_ldap/lib/Helper.php | 15 |
3 files changed, 21 insertions, 1 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index bd6a48813ce..d0806e786b6 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -279,6 +279,8 @@ class Access extends LDAPUtility {
 * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
 * data if present.
 *
+ * DN values are escaped as per RFC 2253
+ *
 * @param array $result from ILDAPWrapper::getAttributes()
 * @param string $attribute the attribute name that was read
 * @return string[]
@@ -1260,6 +1262,8 @@ class Access extends LDAPUtility {
 /**
 * Executes an LDAP search
 *
+ * DN values in the result set are escaped as per RFC 2253
+ *
 * @throws ServerNotAvailableException
 */
 public function search(
diff --git a/apps/user_ldap/lib/Command/CheckUser.php b/apps/user_ldap/lib/Command/CheckUser.php
index 6ccfc9c19ea..72a3220868a 100644
--- a/apps/user_ldap/lib/Command/CheckUser.php
+++ b/apps/user_ldap/lib/Command/CheckUser.php
@@ -144,7 +144,8 @@ class CheckUser extends Command {
 $attrs = $access->userManager->getAttributes();
 $user = $access->userManager->get($uid);
 $avatarAttributes = $access->getConnection()->resolveRule('avatar');
-$result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0);
+$baseDn = $this->helper->DNasBaseParameter($user->getDN());
+$result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0);
 foreach ($result[0] as $attribute => $valueSet) {
 $output->writeln('  ' . $attribute . ': ');
 foreach ($valueSet as $value) {
diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php
index 6668338d195..12491d1db76 100644
--- a/apps/user_ldap/lib/Helper.php
+++ b/apps/user_ldap/lib/Helper.php
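Review bot: The added docblock line `DN values are escaped as per RFC 2253` in the first Access.php hunk states the format but not what a caller has to do with it, which is the whole reason for this backport; the same applies to the second Access.php hunk above `search(`. Suggest extending it to `* DN values are escaped as per RFC 2253 (Helper::sanitizeDN()); recode a DN with Helper::DNasBaseParameter() before passing it as a search base`, so the contract is discoverable from the method that produces the value and not only from Helper. Both hunks cover docblocks only; the method bodies are outside the hunks, so I cannot confirm where the escaping call sits.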
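Review bot: The new `$baseDn` line recodes the stored DN without saying why, so the hunk reads like a plain rename of the search base; a one-line comment above it such as `// stored user DNs are RFC 2253-escaped; a search base needs the recoded form (LDAP error 32 otherwise)` would preserve the reasoning behind this fix. The new code still calls `$user->getDN()` directly after `$access->userManager->get($uid)` with no null check visible in the hunk; if `get()` can return null for an unknown uid, an unchecked-DN search becomes an uncaught Error instead of a clear message — presumably a guard exists earlier in the method, which starts and ends outside the hunk. I assume `$this->helper` is the injected Helper instance already used elsewhere in this command; if it is newly required, the constructor change is not part of this diff.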
@@ -206,6 +206,21 @@ class Helper {
 /**
 * sanitizes a DN received from the LDAP server
 *
+ * This is used and done to have a stable format of DNs that can be compared
+ * and identified again. The input DN value is modified as following:
+ *
+ * 1) whitespaces after commas are removed
+ * 2) the DN is turned to lower-case
+ * 3) the DN is escaped according to RFC 2253
+ *
+ * When a future DN is supposed to be used as a base parameter, it has to be
+ * run through DNasBaseParameter() first, to recode \5c into a backslash
+ * again, otherwise the search or read operation will fail with LDAP error
+ * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash
+ * being escaped, however.
+ *
+ * Internally, DNs are stored in their sanitized form.
+ *
 * @param array|string $dn the DN in question
 * @return array|string the sanitized DN
 */ |
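Review bot: The added docblock references `DNasBaseParameter()` in prose only; a `* @see Helper::DNasBaseParameter()` tag next to the existing `@param`/`@return` lines would let IDEs and static analysers link the two halves of the escape/recode contract. Wording in the new lines: `modified as following:` should read `modified as follows:`. The existing `@param array|string $dn` means arrays are accepted, but the new text describes only a single DN; a sentence stating whether array inputs are sanitized element-wise would complete the contract, if that is what the body does — the function body is outside the hunk, so I cannot confirm it or which escaping call implements step 3.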