authorArthur Schiwon <blizzz@arthur-schiwon.de>2024-04-05 16:47:55 +0200
committerArthur Schiwon <blizzz@arthur-schiwon.de>2024-04-05 16:47:55 +0200
commit55d3a2af9ef502244d36f5cf415aa3faad6914e1 (patch)
tree01a5abc4d07d7fff0e998119e18a354767b2b85e /apps/user_ldap
parent659125b3950e7d97cbc8721e9fd5b560e6d41b67 (diff)
docs(LDAP): add info on stored DN form
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
Diffstat (limited to 'apps/user_ldap')
-rw-r--r--apps/user_ldap/lib/Access.php4
-rw-r--r--apps/user_ldap/lib/Helper.php15
2 files changed, 19 insertions, 0 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index a51dfc3b349..931da301400 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -279,6 +279,8 @@ class Access extends LDAPUtility {
* Normalizes a result grom getAttributes(), i.e. handles DNs and binary
* data if present.
*
+ * DN values are escaped as per RFC 2253
+ *
* @param array $result from ILDAPWrapper::getAttributes()
* @param string $attribute the attribute name that was read
* @return string[]
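Review bot: The added line `DN values are escaped as per RFC 2253` describes only part of what callers will see, because the Helper.php hunk in this same commit documents that sanitized DNs are also lower-cased and stripped of whitespace after commas; a reader comparing a raw DN from the directory against a value returned here will be surprised by the case change before the escaping. If the values indeed pass through Helper::sanitizeDN() (not visible in this hunk), the docblock should point there so the full contract lives in one place, e.g. `* DN values are returned in sanitized form (lower-cased, escaped as per RFC 2253; see Helper::sanitizeDN())`. The same wording applies to the search() docblock in the second hunk of this file. The method this docblock belongs to starts outside the hunk.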
@@ -1260,6 +1262,8 @@ class Access extends LDAPUtility {
/**
* Executes an LDAP search
*
+ * DN values in the result set are escaped as per RFC 2253
+ *
* @throws ServerNotAvailableException
*/
public function search(
diff --git a/apps/user_ldap/lib/Helper.php b/apps/user_ldap/lib/Helper.php
index 057a12cc0b5..b9e5405d014 100644
--- a/apps/user_ldap/lib/Helper.php
+++ b/apps/user_ldap/lib/Helper.php
@@ -206,6 +206,21 @@ class Helper {
/**
* sanitizes a DN received from the LDAP server
*
+ * This is used and done to have a stable format of DNs that can be compared
+ * and identified again. The input DN value is modified as following:
+ *
+ * 1) whitespaces after commas are removed
+ * 2) the DN is turned to lower-case
+ * 3) the DN is escaped according to RFC 2253
+ *
+ * When a future DN is supposed to be used as a base parameter, it has to be
+ * run through DNasBaseParameter() first, to recode \5c into a backslash
+ * again, otherwise the search or read operation will fail with LDAP error
+ * 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash
+ * being escaped, however.
+ *
+ * Internally, DNs are stored in their sanitized form.
+ *
* @param array|string $dn the DN in question
* @return array|string the sanitized DN
*/
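Review bot: The new paragraph explains that `\5c` must be recoded before a DN is used as a search base, but it does not state the other half of the contract that matters for safety: the escaped form is what must be used whenever a DN is interpolated into an LDAP filter, since unescaping it there would let special characters in the DN alter the filter. I would make the distinction explicit in the paragraph starting at `When a future DN is supposed to be used as a base parameter`, and replace "future DN" with `When a sanitized DN is later used as a base parameter`, since "future" reads as a typo. Two smaller points: RFC 2253 has been obsoleted by RFC 4514, so citing the current RFC saves readers from checking superseded escaping rules, and because `$dn` may be an array it is worth a sentence saying the steps apply to each element. The method this docblock belongs to starts after the hunk.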