Zeppelin / ZEPPELIN-4020

User DN not escaped if enabled support for nested groups (ldapRealm)


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.8.0
    • Fix Version/s: None
    • Component/s: security
    • Labels: None

      Description

      Hi!
      We use ldapRealm and need nested groups.
      Our shiro.ini config contains:

      ldapRealm.groupSearchEnableMatchingRuleInChain = true


      We have an issue: groups are not returned if the CN contains a backslash.

      Example:

      ...
      DEBUG [2019-02-25 21:12:01,986] ({qtp1509563803-15} LdapRealm.java[getUserDn]:942) - SearchBase,SearchFilter,UserSearchScope: OU=Main,DC=COMPANY,DC=ru,((((objectclass=person)(sAMAccountName=ilya.makarov)),subtree
      DEBUG [2019-02-25 21:12:01,997] ({qtp1509563803-15} LdapRealm.java[getUserDn]:951) - UserDN Returned,Principal: CN=Makarov\, Ilya,OU=Main,DC=COMPANY,DC=ru,ilya.makarov
      DEBUG [2019-02-25 21:12:01,997] ({qtp1509563803-15} LdapRealm.java[rolesFor]:358) - Ldap PagingSize: 100
      DEBUG [2019-02-25 21:12:02,001] ({qtp1509563803-15} LdapRealm.java[rolesFor]:445) - User RoleNames: ilya.makarov::[]
      DEBUG [2019-02-25 21:12:02,001] ({qtp1509563803-15} LdapRealm.java[queryForAuthorizationInfo]:297) - RolesNames Authorization: []


      If we debug it with strace:

      10487 sendto(233, "0\201\377\2\1\5c\201\271\4'OU=DWH,OU=Resources,OU=Main,DC=COMPANY,DC=en\n\1\2\n\1\3\2\1\0\2\1\0\1\1\0\240}\243\24\4\vobjectClass\4\5group\251e\201\0271.2.840.113556.1.4.1941\202\6member\203?CN=Makarov, Ilya,OU=Main,DC=COMPANY,DC=en\204\1\0000\0\240>0!\4\0261.2.840.113556.1.4.319\4\0070\5\2\1d\4\0000\31\4\0272.16.840.1.113730.3.4.2", 258, 0, NULL, 0) = 258
      12676 <... recvfrom resumed> "0\204\0\0\0A\2\1\5e\204\0\0\0\7\n\1\0\4\0\4\0\240\204\0\0\0+0\204\0\0\0%\4\0261.2.840.113556.1.4.319\4\v0\204\0\0\0\5\2\1\0\4\0", 8192, 0, NULL, NULL) = 71


      Sent: `CN=Makarov, Ilya..`

      But according to the doc (https://docs.microsoft.com/ru-ru/windows/desktop/ADSI/search-filter-syntax#special-characters),
      the backslash `\` should be replaced with `\5c`. (The backslash was lost and not properly escaped.)

      The following ldapsearch command successfully returns the groups:

      ldapsearch -H ldap://ldap.COMPANY.ru:389 -D ad-test@COMPANY.ru -W -b "OU=DWH,OU=Resources,OU=Main,DC=COMPANY,DC=ru" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Makarov\5c, Ilya,OU=Main,DC=COMPANY,DC=ru))' cn
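The root cause described in the ticket is a mix-up of two escaping layers: the DN returned by the user search is RFC 4514 encoded (the comma inside the CN appears as `\,`), but an assertion value inside an RFC 4515 search filter needs its own escaping, in which the backslash itself becomes `\5c`. The following Python is an added illustration, not code from the Zeppelin or Shiro projects: it shows the filter as the report's debug output implies it was sent, the correctly escaped filter that matches the working ldapsearch command above, and a pre-flight check that flags a bare backslash before the filter leaves the application. The DN value is constructed from the log lines in the ticket.

```python
# Added example (not Zeppelin/Shiro code): RFC 4515 escaping for a user DN that is
# interpolated into an LDAP search filter, as in the LDAP_MATCHING_RULE_IN_CHAIN
# (1.2.840.113556.1.4.1941) member lookup from the report.
import re

# RFC 4515 section 3: these bytes must be written as \XX inside an assertion value.
_FILTER_SPECIAL = b'*()\\\x00'

# A backslash not followed by two hex digits is not a valid filter escape; it is
# exactly the "Makarov\, Ilya" form that the server dropped in the report.
_INVALID_ESCAPE = re.compile(r'\\(?![0-9A-Fa-f]{2})')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    The DN coming back from the user search is RFC 4514 encoded, so the comma
    in the CN is already "\\,". Embedding that DN in a filter is a second,
    different layer: the backslash itself must become "\\5c". Bytes outside
    printable ASCII are emitted as \\XX escapes of their UTF-8 encoding.
    """
    out = []
    for b in value.encode('utf-8'):
        if b in _FILTER_SPECIAL or b < 0x20 or b > 0x7e:
            out.append('\\%02x' % b)
        else:
            out.append(chr(b))
    return ''.join(out)


def nested_group_filter(user_dn: str) -> str:
    """Build the transitive-membership filter used by the ldapsearch command in
    the report, escaping the DN before interpolating it."""
    return ('(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))'
            % escape_filter_value(user_dn))


def has_invalid_escape(ldap_filter: str) -> bool:
    """Pre-flight check: True if the filter contains a bare backslash (not \\XX).
    Usable as a guard before sending, or over debug logs to spot this bug class."""
    return _INVALID_ESCAPE.search(ldap_filter) is not None


if __name__ == '__main__':
    # DN as logged by getUserDn in the report (constructed from the ticket text).
    user_dn = 'CN=Makarov\\, Ilya,OU=Main,DC=COMPANY,DC=ru'

    # Buggy behaviour: DN dropped into the filter verbatim, "\," survives.
    raw = '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))' % user_dn
    print('raw     :', raw, '-> invalid escape:', has_invalid_escape(raw))

    # Fixed behaviour: identical to the filter of the working ldapsearch command.
    fixed = nested_group_filter(user_dn)
    print('escaped :', fixed, '-> invalid escape:', has_invalid_escape(fixed))
```

In a Java code base the same effect is obtained without hand-rolled escaping by passing the DN as a filter argument (`DirContext.search(name, "(member:1.2.840.113556.1.4.1941:={0})", new Object[]{userDn}, controls)`), since JNDI escapes `{n}` arguments according to RFC 4515; the point of the check above is that any path that concatenates the DN into the filter string must apply that second layer itself.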

        People

        • Assignee: Unassigned
        • Reporter: e11it (Ilya Makarov)
        • Votes: 0
        • Watchers: 2