
Commit e70cf9c

Merge pull request #44350 from nextcloud/fix/noid/ldap-check-user-escape
fix(LDAP): escape DN on check-user
2 parents 640d2bc + 55d3a2a commit e70cf9c


3 files changed

+21
-1
lines changed


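--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -279,6 +279,8 @@ public function executeRead(string $dn, string $attribute, string $filter) {
 * Normalizes a result grom getAttributes(), i.e. handles DNs and binary
 * data if present.
 *
+* DN values are escaped as per RFC 2253
+*
 * @param array $result from ILDAPWrapper::getAttributes()
 * @param string $attribute the attribute name that was read
 * @return string[]
@@ -1260,6 +1262,8 @@ private function countEntriesInSearchResults($sr): int {
 /**
 * Executes an LDAP search
 *
+* DN values in the result set are escaped as per RFC 2253
+*
 * @throws ServerNotAvailableException
 */
 public function search(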
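Review bot: The new docblock sentences say that DN values are "escaped as per RFC 2253" but not what a caller must do with them, which is the very mistake this commit fixes in CheckUser; the Helper docblock in the same commit explains that the backslash is recoded to `\5c` and must be turned back before the DN is usable as a search base. I would make that explicit where the values are produced, e.g. `DN values are escaped as per RFC 2253; run them through Helper::DNasBaseParameter() before using them as a base DN for search/read.` on both of the added lines. The pre-existing typo `grom` on the context line directly above the first addition could be corrected in the same touch. The bodies of both documented methods lie outside the hunk.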

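--- a/apps/user_ldap/lib/Command/CheckUser.php
+++ b/apps/user_ldap/lib/Command/CheckUser.php
@@ -138,7 +138,8 @@ private function updateUser(string $uid, OutputInterface $output): void {
 $attrs = $access->userManager->getAttributes();
 $user = $access->userManager->get($uid);
 $avatarAttributes = $access->getConnection()->resolveRule('avatar');
-$result = $access->search('objectclass=*', $user->getDN(), $attrs, 1, 0);
+$baseDn = $this->helper->DNasBaseParameter($user->getDN());
+$result = $access->search('objectclass=*', $baseDn, $attrs, 1, 0);
 foreach ($result[0] as $attribute => $valueSet) {
 $output->writeln(' ' . $attribute . ': ');
 foreach ($valueSet as $value) {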
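Review bot: The search result is still dereferenced as `$result[0]` on the line after the new `$access->search(...)` call without checking that an entry came back; the Helper docblock in this same commit names NO_SUCH_OBJECT (LDAP error 32) as the failure mode for a mis-encoded base DN, and in that case `$result[0]` is undefined and the foreach emits a warning rather than a readable diagnostic. Assuming search() returns an array as the indexing implies, a guard before the loop would make the command's output honest: `if (empty($result)) { $output->writeln('  no entry found for ' . $baseDn); return; }`. The hunk also introduces `$this->helper`, whose injection is not visible here — worth confirming the constructor wires a Helper instance, since the command would otherwise fail at runtime rather than at analysis time. Likewise `$user` from `userManager->get($uid)` is used unguarded on the new line; if that method can return null for an unknown uid (not visible in the hunk), a null check before `getDN()` belongs here too. updateUser() begins and ends outside the hunk.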

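--- a/apps/user_ldap/lib/Helper.php
+++ b/apps/user_ldap/lib/Helper.php
@@ -206,6 +206,21 @@ public function getDomainFromURL($url) {
 /**
 * sanitizes a DN received from the LDAP server
 *
+* This is used and done to have a stable format of DNs that can be compared
+* and identified again. The input DN value is modified as following:
+*
+* 1) whitespaces after commas are removed
+* 2) the DN is turned to lower-case
+* 3) the DN is escaped according to RFC 2253
+*
+* When a future DN is supposed to be used as a base parameter, it has to be
+* run through DNasBaseParameter() first, to recode \5c into a backslash
+* again, otherwise the search or read operation will fail with LDAP error
+* 32, NO_SUCH_OBJECT. Regular usage in LDAP filters requires the backslash
+* being escaped, however.
+*
+* Internally, DNs are stored in their sanitized form.
+*
 * @param array|string $dn the DN in question
 * @return array|string the sanitized DN
 */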
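Review bot: The added docblock is the right place for this contract, but two sentences read awkwardly and one is ambiguous: "When a future DN is supposed to be used as a base parameter" should be `When a sanitized DN is later used as a base parameter`, and "modified as following" should be `modified as follows`. Step 3 says "escaped according to RFC 2253" while the later paragraph talks about recoding `\5c`; stating once that the escaping produces the hex-pair form (so a literal backslash becomes `\5c`) would tie the two paragraphs together and explain why filters accept the sanitized form but base parameters do not. The documented method's signature and body lie outside the hunk.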
