LDAP Search fails when CN contains brackets ( ) #337
Comments
Hi, are these parentheses added by the user? Or are they part of the username template?

They are part of the username standard for this particular system unfortunately - so a user's CN will be something like "Joe Bloggs (JBloggs)". All of the users' Active Directory accounts are made with this particular format.

I see, could you send me the exception stack trace please? I'd like to know which particular place is failing.

Sure:- For username_template, do you mean what I have set for the 'username_pattern' config value of the script server? - if so, I have this set to $[email protected]

Thanks! Can you try editing source code of script server locally?
replace it with:

Thanks for the suggestion. I've just tried that out and it didn't fix the issue (same error detail and behaviour). However I have changed get_entry_dn to do something similar (line 68)

    from ldap3.utils.conv import escape_filter_chars
    return escape_filter_chars(entry.entry_dn)

And now it's working - I see in the logs that the username is now displayed with \28 and \29 where the brackets would have been.

Thanks for checking! I'll try to reproduce and commit the fix (probably a couple of other places should be changed)

Hi @realroywalker, I made a fix in master.
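
The escaping discussed in the comments above, as an added example that is not script-server's or ldap3's own code: a standard-library sketch of RFC 4515 filter-value escaping (the same `\28` / `\29` output seen in the logs) with a structural check that shows why the raw DN is rejected as malformed. `group_filter`, the `member` attribute and the sample DNs are assumptions made for illustration.

```python
import re

# RFC 4515 characters that need escaping in a filter value. Backslash comes
# first so the backslashes added for the other characters are not re-escaped.
_SPECIALS = ("\\", "*", "(", ")", "\x00")

# One "(attr=value)" item: the value may hold no raw parenthesis, NUL or lone
# backslash, only ordinary characters or backslash + two hex digits.
_ITEM = re.compile(
    r"\([A-Za-z][A-Za-z0-9;.-]*=(?:[^()\\\x00]|\\[0-9A-Fa-f]{2})*\)"
)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as the value part of an LDAP search filter."""
    for ch in _SPECIALS:
        value = value.replace(ch, "\\%02x" % ord(ch))
    return value


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value (ASCII escapes only), as a server would."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def group_filter(user_dn: str, escape: bool = True) -> str:
    """Hypothetical helper: membership filter for a user's DN (assumed shape)."""
    value = escape_filter_value(user_dn) if escape else user_dn
    return "(member=%s)" % value


def is_well_formed_item(flt: str) -> bool:
    """True if flt is a single, syntactically valid (attr=value) item."""
    return _ITEM.fullmatch(flt) is not None


# Constructed sample DNs in the CN format described in the issue.
SAMPLE_DNS = [
    "CN=Test User (Test1),OU=Staff,DC=example,DC=com",
    "CN=Bloggs\\, Joe (JBloggs),OU=Staff,DC=example,DC=com",  # DN-escaped comma
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        raw, safe = group_filter(dn, escape=False), group_filter(dn)
        print("raw :", raw, "->", is_well_formed_item(raw))
        print("safe:", safe, "->", is_well_formed_item(safe))
```

With ldap3 installed, `ldap3.utils.conv.escape_filter_chars` from the comment above does this job; apply it at the point where a value is placed into a filter string, since a DN used as a search base or bind DN follows different escaping rules (RFC 4514).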

I am using LDAP auth with the script server and want to use LDAP groups for restricting access and adding to the admin role.
This works fine on another system I have, but I just tried it with a system that uses ( and ) in the CN attribute for the user, and I'm running into issues with groups not pulling back to the script server.
When I log in to script server as a user with the CN "Test User (Test1)" I see the error 'Failed to load groups for the user test user'.
I guess that the ( and ) in the CN are not getting escaped in the search filter, as it's fine if I remove those.
Last part of the error is:-

    File "/usr/lib/python3.6/site-packages/ldap3/operation/search.py", line 215, in parse_filter
    raise LDAPInvalidFilterError('malformed filter')

Is there any workaround for this? - I have thousands of users with this format of CN.