Usernames containing + cannot be autoprovisioned #4078
Comments
Just some notes because I can't work on this for the next two weeks. So the issue is here: https://github.com/cs3org/reva/blob/0b65112600ccfd07504c8927d96c7a1e9ac85e7b/pkg/utils/ldap/identity.go#L534

We aren't escaping the memberName correctly, which results in this error when parsing the filter:

Our filter looks like this:

My temporary change to check the fix was this:

```go
func (i *Identity) getGroupMemberFilter(memberName string) string {
	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
		i.Group.Filter,
		i.Group.Objectclass,
		i.Group.Schema.Member,
		strings.ReplaceAll(memberName, "+", "2B"),
	)
}
```

With that change logging into oCIS was possible.
Actually I think that filter is correct. However, it seems there is a bug in libregraph/idm that fails to correctly re-escape the filter when decompiling it from BER to string. And the latter, for whatever reason, tries to re-compile that string to BER, which fails because of wrong escaping 🤦♂️ Somewhere here: https://github.com/libregraph/idm/blob/491c539a42bb90395ea23dcc11181891f244f2b4/pkg/ldapserver/search.go#L25 I think this is mainly caused by idm using its own filter compilation/de-compilation code instead of the stuff coming from go-ldap.
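Added example, not code from reva or idm, illustrating the escaping rule both comments above turn on: the client escapes the member name once when building the filter (RFC 4515 hex escapes), and a server that decodes a BER filter back to text must unescape and then escape again rather than reuse the decoded string. All function names and sample values below are my own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// escapeFilterValue escapes an assertion value for an LDAP search filter
// per RFC 4515: '\', '*', '(', ')' and NUL become "\xx" hex escapes.
// '+' is not special and is left as-is, though a client may send "\2b".
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unescapeFilterValue decodes "\xx" escapes (e.g. "\2b" -> "+"), as a server
// must when it turns a BER filter back into text before re-escaping it.
func unescapeFilterValue(s string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] != '\\' {
			b.WriteByte(s[i])
			continue
		}
		if i+2 >= len(s) {
			return "", fmt.Errorf("truncated escape at offset %d", i)
		}
		v, err := strconv.ParseUint(s[i+1:i+3], 16, 8)
		if err != nil {
			return "", fmt.Errorf("bad escape %q at offset %d", s[i:i+3], i)
		}
		b.WriteByte(byte(v))
		i += 2
	}
	return b.String(), nil
}

// groupMemberFilter escapes the member name exactly once before interpolation.
func groupMemberFilter(groupFilter, objectclass, memberAttr, memberName string) string {
	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))", groupFilter, objectclass, memberAttr, escapeFilterValue(memberName))
}
```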
Should be fixed with: libregraph/idm#68
Fix has been merged into ocis with: #4132
Actually it still doesn't fully work. 😭 Let's reopen...
Final fix was in idm libregraph/idm#71 which was merged with #4200
Describe the bug
Usernames containing + cannot be autoprovisioned
Steps to reproduce
Steps to reproduce the behavior:
Expected behavior
Login to oCIS should occur.
Actual behavior
Login Error.
Your user session is invalid or has expired.
If you like to login with a different user please proceed to exit.
Setup
owncloud/ocis:2.0.0-beta.4
https://owncloud.dev/ocis/deployment/ocis_keycloak/
Originally changed realm login to use email as username.