Bug 707047

Summary: LDAP Group Member search doesn't escape special characters
Product: [Other] RHQ Project Reporter: Larry O'Leary <loleary>
Component: Core ServerAssignee: Simeon Pinder <spinder>
Status: CLOSED CURRENTRELEASE QA Contact: Mike Foley <mfoley>
Severity: medium Docs Contact:
Priority: high    
Version: 4.0.1CC: dsteigne, hrupp, loleary, skondkar, spinder
Target Milestone: ---   
Target Release: RHQ 4.3.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 700121 Environment:
Last Closed: 2013-08-31 10:32:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 700121    
Bug Blocks: 734807    
Attachments:
Description Flags
Patch diff to fix LDAP special characters in group filter
none
ldap users with special characters that have logged into JON3 with successful role display none

Description Larry O'Leary 2011-05-23 20:10:58 UTC 
Description of problem:
If the CN attribute has a comma (or other special character) the search for this user's group doesn't escape this character and so doesn't find a group.  With the exact same JON LDAP settings and a CN that doesn't contain a comma, the search resolves to a group.

Version-Release number of selected component (if applicable):
2.4.1

How reproducible:
Always

Steps to Reproduce:
1. Add an LDAP user that contains a comma (,) in their cn attribute value
      dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
      objectClass: organizationalPerson
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: top
      cn: Cannon, Brett
      sn: Cannon
      homephone: 555-555-1212
      mail: bcannon.com
      mail: brett.cannon.com
      uid: bcannon
      userpassword:: cmVkaGF0
      ou: RHQ Admin Group
      description: User with comma (,) in 'cn' in the RHQ Admin Group

2. Add the newly created user to an LDAP group that will be mapped to an RHQ Role
      dn: cn=RHQ Admin Group,ou=groups,dc=test,dc=rhq,dc=redhat,dc=com
      objectClass: groupOfNames
      objectClass: top
      cn: RHQ Admin Group
      member: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
      description: RHQ administrators group

3. Configure RHQ Server to use the LDAP server which contains the test user and test group

4. In RHQ Server create a RHQ Admin Group role and map the LDAP group to the new role

5. Log-in to RHQ Server UI using the test user bcannon (password redhat)

6. Navigate to Administration -> Security -> Users

7. Select user bcannon
  
Actual results:
User bcannon has no Roles assigned to them

Expected results:
User bcannon should have RHQ Admin Group role
Comment 1 Charles Crouch 2011-06-08 20:05:17 UTC 
This needs to be fixed in master
Comment 2 Larry O'Leary 2011-06-29 17:40:26 UTC 
Created attachment 510504 [details]
Patch diff to fix LDAP special characters in group filter
Comment 3 Charles Crouch 2011-09-30 17:46:40 UTC 
removing superfluous trackers
Comment 6 Simeon Pinder 2011-10-19 17:30:35 UTC 
Created attachment 529065 [details]
ldap users with special characters that have logged into JON3 with successful role display
Comment 7 Simeon Pinder 2011-10-19 17:33:22 UTC 
It does not look like this problem still exists in the new JON3 UI. I have created users with commas, parenthesis and backslash and all are able to see their assigned LDAP group correctly and are assigned to the correct role.  See the attached screenshot using latest JON3 BETA3 build: https://brewweb.devel.redhat.com//buildinfo?buildID=183867

Perhaps the specific LDAP server matters?  For the examples above I was able to add several users with special characters and pulled that information into JON successfully and see the roles.

Aside from that, the contents of the patch look pretty good, but I hesitate to apply code that does not look to be necessary anymore.

I'm putting a 'needinfo' on larry to see if he still thinks that is a problem in the new JON3 UI.
Comment 8 Larry O'Leary 2011-10-24 21:03:01 UTC 
Tested against commit a3d2bf56e34fcd2c5229d37fbab7ce922d88c85c and the problem still exists.

It appears that the reason your tests were successful is that the DN is using the uid attribute instead of the cn attribute:

# BCannon, conchfritter.com
dn: uid=BCannon,dc=conchfritter,dc=com
telephoneNumber: 96868585857474
mail: bcannon
uid: BCannon
givenName: Brett,
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Cannon
cn: Brett, Cannon

instead of the test-case entry:

dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Cannon, Brett
sn: Cannon
homephone: 555-555-1212
mail: bcannon.com
mail: brett.cannon.com
uid: bcannon
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with comma (,) in 'cn' in the RHQ Admin Group



It is the DN that is of concern. If the dn contains any special characters, they must be escaped as per the LDAP spec. That is what we are failing to do.
Comment 9 Simeon Pinder 2011-10-25 12:41:29 UTC 
Hi Larry,
  I've merged in all the suggested changes into master. Can you re-run with you test setup to make sure that the fixes are being applied for your specific scenario where uid==CN?

Commit hash '4727d585a165686' to master and hudson build(http://hudson.qa.jboss.com/hudson/job/rhq-master/634/) include the suggested changes.

-Simeon
Comment 10 Larry O'Leary 2011-10-25 16:04:27 UTC 
Tested and my scenario now works.

dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Cannon, Brett
sn: Cannon
homephone: 555-555-1212
mail: bcannon.com
mail: brett.cannon.com
uid: bcannon
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with comma (,) in 'cn' in the RHQ Admin Group


In this test, the RDN includes the cn attribute and the cn includes a special character -- comma in this case.
Comment 11 Simeon Pinder 2011-10-25 16:10:56 UTC 
Excellent. Thx. Moving this to ON_QA.  

Specific commit hash for bulk of patch application to master is : 84665eac5.
Comment 12 Mike Foley 2011-11-09 19:56:45 UTC 
TCMS test run looking for regressions with LDAP in JON 3.0 CR1

https://tcms.engineering.redhat.com/run/30501/?from_plan=1973
Comment 13 Sunil Kondkar 2011-11-11 12:16:51 UTC 
Verified on build#70 in release_jon3.x branch (Version: 4.2.0.JON300-SNAPSHOT
Build Number: 077f81a)

Verified on Redhat Directory Server 8.2.0

Created a LDAP user that contains a comma (,) in cn attribute value.

dn: CN=Cannon\, Brett,dc=rajantest
telephoneNumber: 7777777777777
mail: bcannon.com
mail: brett.cannon.com
uid: bcannon
givenName: bcannon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Cannon
cn: Cannon, Brett
description: User with comma (,) in 'cn' in the RHQ Admin Group
userPassword:: e1NTSEF9WGhXalhGbkxlS25KYkRvbkczc01DS2IrSk9YaXdTR3dYcXE4VVE9PQ==

Added the newly created user to LDAP group:

dn: cn=RHQ Admin Group,dc=rajantest
objectClass: top
objectClass: groupofuniquenames
uniqueMember: CN=Cannon\, Brett,dc=rajantest
cn: RHQ Admin Group
description: RHQ administrators group

Configured LDAP congiguration properties in RHQ. Created a RHQ Admin Group role and mapped the LDAP group to the new RHQ role.

Logged in to RHQ using the user bcannon. Navigated to Administration -> Security -> Users. Selected user bcannon.

Observed that the user bcannon has RHQ Admin Group role.