Bug 707047 - LDAP Group Member search doesn't escape special characters
LDAP Group Member search doesn't escape special characters
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core Server (Show other bugs)
4.0.1
All All
high Severity medium (vote)
: ---
: RHQ 4.3.0
Assigned To: Simeon Pinder
Mike Foley
:
Depends On: 700121
Blocks: rhq42
  Show dependency treegraph
 
Reported: 2011-05-23 16:10 EDT by Larry O'Leary
Modified: 2013-10-11 16:57 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 700121
Environment:
Last Closed: 2013-08-31 06:32:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch diff to fix LDAP special characters in group filter (137.81 KB, patch)
2011-06-29 13:40 EDT, Larry O'Leary
no flags Details | Diff
ldap users with special characters that have logged into JON3 with successful role display (46.31 KB, image/png)
2011-10-19 13:30 EDT, Simeon Pinder
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 414733 None None None Never

  None (edit)
Description Larry O'Leary 2011-05-23 16:10:58 EDT
Description of problem:
If the CN attribute has a comma (or other special character) the search for this user's group doesn't escape this character and so doesn't find a group.  With the exact same JON LDAP settings and a CN that doesn't contain a comma, the search resolves to a group.

Version-Release number of selected component (if applicable):
2.4.1

How reproducible:
Always

Steps to Reproduce:
1. Add an LDAP user that contains a comma (,) in their cn attribute value
      dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
      objectClass: organizationalPerson
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: top
      cn: Cannon, Brett
      sn: Cannon
      homephone: 555-555-1212
      mail: bcannon@rhq.redhat.com
      mail: brett.cannon@rhq.redhat.com
      uid: bcannon
      userpassword:: cmVkaGF0
      ou: RHQ Admin Group
      description: User with comma (,) in 'cn' in the RHQ Admin Group

2. Add the newly created user to an LDAP group that will be mapped to an RHQ Role
      dn: cn=RHQ Admin Group,ou=groups,dc=test,dc=rhq,dc=redhat,dc=com
      objectClass: groupOfNames
      objectClass: top
      cn: RHQ Admin Group
      member: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
      description: RHQ administrators group

3. Configure RHQ Server to use the LDAP server which contains the test user and test group

4. In RHQ Server create a RHQ Admin Group role and map the LDAP group to the new role

5. Log-in to RHQ Server UI using the test user bcannon (password redhat)

6. Navigate to Administration -> Security -> Users

7. Select user bcannon
  
Actual results:
User bcannon has no Roles assigned to them

Expected results:
User bcannon should have RHQ Admin Group role
Comment 1 Charles Crouch 2011-06-08 16:05:17 EDT
This needs to be fixed in master
Comment 2 Larry O'Leary 2011-06-29 13:40:26 EDT
Created attachment 510504 [details]
Patch diff to fix LDAP special characters in group filter
Comment 3 Charles Crouch 2011-09-30 13:46:40 EDT
removing superfluous trackers
Comment 6 Simeon Pinder 2011-10-19 13:30:35 EDT
Created attachment 529065 [details]
ldap users with special characters that have logged into JON3 with successful role display
Comment 7 Simeon Pinder 2011-10-19 13:33:22 EDT
It does not look like this problem still exists in the new JON3 UI. I have created users with commas, parenthesis and backslash and all are able to see their assigned LDAP group correctly and are assigned to the correct role.  See the attached screenshot using latest JON3 BETA3 build: https://brewweb.devel.redhat.com//buildinfo?buildID=183867

Perhaps the specific LDAP server matters?  For the examples above I was able to add several users with special characters and pulled that information into JON successfully and see the roles.

Aside from that, the contents of the patch look pretty good, but I hesitate to apply code that does not look to be necessary anymore.

I'm putting a 'needinfo' on larry to see if he still thinks that is a problem in the new JON3 UI.
Comment 8 Larry O'Leary 2011-10-24 17:03:01 EDT
Tested against commit a3d2bf56e34fcd2c5229d37fbab7ce922d88c85c and the problem still exists.

It appears that the reason your tests were successful is that the DN is using the uid attribute instead of the cn attribute:

# BCannon, conchfritter.com
dn: uid=BCannon,dc=conchfritter,dc=com
telephoneNumber: 96868585857474
mail: bcannon@test.org
uid: BCannon
givenName: Brett,
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Cannon
cn: Brett, Cannon

instead of the test-case entry:

dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Cannon, Brett
sn: Cannon
homephone: 555-555-1212
mail: bcannon@rhq.redhat.com
mail: brett.cannon@rhq.redhat.com
uid: bcannon
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with comma (,) in 'cn' in the RHQ Admin Group



It is the DN that is of concern. If the dn contains any special characters, they must be escaped as per the LDAP spec. That is what we are failing to do.
Comment 9 Simeon Pinder 2011-10-25 08:41:29 EDT
Hi Larry,
  I've merged in all the suggested changes into master. Can you re-run with you test setup to make sure that the fixes are being applied for your specific scenario where uid==CN?

Commit hash '4727d585a165686' to master and hudson build(http://hudson.qa.jboss.com/hudson/job/rhq-master/634/) include the suggested changes.

-Simeon
Comment 10 Larry O'Leary 2011-10-25 12:04:27 EDT
Tested and my scenario now works.

dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: top
cn: Cannon, Brett
sn: Cannon
homephone: 555-555-1212
mail: bcannon@rhq.redhat.com
mail: brett.cannon@rhq.redhat.com
uid: bcannon
userpassword:: cmVkaGF0
ou: RHQ Admin Group
description: User with comma (,) in 'cn' in the RHQ Admin Group


In this test, the RDN includes the cn attribute and the cn includes a special character -- comma in this case.
Comment 11 Simeon Pinder 2011-10-25 12:10:56 EDT
Excellent. Thx. Moving this to ON_QA.  

Specific commit hash for bulk of patch application to master is : 84665eac5.
Comment 12 Mike Foley 2011-11-09 14:56:45 EST
TCMS test run looking for regressions with LDAP in JON 3.0 CR1

https://tcms.engineering.redhat.com/run/30501/?from_plan=1973
Comment 13 Sunil Kondkar 2011-11-11 07:16:51 EST
Verified on build#70 in release_jon3.x branch (Version: 4.2.0.JON300-SNAPSHOT
Build Number: 077f81a)

Verified on Redhat Directory Server 8.2.0

Created a LDAP user that contains a comma (,) in cn attribute value.

dn: CN=Cannon\, Brett,dc=rajantest
telephoneNumber: 7777777777777
mail: bcannon@rhq.redhat.com
mail: brett.cannon@rhq.redhat.com
uid: bcannon
givenName: bcannon
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Cannon
cn: Cannon, Brett
description: User with comma (,) in 'cn' in the RHQ Admin Group
userPassword:: e1NTSEF9WGhXalhGbkxlS25KYkRvbkczc01DS2IrSk9YaXdTR3dYcXE4VVE9PQ==

Added the newly created user to LDAP group:

dn: cn=RHQ Admin Group,dc=rajantest
objectClass: top
objectClass: groupofuniquenames
uniqueMember: CN=Cannon\, Brett,dc=rajantest
cn: RHQ Admin Group
description: RHQ administrators group

Configured LDAP congiguration properties in RHQ. Created a RHQ Admin Group role and mapped the LDAP group to the new RHQ role.

Logged in to RHQ using the user bcannon. Navigated to Administration -> Security -> Users. Selected user bcannon.

Observed that the user bcannon has RHQ Admin Group role.

Note You need to log in before you can comment on or make changes to this bug.