Description of problem:
If the CN attribute has a comma (or other special character) the search for this user's group doesn't escape this character and so doesn't find a group. With the exact same JON LDAP settings and a CN that doesn't contain a comma, the search resolves to a group.

Version-Release number of selected component (if applicable): 2.4.1

How reproducible: Always

Steps to Reproduce:
1. Add an LDAP user that contains a comma (,) in their cn attribute value:

    dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Cannon, Brett
    sn: Cannon
    homephone: 555-555-1212
    mail: bcannon.com
    mail: brett.cannon.com
    uid: bcannon
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with comma (,) in 'cn' in the RHQ Admin Group

2. Add the newly created user to an LDAP group that will be mapped to an RHQ Role:

    dn: cn=RHQ Admin Group,ou=groups,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: groupOfNames
    objectClass: top
    cn: RHQ Admin Group
    member: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    description: RHQ administrators group

3. Configure RHQ Server to use the LDAP server which contains the test user and test group
4. In RHQ Server create a RHQ Admin Group role and map the LDAP group to the new role
5. Log in to RHQ Server UI using the test user bcannon (password redhat)
6. Navigate to Administration -> Security -> Users
7. Select user bcannon

Actual results: User bcannon has no Roles assigned to them

Expected results: User bcannon should have RHQ Admin Group role
This needs to be fixed in master
Created attachment 510504: Patch diff to fix LDAP special characters in group filter
removing superfluous trackers
Created attachment 529065: ldap users with special characters that have logged into JON3 with successful role display
It does not look like this problem still exists in the new JON3 UI. I have created users with commas, parentheses and backslashes and all are able to see their assigned LDAP group correctly and are assigned to the correct role. See the attached screenshot using the latest JON3 BETA3 build: https://brewweb.devel.redhat.com//buildinfo?buildID=183867 Perhaps the specific LDAP server matters? For the examples above I was able to add several users with special characters, pull that information into JON successfully and see the roles. Aside from that, the contents of the patch look pretty good, but I hesitate to apply code that does not look to be necessary anymore. I'm putting a 'needinfo' on larry to see if he still thinks that is a problem in the new JON3 UI.
Tested against commit a3d2bf56e34fcd2c5229d37fbab7ce922d88c85c and the problem still exists. It appears that the reason your tests were successful is that the DN is using the uid attribute instead of the cn attribute:

    # BCannon, conchfritter.com
    dn: uid=BCannon,dc=conchfritter,dc=com
    telephoneNumber: 96868585857474
    mail: bcannon
    uid: BCannon
    givenName: Brett,
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    sn: Cannon
    cn: Brett, Cannon

instead of the test-case entry:

    dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Cannon, Brett
    sn: Cannon
    homephone: 555-555-1212
    mail: bcannon.com
    mail: brett.cannon.com
    uid: bcannon
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with comma (,) in 'cn' in the RHQ Admin Group

It is the DN that is of concern. If the dn contains any special characters, they must be escaped as per the LDAP spec. That is what we are failing to do.
Hi Larry, I've merged all the suggested changes into master. Can you re-run with your test setup to make sure that the fixes are being applied for your specific scenario where uid==CN? Commit hash '4727d585a165686' to master and hudson build (http://hudson.qa.jboss.com/hudson/job/rhq-master/634/) include the suggested changes. -Simeon
Tested and my scenario now works.

    dn: cn=Cannon\, Brett,ou=users,dc=test,dc=rhq,dc=redhat,dc=com
    objectClass: organizationalPerson
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: top
    cn: Cannon, Brett
    sn: Cannon
    homephone: 555-555-1212
    mail: bcannon.com
    mail: brett.cannon.com
    uid: bcannon
    userpassword:: cmVkaGF0
    ou: RHQ Admin Group
    description: User with comma (,) in 'cn' in the RHQ Admin Group

In this test, the RDN includes the cn attribute and the cn includes a special character -- comma in this case.
Excellent. Thx. Moving this to ON_QA. Specific commit hash for bulk of patch application to master is : 84665eac5.
TCMS test run looking for regressions with LDAP in JON 3.0 CR1 https://tcms.engineering.redhat.com/run/30501/?from_plan=1973
Verified on build#70 in release_jon3.x branch (Version: 4.2.0.JON300-SNAPSHOT Build Number: 077f81a)
Verified on Redhat Directory Server 8.2.0

Created a LDAP user that contains a comma (,) in cn attribute value:

    dn: CN=Cannon\, Brett,dc=rajantest
    telephoneNumber: 7777777777777
    mail: bcannon.com
    mail: brett.cannon.com
    uid: bcannon
    givenName: bcannon
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    sn: Cannon
    cn: Cannon, Brett
    description: User with comma (,) in 'cn' in the RHQ Admin Group
    userPassword:: e1NTSEF9WGhXalhGbkxlS25KYkRvbkczc01DS2IrSk9YaXdTR3dYcXE4VVE9PQ==

Added the newly created user to LDAP group:

    dn: cn=RHQ Admin Group,dc=rajantest
    objectClass: top
    objectClass: groupofuniquenames
    uniqueMember: CN=Cannon\, Brett,dc=rajantest
    cn: RHQ Admin Group
    description: RHQ administrators group

Configured LDAP configuration properties in RHQ.
Created a RHQ Admin Group role and mapped the LDAP group to the new RHQ role.
Logged in to RHQ using the user bcannon.
Navigated to Administration -> Security -> Users.
Selected user bcannon.
Observed that the user bcannon has RHQ Admin Group role.