* [pve-devel] [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively
@ 2022-08-29 16:07 Stoiko Ivanov
From: Stoiko Ivanov @ 2022-08-29 16:07 UTC (permalink / raw)
  To: pve-devel

Currently we add a user to a group if its DN is listed in the
member-attributes of a group. The comparison for this is done via
existence check of a hash key, which is case-sensitive.

The equality for DNs is defined in a not straightforward way [0]
(roughly translating to: you need to honor the equality rules for each
'component' (RDN) of the DN) and is implementation-specific (Microsoft
AD is case-insensitive).

While this patch does not address the complete complexity of comparing
DNs it should work fine in practice.

The issue with case-sensitive mismatches was reported in our community
forum:
https://forum.proxmox.com/threads/.113387

Tested against a local test VM used for reproducing the issue.

[0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 97d0778..4792586 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -310,7 +310,7 @@ sub get_users {
 
 	if (wantarray) {
 	    my $dn = $user->{dn};
-	    $dnmap->{$dn} = $username;
+	    $dnmap->{lc($dn)} = $username;
 	}
     }
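Review bot: lowercasing the map key at `$dnmap->{lc($dn)} = $username;` means two users whose DNs differ only in case (possible in directories that compare DNs case-sensitively) now collapse onto one key, and the second assignment silently overwrites the first. Consider checking `exists $dnmap->{lc($dn)}` before assigning and emitting a warning on a collision, so the mis-mapping shows up in the log instead of surfacing later as a user landing in another user's group.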
 
@@ -351,7 +351,7 @@ sub get_groups {
 
 	    $ret->{$name} = { users => {} };
 	    foreach my $member (@{$group->{members}}) {
-		if (my $user = $dnmap->{$member}) {
+		if (my $user = $dnmap->{lc($member)}) {
 		    $ret->{$name}->{users}->{$user} = 1;
 		}
 	    }
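Review bot: the lookup `$dnmap->{lc($member)}` now matches the lowercased key written in `get_users`, but the requirement that both sites apply the same `lc()` is implicit; a small shared helper (e.g. a `normalize_dn` sub called at both places) with a one-line comment would keep future call sites consistent and would be the natural spot to document the limitation the commit message states, namely that DNs differing in whitespace around RDN separators (`cn=foo, ou=bar` vs `cn=foo,ou=bar`) still fail to match.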
-- 
2.30.2
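A stand-alone Perl sketch, added here and not part of the pve-access-control code, that contrasts the plain `lc()` comparison the patch uses with a slightly stricter per-RDN normalisation (case folding plus trimming whitespace around unescaped `,` and `=`, keeping escaped commas inside values intact). The `normalize_dn` helper and the sample DNs are constructed for illustration and go beyond what the patch itself does.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not in PVE): normalise a DN so that DNs differing
# only in case and in whitespace around unescaped RDN separators compare
# equal. Attribute types and values are both case-folded, matching the
# Active Directory behaviour mentioned in the commit message.
sub normalize_dn {
    my ($dn) = @_;
    # split on commas that are not escaped with a backslash
    my @rdns = split /(?<!\\),/, $dn;
    my @out;
    for my $rdn (@rdns) {
        $rdn =~ s/^\s+|\s+$//g;            # trim around the ',' separator
        my ($attr, $val) = split /=/, $rdn, 2;
        $val //= '';
        $val =~ s/^\s+|\s+$//g;            # trim around '='
        push @out, lc($attr) . '=' . lc($val);
    }
    return join ',', @out;
}

# The comparison the patch performs: lc() on both sides, nothing else.
sub dn_match_lc {
    my ($x, $y) = @_;
    return lc($x) eq lc($y) ? 1 : 0;
}

sub dn_match_normalized {
    my ($x, $y) = @_;
    return normalize_dn($x) eq normalize_dn($y) ? 1 : 0;
}

# Constructed pairs: what a group's member attribute may hold versus the
# DN returned on the user entry itself.
my @cases = (
    ['CN=Jane Doe,OU=Users,DC=example,DC=com',     'cn=jane doe,ou=users,dc=example,dc=com'],
    ['CN=Jane Doe, OU=Users, DC=example, DC=com', 'cn=jane doe,ou=users,dc=example,dc=com'],
    ['CN=Doe\, Jane,OU=Users,DC=example,DC=com',   'cn=doe\, jane,ou=users,dc=example,dc=com'],
);

for my $c (@cases) {
    printf "%-45s lc: %d  normalized: %d\n",
        $c->[0], dn_match_lc(@$c), dn_match_normalized(@$c);
}
```

The second pair shows the case the plain `lc()` comparison still misses (whitespace after the separators), which is the residual mismatch the commit message acknowledges.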

* [pve-devel] applied: [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively
From: Thomas Lamprecht @ 2022-08-30 10:44 UTC (permalink / raw)
  To: Proxmox VE development discussion, Stoiko Ivanov

On 29/08/2022 at 18:07, Stoiko Ivanov wrote:
> Currently we add a user to a group if its DN is listed in the
> member-attributes of a group. The comparison for this is done via
> existence check of a hash key, which is case-sensitive.
> 
> The equality for DNs is defined in a not straightforward way [0]
> (roughly translating to: you need to honor the equality rules for each
> 'component' (RDN) of the DN) and is implementation-specific (Microsoft
> AD is case-insensitive).
> 
> While this patch does not address the complete complexity of comparing
> DNs it should work fine in practice.
> 
> The issue with case-sensitive mismatches was reported in our community
> forum:
> https://forum.proxmox.com/threads/.113387
> 
> Tested against a local test VM used for reproducing the issue.
> 
> [0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
>

applied, thanks!