[pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Filip Schauer]

Decode non-ASCII character when syncing user attributes, since those
will be encoded later on. Without this fix the attributes where encoded
twice, resulting in cases such as 'ü' turning into 'ü'.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index b958f2b..5e7a30c 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -301,7 +301,7 @@ sub get_users {
 
 	foreach my $attr (keys %$user_attributes) {
 	    if (my $ours = $ldap_attribute_map->{$attr}) {
-		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
+		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);
 	    }
 	}
 
-- 
2.39.2

Re: [pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Lukas Wagner]

Hi, thanks for tackling this!

On 12/20/23 15:37, Filip Schauer wrote:
> Decode non-ASCII character when syncing user attributes, since those
> will be encoded later on. Without this fix the attributes where encoded
> twice, resulting in cases such as 'ü' turning into 'ü'.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>   src/PVE/Auth/LDAP.pm | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index b958f2b..5e7a30c 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -301,7 +301,7 @@ sub get_users {
>   
>   	foreach my $attr (keys %$user_attributes) {
>   	    if (my $ours = $ldap_attribute_map->{$attr}) {
> -		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
> +		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);
>   	    }
>   	}
>   

Gave this a quick test.
Set up a glauth LDAP server, added some unicode symbols to the 'sn' LDAP 
attribute, configured sync_attributes lastname=sn in domains.cfg and
tested the sync.

Tested-by: Lukas Wagner <l.wagner@proxmox.com>


-- 
- Lukas

Re: [pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Christoph Heiss]

Tested it using Windows Server 2022 and Samba 4.19.2 on Linux, with
both LDAP and AD realms.

Fixes the problem after a re-sync, LGTM.

Tested-by: Christoph Heiss <c.heiss@proxmox.com>

On Wed, Dec 20, 2023 at 03:37:03PM +0100, Filip Schauer wrote:
> Decode non-ASCII character when syncing user attributes, since those
> will be encoded later on. Without this fix the attributes where encoded
> twice, resulting in cases such as 'ü' turning into 'ü'.
>
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index b958f2b..5e7a30c 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -301,7 +301,7 @@ sub get_users {
>
>  	foreach my $attr (keys %$user_attributes) {
>  	    if (my $ours = $ldap_attribute_map->{$attr}) {
> -		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
> +		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);
>  	    }
>  	}
>
> --
> 2.39.2
>
>
>
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel

Re: [pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Lukas Wagner]

On 12/20/23 15:37, Filip Schauer wrote:
> Decode non-ASCII character when syncing user attributes, since those
> will be encoded later on. Without this fix the attributes where encoded
> twice, resulting in cases such as 'ü' turning into 'ü'.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>   src/PVE/Auth/LDAP.pm | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index b958f2b..5e7a30c 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -301,7 +301,7 @@ sub get_users {
>   
>   	foreach my $attr (keys %$user_attributes) {
>   	    if (my $ours = $ldap_attribute_map->{$attr}) {
> -		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
> +		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);
>   	    }
>   	}
>   

For the record, the reporter of the issue also confirmed that the fix 
works for them:

https://bugzilla.proxmox.com/show_bug.cgi?id=5136

-- 
- Lukas

Re: [pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Wolfgang Bumiller]

On Wed, Dec 20, 2023 at 03:37:03PM +0100, Filip Schauer wrote:
> Decode non-ASCII character when syncing user attributes, since those

decode *how*?

> will be encoded later on. Without this fix the attributes where encoded
> twice, resulting in cases such as 'ü' turning into 'ü'.
> 
> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index b958f2b..5e7a30c 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -301,7 +301,7 @@ sub get_users {
>  
>  	foreach my $attr (keys %$user_attributes) {
>  	    if (my $ours = $ldap_attribute_map->{$attr}) {
> -		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
> +		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);

This does 2 things: URI unescaping and utf-8 decoding.
Does the former make sense?

Given that 'decode_text' is a way too generic name in a module with yet
another way too generic name "tools", I'd argue against its use in
general and would prefer to call the *actual* decode function right
there so you can see what's going on.

>  	    }
>  	}
>  
> -- 
> 2.39.2

Re: [pve-devel] [PATCH access-control] fix #5136: ldap: Decode non-ASCII characters in attributes

[Filip Schauer]

Patch v2 is available:

https://lists.proxmox.com/pipermail/pve-devel/2024-January/061273.html

On 08/01/2024 10:26, Wolfgang Bumiller wrote:
> On Wed, Dec 20, 2023 at 03:37:03PM +0100, Filip Schauer wrote:
>> Decode non-ASCII character when syncing user attributes, since those
> decode *how*?
>
>> will be encoded later on. Without this fix the attributes where encoded
>> twice, resulting in cases such as 'ü' turning into 'ü'.
>>
>> Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
>> ---
>>   src/PVE/Auth/LDAP.pm | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
>> index b958f2b..5e7a30c 100755
>> --- a/src/PVE/Auth/LDAP.pm
>> +++ b/src/PVE/Auth/LDAP.pm
>> @@ -301,7 +301,7 @@ sub get_users {
>>   
>>   	foreach my $attr (keys %$user_attributes) {
>>   	    if (my $ours = $ldap_attribute_map->{$attr}) {
>> -		$ret->{$username}->{$ours} = $user_attributes->{$attr}->[0];
>> +		$ret->{$username}->{$ours} = PVE::Tools::decode_text($user_attributes->{$attr}->[0]);
> This does 2 things: URI unescaping and utf-8 decoding.
> Does the former make sense?
>
> Given that 'decode_text' is a way too generic name in a module with yet
> another way too generic name "tools", I'd argue against its use in
> general and would prefer to call the *actual* decode function right
> there so you can see what's going on.
>
>>   	    }
>>   	}
>>   
>> -- 
>> 2.39.2