[pve-devel] [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively

Stoiko Ivanov s.ivanov at proxmox.com
Mon Aug 29 18:07:55 CEST 2022


currently we add a user to a group if it's DN is listed in the
member-attributes of a group. The comparison for this is done via
existence check of a hash key, which is case-sensitive.

The equality for DNs is defined in a not straight forward way [0]:
(roughly translating to you need to honor the equality rules for each
'component' (RDN) of the DN) and is implementation-specific (Microsoft
AD is case-insensitive).

While this patch does not address the complete complexity of comparing
DNs it should work fine in practice.

issue with case-sensitive mismatches was reported in our community
forum:
https://forum.proxmox.com/threads/.113387

tested against a local test-vm used for reproducing the issue.

[0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PVE/Auth/LDAP.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 97d0778..4792586 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -310,7 +310,7 @@ sub get_users {
 
 	if (wantarray) {
 	    my $dn = $user->{dn};
-	    $dnmap->{$dn} = $username;
+	    $dnmap->{lc($dn)} = $username;
 	}
     }
 
@@ -351,7 +351,7 @@ sub get_groups {
 
 	    $ret->{$name} = { users => {} };
 	    foreach my $member (@{$group->{members}}) {
-		if (my $user = $dnmap->{$member}) {
+		if (my $user = $dnmap->{lc($member)}) {
 		    $ret->{$name}->{users}->{$user} = 1;
 		}
 	    }
-- 
2.30.2






More information about the pve-devel mailing list