[pve-devel] [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively
Stoiko Ivanov
s.ivanov at proxmox.com
Mon Aug 29 18:07:55 CEST 2022
currently we add a user to a group if it's DN is listed in the
member-attributes of a group. The comparison for this is done via
existence check of a hash key, which is case-sensitive.
The equality for DNs is defined in a not straight forward way [0]:
(roughly translating to you need to honor the equality rules for each
'component' (RDN) of the DN) and is implementation-specific (Microsoft
AD is case-insensitive).
While this patch does not address the complete complexity of comparing
DNs it should work fine in practice.
issue with case-sensitive mismatches was reported in our community
forum:
https://forum.proxmox.com/threads/.113387
tested against a local test-vm used for reproducing the issue.
[0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
src/PVE/Auth/LDAP.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 97d0778..4792586 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -310,7 +310,7 @@ sub get_users {
if (wantarray) {
my $dn = $user->{dn};
- $dnmap->{$dn} = $username;
+ $dnmap->{lc($dn)} = $username;
}
}
@@ -351,7 +351,7 @@ sub get_groups {
$ret->{$name} = { users => {} };
foreach my $member (@{$group->{members}}) {
- if (my $user = $dnmap->{$member}) {
+ if (my $user = $dnmap->{lc($member)}) {
$ret->{$name}->{users}->{$user} = 1;
}
}
--
2.30.2
More information about the pve-devel
mailing list