[pve-devel] applied: [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Aug 30 12:44:42 CEST 2022


On 29/08/2022 at 18:07, Stoiko Ivanov wrote:
> currently we add a user to a group if its DN is listed in the
> member-attributes of a group. The comparison for this is done via
> existence check of a hash key, which is case-sensitive.
> 
> The equality for DNs is defined in a not straightforward way [0]:
> (roughly translating to you need to honor the equality rules for each
> 'component' (RDN) of the DN) and is implementation-specific (Microsoft
> AD is case-insensitive).
> 
> While this patch does not address the complete complexity of comparing
> DNs it should work fine in practice.
> 
> issue with case-sensitive mismatches was reported in our community
> forum:
> https://forum.proxmox.com/threads/.113387
> 
> tested against a local test-vm used for reproducing the issue.
> 
> [0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
>

applied, thanks!
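
The hash-key membership lookup described in the commit message, as an added example that is not the patch itself nor code from PVE's LDAP.pm: it resolves groups once with exact keys and once with `lc`-folded keys. All names and DNs are constructed, and the collision check is an extra assumption added here for directories that treat DNs case-sensitively.

```perl
use strict;
use warnings;

# Constructed sample data, not taken from the thread.
my %user_dns = (    # user id => DN as returned for the user entry
    'jdoe@ad'   => 'CN=Jane Doe,OU=Staff,DC=example,DC=com',
    'asmith@ad' => 'CN=Al Smith,OU=Staff,DC=example,DC=com',
);
my %group_members = (    # group => values of its member attribute
    admins   => ['cn=jane doe,ou=staff,dc=example,dc=com'],
    auditors => ['CN=Al Smith,OU=Staff,DC=example,DC=com'],
);

# Build a key => user index with $key applied to every DN. Die if two users
# collapse onto one key, since folding would then mix up their memberships.
sub index_users {
    my ($users, $key) = @_;
    my %index;
    for my $user (sort keys %$users) {
        my $k = $key->($users->{$user});
        die "DN collision after normalisation: $user vs $index{$k}\n"
            if exists $index{$k};
        $index{$k} = $user;
    }
    return \%index;
}

# Resolve group membership by hash-key existence check on the member DNs.
sub resolve_groups {
    my ($users, $groups, $key) = @_;
    my $index = index_users($users, $key);
    my %result;
    for my $group (sort keys %$groups) {
        my @found;
        for my $member_dn (@{ $groups->{$group} }) {
            my $k = $key->($member_dn);
            push @found, $index->{$k} if exists $index->{$k};
        }
        $result{$group} = \@found;
    }
    return \%result;
}

my $exact  = resolve_groups(\%user_dns, \%group_members, sub { $_[0] });
my $folded = resolve_groups(\%user_dns, \%group_members, sub { lc $_[0] });
for my $group (sort keys %group_members) {
    printf "%-8s exact=[%s] folded=[%s]\n", $group,
        join(',', @{ $exact->{$group} }), join(',', @{ $folded->{$group} });
}
```

With the exact key function the `admins` group comes back empty because the member value differs from the user DN only in case; with the folded key both groups resolve.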




