[pve-devel] applied: [PATCH access-control] auth ldap/ad: compare group member dn case-insensitively
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Aug 30 12:44:42 CEST 2022
On 29/08/2022 at 18:07, Stoiko Ivanov wrote:
> currently we add a user to a group if its DN is listed in the
> member-attributes of a group. The comparison for this is done via
> existence check of a hash key, which is case-sensitive.
>
> The equality for DNs is defined in a not straightforward way [0]:
> (roughly translating to you need to honor the equality rules for each
> 'component' (RDN) of the DN) and is implementation-specific (Microsoft
> AD is case-insensitive).
>
> While this patch does not address the complete complexity of comparing
> DNs it should work fine in practice.
>
> issue with case-sensitive mismatches was reported in our community
> forum:
> https://forum.proxmox.com/threads/.113387
>
> tested against a local test-vm used for reproducing the issue.
>
> [0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity
>
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
> src/PVE/Auth/LDAP.pm | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>
applied, thanks!
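
The lookup behaviour described in the commit message, as an added example that is not part of the original mail and not the code from src/PVE/Auth/LDAP.pm: group membership resolved through a hash keyed by DN, once with exact keys and once with both sides lower-cased. The sample DNs, the `resolve_members` helper and its `$fold` switch are constructed for illustration; folding the whole DN is the same approximation the commit message describes and would also match attribute values that a directory treats as case-sensitive.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: the same entries, cased differently in the
# user's own DN and in the group's member attribute.
my %users = (
    'alice@example' => 'CN=Alice Admin,OU=Staff,DC=example,DC=com',
    'bob@example'   => 'cn=bob,ou=staff,dc=example,dc=com',
);
my %groups = (
    'admins' => [
        'cn=alice admin,ou=Staff,dc=example,dc=com',
        'cn=bob,ou=staff,dc=example,dc=com',
    ],
);

# Resolve group members by hash-key lookup on the DN.
# $fold (hypothetical switch): false keeps the exact-match lookup,
# true lower-cases both the indexed DNs and the member values.
sub resolve_members {
    my ($users, $groups, $fold) = @_;
    my $norm = $fold ? sub { lc($_[0]) } : sub { $_[0] };

    # Index users by their (optionally normalized) DN.
    my %dn_to_user = map { ($norm->($users->{$_}) => $_) } keys %$users;

    my %result;
    for my $group (sort keys %$groups) {
        my @wanted  = map { $norm->($_) } @{ $groups->{$group} };
        my @members = map { $dn_to_user{$_} }
                      grep { exists $dn_to_user{$_} } @wanted;
        $result{$group} = [ sort @members ];
    }
    return \%result;
}

# Print the resolved 'admins' group for both lookup modes.
for my $fold (0, 1) {
    my $res = resolve_members(\%users, \%groups, $fold);
    printf "%-16s admins = [%s]\n",
        $fold ? 'case-insensitive' : 'case-sensitive',
        join(', ', @{ $res->{admins} });
}
```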