[pve-devel] [PATCH access-control 1/1] fix #4609: allow valid DN in ldap/ad realm config

Dominik Csapak d.csapak at proxmox.com
Thu Mar 23 14:14:29 CET 2023

we previously added support for ',' in the dn attribute by allowing a
quoted format. the regex was sadly too restrictive:

in a quoted attribute we'd only allow \w (alphanumeric + _) and the
restricted characters. this patch now changes that to everything
except " (nearer to the original regex, which allowed everything aside
from ',')

the unquoted attributes now did not allow spaces, but reading the RFC[0]
again, spaces are only forbidden at the beginning (also #) and end,
so fix the regex to accommodate that

Fixes 1aa2355 ("ldap: Allow quoted values for DN attribute values")

0: https://www.ietf.org/rfc/rfc2253.txt

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
 src/PVE/Auth/LDAP.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 4d771e7..57782ad 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -10,7 +10,8 @@ use PVE::Tools;
 use base qw(PVE::Auth::Plugin);
-our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
+my  $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^,+"/<>;=#])!;
+our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
 sub type {
     return 'ldap';
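Review bot: two edge cases in the new `$dn_part_regex` on the `+my  $dn_part_regex` line look unintended. First, the quoted branch `"[^"]+"` stops at the first `"`, so a value that contains an escaped quote as RFC 2253 section 3 permits (`cn="Smith\, \"Jr\""`) is rejected; `"(?:[^"\\]|\\.)+"` would accept the escape while still refusing a bare `"`. Second, the single-character branch `[^,+"/<>;=#]` does not exclude the space, so a value consisting of exactly one space matches even though the multi-character branch `[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]` deliberately forbids a leading or trailing space; adding the space to that class (`[^ ,+"/<>;=#]`) makes the two branches consistent. Both cases, together with the spaces-in-the-middle case the commit message describes, would be worth covering in a regression test for #4609 so the regex is not tightened again by accident.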
