[pve-devel] [PATCH access-control 1/1] fix #4609: allow valid DN in ldap/ad realm config
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Mar 23 14:43:40 CET 2023
Am 23/03/2023 um 14:14 schrieb Dominik Csapak:
> we previously added support for ',' in the dns attribute by allowing a
> quoted format. the regex was sadly too restrictive:
>
> in a quoted attribute we'd only allow \w (alphanumeric + _) and the
> restricted characters. this patch now changes that to everything
> except " (nearer to the original regex which allowed everything aside
> from ',')
>
> the unquoted attributes now did not allow spaces, but reading the RFC[0]
> again, spaces are only forbidden at the beginning (also #) and end
> so fix the regex to accommodate for that
>
> Fixes 1aa2355 ("ldap: Allow quoted values for DN attribute values")
this should be a git trailer, directly above your S-o-b as then various
git analyzing script can actually make use of it.
>
> 0: https://www.ietf.org/rfc/rfc2253.txt
>
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
> src/PVE/Auth/LDAP.pm | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index 4d771e7..57782ad 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -10,7 +10,8 @@ use PVE::Tools;
>
> use base qw(PVE::Auth::Plugin);
>
> -our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
> +my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^,+"/<>;=#])!;
> +our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
Christoph, can you check/review this?
>
> sub type {
> return 'ldap';
More information about the pve-devel
mailing list