[pve-devel] [PATCH access-control 1/1] fix #4609: allow valid DN in ldap/ad realm config

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Mar 23 14:43:40 CET 2023


Am 23/03/2023 um 14:14 schrieb Dominik Csapak:
> we previously added support for ',' in the DN attribute by allowing a
> quoted format. The regex was sadly too restrictive:
> 
> in a quoted attribute we'd only allow \w (alphanumeric + _) and the
> restricted characters. This patch now changes that to everything
> except " (nearer to the original regex, which allowed everything aside
> from ',').
> 
> The unquoted attributes did not allow spaces, but reading the RFC[0]
> again, spaces are only forbidden at the beginning (also #) and at the end,
> so fix the regex to accommodate that.
> 
> Fixes 1aa2355 ("ldap: Allow quoted values for DN attribute values")

this should be a git trailer, directly above your S-o-b, as then various
git analyzing scripts can actually make use of it.

> 
> 0: https://www.ietf.org/rfc/rfc2253.txt
> 
> Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
> ---
>  src/PVE/Auth/LDAP.pm | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
> index 4d771e7..57782ad 100755
> --- a/src/PVE/Auth/LDAP.pm
> +++ b/src/PVE/Auth/LDAP.pm
> @@ -10,7 +10,8 @@ use PVE::Tools;
>  
>  use base qw(PVE::Auth::Plugin);
>  
> -our $dn_regex = qr!\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+)(,\s*\w+=("[\w ,+/<>;=]+"|[^ ,+"/<>;=]+))*!;
> +my  $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^,+"/<>;=#])!;
> +our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;

Christoph, can you check/review this?

>  
>  sub type {
>      return 'ldap';
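Review bot: the third alternative of $dn_part_regex, `[^,+"/<>;=#]`, does not exclude the space character, so a value consisting of a single space (e.g. `ou= ,dc=example`) still matches even though the commit message says spaces are forbidden at the beginning and at the end; adding the space to that class, as the first and last classes of the second alternative already do, would close that gap. Neither alternative handles the backslash escapes RFC 2253 allows (`cn=Doe\, John`, or `\"` inside a quoted value), so such DNs remain rejected; if that is intended, a short comment next to the regex would save the next reader from re-deriving it.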
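To see concretely what the new regex accepts and rejects, the following is an added example, not code from the pve-access-control repository or from the patch author: it copies the two regexes from the hunk above into a stand-alone Perl script and matches them, anchored with \A and \z (an assumption about how the caller applies them), against a few constructed DNs. The cases cover inner spaces, quoted commas and '=', leading/trailing spaces, a leading '#', a multi-valued RDN, and the single-space value that the third alternative still lets through.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Regexes copied verbatim from the patch to src/PVE/Auth/LDAP.pm.
my $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^,+"/<>;=#])!;
my $dn_regex      = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;

# Assumption: the caller requires the whole string to match, so anchor
# with \A and \z (stricter than ^ and $, which tolerate a trailing newline).
sub dn_valid {
    my ($dn) = @_;
    return $dn =~ /\A$dn_regex\z/ ? 1 : 0;
}

# Constructed test DNs: [ DN, expected result ]
my @cases = (
    [ 'cn=users,dc=example,dc=com',         1 ], # plain value
    [ 'cn=users, dc=example',               1 ], # space after the comma is allowed
    [ 'ou=Domain Users,dc=example,dc=com',  1 ], # inner space now allowed
    [ 'cn="Doe, John",dc=example,dc=com',   1 ], # quoted comma
    [ 'cn="a=b",dc=example',                1 ], # quoted value may contain '='
    [ 'ou= users,dc=example',               0 ], # leading space forbidden
    [ 'ou=users ,dc=example',               0 ], # trailing space forbidden
    [ 'cn=#04024869,dc=example',            0 ], # leading '#' (hex form) forbidden
    [ 'cn=a+b,dc=example',                  0 ], # multi-valued RDN not supported
    [ 'ou= ,dc=example',                    1 ], # lone space slips through alt 3
);

my $failures = 0;
for my $case (@cases) {
    my ($dn, $expected) = @$case;
    my $got = dn_valid($dn);
    printf "%-40s %-7s%s\n", $dn, ($got ? 'valid' : 'invalid'),
        ($got == $expected ? '' : '  <-- unexpected');
    $failures++ if $got != $expected;
}
exit($failures ? 1 : 0);
```

The last case is the one worth noting when reviewing the regex: the third alternative `[^,+"/<>;=#]` matches a single space, so `ou= ,dc=example` is accepted although a leading or trailing space is otherwise rejected; the script exits 0 because that is the regex's actual behaviour, not because it is desirable.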





