Commit 73ff044c authored by ale's avatar ale

Allow specifying template search_base in LDAP queries

With proper DN escaping.
parent e88d35e3
......@@ -17,8 +17,9 @@ import (
type LDAPServiceConfig struct {
// SearchBase, SearchFilter and Scope define parameters for
// the LDAP search. The search should return a single object.
// SearchFilter should contain the string "%s", which will be
// replaced with the username before performing a query.
// SearchBase or SearchFilter should contain the string "%s",
// which will be replaced with the username before performing
// a query.
SearchBase string `yaml:"search_base"`
SearchFilter string `yaml:"search_filter"`
ScopeStr string `yaml:"scope"`
......@@ -78,9 +79,10 @@ func (c *LDAPServiceConfig) compile() error {
}
func (c *LDAPServiceConfig) searchRequest(username string) *ldap.SearchRequest {
base := strings.Replace(c.SearchBase, "%s", escapeDN(username), -1)
filter := strings.Replace(c.SearchFilter, "%s", ldap.EscapeFilter(username), -1)
return ldap.NewSearchRequest(
c.SearchBase,
base,
c.scope,
ldap.NeverDerefAliases,
0,
......@@ -260,3 +262,42 @@ func (b *ldapBackend) GetUser(ctx context.Context, spec *BackendSpec, name strin
}
return serviceConfig.userFromResponse(name, result)
}
var hex = "0123456789abcdef"
func mustEscape(c byte) bool {
return (c > 0x7f || c == '<' || c == '>' || c == '\\' || c == '*' ||
c == '"' || c == ',' || c == '+' || c == ';' || c == 0)
}
// escapeDN escapes from the provided LDAP RDN value string the
// special characters in the 'escaped' set and those out of the range
// 0 < c < 0x80, as defined in RFC4515.
//
// escaped = DQUOTE / PLUS / COMMA / SEMI / LANGLE / RANGLE
//
func escapeDN(s string) string {
escape := 0
for i := 0; i < len(s); i++ {
if mustEscape(s[i]) {
escape++
}
}
if escape == 0 {
return s
}
buf := make([]byte, len(s)+escape*2)
for i, j := 0, 0; i < len(s); i++ {
c := s[i]
if mustEscape(c) {
buf[j+0] = '\\'
buf[j+1] = hex[c>>4]
buf[j+2] = hex[c&0xf]
j += 3
} else {
buf[j] = c
j++
}
}
return string(buf)
}
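Review bot: `mustEscape` (L38-39) leaves out the two position-dependent cases RFC 4514 §2.4 requires — a leading space or `#` and a trailing space — so a username such as `" admin"` or `"admin "` is substituted into `search_base` (L24) with its padding unescaped, and a conforming DN parser drops that padding, making the base resolve to the same entry as `admin`; whether that is exploitable depends on what the caller does with the entry, which is outside this hunk. The per-byte hexpair escaping and the extra `*` are a valid superset of what the RFC mandates for the interior of a value, so only those edge cases are missing; note also that the comment on L43 cites RFC4515, which is the filter syntax, and should read `as defined in RFC 4514`. Because of the early `return s` on L54-55 the fix must run on both paths, so replace that early return with a post-processing step on the result, for example:
```go
func escapeDN(s string) string {
	// … unchanged: count escapes; build buf only when escape > 0 …
	out := s
	if escape > 0 {
		out = string(buf)
	}
	// RFC 4514 §2.4: a leading space or '#' and a trailing space are
	// preserved by a parser only when escaped.
	if len(out) > 0 && (out[0] == ' ' || out[0] == '#') {
		out = `\` + out
	}
	if len(out) > 1 && out[len(out)-1] == ' ' && out[len(out)-2] != '\\' {
		out = out[:len(out)-1] + `\ `
	}
	return out
}
```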