diff --git a/crates/defguard_core/src/enterprise/ldap/client.rs b/crates/defguard_core/src/enterprise/ldap/client.rs
index 5e57cdf625..30f06f2e51 100644
--- a/crates/defguard_core/src/enterprise/ldap/client.rs
+++ b/crates/defguard_core/src/enterprise/ldap/client.rs
@@ -5,7 +5,8 @@ use std::{
 };
 use ldap3::{
- adapters::PagedResults, drive, LdapConnAsync, LdapConnSettings, Mod, Scope, SearchEntry,
+ adapters::PagedResults, drive, ldap_escape, LdapConnAsync, LdapConnSettings, Mod, Scope,
+ SearchEntry,
 };
 use super::error::LdapError;
@@ -112,7 +113,11 @@ impl super::LDAPConnection {
 &mut self,
 user_dn: &str,
 ) -> Result, LdapError> {
- let filter = format!("({}={})", self.config.ldap_group_member_attr, user_dn);
+ let user_dn_escaped = ldap_escape(user_dn);
+ let filter = format!(
+ "({}={})",
+ self.config.ldap_group_member_attr, user_dn_escaped
+ );
 let (rs, res) = self
 .ldap
 .search(
@@ -252,13 +257,15 @@ impl super::LDAPConnection {
 groupname: &str,
 ) -> Result {
 debug!("Checking if user {user_dn} is member of group {groupname}");
+ let user_dn_escaped = ldap_escape(user_dn);
+ let groupname_escaped = ldap_escape(groupname);
 let filter = format!(
 "(&(objectClass={})({}={})({}={}))",
 self.config.ldap_group_obj_class,
 self.config.ldap_groupname_attr,
- groupname,
+ groupname_escaped,
 self.config.ldap_group_member_attr,
- user_dn
+ user_dn_escaped
 );
 debug!(
 "Using the following filter for group search: {filter} and base: {}",
@@ -283,9 +290,10 @@ impl super::LDAPConnection {
 groupname: &str,
 ) -> Result, LdapError> {
 debug!("Searching for group memberships for group {}", groupname);
+ let groupname_escaped = ldap_escape(groupname);
 let filter = format!(
 "(&(objectClass={})({}={}))",
- self.config.ldap_group_obj_class, self.config.ldap_groupname_attr, groupname
+ self.config.ldap_group_obj_class, self.config.ldap_groupname_attr, groupname_escaped
 );
 debug!(
 "Using the following filter for group search: {filter} and base: {}",
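Review bot: In the @@ -112 hunk the escaped equality filter is hand-assembled as `format!("({}={})", attr, ldap_escape(value))`, and the same shape is repeated in the @@ -252, @@ -283 and @@ -335 hunks of client.rs and the @@ -441, @@ -451 and @@ -465 hunks of mod.rs, so every future filter site has to remember the `ldap_escape` call on its own. A one-line helper such as `fn eq_filter(attr: &str, value: &str) -> String { format!("({attr}={})", ldap_escape(value)) }` would make an unescaped assertion value impossible to write at the call sites and gives the fix a unit test, e.g. asserting that `eq_filter("uid", "a*)(uid=*")` yields `(uid=a\2a\29\28uid=\2a)` (constructed example from the RFC 4515 escape codes). Leaving the attribute names taken from `self.config` unescaped is correct, because RFC 4515 escaping applies to assertion values only; a short comment saying so would stop a later reader from "fixing" it. The enclosing method starts above this hunk.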
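Review bot: The `debug!` on the third line of the @@ -252 hunk, and the one in the @@ -283 hunk, still interpolate the raw `user_dn` and `groupname` with `{user_dn}`/`{}`, so a value containing control characters or newlines reaches the log unescaped even though the filter built a few lines later is now escaped. If these values can be influenced by an end user (not verifiable from the hunk), formatting them with `{:?}` keeps each log record on one line: `debug!("Checking if user {user_dn:?} is member of group {groupname:?}");`. The second `debug!` in each hunk already prints the escaped filter, which is the more useful forensic record. The enclosing methods start above their hunks.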
@@ -335,7 +343,11 @@ impl super::LDAPConnection {
 let mut group_filters = vec![];
 for group in self.config.ldap_sync_groups.iter() {
 let group_dn = self.config.group_dn(group);
- group_filters.push(format!("({}={})", self.config.ldap_member_attr, group_dn));
+ let group_dn_escaped = ldap_escape(&group_dn);
+ group_filters.push(format!(
+ "({}={})",
+ self.config.ldap_member_attr, group_dn_escaped
+ ));
 }
 debug!(
 "Using the following group filters for user search: {:?}",
diff --git a/crates/defguard_core/src/enterprise/ldap/mod.rs b/crates/defguard_core/src/enterprise/ldap/mod.rs
index 54c33b977f..e049d11c0d 100644
--- a/crates/defguard_core/src/enterprise/ldap/mod.rs
+++ b/crates/defguard_core/src/enterprise/ldap/mod.rs
@@ -441,8 +441,9 @@ impl LDAPConnection {
 /// Checks if a group with the given name exists in LDAP.
 async fn group_exists(&mut self, groupname: &str) -> Result {
 let groupname_attr = self.config.ldap_groupname_attr.clone();
+ let groupname_escaped = ldap_escape(groupname);
 let res = self
- .search_groups(format!("({groupname_attr}={groupname})").as_str())
+ .search_groups(format!("({groupname_attr}={groupname_escaped})").as_str())
 .await?;
 Ok(!res.is_empty())
@@ -451,8 +452,9 @@ impl LDAPConnection {
 /// Checks if a user with the given username exists in LDAP.
 async fn user_exists_by_username(&mut self, username: &str) -> Result {
 let username_attr = self.config.ldap_username_attr.clone();
+ let username_escaped = ldap_escape(username);
 let res = self
- .search_users(format!("({username_attr}={username})").as_str())
+ .search_users(format!("({username_attr}={username_escaped})").as_str())
 .await?;
 Ok(!res.is_empty())
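Review bot: In the @@ -335 hunk `ldap_escape(&group_dn)` protects the filter syntax, but it is applied to a DN that `self.config.group_dn(group)` assembles outside this view, and filter escaping is not DN escaping: if `group_dn()` does not apply RFC 4514 escaping to the group name's RDN value, a configured group containing `,`, `+`, `=` or `\` still yields a DN that does not match the real entry and the sync quietly returns no members for it (whether `group_dn()` escapes cannot be seen here). That responsibility belongs in `group_dn()` rather than in this loop, but a comment would keep the two layers apart: `// ldap_escape() covers filter metacharacters only; RDN escaping of the group name is assumed to happen in group_dn()`. The loop could also be an iterator chain ending in `collect()`, which removes the `mut` and the push. The enclosing method starts above and continues below the hunk.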
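Review bot: `ldap_escape` is now called in mod.rs (the @@ -441 hunk and the @@ -451 and @@ -465 hunks) but no `use` hunk for mod.rs appears in the diff, so it is presumably already imported there; worth a glance that the name resolves to `ldap3::ldap_escape` and not to a local helper of the same name. The doc comments should also record the new contract, since a `*` in the argument no longer acts as a wildcard: `/// `groupname` is matched as a literal value (filter-escaped), not as a filter fragment.`. The same sentence applies to `username` and `rdn` in the two later hunks.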
@@ -465,8 +467,9 @@ impl LDAPConnection {
 /// the RDN would be `test` (assuming `cn` is the RDN attribute).
 async fn user_exists_by_rdn(&mut self, rdn: &str) -> Result {
 let rdn_attr = self.config.get_rdn_attr();
+ let rdn_escaped = ldap_escape(rdn);
 let res = self
- .search_users(format!("({rdn_attr}={rdn})").as_str())
+ .search_users(format!("({rdn_attr}={rdn_escaped})").as_str())
 .await?;
 Ok(!res.is_empty())
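Review bot: In the @@ -465 hunk `ldap_escape(rdn)` is right for the filter, but the doc comment above describes `rdn` as the value taken out of a DN (`cn=test,...`), and a value pulled verbatim from a DN string may still carry RFC 4514 escapes such as `test\,user`; filter-escaping that turns the backslash into `\5c`, so the search looks for the literal string `test\,user` while the stored attribute value is `test,user`. Whether callers pass the decoded value cannot be seen from this hunk; if they do not, decode the RDN value before building the filter, or document the precondition: `/// `rdn` must be the decoded attribute value, not the RFC 4514-escaped form found in a DN string.`. The `/// the RDN would be` line shows the doc comment begins above the hunk.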