LDAP Search fails when CN contains brackets ( )

[realroywalker]

I am using LDAP auth with the script server and want to use LDAP groups for restricting access and adding to the admin role.
This works fine on another system I have, but I just tried it with a system that uses ( and ) in the CN attribute for the user, and I'm running into issues with groups not pulling back to the script server.
When I login to script server as a user with the CN "Test User (Test1)" I see the error 'Failed to load groups for the user test user'.

I guess that the ( and ) in the CN are not getting escaped in the search filter? as it's fine if I remove those.
Last part of the error is:-

File "/usr/lib/python3.6/site-packages/ldap3/operation/search.py", line 215, in parse_filter
raise LDAPInvalidFilterError('malformed filter')

Is there any workaround for this? - I have thousands of users with this format of CN.

[bugy]

Hi, are these parentheses added by user? Or they are part of the username template? realroywalker <notifications@github.com> schrieb am Mi., 9. Sept. 2020, 12:55:

…

I am using LDAP auth with the script server and want to use LDAP groups for restricting access and adding to the admin role. This works fine on another system I have, but I just tried it with a system that uses ( and ) in the CN attribute for the user, and I'm running into issues with groups not pulling back to the script server. When I login to script server as a user with the CN "Test User (Test1)" I see the error 'Failed to load groups for the user test user'. I guess that the ( and ) in the CN are not getting escaped in the search filter? as it's fine if I remove those. Last part of the error is:- File "/usr/lib/python3.6/site-packages/ldap3/operation/search.py", line 215, in parse_filter raise LDAPInvalidFilterError('malformed filter') Is there any workaround for this? - I have thousands of users with this format of CN. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#337>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJXPJIDE5NCZ4WS7PJDINLSE5NL5ANCNFSM4RB4TH6Q> .

[realroywalker]

They are part of the username standard for this particular system unfortunately - so a users CN will be something like "Joe Bloggs (JBloggs)"

All of the users Active Directory accounts are made with this particular format.

[bugy]

I see, could you send me the exception stack trace please? I'd like to know, which particular place is failing
Also, could you share the username_template? At least how the format looks like (you can replace real values)

[realroywalker]

Sure:-
2020-09-09 12:09:35,094 [script_server.LdapAuthorizer.ERROR] Failed to load groups for the user jbloggs
Traceback (most recent call last):
File "src/auth/auth_ldap.py", line 126, in authenticate
user_groups = self.fetch_user_groups(user_dn, user_uid, connection)
File "src/auth/auth_ldap.py", line 178, in _fetch_user_groups
result.update(_load_multiple_entries_values(base_dn, '(member=%s)' % user_dn, 'cn', connection))
File "src/auth/auth_ldap.py", line 54, in _load_multiple_entries_values
entries = _search(dn, search_filter, [attribute_name], connection)
File "src/auth/auth_ldap.py", line 43, in _search
success = connection.search(dn, search_filter, attributes=attributes)
File "/usr/lib/python3.6/site-packages/ldap3/core/connection.py", line 786, in search
check_names=self.check_names
File "/usr/lib/python3.6/site-packages/ldap3/operation/search.py", line 372, in search_operation
request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode, validator, check_names).elements[0]) # Parse the searchFilter string and compile it starting from the root node
File "/usr/lib/python3.6/site-packages/ldap3/operation/search.py", line 215, in parse_filter
raise LDAPInvalidFilterError('malformed filter')
ldap3.core.exceptions.LDAPInvalidFilterError: malformed filter

For username_template, do you mean what I have set for the 'username_pattern' config value of the script server? - if so, I have this set to $username@my.domain.local

[bugy]

Thanks! Can you try editing source code of script server locally?
in script-server/src/auth/auth_ldap.py:

search_filter = '(userPrincipalName=%s)' % full_username

replace it with:

from ldap3.utils.conv import escape_filter_chars
search_filter = '(userPrincipalName=%s)' % escape_filter_chars(full_username)

[realroywalker]

Thanks for the suggestion.

I've just tried that out and it didn't fix the issue (same error detail and behaviour).

However I have changed get_entry_dn to do something similar (line 68)

from ldap3.utils.conv import escape_filter_chars
return escape_filter_chars(entry.entry_dn)

And now it's working - I see in the logs that the username is now displayed with \28 and \29 where the brackets would have been.

[bugy]

Thanks for checking! I'll try to reproduce and commit the fix (probably a couple of other places should be changed) realroywalker <notifications@github.com> schrieb am Do., 10. Sept. 2020, 08:40:

…

Thanks for the suggestion. I've just tried that out and it didn't fix the issue (same error detail and behaviour). However I have changed get_entry_dn to do something similar (line 68) from ldap3.utils.conv import escape_filter_chars return escape_filter_chars(entry.entry_dn) And now it's working - I see in the logs that the username is now displayed with \28 and \29 where the brackets would have been. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#337 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJXPJJUV37POSTIZMJ2WWLSFBYFBANCNFSM4RB4TH6Q> .

[bugy]

Hi @realroywalker I made a fix in master
If you could test the latest version and confirm it works for you, it would be amazing!