Task #2294
closed
Add support for escaped characters in LDAP/AD
Added by Tomáš Doischer over 4 years ago.
Updated over 1 year ago.
Description
There are some characters in LDAP/AD which need to be escaped in a DN (https://ldapwiki.com/wiki/DN%20Escape%20Values), incl. the forward slash "/". Ideally, they should not be used in naming attributes, but they often are and we should be able to handle that.
The goal of this ticket is to add support for using those special characters in a DN in the connector itself.
- Project changed from winrm-ad-connector to ad-connector
- Status changed from New to In Progress
- Target version set to 1.3.5
- % Done changed from 0 to 10
I did some testing on a local environment and found the place where this problem is caused.
This is a bug directly in the connector and there is no way we can make a workaround in IdM.
This issue is now in the update method: when you are updating some attributes, the connector loads the DN from the system and uses this value for the update operation; we need to escape this value to make it work.
Class ADUpdate::update, line 172. I did some PoC and it works. So now I need to check other places in the connector to see if this issue is somewhere else and implement some universal escape method which will perform escaping for all chars which are specified in the link from Tomas.
The same thing happened in our project, where the OU contains a forward slash. The exception from the provisioning is:
javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007E5, problem 5012 (DIR_ERROR), data 0
- Target version changed from 1.3.5 to 1.3.5.1
Fixed encoding in update as mentioned in the previous comment.
But changing the DN is still not working because not all characters are encoded.
The next step is to implement encoding in ADUpdate::getNewName, line 139.
Maybe it would be easier to do this encoding already in the LDAP connector, but the forking, releasing and administration around it would be bigger than a direct solution in the AD connector.
For create, add encoding to ADCreate::executeImpl, line 94, and it should work.
So I will implement some universal method for encoding which will be used in the mentioned places.
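The "universal escape method" that the two comments above call for, as an added example in Python (not the connector's code): it applies the RFC 4514 section 2.4 value-escaping rules (specials `" + , ; < > \`, leading/trailing space, leading `#`, control characters as `\XX` hex pairs) and, because this ticket is about Active Directory, additionally escapes the forward slash, which is not part of the RFC. Treating `/` as an AD-only extra and hex-escaping control characters are assumptions made here; the DN sample is constructed to match the "OU contains a forward slash" case reported in this ticket. `build_dn`/`split_dn` show how the same helper serves the update, rename (getNewName) and create paths, which all assemble a DN from raw attribute values.

```python
"""Escaping of RDN attribute values for LDAP / Active Directory DNs.

Added example, not the AD connector's code. Rules follow RFC 4514 section 2.4;
the forward slash is treated as an extra special character because Active
Directory rejects unescaped '/' in DNs (the case reported in this ticket).
"""

# Characters RFC 4514 requires to be backslash-escaped anywhere inside a value.
RFC4514_SPECIALS = frozenset('",+;<>\\')
# Assumption for this example: AD additionally needs '/' escaped (not in the RFC).
AD_EXTRA_SPECIALS = frozenset('/')


def escape_dn_value(value: str, ad_mode: bool = True) -> str:
    """Return VALUE escaped for use as the value part of one RDN (the text after 'OU=')."""
    specials = RFC4514_SPECIALS | (AD_EXTRA_SPECIALS if ad_mode else frozenset())
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in specials:
            out.append('\\' + ch)              # backslash-escape the character itself
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')                  # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')                  # leading number sign
        elif ord(ch) < 0x20:
            out.append('\\%02X' % ord(ch))     # control characters as hex pairs (NUL -> \00)
        else:
            out.append(ch)
    return ''.join(out)


def unescape_dn_value(escaped: str) -> str:
    """Inverse of escape_dn_value: resolve '\\X' and '\\XX' (UTF-8 hex pair) sequences."""
    raw = bytearray()
    hexdigits = '0123456789abcdefABCDEF'
    i, n = 0, len(escaped)
    while i < n:
        ch = escaped[i]
        if ch != '\\':
            raw += ch.encode('utf-8')
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError('dangling backslash in RDN value')
        pair = escaped[i + 1:i + 3]
        if len(pair) == 2 and pair[0] in hexdigits and pair[1] in hexdigits:
            raw.append(int(pair, 16))          # '\\c3\\a9' -> bytes c3 a9 -> 'é'
            i += 3
        else:
            raw += escaped[i + 1].encode('utf-8')  # single escaped character
            i += 2
    return raw.decode('utf-8')


def build_dn(rdns) -> str:
    """Join (attribute, raw value) pairs into a DN, escaping every value on the way."""
    return ','.join(f'{attr}={escape_dn_value(val)}' for attr, val in rdns)


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas and unescape each value; returns (attr, value) pairs.

    Multi-valued RDNs joined with '+' are not handled in this example.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            buf.append(dn[i:i + 2])            # keep the escape so its ',' or '/' is not a separator
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append(''.join(buf))
    result = []
    for part in parts:
        attr, _, val = part.partition('=')
        result.append((attr, unescape_dn_value(val)))
    return result


if __name__ == '__main__':
    # Constructed sample: an OU whose name contains a forward slash, as in this ticket.
    dn = build_dn([('CN', 'Doe, John'), ('OU', 'Sales/EMEA'), ('DC', 'example'), ('DC', 'com')])
    print(dn)
    print(split_dn(dn))
```

A check worth adding on the Java side: JNDI's `javax.naming.ldap.Rdn.escapeValue` implements the RFC rules, but since the forward slash is not in that RFC it stays unescaped, so the AD-specific slash still has to be handled on top of it.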
- Assignee changed from Roman Kučera to Peter Štrunc
- % Done changed from 10 to 50
I created a PoC implementation that escapes group membership values by encoding them to base64. This is inspired by the behavior that Apache Directory Studio does when there is a character that needs escaping.
It needs some testing, which I will do tomorrow when I have the appropriate testing environment.
This approach should be the least error-prone but needs thorough testing before release. Just to be safe, I added a configuration property that enables and disables the base64 encoding.
Once this is tested on group memberships, I will expand this behavior for other needed attributes.
We made the check on the project with the new connector version - it was a success!
- Status changed from In Progress to Resolved
- % Done changed from 50 to 100
- Status changed from Resolved to Closed