[jira] [Comment Edited] (IMPALA-11042) Special characters are not escaped during LDAP search bind authentication

Tamas Mate (Jira) Thu, 02 Dec 2021 08:43:04 -0800


    [ 
https://issues.apache.org/jira/browse/IMPALA-11042?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452501#comment-17452501
 ]


Tamas Mate edited comment on IMPALA-11042 at 12/2/21, 4:42 PM:
---------------------------------------------------------------

It is a bit tricky, when I add an extra escape {{\}} within Impala, the 
following works:
{code}
(uniqueMember=cn=Doe\\, John,ou=Users2,dc=myorg,dc=com)
{code}

However, when I use {{ldapsearch}} with bash, I have to add an additional {{\}}:
{code}
(uniqueMember=cn=Doe\\\, John,ou=Users2,dc=myorg,dc=com)
{code}

So far I have tested this with AD and the LDAP which is embedded in the unit 
tests, in both cases the double backlash worked.


was (Author: tmate):
It is a bit tricky, when I add an extra escape {{\}} within Impala, the 
following works:
{code}
(uniqueMember=cn=Doe\\, John,ou=Users2,dc=myorg,dc=com)
{code}

However, when I use {{ldapsearch}} with bash, I have to add an additional {{\}}:
{code}
(uniqueMember=cn=Doe\\\, John,ou=Users2,dc=myorg,dc=com)
{code}

So far I have tested this with AD and the LDAP which is embedded in the unit 
tests.

> Special characters are not escaped during LDAP search bind authentication
> -------------------------------------------------------------------------
>
>                 Key: IMPALA-11042
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11042
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: Impala 4.0.0
>            Reporter: Tamas Mate
>            Assignee: Tamas Mate
>            Priority: Major
>
> For search bind authentication during group search {{{{}1{}}}} notation is 
> allowed, it represents the user's distinguished name, which is extracted from 
> the result of the user search. In certain use-cases this can contain special 
> characters, for example this a valid {{dn: cn=Doe\, 
> John,ou=Users2,dc=myorg,dc=com}}. This string is then used to create a group 
> search filter, however from the client end these characters should be escaped 
> properly, without that the following happens:
> {code}
> W1201 15:27:45.801143 32013 ldap-util.cc:196] LDAP search failed with base 
> DN=ou=Groups,dc=myorg,dc=com and filter=(uniqueMember=cn=Doe\, 
> John,ou=Users2,dc=myorg,dc=com) : Bad search filter
> {code}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Comment Edited] (IMPALA-11042) Special characters are not escaped during LDAP search bind authentication

Reply via email to