Fix invalid LDAP filter for user ID with comma
The Keystone server would respond with a 500 error when it was configured to use the LDAP identity backend and a request was made to get a token for a user whose ID contains a comma. The response looks like:

Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500)

This is because the user DN wasn't properly escaped in the filter for the query that gets the groups the user is a member of.

Closes-Bug: #1302106
Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9
parent
13ca3ee130
commit
5b5331fa02
@ -15,6 +15,7 @@ from __future__ import absolute_import
|
|||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
import ldap
|
import ldap
|
||||||
|
import ldap.filter
|
||||||
|
|
||||||
from keystone import clean
|
from keystone import clean
|
||||||
from keystone.common import dependency
|
from keystone.common import dependency
|
||||||
@ -328,9 +329,10 @@ class GroupApi(common_ldap.BaseLdap):
|
|||||||
def list_user_groups(self, user_dn):
|
def list_user_groups(self, user_dn):
|
||||||
"""Return a list of groups for which the user is a member."""
|
"""Return a list of groups for which the user is a member."""
|
||||||
|
|
||||||
|
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
|
||||||
query = '(&(objectClass=%s)(%s=%s)%s)' % (self.object_class,
|
query = '(&(objectClass=%s)(%s=%s)%s)' % (self.object_class,
|
||||||
self.member_attribute,
|
self.member_attribute,
|
||||||
user_dn,
|
user_dn_esc,
|
||||||
self.ldap_filter or '')
|
self.ldap_filter or '')
|
||||||
memberships = self.get_all(query)
|
memberships = self.get_all(query)
|
||||||
return memberships
|
return memberships
|
||||||
|
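Review bot: The new `user_dn_esc = ldap.filter.escape_filter_chars(user_dn)` line in `list_user_groups` carries no comment explaining why a DN needs filter escaping, and the reason is not obvious because a comma is not itself special in a search filter; presumably the DN-level escaping of the comma introduces a backslash, which filter syntax treats as the start of an escape sequence. I would add `# A DN may contain \, *, ( or ), which are special in RFC 4515 filters; escape it before interpolating.` directly above that line. `self.ldap_filter` is still appended to the query verbatim, which is acceptable only while it comes from operator configuration, so the docstring should say that it is trusted and deliberately left unescaped. Any other place in this file that interpolates a DN, ID or name into a filter is outside the visible hunks and should be checked for the same escaping.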