Fix invalid LDAP filter for user ID with comma
The Keystone server would respond with a 500 error when configured to use the LDAP identity backend and a request is made to get a token for a user that has an ID with a comma. The response is like: Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500) This is because the user DN wasn't properly escaped in the filter for the query to get the groups that the user is a member of. Closes-Bug: #1302106 Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9
This commit is contained in:
parent
13ca3ee130
commit
5b5331fa02
@ -15,6 +15,7 @@ from __future__ import absolute_import
|
||||
import uuid
|
||||
|
||||
import ldap
|
||||
import ldap.filter
|
||||
|
||||
from keystone import clean
|
||||
from keystone.common import dependency
|
||||
@ -328,9 +329,10 @@ class GroupApi(common_ldap.BaseLdap):
|
||||
def list_user_groups(self, user_dn):
|
||||
"""Return a list of groups for which the user is a member."""
|
||||
|
||||
user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
|
||||
query = '(&(objectClass=%s)(%s=%s)%s)' % (self.object_class,
|
||||
self.member_attribute,
|
||||
user_dn,
|
||||
user_dn_esc,
|
||||
self.ldap_filter or '')
|
||||
memberships = self.get_all(query)
|
||||
return memberships
|
||||
|
Loading…
Reference in New Issue
Block a user