in ldapquery, validation out of bounds query should be case insensitive as ldap is. #1755

Open
germanparente opened this issue Jul 7, 2024 · 1 comment

When validating if a particular dn is equal to basedn or if this dn is included in the base dn we use:

if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
	return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
}

But since this is the LDAP protocol and LDAP is case insensitive, we should rather do this check as case-insensitive.

This issue corresponds to:
https://issues.redhat.com/browse/OCPBUGS-36591
group sync is showing error "entry would search outside of the base dn specified" but it's not

/assign


germanparente commented Jul 7, 2024

Potential fix is:

index 19f276f3e..8868f287a 100644
--- a/pkg/security/ldapquery/query.go
+++ b/pkg/security/ldapquery/query.go
@@ -112,9 +112,9 @@ func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attribute
                if err != nil {
                        return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
                }
-               if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
-                       return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
-               }
+                if !baseDN.AncestorOfFold(dn) && !baseDN.EqualFold(dn) {
+                        return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
+                }
                return o.buildDNQuery(attributeValue, attributes), nil
 
        } else {
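
Review bot: the two added lines relax a bounds check (`AncestorOfFold` / `EqualFold` in place of `AncestorOf` / `Equal`) and the patch carries no test for it; a test in the ldapquery package with a base DN and an entry DN that differ only in case, plus one DN outside the base that must still return `NewQueryOutOfBoundsError`, would pin both directions. The added lines are also indented one column deeper than the lines they replace, which suggests spaces instead of tabs, so run gofmt on query.go. It is worth confirming as well that the vendored DN type provides both Fold methods before this is turned into a pull request.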
