Fix invalid LDAP filter for user ID with comma

The Keystone server would respond with a 500 error when configured to use the LDAP identity backend and a request is made to get a token for a user that has an ID with a comma. The response is like: Authorization Failed: An unexpected error prevented the server from fulfilling your request. {'desc': 'Bad search filter'} (HTTP 500) This is because the user DN wasn't properly escaped in the filter for the query to get the groups that the user is a member of. Closes-Bug: #1302106 Change-Id: Ib4886e66af0e979fcf23a84bcd51b07034547cb9
2014-04-04 10:50:07 -05:00 · 2014-04-04 10:50:07 -05:00 · 5b5331fa02
parent 13ca3ee130
commit 5b5331fa02
1 changed files with 3 additions and 1 deletions
--- a/keystone/identity/backends/ldap.py
+++ b/keystone/identity/backends/ldap.py
@ -15,6 +15,7 @@ from __future__ import absolute_import
 import uuid

 import ldap
+import ldap.filter

 from keystone import clean
 from keystone.common import dependency
@ -328,9 +329,10 @@ class GroupApi(common_ldap.BaseLdap):
    def list_user_groups(self, user_dn):
        """Return a list of groups for which the user is a member."""

+        user_dn_esc = ldap.filter.escape_filter_chars(user_dn)
        query = '(&(objectClass=%s)(%s=%s)%s)' % (self.object_class,
                                                  self.member_attribute,
-                                                  user_dn,
+                                                  user_dn_esc,
                                                  self.ldap_filter or '')
        memberships = self.get_all(query)
        return memberships