PUBLIC - Liferay Portal Community Edition: LPS-79425

User-UserGroup assignments are not exported from OpenLDAP if LDAP user has a comma or other special character

    Details

      Description

      This bug is only reproducible using OpenLDAP.

      This bug was caused by LPS-73915.

      User-usergroup assignments are not exported from OpenLDAP when the DN of the LDAP user entry contains a comma or one of the other special characters:

      ' ', '"', '#', '+', ',', ';', '<', '=', '>', and '\'

      Steps to reproduce

      1. Configure an OpenLDAP server (other LDAP servers work fine).
      2. Go to LDAP and create a user with a comma in its name, e.g. "User, with, commas".
      3. Check that its DN has an escaped comma, e.g. cn=User\, with \, comas,ou=users,dc=example,dc=com or cn=User\2c with \2c comas,ou=users,dc=example,dc=com
      4. Also create a user without any comma in its name, e.g. "User without commas".
      5. In LDAP, create a group called "Test".
      6. In LDAP, add both created users to the "Test" group.
      7. Configure Liferay to import users and groups from LDAP using the "User" import method.
      8. Wait until Liferay imports the users and groups from LDAP.
        • Expected behavior: the user group and both users are created on the Liferay side, and both users are included in the new user group.
        • Wrong behavior: the user group and both users are created on the Liferay side, but only "User without commas" is included in the new user group.

      Note: To avoid portal screenName errors, configure the LDAP server mapping and exchange the ScreenName<->FirstName mapping (screenName->givenName and firstName->cn).

      Root cause of the issue

      According to RFC 4514, the problematic characters ' ', '"', '#', '+', ',', ';', '<', '=', '>', and '\' can be encoded in two ways:

      Each octet of the character to be escaped is replaced by a backslash
      and two hex digits, which form a single octet in the code of the
      character. Alternatively, if and only if the character to be escaped
      is one of

      ' ', '"', '#', '+', ',', ';', '<', '=', '>', or '\'
      (U+0020, U+0022, U+0023, U+002B, U+002C, U+003B,
      U+003C, U+003D, U+003E, U+005C, respectively)

      it can be prefixed by a backslash ('\' U+005C).

      So the comma character ',' can be encoded in two ways: \, and \2c

      In LDAPUserImporterImpl.java, in order to solve LPS-73915, we replaced the following call:

      _portalLDAP.getNameInNamespace(long ldapServerId, long companyId, Binding binding)

      with

      binding.getNameInNamespace()

      Both methods return the full DN of the user:

      1. _portalLDAP.getNameInNamespace concatenates binding.getName() + ldapServerConfiguration.baseDN()
      2. binding.getNameInNamespace() gets the full DN directly from the object.

      The problem is that the behavior of the Java LDAP API is not consistent:

      1. The Java LDAP API returns the special characters encoded in different ways:
        • binding.getName() always returns the special character in the simplified encoding: backslash + character
        • binding.getNameInNamespace() returns the special character encoded in the format received from the LDAP server (backslash + character or backslash + hex code)
      2. OpenLDAP internally encodes the special characters in the hex mode: backslash + hex code.
      3. But when we query OpenLDAP from the Java side for the groups of a user with a special character, only the queries with the backslash + character encoding work, because LDAPUserImporterImpl.escapeValue only escapes some characters.
      4. So because of the LPS-73915 changes and the Java LDAP API behavior, we are creating LDAP queries that return zero results, because the encoding of the special characters in the query is not correct: "\2c" instead of "\,"
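      Added example (Python, not Liferay's own code) illustrating the two RFC 4514 escape forms described above: it decodes both spellings of the step-3 DN to the same raw value and re-escapes it in the backslash + character form, so a membership lookup can start from one canonical DN whichever form the server returned. The DN strings are taken from the reproduction steps; the function names are this example's own.

```python
# Added example (not Liferay code): decode both RFC 4514 escape forms of a DN value.
import re

SPECIALS = ' "#+,;<=>\\'                  # may be written as backslash + char
HEX_PAIR = re.compile(r'[0-9A-Fa-f]{2}')

def unescape_rdn_value(value: str) -> str:
    """Decode one attribute value, accepting '\\,' (short) and '\\2c' (hex)."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] != '\\':
            out.extend(value[i].encode('utf-8'))
            i += 1
        elif HEX_PAIR.fullmatch(value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))   # \2c -> byte 0x2c
            i += 3
        elif i + 1 < len(value) and value[i + 1] in SPECIALS:
            out.extend(value[i + 1].encode('utf-8'))  # \, -> ','
            i += 2
        else:
            raise ValueError(f'bad escape at offset {i} in {value!r}')
    return out.decode('utf-8')

def escape_rdn_value(raw: str) -> str:
    """Re-encode in the short form only (plus leading ' '/'#', trailing ' ')."""
    out = ''.join('\\' + c if c in '"+,;<=>\\' else c for c in raw)
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return '\\' + out if out[:1] in (' ', '#') else out

def split_dn(dn: str) -> list:
    """Split a DN into (type, escaped value) pairs at unescaped commas only."""
    rdns, i = [''], 0
    while i < len(dn):
        step = 2 if dn[i] == '\\' else 1        # keep escape pairs together
        if dn[i] == ',':
            rdns.append('')
        else:
            rdns[-1] += dn[i:i + step]
        i += step
    return [tuple(r.split('=', 1)) for r in rdns]

def normalize_dn(dn: str) -> str:
    """Canonical spelling: decode every value, re-escape in the short form."""
    return ','.join(f'{t}={escape_rdn_value(unescape_rdn_value(v))}'
                    for t, v in split_dn(dn))

# Both spellings from step 3 of the report (constructed from its text).
SHORT_FORM = 'cn=User\\, with \\, comas,ou=users,dc=example,dc=com'
HEX_FORM = 'cn=User\\2c with \\2c comas,ou=users,dc=example,dc=com'
```

      normalize_dn(HEX_FORM) and normalize_dn(SHORT_FORM) both yield SHORT_FORM, which is the spelling the report says binding.getName() produces; a plain string comparison of the two original DNs would fail.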

      Solution

      As a solution, we have to modify the escape logic of the LDAP queries.


      People

      • Assignee: Sharry Shi (sharry.shi)
      • Reporter: Jorge Diaz (jorge.diaz)


      Packages

      Version Package:
                7.0.0 DXP FP48
                7.0.0 DXP SP8
                7.0.X
                7.1.0 Beta 1
                7.1.X
                Master