Affects Version/s: 7.1.3 CE GA4
Fix Version/s: None
Component/s: Application Security > LDAP
When configuring LDAP one can run into 2 related issues:
- The BN does not consider UTF-8 characters in general, escaping legitimate characters, as in OU=Л
- When one works around this by placing the BN in the LDAP URL, the system is able to use the characters, but not for authentication, while the test function still works.
One problem that can initially be seen with this scenario is that the BN in the URL behaves differently from the BN in the field. If escaping is to happen, most likely both would have to follow the same rules, probably allowing UTF-8 with escaping as dictated by the RFC.
A second issue is that the URL's BN is a component of the search during the authentication process and is used to complete queries, for example for a CN, which is a different behavior from the BN field, which is not used at all.
This makes sense if the BN field is meant to be only the initial point of the search for users, but it leads to the issue where UTF-8 characters cannot be used; thus, one is not able to start a search for users in an OU that contains the incorrectly escaped characters.
Around the Liferay LDAP module implementation, one can find multiple occurrences of the following (sometimes unused as well),
which lead to the execution of this arbitrary, protocol-unrelated escaping:
(corresponding API module, at com.liferay.portal.security.ldap.util)
PS: org.apache.commons.lang.StringEscapeUtils -> Escapes and unescapes Strings for Java, JavaScript, HTML, XML, and SQL.
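As an added example (not Liferay's code and not part of this issue), the following Python shows what "escaping as dictated by the RFC" means for the two places the BN ends up: inside a DN (RFC 4514, section 2.4) and inside a search filter that a CN lookup completes (RFC 4515, section 3). Both rules leave non-ASCII UTF-8 such as `Л` untouched and only escape a handful of structural characters. The `java_string_style_escape` helper is a constructed illustration of `\uXXXX` Java string-literal escaping, the kind of protocol-unrelated transformation a generic utility like StringEscapeUtils applies; the page does not say which method Liferay calls, so that mapping is an assumption, as are all function names and the sample OU/DC values.

```python
"""RFC-conformant escaping for LDAP base DNs and search filters.

Added example, not Liferay code. Demonstrates RFC 4514 (DN string
representation) and RFC 4515 (search filter) escaping, both of which keep
non-ASCII UTF-8 characters such as the Cyrillic 'Л' intact, and contrasts
them with Java string-literal style escaping that turns such characters
into \\uXXXX sequences.
"""

# Characters that RFC 4514 section 2.4 requires to be backslash-escaped
# anywhere inside an attribute value.
DN_SPECIALS = frozenset(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4).

    Rules: a leading '#' or space and a trailing space get a backslash,
    the characters in DN_SPECIALS get a backslash, NUL becomes '\\00',
    and everything else, including non-ASCII, is emitted unchanged.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)  # 'Л' and any other UTF-8 character stay as-is
    return "".join(out)


# RFC 4515 section 3: only these characters must be escaped inside an
# assertion value; each is replaced by a backslash and two hex digits.
FILTER_ESCAPES = {
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\\": "\\5c",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def java_string_style_escape(value: str) -> str:
    """Constructed illustration (assumption, not a claim about Liferay's
    exact call) of Java string-literal escaping: every non-ASCII character
    becomes \\uXXXX. No LDAP RFC defines this, so a server receiving the
    result matches the literal six characters '\\u041B', not 'Л'."""
    return "".join(ch if ord(ch) < 0x80 else "\\u%04X" % ord(ch) for ch in value)


def build_base_dn(ou: str, domain_components) -> str:
    """Assemble 'OU=...,DC=...,DC=...' with each RDN value escaped per RFC 4514."""
    rdns = ["OU=" + escape_dn_value(ou)]
    rdns += ["DC=" + escape_dn_value(dc) for dc in domain_components]
    return ",".join(rdns)


def build_user_filter(attribute: str, screen_name: str) -> str:
    """Build an equality filter such as '(cn=<name>)' with RFC 4515 escaping."""
    return "(%s=%s)" % (attribute, escape_filter_value(screen_name))


def compare_escaping(ou: str) -> dict:
    """Return the same OU value escaped the RFC way and the Java-string way,
    so the mismatch reported in the issue is visible side by side."""
    rfc = escape_dn_value(ou)
    java = java_string_style_escape(ou)
    return {"rfc4514": rfc, "java_style": java, "identical": rfc == java}


if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real directory.
    print(build_base_dn("Л", ["example", "com"]))  # OU=Л,DC=example,DC=com
    print(build_base_dn("Sales, EMEA", ["example", "com"]))  # OU=Sales\, EMEA,DC=example,DC=com
    print(build_user_filter("cn", "Лев (admin)*"))  # (cn=Лев \28admin\29\2a)
    print(compare_escaping("Л"))  # rfc4514 keeps Л, java_style yields \u041B
```

Running the module prints the RFC-escaped base DN and filter for the constructed values; `compare_escaping` returns `identical: False` for any value containing non-ASCII characters, which is exactly the case where the two escaping rules diverge and an OU such as `Л` stops being found.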