  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-96439

LDAP URL not following the standards for BN

    Details

    • Type: Bug
    • Status: Verified
    • Resolution: Unresolved
    • Affects Version/s: 7.1.3 CE GA4
    • Fix Version/s: None
    • Labels:
      None

      Description

      When configuring LDAP, one can run into 2 related issues:

      • BN does not consider UTF-8 characters in general, escaping legit characters, like in OU=Л
      • With an attempt to work around by using the LDAP URL with BN, the system is able to use the characters but not for authentication, while the test function still works.

      One problem that can initially be seen with this scenario is that the BN in the URL has a different behavior than that of the field. And if escaping is to happen, most likely both would have to follow the same rules, probably allowing UTF-8 with escaping as dictated by the RFC.

      A second issue is that the URL's BN is a component of the search during the authentication process, and used to complete queries like for a CN, which is a different behavior from the BN field, which is not used.
      This makes sense if the BN field is meant to be the initial point of search for users, and nothing else, but leads to the issue where UTF-8 chars cannot be used; thus, one is not able to start a search for users in an OU that contains the incorrectly escaped chars.

      Around Liferay LDAP module impl, one can find multiple of the following (sometimes not used as well)

      		baseDN = LDAPUtil.escapeCharacters(baseDN);
      

      Which leads to the execution of this arbitrary and protocol unrelated escaping:
      (corresponding API module, at com.liferay.portal.security.ldap.util)

      	public static String escapeCharacters(String attribute) {
      		if (attribute.contains(StringPool.BACK_SLASH)) {
      			String escapedSingleBackSlash = StringPool.DOUBLE_BACK_SLASH.concat(
      				StringPool.BACK_SLASH);
      
      			attribute = attribute.replace(
      				StringPool.BACK_SLASH, escapedSingleBackSlash);
      		}
      		else {
      			attribute = StringEscapeUtils.escapeJava(attribute);
      		}
      
      		return StringUtil.replace(
      			attribute, _INVALID_CHARS, _INVALID_CHARS_SUBS);
      	}
      

      PS: org.apache.commons.lang.StringEscapeUtils -> Escapes and unescapes Strings for Java, Java Script, HTML, XML, and SQL.
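
The difference between Java-literal escaping and RFC 4514 DN escaping for a value like OU=Л, as an added example (not Liferay code and not part of the original report). The class `BaseDnEscapingDemo`, the helper `javaLiteralEscape` and the suffix `DC=example,DC=com` are hypothetical; the helper models only how Java-literal escaping treats non-ASCII characters, and the second sample value (a comma) goes beyond the case in the report.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class BaseDnEscapingDemo {

    // Hypothetical stand-in for Java-literal escaping of non-ASCII input:
    // each char above 0x7F becomes a backslash-u hex sequence. Assumption:
    // only this part is modelled, not the portal's full routine.
    static String javaLiteralEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c > 0x7F) {
                sb.append(String.format("\\u%04X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // RFC 4514 escaping of one attribute value, using the JDK's own escaper.
    static String rfc4514Dn(String ouValue, String suffix) {
        return "OU=" + Rdn.escapeValue(ouValue) + "," + suffix;
    }

    // True when the DN string parses and its leftmost RDN still carries the
    // value that was originally typed.
    static boolean preservesValue(String dn, String expected) {
        try {
            LdapName name = new LdapName(dn);
            return expected.equals(name.getRdn(name.size() - 1).getValue());
        } catch (InvalidNameException | IllegalArgumentException e) {
            return false; // rejected as a malformed DN string
        }
    }

    public static void main(String[] args) {
        String suffix = "DC=example,DC=com"; // constructed sample suffix
        // Constructed sample values: Cyrillic "Л" and a value with a comma.
        for (String ou : new String[] {"\u041B", "Sales, EMEA"}) {
            String good = rfc4514Dn(ou, suffix);
            String bad = "OU=" + javaLiteralEscape(ou) + "," + suffix;
            System.out.println(good + " -> " + preservesValue(good, ou));
            System.out.println(bad + " -> " + preservesValue(bad, ou));
        }
    }
}
```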


            People

            • Assignee:
              support-lep@liferay.com SE Support
              Reporter:
              victorlima02 Victor de Lima Soares
              Participants of an Issue:
              Recent user:
              Liferay JIRA Bot
              Engineering Assignee:
              Marta Medio

              Dates

              • Created:
                Updated:
                Days since last comment:
                27 weeks, 2 days ago
