  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-96439

LDAP URL not following the standards for BN


    • Type: Bug
    • Status: Verified
    • Resolution: Unresolved
    • Affects Version/s: 7.1.3 CE GA4
    • Fix Version/s: None
    • Labels:


      When configuring LDAP, one can run into two related issues:

      • The BN field does not account for UTF-8 characters in general and escapes legitimate characters, as in OU=Л
      • When trying to work around this by putting the BN in the LDAP URL, the system is able to use the characters, but not for authentication, while the test function still works.

      One problem that can be seen right away in this scenario is that the BN in the URL behaves differently from the BN in the field. If escaping is to happen, most likely both would have to follow the same rules, probably allowing UTF-8 with escaping as dictated by the RFC.

      A second issue is that the URL's BN is a component of the search during the authentication process and is used to complete queries, such as one for a CN. This differs from the BN field, which is not used that way.
      This makes sense if the BN field is meant to be the initial point of search for users and nothing else, but it leads to the issue where UTF-8 chars cannot be used; thus, one is not able to start a search for users in an OU that contains the incorrectly escaped chars.

      Throughout the Liferay LDAP module implementation, one can find multiple occurrences of the following (sometimes not used as well):

      		baseDN = LDAPUtil.escapeCharacters(baseDN);

      This leads to the execution of the following arbitrary, protocol-unrelated escaping
      (in the corresponding API module, at com.liferay.portal.security.ldap.util):

      	public static String escapeCharacters(String attribute) {
      		if (attribute.contains(StringPool.BACK_SLASH)) {
      			// Input already contains a backslash: rewrite every backslash
      			String escapedSingleBackSlash = StringPool.DOUBLE_BACK_SLASH.concat(
      				/* argument not shown on the page */);

      			attribute = attribute.replace(
      				StringPool.BACK_SLASH, escapedSingleBackSlash);
      		}
      		else {
      			// No backslash: apply Java string-literal escaping, not LDAP escaping
      			attribute = StringEscapeUtils.escapeJava(attribute);
      		}

      		return StringUtil.replace(
      			attribute, _INVALID_CHARS, _INVALID_CHARS_SUBS);
      	}

      PS: org.apache.commons.lang.StringEscapeUtils -> Escapes and unescapes Strings for Java, Java Script, HTML, XML, and SQL.
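
      For contrast, RFC 4514 escaping of a base DN value using only the JDK, as an added example that is not Liferay code and not part of the original report. `javaLiteralEscape` is a hypothetical stand-in that models only how Java-literal escaping rewrites non-ASCII characters; the OU values and `DC=example,DC=com` are constructed samples.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class BaseDnEscapingDemo {

    // Hypothetical stand-in (assumption): models only how Java-literal
    // escaping rewrites non-ASCII characters as backslash-u plus four hex digits.
    static String javaLiteralEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c > 0x7f) {
                sb.append(String.format("\\u%04X", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // RFC 4514 escaping applies to one attribute value at a time, never to
    // the whole DN: the commas and equals signs between RDNs are syntax.
    static String baseDn(String ouValue) {
        return "OU=" + Rdn.escapeValue(ouValue) + ",DC=example,DC=com";
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample OU values: Cyrillic, a comma, a plus sign, outer spaces.
        String[] ous = {"Л", "Sales, EMEA", "R&D+Ops", " padded "};
        for (String ou : ous) {
            String dn = baseDn(ou);
            LdapName parsed = new LdapName(dn);
            // LdapName indexes RDNs right to left, so the OU is the last one.
            Object roundTrip = parsed.getRdn(parsed.size() - 1).getValue();
            System.out.printf("%-14s -> %-32s round-trip ok: %b%n",
                "[" + ou + "]", dn, ou.equals(roundTrip));
        }
        // Java-literal escaping yields a backslash followed by 'u', which is
        // not an escape pair RFC 4514 defines, so the DN no longer names OU=Л.
        System.out.println("OU=" + javaLiteralEscape("Л") + ",DC=example,DC=com");
    }
}
```

      The RFC 4514 form leaves Л untouched and escapes only DN syntax characters, so every sample value survives the round trip through the parser.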




            support-lep@liferay.com SE Support
            victorlima02 Victor de Lima Soares
            Participants of an Issue:
            Recent user:
            Tibor Lipusz
            Engineering Assignee:
            Marta Medio (Inactive)