Posted to dev@zeppelin.apache.org by "Ilya Makarov (JIRA)" <ji...@apache.org> on 2019/02/25 19:29:00 UTC

[jira] [Created] (ZEPPELIN-4020) User DN not escaped if enabled support for nested groups (ldapRealm)

Ilya Makarov created ZEPPELIN-4020:
--------------------------------------

             Summary: User DN not escaped if enabled support for nested groups (ldapRealm)
                 Key: ZEPPELIN-4020
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-4020
             Project: Zeppelin
          Issue Type: Bug
          Components: security
    Affects Versions: 0.8.0
            Reporter: Ilya Makarov


Hi!
We use ldapRealm and need nested groups.
Our shiro.ini config contains:
{code:java}
ldapRealm.groupSearchEnableMatchingRuleInChain = true{code}
 

We have an issue: groups are not returned if the CN contains a backslash.

Example:
{code:java}
...
DEBUG [2019-02-25 21:12:01,986] ({qtp1509563803-15} LdapRealm.java[getUserDn]:942) - SearchBase,SearchFilter,UserSearchScope: OU=Main,DC=COMPANY,DC=ru,(&(objectclass=person)(sAMAccountName=ilya.makarov)),subtree
DEBUG [2019-02-25 21:12:01,997] ({qtp1509563803-15} LdapRealm.java[getUserDn]:951) - UserDN Returned,Principal: CN=Makarov\, Ilya,OU=Main,DC=COMPANY,DC=ru,ilya.makarov
DEBUG [2019-02-25 21:12:01,997] ({qtp1509563803-15} LdapRealm.java[rolesFor]:358) - Ldap PagingSize: 100
DEBUG [2019-02-25 21:12:02,001] ({qtp1509563803-15} LdapRealm.java[rolesFor]:445) - User RoleNames: ilya.makarov :: []
DEBUG [2019-02-25 21:12:02,001] ({qtp1509563803-15} LdapRealm.java[queryForAuthorizationInfo]:297) - RolesNames Authorization: []{code}


If we debug it with strace:
{code:java}
10487 sendto(233, "0\201\377\2\1\5c\201\271\4'OU=DWH,OU=Resources,OU=Main,DC=COMPANY,DC=ru\n\1\2\n\1\3\2\1\0\2\1\0\1\1\0\240}\243\24\4\vobjectClass\4\5group\251e\201\0271.2.840.113556.1.4.1941\202\6member\203?CN=Makarov, Ilya,OU=Main,DC=COMPANY,DC=ru\204\1\0000\0\240>0!\4\0261.2.840.113556.1.4.319\4\0070\5\2\1d\4\0000\31\4\0272.16.840.1.113730.3.4.2", 258, 0, NULL, 0) = 258
12676 <... recvfrom resumed> "0\204\0\0\0A\2\1\5e\204\0\0\0\7\n\1\0\4\0\4\0\240\204\0\0\0+0\204\0\0\0%\4\0261.2.840.113556.1.4.319\4\v0\204\0\0\0\5\2\1\0\4\0", 8192, 0, NULL, NULL) = 71{code}


Sent `CN=Makarov, Ilya..`

But according to the docs (https://docs.microsoft.com/ru-ru/windows/desktop/ADSI/search-filter-syntax#special-characters):
Backslash `\` should be replaced with `\5c`. (The backslash was lost and not properly escaped.)

The following ldapsearch command successfully returns groups:
{code:java}
ldapsearch -H ldap://ldap.COMPANY.ru:389 -D ad-test@COMPANY.ru -W -b "OU=DWH,OU=Resources,OU=Main,DC=COMPANY,DC=ru" -s sub '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Makarov\5c, Ilya,OU=Main,DC=COMPANY,DC=ru))' cn{code}
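The escaping the report asks for, shown as an added example that is not Zeppelin or Shiro code: RFC 4515 filter escaping applied to the user DN from the log above before it is placed in the LDAP_MATCHING_RULE_IN_CHAIN filter, plus a strict decoder that shows which DN the server would actually compare against. The DN and the on-the-wire value are taken from the report; function names are this example's own.

```python
# Added example, not Zeppelin/Shiro code: RFC 4515 escaping of a user DN before it is
# placed in the LDAP_MATCHING_RULE_IN_CHAIN filter used for nested-group lookups.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must appear as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_HEX = "0123456789abcdefABCDEF"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter.
    A DN from the directory is already RDN-escaped (RFC 4514), e.g. 'Makarov\\, Ilya';
    filter escaping is a second, independent layer, so that backslash becomes '\\5c'."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def decode_filter_value(value: str) -> str:
    """Decode a filter value the way an RFC 4515 parser does: a backslash must be
    followed by exactly two hex digits, anything else is a malformed filter."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
            continue
        hexpair = value[i + 1:i + 3]
        if len(hexpair) != 2 or not all(c in _HEX for c in hexpair):
            raise ValueError(f"malformed escape at offset {i}: {value[i:i + 3]!r}")
        out.append(chr(int(hexpair, 16)))
        i += 3
    return "".join(out)


def nested_group_filter(user_dn: str, group_class: str = "group", member_attr: str = "member") -> str:
    """Filter matching every group that lists user_dn as a direct or nested member."""
    return (f"(&(objectClass={group_class})"
            f"({member_attr}:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))")


def filter_asserts_dn(filter_value: str, user_dn: str) -> bool:
    """True when the server will compare the member attribute against exactly user_dn."""
    return decode_filter_value(filter_value) == user_dn


if __name__ == "__main__":
    # DN from the report's getUserDn log line (RDN-escaped comma inside the CN).
    user_dn = "CN=Makarov\\, Ilya,OU=Main,DC=COMPANY,DC=ru"
    print(nested_group_filter(user_dn))
    # Value seen in the report's strace: the backslash was lost, so a different DN is asserted.
    on_wire = "CN=Makarov, Ilya,OU=Main,DC=COMPANY,DC=ru"
    print(filter_asserts_dn(escape_filter_value(user_dn), user_dn), filter_asserts_dn(on_wire, user_dn))
```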


