[SERVER-83864] Incorrect escaping of LDAP DN with comma Created: 04/Dec/23  Updated: 05/Jan/24  Resolved: 05/Jan/24

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Adrian Gonzalez Montemayor
Resolution: Works as Designed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2023-12-25, Security 2024-01-08
Participants:
Case:

 Description   

If a user with name "John Smith" and LDAP DN "Smith, John" in AD tries to log in, the comma gets first escaped in the result from AD as "\," and then as "\5c," by escapeDN in the server. This double escaping results in an incorrect LDAP query for "CN=Smith\5c, John" instead of "CN=Smith\, John".

Example URL
mongodb://john.smith%40example.com:*****@localhost:27017/?authMechanism=PLAIN&authSource=%24external

Example LDAP Config:

  ldap:
    bind:
      queryUser: "ldap@example.com"
      queryPassword: "*******"
    servers: "dc.example.com:3269"
    userToDNMapping:
        '[
            {
                match: "(.+)",
                ldapQuery: "DC=example,DC=com??sub?(userPrincipalName={0})"
            }
        ]'
    authz:
        queryTemplate: "DC=example,DC=com??sub?(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))" # Nested Groups



 Comments   
Comment by Mark Benvenuto [ 04/Dec/23 ]

See https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx for the LDAP DN escaping rules.
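Worked example of the two escaping layers involved in this report (added here; this is not the server's code and escapeDN itself is not reproduced, the function names are the example's own). RFC 4514 governs the string form of a DN, which is what AD hands back: a comma inside a value is written "\,", so the entry is "CN=Smith\, John,DC=example,DC=com". RFC 4515 governs what may appear inside a search filter assertion value: a backslash must be written "\5c". Placing the AD-returned DN string into the {USER} slot of the ticket's queryTemplate therefore produces exactly "CN=Smith\5c, John,...", and a filter parser decodes that assertion value back to the DN string AD returned. Applying RFC 4514 DN escaping a second time, by contrast, would change the value (the decoded result is "Smith\, John", not "Smith, John"); that is the case where re-escaping is a real bug. The name, DN and queryTemplate are taken from the ticket.

```python
# Added worked example: RFC 4514 (DN string) escaping vs RFC 4515 (search
# filter) escaping for the "Smith, John" DN from the report. Function names
# are the example's own, not MongoDB's; escapeDN is not reproduced here.

HEX = "0123456789abcdefABCDEF"

# RFC 4514 section 2.4: these characters must be escaped inside an attribute
# value of a string-form DN; space only at either end, '#' only at the start.
DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def _unescape_backslash(value: str, hex_only: bool) -> str:
    """Decode backslash escapes. '\\XX' hex pairs are always accepted;
    '\\c' (backslash + literal char) only when hex_only is False, because
    RFC 4514 allows both forms while RFC 4515 allows hex pairs only."""
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            out += ch.encode("utf-8")
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16))  # hex pair -> one raw byte
            i += 3
        elif not hex_only and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")
            i += 2
        else:
            raise ValueError(f"invalid escape at offset {i}: {value!r}")
    return out.decode("utf-8")


def unescape_dn_value(value: str) -> str:
    return _unescape_backslash(value, hex_only=False)


# RFC 4515 section 3: inside a filter assertion value these are hex-escaped.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return _unescape_backslash(value, hex_only=True)


def build_authz_filter(template: str, user_dn: str) -> str:
    """Substitute the DN string into the {USER} placeholder of the ticket's
    queryTemplate, filter-escaping it as RFC 4515 requires."""
    return template.replace("{USER}", escape_filter_value(user_dn))


def walk_through() -> dict:
    """The report's scenario, step by step, on constructed input."""
    cn = "Smith, John"
    # 1. AD returns the DN in RFC 4514 string form: the comma is escaped.
    dn_from_ad = "CN=" + escape_dn_value(cn) + ",DC=example,DC=com"
    # 2. That DN string goes into the authz filter; its backslash becomes \5c.
    template = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={USER}))"
    authz_filter = build_authz_filter(template, dn_from_ad)
    # 3. The directory decodes the assertion value and gets the DN string back.
    start = authz_filter.index(":=") + 2
    asserted = unescape_filter_value(authz_filter[start:-2])  # drop the closing "))"
    # 4. Contrast: DN-escaping an already DN-escaped value is genuine double
    #    escaping; decoding it once yields the escaped form, not the name.
    double_dn = escape_dn_value(escape_dn_value(cn))
    return {
        "dn_from_ad": dn_from_ad,
        "authz_filter": authz_filter,
        "asserted_value": asserted,
        "round_trips": asserted == dn_from_ad,
        "double_dn_escaped": double_dn,
        "double_dn_decoded_once": unescape_dn_value(double_dn),
    }


if __name__ == "__main__":
    for key, val in walk_through().items():
        print(f"{key}: {val}")
```

Running it prints the filter the report quotes, "(member:...:=CN=Smith\5c, John,DC=example,DC=com)", with asserted_value equal to the DN string AD returned and round_trips True; the double_dn_* entries show what an actual second round of DN escaping would do to the value instead.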

Generated at Thu Feb 08 06:53:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.