colons are ':' valid filter characters #73

3 participants

@sahglie

ruby-net-ldap is choking on queries that work with our university LDAP using the ldapsearch utility. Here is an example of such a query:

```
ldapsearch -H ldaps://ldap.berkeley.edu -x -D "<bind>" -W -s sub -b "ou=people,dc=berkeley,dc=edu" "(&(objectclass=person)(ismemberof=cn=edu:berkeley:app:calmessages:deans,ou=campus groups,dc=berkeley,dc=edu))" "uid"
```

In this case, ruby-net-ldap would raise Net::LDAP::LdapError: Invalid filter syntax

I've also run this query using the Python ldap library and, like ldapsearch, it works fine.

While debugging this I isolated the problem down to the parse_filter_branch method: the scanner doesn't include ':' in its regex when--I believe--it should. After updating the regex everything worked as expected for me. Please let me know if you have any questions.

@slbug

also '/' valid too

```
2.1.1 :010 > Net::LDAP::Filter.construct("(|(loginShell=/bin/bash)(loginShell=/bin/zsh))")
Net::LDAP::LdapError: Invalid filter syntax.
2.1.1 :002 > (Net::LDAP::Filter.eq('loginShell', '/bin/bash') | Net::LDAP::Filter.eq('loginShell', '/bin/zsh')).to_s
 => "(|(loginShell=/bin/bash)(loginShell=/bin/zsh))"
```
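The two rejections reported in this thread, checked against the value character class before and after this pull request. This is an added example, not code from the pull request or from net-ldap. The classes are simplified copies of the ones in the diff; `value_accepted?`, `acceptance` and the `RFC4515` pattern are hypothetical names, and the `RFC4515` deny-list goes beyond the patch to show what the allow-list approach is being measured against.

```ruby
require 'strscan'

# Value character classes, simplified from the diff: the \xC3\x80-\xCA\xAF
# byte range is dropped because [^\x00-\x7F] already admits non-ASCII.
ESCAPED = /\\[a-fA-F\d]{2}/
BEFORE  = /(?:[-\w*.+@=,#\$%&!'\s]|[^\x00-\x7F]|#{ESCAPED})+/u
AFTER   = /(?:[-\w*.+:@=,#\$%&!'\s]|[^\x00-\x7F]|#{ESCAPED})+/u
# Assumption (not in the patch): an RFC 4515 style deny-list. Every character
# is a value character except NUL, "(", ")" and a backslash that does not
# start a two-hex-digit escape.
RFC4515 = /(?:[^\x00()\\]|#{ESCAPED})+/u

# True when the class consumes the whole value, so that the parser would
# find the closing ")" next. The scanned input is the value plus ")".
def value_accepted?(char_class, value)
  scanner = StringScanner.new("#{value})")
  !scanner.scan(char_class).nil? && scanner.rest == ')'
end

# Constructed sample values; the first two are taken from the thread above.
SAMPLES = [
  'cn=edu:berkeley:app:calmessages:deans,ou=campus groups,dc=berkeley,dc=edu',
  '/bin/bash',
  'george*',
  'a\28b', # "(" written as an escape
  'a(b'    # raw "(" has to stay rejected
].freeze

# Verdict of each character class for one value.
def acceptance(value)
  { before: value_accepted?(BEFORE, value),
    after: value_accepted?(AFTER, value),
    rfc4515: value_accepted?(RFC4515, value) }
end

SAMPLES.each { |v| puts format('%-75s %s', v, acceptance(v)) }
```
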
@schaary schaary merged commit bbf351b into ruby-ldap:master

1 check failed

default: The Travis CI build could not complete due to an error
Commits on Sep 5, 2013
  1. @sahglie
Showing with 7 additions and 1 deletion.
  1. +1 −1  lib/net/ldap/filter.rb
  2. +6 −0 spec/unit/ldap/filter_parser_spec.rb
2  lib/net/ldap/filter.rb
@@ -755,7 +755,7 @@ def parse_filter_branch(scanner)
scanner.scan(/\s*/)
if op = scanner.scan(/<=|>=|!=|:=|=/)
scanner.scan(/\s*/)
- if value = scanner.scan(/(?:[-\w*.+@=,#\$%&!'\s\xC3\x80-\xCA\xAF]|[^\x00-\x7F]|\\[a-fA-F\d]{2})+/u)
+ if value = scanner.scan(/(?:[-\w*.+:@=,#\$%&!'\s\xC3\x80-\xCA\xAF]|[^\x00-\x7F]|\\[a-fA-F\d]{2})+/u)
# 20100313 AZ: Assumes that "(uid=george*)" is the same as
# "(uid=george* )". The standard doesn't specify, but I can find
# no examples that suggest otherwise.
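Review bot: The value character class on the `+` line gains `:` but still omits `/`, so the `(loginShell=/bin/bash)` filter reported in this thread will keep raising "Invalid filter syntax" after this merge. Since each missing character surfaces as a separate bug report, consider adding `/` in the same change, or replacing the allow-list with a class that excludes only the characters a filter value must escape. A short comment above the regex saying which characters are deliberately left out would also help the next reader judge whether a rejection is intended.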
6 spec/unit/ldap/filter_parser_spec.rb
@@ -16,5 +16,11 @@
expect(Net::LDAP::Filter::FilterParser.parse(filter_string)).to be_a Net::LDAP::Filter
end
end
+ context "Given string including colons ':'" do
+ let(:filter_string) { "(ismemberof=cn=edu:berkeley:app:calmessages:deans,ou=campus groups,dc=berkeley,dc=edu)" }
+ specify "should generate filter object" do
+ expect(Net::LDAP::Filter::FilterParser.parse(filter_string)).to be_a Net::LDAP::Filter
+ end
+ end
end
end
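Review bot: The new spec only asserts `be_a Net::LDAP::Filter`, which does not show that the colons survive parsing. Consider also asserting that the parsed filter's `to_s` equals `filter_string`, and adding a case for the compound `(&(objectclass=person)(ismemberof=...))` form from the original report, since that is the query that actually failed.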