fixed LDAP search by distinguishedName

- as reported by https://synopse.info/forum/viewtopic.php?pid=40666#p40666
synopse · Nov 20, 2023 · 5a61008 · 5a61008
1 parent 0c8eeb5
commit 5a61008
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/src/mormot.commit.inc b/src/mormot.commit.inc
@@ -1 +1 @@
-'2.1.6282'
+'2.1.6283'
diff --git a/src/net/mormot.net.ldap.pas b/src/net/mormot.net.ldap.pas
@@ -1864,7 +1864,8 @@ function CldapGetDomainInfo(var Info: TCldapDomainInfo; TimeOutMS: integer;
   if sock <> nil then
   try
     id := Random31;
-    FormatUtf8('(&(DnsDomain=%)(NtVer=%))', [LdapEscapeName(DomainName), NTVER], filter);
+    FormatUtf8('(&(DnsDomain=%)(NtVer=%))',
+      [LdapEscapeName(DomainName), NTVER], filter);
     req := AsnSeq([
              Asn(id),
              RawLdapSearch('', false, filter, ['NetLogon'])
@@ -2672,17 +2673,20 @@ function InfoFilter(AT: cardinal; const AN, DN, UPN, CustomFilter: RawUtf8): Raw
 begin
   result := '';
   if AN <> '' then
-    FormatUtf8('(sAMAccountName=%)', [LdapEscapeName(AN)], result);
+    FormatUtf8('(sAMAccountName=%)',
+      [LdapEscapeName(AN)], result);
   if DN <> '' then
-    result := FormatUtf8('%(distinguishedName=%)', [result, LdapEscapeName(DN)]);
+    result := FormatUtf8('%(distinguishedName=%)',
+      [result, LdapValidDistinguishedName(DN)]); // no escape
   if UPN <> '' then
-    result := FormatUtf8('%(userPrincipalName=%)', [result, LdapEscapeName(UPN)]);
+    result := FormatUtf8('%(userPrincipalName=%)',
+      [result, LdapEscapeName(UPN)]);
   if result = '' then
   begin
     result := '(cn=)'; // return no answer whatsoever
     exit;
   end;
-  if ord(AN <> '') + ord(DN <> '')+ ord(UPN <> '') > 1 then
+  if ord(AN <> '') + ord(DN <> '') + ord(UPN <> '') > 1 then
     result := FormatUtf8('(|%)', [result]);
   result := FormatUtf8('(&(sAMAccountType=%)%%)', [AT, result, CustomFilter]);
 end;
@@ -3911,10 +3915,10 @@ function TLdapClient.GetIsMemberOf(const UserDN, CustomFilter: RawUtf8;
         exit;
   for i := 0 to high(GroupDN) do
     if GroupDN[i] <> '' then
-      if LdapEscapeName(GroupDN[i], grp) then
+      if LdapIsValidDistinguishedName(GroupDN[i]) then
       begin
-        filter := FormatUtf8('%(distinguishedName=%)', [filter, grp]);
-        inc(n);
+        filter := FormatUtf8('%(distinguishedName=%)', [filter, GroupDN[i]]);
+        inc(n); // no escape of the DN content
       end
       else
         exit;