Support backslash-escaped commas in LDAP CNs

theforeman · Oct 8, 2015 · 183e87b · 183e87b
1 parent 42f4c67
commit 183e87b
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/lib/ldap_fluff/generic_member_service.rb b/lib/ldap_fluff/generic_member_service.rb
@@ -22,8 +22,9 @@ def find_user(uid)
   end
 
   def find_by_dn(dn)
-    entry, base = dn.split(',', 2)
+    entry, base = dn.split(/(?<!\\),/, 2)
     entry_attr, entry_value = entry.split('=', 2)
+    entry_value = entry_value.gsub('\,', ',')
     user = @ldap.search(:filter => name_filter(entry_value, entry_attr), :base => base)
     raise self.class::UIDNotFoundException if (user.nil? || user.empty?)
     user

diff --git a/test/ad_member_services_test.rb b/test/ad_member_services_test.rb
@@ -120,6 +120,17 @@ def test_find_by_dn
     @ldap.verify
   end
 
+  def test_find_by_dn_comma_in_cn
+    # In at least one AD installation, users who have commas in their CNs are
+    # returned by the server in answer to a group membership query with
+    # backslashes before the commas in the CNs. Such escaped commas should not
+    # be used when splitting the DN.
+    @ldap.expect(:search, [:result], [:filter => Net::LDAP::Filter.eq('cn', 'Bar, Foo'), :base => 'dc=example,dc=com'])
+    @adms.ldap = @ldap
+    assert_equal([:result], @adms.find_by_dn('cn=Bar\, Foo,dc=example,dc=com'))
+    @ldap.verify
+  end
+
   def test_find_by_dn_missing_entry
     @ldap.expect(:search, nil, [:filter => Net::LDAP::Filter.eq('cn', 'Foo Bar'), :base => 'dc=example,dc=com'])
     @adms.ldap = @ldap