[Pki-devel] [PATCH] 0027..0029 support external authorization LDAP server
Endi Sukma Dewata
edewata at redhat.com
Fri Mar 13 13:10:11 UTC 2015
On 3/13/2015 2:00 PM, Fraser Tweedale wrote:
>>> 4. When constructing a DN the attribute values should be escaped with
>>> LDAPUtil.escapeRDNValue() to prevent problems with DN special characters.
>>>
>>> 5. When constructing LDAP filter the attribute values should be escaped
>>> with LDAPUtil.escapeFilter() to prevent problems with LDAP filter
>>> special characters.
>>>
> I have escaped end-user-supplied values, but not config values.
Do you mean these lines?
1. return mGroups + "," + mGroupsBaseDN;
2. "(&(objectclass=" + mGroupObjectClass + ")(" + filter + "))",
3. filter = k + "=" + userdn;
I think line #1 is fine because the values in those variables are
already in the DN format, not because they are config values.
Line #2 is fine too because the mGroupObjectClass is probably
filter-safe due to object class naming restrictions.
For line #3 I think the userdn still needs to be escaped. DNs and
filters have different sets of special characters (see LDAPUtil.java) so
a DN may not necessarily be filter-safe regardless of how the value was
obtained.
>> 9. I see the "gid" attribute being set in TokenAuthentication. Probably it
>> should be changed to IAuthToken.GID so we know where it's set and used.
>> Alternatively we can replace it with IAuthToken.GROUPS that contains just a
>> single group, and remove IAuthToken.GID.
>>
> Good suggestion; implemented.
Just one more thing, the "no gid in authToken" message probably should
be replaced with "no groups in authToken".
Once these are addressed, ACK. Thanks!
--
Endi S. Dewata
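Added example, not code from this thread or from the Dogtag PKI code base: a Python approximation of the RFC 4514 (DN) and RFC 4515 (filter) escaping rules that LDAPUtil.escapeRDNValue() and LDAPUtil.escapeFilter() implement in Java, showing why the DN in `filter = k + "=" + userdn` is not filter-safe just because it is a well-formed DN. The function names, the sample CN and the group attribute/object class are constructed for the example.

```python
# RFC 4514, section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = ',+"\\<>;='

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\0':
            out.append('\\00')
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:            # leading '#' would start a hex string
            out.append('\\#')
        elif ch == ' ' and i in (0, last):    # leading/trailing space is insignificant
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)

# RFC 4515, section 3: characters that must be hex-escaped in an assertion value.
# Note that '*', '(' and ')' are NOT DN-special, and ',' is NOT filter-special.
_FILTER_SPECIAL = {'*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\0': '\\00'}

def escape_filter(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515 rules)."""
    return ''.join(_FILTER_SPECIAL.get(ch, ch) for ch in value)

def member_filter(attr: str, userdn: str, group_object_class: str,
                  escape: bool = True) -> str:
    """Group-membership filter in the shape discussed in the thread.
    escape=False reproduces the unescaped concatenation k + "=" + userdn."""
    value = escape_filter(userdn) if escape else userdn
    return f"(&(objectclass={group_object_class})({attr}={value}))"

# Constructed sample: a CN that is legal in a DN but contains filter metacharacters.
USER_CN = "Smith, John (Admin)*"
USER_DN = "cn=" + escape_rdn_value(USER_CN) + ",ou=people,dc=example,dc=com"

if __name__ == "__main__":
    print(USER_DN)
    # Unescaped: '(Admin)' breaks the filter grammar and '*' turns into a wildcard.
    print(member_filter("uniqueMember", USER_DN, "groupOfUniqueNames", escape=False))
    # Escaped: the whole DN is matched literally.
    print(member_filter("uniqueMember", USER_DN, "groupOfUniqueNames"))
```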