glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

LDAP queries - Special characters backslashing #11317

Closed skocdopolet closed 1 year ago

skocdopolet commented 2 years ago


Version

9.5.7

Bug description

Hi,

I am trying to batch-import users from an LDAP directory in Expert mode. Our customer runs Active Directory on Microsoft Windows Server. All the users to import are stored in an Organizational Unit whose name contains a comma character (i.e. Customer, s.r.o.). The BaseDN field should contain OU=Customer\, s.r.o., DC=example, DC=com

When I click the Search button, no results are found, but in the BaseDN field there are now two backslashes: OU=Customer\\, s.r.o., DC=example, DC=com

I tried these variants, none with success:
  OU="Customer, s.r.o.", DC=example, DC=com => OU=\
  OU='Customer, s.r.o.', DC=example, DC=com => OU=\'Customer, s.r.o.\', DC=example, DC=com

Relevant log output

No response

Page URL

https://helpdesk..../front/ldap.import.php

Steps To reproduce

  1. Set up an LDAP directory authentication server
  2. Go to Administration - Users, click on the LDAP directory link, select Import new users, switch to Expert mode
  3. Type the same BaseDN as in the bug description

Your GLPI setup information



Server: 'ldap://172.27.1.253', Port: '636', BaseDN: 'DC=ipp,DC=local', Connection filter: '(&(objectClass=user)(objectCategory=person))', RootDN: 'CN=GLPI User,CN=Users,DC=ipp,DC=local', Use TLS: none

Way of sending emails: SMTP (anonymous@fw.anonymize)

Anything else?

No response

cconard96 commented 2 years ago

I cannot recreate this in the latest version (v10). A lot was changed with escaping and sanitization in that version though.

skocdopolet commented 2 years ago

I have upgraded my GLPI installation to version 10.0.0. The behavior is the same. Now the page displays this warning: PHP Warning (2): ldap_search(): Search: Invalid DN syntax in src/AuthLDAP.php at line 1867

cconard96 commented 2 years ago

Did you remove the extra backslash? This base DN should work and remain unchanged after saving:

OU=Customer\, s.r.o., DC=example, DC=com

skocdopolet commented 2 years ago

I have these settings: [image] When I push the Search (Hledat) button, I get no results and the form changes to this: [image]

When I remove the extra backslash and send the form again, I get the same result: the extra backslash is added and there are no results...

StackAls commented 2 years ago

Hello! I have the same problem with & in an OU. Example: OU=Customer&Groups,DC=example,DC=com

skocdopolet commented 2 years ago

Could anyone help with this issue?

tomolimo commented 2 years ago

Hello @skocdopolet, to partially solve this issue, you may add the following line to the inc/authldap.class.php file, in the searchForUsers() function: $values['basedn'] = Toolbox::stripslashes_deep($values['basedn']); Here: [image]

This will partially fix the issue: it will strip the double slash, and the DN will be OK for the search, but it will be NOK at the next display of the form.

Thank you, Regards, Tomolimo

tomolimo commented 2 years ago

Hello @skocdopolet, a better solution would be to keep inc/authldap.class.php as it was and to modify the front/ldap_import.php file. Replace the content of front/ldap_import.php with the following code:

<?php
/**
 * ---------------------------------------------------------------------
 * GLPI - Gestionnaire Libre de Parc Informatique
 * Copyright (C) 2015-2021 Teclib' and contributors.
 *
 * http://glpi-project.org
 *
 * based on GLPI - Gestionnaire Libre de Parc Informatique
 * Copyright (C) 2003-2014 by the INDEPNET Development Team.
 *
 * ---------------------------------------------------------------------
 *
 * LICENSE
 *
 * This file is part of GLPI.
 *
 * GLPI is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * GLPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with GLPI. If not, see <http://www.gnu.org/licenses/>.
 * ---------------------------------------------------------------------
 */

if (!defined('GLPI_ROOT')) {
   include ('../inc/includes.php');
}

Session::checkRight("user", User::IMPORTEXTAUTHUSERS);

// Need REQUEST to manage initial values and posted ones.
// Undo the generic addslashes() applied to request input, so that the
// RFC 4514 escaping typed in the base DN (e.g. "OU=Customer\, s.r.o.")
// and in the LDAP filter reaches ldap_search() as a single backslash.
if (isset($_REQUEST['basedn'])) {
   $_REQUEST['basedn'] = Toolbox::stripslashes_deep($_REQUEST['basedn']);
}
if (isset($_REQUEST['ldap_filter'])) {
   $_REQUEST['ldap_filter'] = Toolbox::stripslashes_deep($_REQUEST['ldap_filter']);
}

AuthLDAP::manageValuesInSession($_REQUEST);

if (isset($_SESSION['ldap_import']['_in_modal']) && $_SESSION['ldap_import']['_in_modal']) {
   $_REQUEST['_in_modal'] = 1;
}

Html::header(__('LDAP directory link'), $_SERVER['PHP_SELF'], "admin", "user", "ldap");

if (isset($_REQUEST['start'])) {
   $_SESSION['ldap_import']['start'] = $_REQUEST['start'];
}
if (isset($_REQUEST['order'])) {
   $_SESSION['ldap_import']['order'] = $_REQUEST['order'];
}
if ($_SESSION['ldap_import']['action'] == 'show') {

   $authldap = new AuthLDAP();
   $authldap->getFromDB($_SESSION['ldap_import']['authldaps_id']);

   AuthLDAP::showUserImportForm($authldap);

   if (isset($_SESSION['ldap_import']['authldaps_id'])
       && ($_SESSION['ldap_import']['authldaps_id'] != NOT_AVAILABLE)
       && (isset($_REQUEST['search']) || isset($_REQUEST['start']) || isset($_REQUEST['glpilist_limit']))) {

      echo "<br />";
      AuthLDAP::searchUser($authldap);
   }
}

Html::footer();

Thank you Regards, Tomolimo
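The failure that tomolimo's two patches above work around, as an added Python illustration (not GLPI code): a base DN escaped once per RFC 4514, the doubled backslash that PHP's addslashes() produces when a generic request sanitizer runs over it, a small RDN splitter that shows why the doubled form is rejected as "Invalid DN syntax", and the thread's stripslashes-then-validate approach. php_addslashes/php_stripslashes are approximations of the PHP functions and every name here is mine.

```python
import re

# Constructed input: the reporter's base DN, escaped once per RFC 4514.
GOOD_DN = r"OU=Customer\, s.r.o., DC=example, DC=com"

def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(), the generic request sanitizer GLPI applied:
    prefix each ' " \\ and NUL with a backslash."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)

def php_stripslashes(s: str) -> str:
    """Mimic PHP stripslashes(): drop one backslash per escape pair."""
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)

def split_dn(dn: str) -> list:
    """Split a DN into (type, value) RDNs honouring RFC 4514 escapes ('\\,' and
    the '\\2c' hex form). Raises ValueError where an LDAP server would answer
    'Invalid DN syntax': dangling backslash or an RDN without 'type='."""
    rdns, buf, i = [], [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","   # virtual final separator
        if ch == "\\":                        # escape sequence, consumed here
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9a-fA-F]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":                         # unescaped RDN separator
            rdn = "".join(buf).lstrip()       # tolerate ", DC=..." spacing
            rtype, sep, value = rdn.partition("=")
            if not sep or not rtype.strip():
                raise ValueError(f"RDN {rdn!r} is not 'type=value'")
            rdns.append((rtype.strip(), value))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return rdns

def safe_base_dn(raw: str) -> str:
    """The thread's fix: undo addslashes() before the DN reaches ldap_search(),
    and fail closed if the result still is not a well-formed DN."""
    dn = php_stripslashes(raw)
    split_dn(dn)
    return dn
```

Note that "&" (StackAls' case) is not a special character in a DN, so the splitter accepts OU=Customer&Groups unchanged; only the backslash is touched by addslashes().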

skocdopolet commented 2 years ago

Hello @tomolimo,

Today I upgraded GLPI to the latest version, 10.0.0.3. I can confirm that your code is working!

What are the next steps?

Thank you! Regards Tomas

cedric-anne commented 1 year ago

@tomolimo

Can you check if this has been fixed in GLPI 10.0.5? If the problem persists, could you open a pull request?

cedric-anne commented 1 year ago

Hi @skocdopolet @StackAls

Could you test the patch proposed in #11317?