search

jupyterhub / ldapauthenticator

LDAP Authenticator Plugin for Jupyter
BSD 3-Clause "New" or "Revised" License
206 stars 178 forks source link

LDAPInvalidFilterError Username is not escaped #225

Closed hammadab closed 2 months ago

hammadab commented 1 year ago

https://github.com/jupyterhub/ldapauthenticator/blob/24f11eb5d2517d6a1bd9cc616653cc000a044811/ldapauthenticator/ldapauthenticator.py#L430

https://github.com/jupyterhub/ldapauthenticator/blob/1.3.2/ldapauthenticator/ldapauthenticator.py#L430:L448

When escape_userdn = True the ldapauthenticator escapes special chars in userdn but does not escapes special chars in username. This does not cause an issue when allowed_groups is null but it does cause an issue when allowed_groups is not null. I suggest that the username is also escaped when escape_userdn = True or add another parameter dedicated to escape username.

I am using:

z2jh | 2.0.0
jupyterhub | 3.0.0
ldapauthenticator | 1.3.2

z2jh hub-pod logs:

[D JupyterHub ldapauthenticator:256] Looking up user with:
        search_base = 'OU=AADDC Users,DC=xxxxxx,DC=com'
        search_filter = '(sAMAccountName=my_username)'
        attributes = 'sAMAccountName'
[D ldapauthenticator:379] Attempting to bind My Full Name **(**6B4563DA**)** with CN=My Full Name **\28**6B4563DA**\29**,OU=AADDC Users,DC=xxxxxx,DC=com
[D ldapauthenticator:392] Status of user bind My Full Name **(**6B4563DA**)** with CN=My Full Name **\28**6B4563DA**\29**,OU=AADDC Users,DC=xxxxxx,DC=com : True
[D ldapauthenticator:431] username:My Full Name **(**6B4563DA**)** Using dn CN=My Full Name **\28**6B4563DA**\29**,OU=AADDC Users,DC=xxxxxx,DC=com
[E JupyterHub web:1798] Uncaught exception POST /hub/login?next=%2Fhub%2F (::ffff:xx.xx.xx.xx)
    HTTPServerRequest(protocol='http', host='xxx.xxx.xxx.xxx:3xxxx', method='POST', uri='/hub/login?next=%2Fhub%2F', version='HTTP/1.1', remote_ip='::ffff:xx.xx.xx.xx')
    Traceback (most recent call last):
      File "/usr/local/lib/python3.9/site-packages/tornado/web.py", line 1713, in _execute
        result = await result
      File "/usr/local/lib/python3.9/site-packages/jupyterhub/handlers/login.py", line 153, in post
        user = await self.login_user(data)
      File "/usr/local/lib/python3.9/site-packages/jupyterhub/handlers/base.py", line 801, in login_user
        authenticated = await self.authenticate(data)
      File "/usr/local/lib/python3.9/site-packages/jupyterhub/auth.py", line 491, in get_authenticated_user
        authenticated = await maybe_future(self.authenticate(handler, data))
      File "/usr/local/lib/python3.9/site-packages/**ldapauthenticator/ldapauthenticator.py**", line **443**, in **authenticate**
        **found = conn.search(**
      File "/usr/local/lib/python3.9/site-packages/ldap3/core/connection.py", line 838, in search
        request = search_operation(search_base,
      File "/usr/local/lib/python3.9/site-packages/ldap3/operation/search.py", line 371, in search_operation
        request['filter'] = compile_filter(parse_filter(search_filter, schema, auto_escape, auto_encode, validator, check_names).elements[0])  # parse the searchFilter string and compile it starting from the root node
      File "/usr/local/lib/python3.9/site-packages/ldap3/operation/search.py", line 214, in parse_filter
        raise **LDAPInvalidFilterError('malformed filter')**
    **ldap3.core.exceptions.LDAPInvalidFilterError: malformed filter**
welcome[bot] commented 1 year ago

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! :hugs:
If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other other community members to contribute more effectively. welcome You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! :wave:
Welcome to the Jupyter community! :tada: