Closed cakiwi closed 2 years ago
Just some notes because I can't work on this for the next two weeks.
So the issue is here: https://github.com/cs3org/reva/blob/0b65112600ccfd07504c8927d96c7a1e9ac85e7b/pkg/utils/ldap/identity.go#L534
We aren't escaping the memberName correctly which results in this error when parsing the filter:
LDAP Result Code 201 "Filter Compile Error": ldap: invalid characters for escape in filter: encoding/hex: invalid byte: U+002B '+' (&(objectclass=groupOfNames)(member=uid=corby\+,ou=users,o=libregraph-idm))
Our filter looks like this (&(objectclass=groupOfNames)(member=uid=corby\\5c+,ou=users,o=libregraph-idm))
but the parser expects (&(objectclass=groupOfNames)(member=uid=corby\\2B,ou=users,o=libregraph-idm))"
My temporary change to check the fix was this:
func (i *Identity) getGroupMemberFilter(memberName string) string {
return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
i.Group.Filter,
i.Group.Objectclass,
i.Group.Schema.Member,
~ strings.ReplaceAll(memberName, "+", "2B"),
)
}
With that change logging into oCIS was possible.
Our filter looks like this
(&(objectclass=groupOfNames)(member=uid=corby\\5c+,ou=users,o=libregraph-idm))
Actually I think that filter is correct. However, it seems there is a but in libregraph/idm that fails to correctly reescape the filter when decompiling it from BER to string. And the later for what ever reason tries to re-compile that string to BER, which fails because of wrong escaping :man_facepalming:
Somewhere here: https://github.com/libregraph/idm/blob/491c539a42bb90395ea23dcc11181891f244f2b4/pkg/ldapserver/search.go#L25
I think the is mainly caused by idm using it's own fliter compliation/de-compliation code instead of the stuff coming from go-ldap.
Should be fixed with: https://github.com/libregraph/idm/pull/68
Fix has been merged into ocis with: #4132
Actually it still doesn't fully work. :sob: let's reopen...
final fix was in idm https://github.com/libregraph/idm/pull/71 which was merged with #4200
Describe the bug
Usernames containing + cannot be autoprovisioned
Steps to reproduce
Steps to reproduce the behavior:
Expected behavior
Login to oCIS should occur.
Actual behavior
Login Error. Your user session is invalid or has expired. If you like to login with a different user please proceed to exit.
Setup
owncloud/ocis:2.0.0-beta.4
https://owncloud.dev/ocis/deployment/ocis_keycloak/ Originally changed realm login to use email as username.