wiltonsr / ldapAuth

An open source Traefik Middleware that enables authentication via LDAP in a similar way to Traefik Enterprise
https://plugins.traefik.io/plugins/628c9eb7ffc0cd18356a979c/ldap-auth
Apache License 2.0
117 stars, 10 forks

Parsing errors with certain CN formats #26

Status: Closed. MrNova111 closed this issue 2 years ago.

MrNova111 commented 2 years ago

I have been getting plugin crashes when attempting to authenticate certain users against groups. I suspect this is caused by the format of the user's CN string. Some users in our LDAP look like this and work normally: CN=Firstname Lastname

Others look like this and crash the plugin: CN=Firstname Lastname (f.lastname)

Full logs:

DEBUG: ldapAuth: 2022/11/03 11:24:06 restricted.go:51: Search Filter: '(sAMAccountname=f.lastname)'
INFO: ldapAuth: 2022/11/03 11:24:06 restricted.go:51: Authenticating User: CN=Firstname Lastname,OU=USA,OU=Users,DC=orgname,DC=sys
DEBUG: ldapAuth: 2022/11/03 11:24:07 restricted.go:51: Searching Group: 'CN=User Group,OU=DistributionLists,DC=orgname,DC=sys' with User: 'CN=Firstname Lastname,OU=USA,OU=Users,DC=orgname,DC=sys'
DEBUG: ldapAuth: 2022/11/03 11:24:07 restricted.go:51: User: 'CN=Firstname Lastname,OU=USA,OU=Users,DC=orgname,DC=sys' found in Group: 'CN=User Group,OU=DistributionLists,DC=orgname,DC=sys'
INFO: ldapAuth: 2022/11/03 11:24:07 restricted.go:51: Authentication succeeded

DEBUG: ldapAuth: 2022/11/03 11:19:55 restricted.go:51: Search Filter: '(sAMAccountname=f.lastname)'
INFO: ldapAuth: 2022/11/03 11:19:55 restricted.go:51: Authenticating User: CN=Firstname Lastname (f.lastname),OU=ISR,OU=Users,DC=orgname,DC=sys
DEBUG: ldapAuth: 2022/11/03 11:19:55 restricted.go:51: Searching Group: 'CN=User Group,OU=DistributionLists,DC=orgname,DC=sys' with User: 'CN=Firstname Lastname (f.lastname),OU=ISR,OU=Users,DC=orgname,DC=sys'
time="2022-11-03T11:19:55Z" level=error msg="plugins-storage/sources/gop-2386433808/src/github.com/wiltonsr/ldapAuth/ldapauth.go:258:9: panic" plugin=plugin-ldapAuth module=github.com/wiltonsr/ldapAuth
time="2022-11-03T11:19:55Z" level=error msg="plugins-storage/sources/gop-2386433808/src/github.com/wiltonsr/ldapAuth/ldapauth.go:125:6: panic" module=github.com/wiltonsr/ldapAuth plugin=plugin-ldapAuth
time="2022-11-03T11:19:55Z" level=error msg="Recovered from panic in HTTP handler [192.168.5.26:50528 - /favicon.ico]: reflect: call of reflect.Value.Field on zero Value" middlewareName=traefik-internal-recovery middlewareType=Recovery
time="2022-11-03T11:19:55Z" level=error msg="Stack: goroutine 6633 [running]:
github.com/traefik/traefik/v2/pkg/middlewares/recovery.recoverFunc({0x44b2cc0, 0xc002086690}, 0xc0005eab00)
    github.com/traefik/traefik/v2/pkg/middlewares/recovery/recovery.go:46 +0x225
panic({0x323fc20, 0xc001b3e120})
    runtime/panic.go:884 +0x212
github.com/traefik/yaegi/interp.runCfg.func1()
    github.com/traefik/yaegi@v0.14.2/interp/run.go:192 +0x148
panic({0x323fc20, 0xc001b3e120})
    runtime/panic.go:884 +0x212
github.com/traefik/yaegi/interp.runCfg.func1()
    github.com/traefik/yaegi@v0.14.2/interp/run.go:192 +0x148
panic({0x323fc20, 0xc001b3e120})
    runtime/panic.go:884 +0x212
reflect.Value.Field({0x0?, 0x0?, 0x3337680?}, 0xc001fa28a0?)
    reflect/value.go:1266 +0xe5
reflect.Value.FieldByIndex({0x0?, 0x0?, 0x8cdf1a?}, {0xc0011a1c40?, 0xc001bc38e8?, 0x2?})
    reflect/value.go:1299 +0x66
github.com/traefik/yaegi/interp.getPtrIndexSeq.func2(0xc001a40a50?)
    github.com/traefik/yaegi@v0.14.2/interp/run.go:2062 +0xcb
github.com/traefik/yaegi/interp.runCfg(0xc000d9b8c0, 0xc001a40a50, 0xc0010fab28?, 0x30bcb40?)
    github.com/traefik/yaegi@v0.14.2/interp/run.go:200 +0x29d
github.com/traefik/yaegi/interp.call.func9(0xc00153d600)
    github.com/traefik/yaegi@v0.14.2/interp/run.go:1438 +0x965
github.com/traefik/yaegi/interp.runCfg(0xc000d658c0, 0xc00153d600, 0x39?, 0x38ba800?)
    github.com/traefik/yaegi@v0.14.2/interp/run.go:200 +0x29d
github.com/traefik/yaegi/interp.genFunctionWrapper.func2.1({0xc0021d1cb0, 0x2, 0x4?})
    github.com/traefik/yaegi@v0.14.2/interp/run.go:1022 +0x487
github.com/traefik/yaegi/stdlib._net_http_Handler.ServeHTTP(...)
    github.com/traefik/yaegi@v0.14.2/stdlib/go1_19_net_http.go:290
github.com/traefik/traefik/v2/pkg/middlewares/accesslog.(*FieldHandler).ServeHTTP(0xc001f425c0, {0x44b2cc0, 0xc002086690}, 0x32832e0?)
    github.com/traefik/traefik/v2/pkg/middlewares/accesslog/field_middleware.go:31 +0x122
github.com/gorilla/mux.(*Router).ServeHTTP(0xc002b35c20, {0x44b2cc0, 0xc002086690}, 0xc0005eab00)
    github.com/gorilla/mux@v1.8.0/mux.go:141 +0x24c
github.com/traefik/traefik/v2/pkg/middlewares/recovery.(*recovery).ServeHTTP(0xc0013bd300?, {0x44b2cc0?, 0xc002086690?}, 0x30b68c0?)
    github.com/traefik/traefik/v2/pkg/middlewares/recovery/recovery.go:32 +0x82
github.com/traefik/traefik/v2/pkg/middlewares/accesslog.(*FieldHandler).ServeHTTP(0xc001f43e40, {0x44b2cc0, 0xc002086690}, 0x203000?)
    github.com/traefik/traefik/v2/pkg/middlewares/accesslog/field_middleware.go:31 +0x122
github.com/traefik/traefik/v2/pkg/middlewares/snicheck.SNICheck.ServeHTTP({{0x4494fc0?, 0xc001f43e40?}, 0xc002048b40?}, {0x44b2cc0, 0xc002086690}, 0xc0005eab00)
    github.com/traefik/traefik/v2/pkg/middlewares/snicheck/snicheck.go:49 +0x189
github.com/traefik/traefik/v2/pkg/middlewares.(*HTTPHandlerSwitcher).ServeHTTP(0x4108c7?, {0x44b2cc0, 0xc002086690}, 0x448c301?)
    github.com/traefik/traefik/v2/pkg/middlewares/handler_switcher.go:23 +0x62
github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator.(*RequestDecorator).ServeHTTP(0xc00011cea8, {0x44b2cc0, 0xc002086690}, 0xc0005eaa00, 0xc002286b80)
    github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator/request_decorator.go:47 +0x30e
github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator.WrapHandler.func1.1({0x44b2cc0?, 0xc002086690?}, 0xc0021d1b60?)
    github.com/traefik/traefik/v2/pkg/middlewares/requestdecorator/request_decorator.go:89 +0x68
net/http.HandlerFunc.ServeHTTP(0xc000130e60?, {0x44b2cc0?, 0xc002086690?}, 0x9?)
    net/http/server.go:2109 +0x2f
github.com/traefik/traefik/v2/pkg/middlewares/forwardedheaders.(*XForwarded).ServeHTTP(0xc000130e60, {0x44b2cc0, 0xc002086690}, 0xc0005eaa00)
    github.com/traefik/traefik/v2/pkg/middlewares/forwardedheaders/forwarded_header.go:192 +0xca
net/http.AllowQuerySemicolons.func1({0x44b2cc0, 0xc002086690}, 0xc0005eaa00)
    net/http/server.go:2974 +0x223
net/http.HandlerFunc.ServeHTTP(0x0?, {0x44b2cc0?, 0xc002086690?}, 0xc002916000?)
    net/http/server.go:2109 +0x2f
net/http.serverHandler.ServeHTTP({0x120?}, {0x44b2cc0, 0xc002086690}, 0xc0005eaa00)
    net/http/server.go:2947 +0x30c
net/http.initALPNRequest.ServeHTTP({{0x44bf310?, 0xc000a98120?}, 0xc0010ea700?, {0xc00025c4b0?}}, {0x44b2cc0, 0xc002086690}, 0xc0005eaa00)
    net/http/server.go:3556 +0x245
golang.org/x/net/http2.(*serverConn).runHandler(0x44acfa0?, 0x63654c0?, 0x0?, 0x0?)
    golang.org/x/net@v0.0.0-20220927171203-f486391704dc/http2/server.go:2248 +0x83
created by golang.org/x/net/http2.(*serverConn).processHeaders
    golang.org/x/net@v0.0.0-20220927171203-f486391704dc/http2/server.go:1958 +0x5b9
" middlewareName=traefik-internal-recovery middlewareType=Recovery
wiltonsr commented 2 years ago

Hi, @MrNova111

Could you try with v0.0.19-beta?

I added ldap.EscapeFilter that:

EscapeFilter escapes from the provided LDAP filter string the special characters in the set ()*\ and those out of the range 0 < c < 0x80, as defined in RFC4515.

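Added example (not from the thread and not the plugin's source): the log above shows a DN containing parentheses being interpolated into the group search filter, and the fix was to run values through RFC 4515 escaping before they go into a filter. The Go program below re-implements the escaping rule exactly as quoted (characters `()*\` and bytes outside 0 < c < 0x80 become `\xx`), pairs it with a small strict parser for a single `(attr=value)` item so the effect is visible offline, and feeds it the DN from the log. The `member` attribute and the `(member=<dn>)` shape are assumptions for the example; the plugin's real group filter is not shown in the thread. The same treatment belongs on any value that reaches a filter from a request, such as the username in `(sAMAccountname=...)`, which is stated here as a general rule about LDAP filters and not as a finding about this plugin's code.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// escapeFilterValue applies the RFC 4515 rule quoted in the thread: the
// characters ( ) * \ and every byte outside 0 < c < 0x80 are written as a
// backslash and two hex digits. Re-implementation for this example, not
// go-ldap's ldap.EscapeFilter itself.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '(' || c == ')' || c == '*' || c == '\\' || c == 0 || c >= 0x80 {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unescapeFilterValue reverses escapeFilterValue: each \xx becomes byte xx.
func unescapeFilterValue(s string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if s[i] != '\\' {
			b.WriteByte(s[i])
			continue
		}
		if i+2 >= len(s) {
			return "", errors.New("truncated escape sequence")
		}
		v, err := strconv.ParseUint(s[i+1:i+3], 16, 8)
		if err != nil {
			return "", fmt.Errorf("bad escape %q: %w", s[i:i+3], err)
		}
		b.WriteByte(byte(v))
		i += 2
	}
	return b.String(), nil
}

// parseEqualityFilter parses one "(attr=value)" item the way a strict RFC 4515
// consumer does: the value ends at the first unescaped ')', may not contain an
// unescaped '(' or '*', and nothing may follow the closing ')'. The returned
// value is unescaped, i.e. the bytes a server would compare against the entry.
func parseEqualityFilter(filter string) (attr, value string, err error) {
	if !strings.HasPrefix(filter, "(") {
		return "", "", errors.New("filter must start with '('")
	}
	eq := strings.IndexByte(filter, '=')
	if eq < 0 {
		return "", "", errors.New("missing '=' in filter item")
	}
	attr, rest := filter[1:eq], filter[eq+1:]
	end := -1
scan:
	for i := 0; i < len(rest); i++ {
		switch rest[i] {
		case '\\':
			i += 2 // skip the two hex digits of an escape
		case '(', '*':
			return "", "", fmt.Errorf("unescaped %q inside value at offset %d", rest[i], eq+1+i)
		case ')':
			end = i
			break scan
		}
	}
	if end < 0 {
		return "", "", errors.New("unterminated filter item")
	}
	if end != len(rest)-1 {
		return "", "", fmt.Errorf("trailing data after filter item: %q", rest[end+1:])
	}
	value, err = unescapeFilterValue(rest[:end])
	return attr, value, err
}

// groupMemberFilter builds a membership check for dn. "member" is an assumed
// attribute for the example; escape=false reproduces the pattern that failed.
func groupMemberFilter(dn string, escape bool) string {
	if escape {
		dn = escapeFilterValue(dn)
	}
	return "(member=" + dn + ")"
}

func main() {
	dn := "CN=Firstname Lastname (f.lastname),OU=ISR,OU=Users,DC=orgname,DC=sys" // DN from the thread's log
	for _, esc := range []bool{false, true} {
		f := groupMemberFilter(dn, esc)
		_, v, err := parseEqualityFilter(f)
		fmt.Printf("escape=%-5v %s\n   value=%q err=%v\n", esc, f, v, err)
	}
	// Constructed username carrying a second assertion: once escaped it is a plain literal.
	_, v, err := parseEqualityFilter("(sAMAccountname=" + escapeFilterValue("f.lastname)(objectClass=*") + ")")
	fmt.Printf("escaped username round-trips as %q (err=%v)\n", v, err)
}
```

Two caveats worth keeping in mind when applying this. Filter escaping (RFC 4515) is not DN escaping (RFC 4514): a DN assembled for a bind, for example `CN=...,OU=...`, follows different quoting rules, so do not reuse the filter escaper there. And escaping alone does not make a search safe against wildcards if the code deliberately wants `*` in some positions; escape the user-controlled part and append the wildcard afterwards rather than escaping the whole template.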
MrNova111 commented 2 years ago

That did the trick!