Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-27320

Allow underscore character in LDAP queries

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 10.10
    • Fix Version/s: 10.10-HF08, 11.1, 2021.0
    • Component/s: Directory
    • Release Notes Summary:
      The underscore character is allowed in LDAP searches.
    • Tags:
    • Backlog priority:
      600
    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      Starting with 11.1, the UserManager.searchUsers(pattern) and UserManager.searchGroups(pattern) APIs interpret the pattern as a generic string with arbitrary characters that will be matched exactly (depending on the directory substring match style).

      If compatibility with previous versions is needed, to use a pattern where % and _ are interpreted as LIKE escapes, the following must be set:

      <require>org.nuxeo.ecm.platform.usermanager.properties</require>
      <extension target="org.nuxeo.runtime.ConfigurationService" point="configuration">
        <property name="nuxeo.usermanager.search.escape.compat">true</property>
      </extension>
      

      For 10.10 HF this compatibility mode is activated by default, so behavior is not changed.

      (The other fix in this commit makes sure that even in compat mode an unescaped _ does not cause a problem for LDAP searches.)

      Show
      Starting with 11.1, the UserManager.searchUsers(pattern) and UserManager.searchGroups(pattern) APIs interpret the pattern as a generic string with arbitrary characters that will be matched exactly (depending on the directory substring match style). If compatibility with previous versions is needed, to use a pattern where % and _ are interpreted as LIKE escapes, the following must be set: <require> org.nuxeo.ecm.platform.usermanager.properties </require> <extension target= "org.nuxeo.runtime.ConfigurationService" point= "configuration" > <property name= "nuxeo.usermanager.search.escape.compat" > true </property> </extension> For 10.10 HF this compatibility mode is activated by default, so behavior is not changed. (The other fix in this commit makes sure that even in compat mode an unescaped _ does not cause a problem for LDAP searches.)
    • Sprint:
      nxFG 11.1.8, nxFG 11.1.9

      Description

       

      Nuxeo should accept the _ in LDAP queries, whereas it's not currently permitted : https://github.com/nuxeo/nuxeo/blob/master/nuxeo-services/nuxeo-platform-directory/nuxeo-platform-directory-ldap/src/main/java/org/nuxeo/ecm/directory/ldap/LDAPFilterBuilder.java#L330

      Currently it thows an exception

      Caused by: org.nuxeo.ecm.core.query.QueryParseException: Cannot use _ wildcard in LIKE for LDAP directory
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkLikeWildcard(LDAPFilterBuilder.java:331)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkLike(LDAPFilterBuilder.java:300)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkExpression(LDAPFilterBuilder.java:122)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkOperand(LDAPFilterBuilder.java:356)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkMulti(LDAPFilterBuilder.java:201)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkOrMultiExpression(LDAPFilterBuilder.java:187)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walkExpression(LDAPFilterBuilder.java:115)
               at org.nuxeo.ecm.directory.ldap.LDAPFilterBuilder.walk(LDAPFilterBuilder.java:71)
               at org.nuxeo.ecm.directory.ldap.LDAPSession.queryIds(LDAPSession.java:613)
               at org.nuxeo.ecm.directory.multi.MultiDirectoryExpressionEvaluator.evaluate(MultiDirectoryExpressionEvaluator.java:251)
               at org.nuxeo.ecm.directory.multi.MultiDirectoryExpressionEvaluator.evaluate(MultiDirectoryExpressionEvaluator.java:215)
               at org.nuxeo.ecm.directory.multi.MultiDirectoryExpressionEvaluator.eval(MultiDirectoryExpressionEvaluator.java:104)
               at org.nuxeo.ecm.directory.multi.MultiDirectorySession.query(MultiDirectorySession.java:773)
               at org.nuxeo.ecm.platform.usermanager.UserManagerImpl.searchGroups(UserManagerImpl.java:1192)
               at org.nuxeo.ecm.platform.computedgroups.UserManagerWithComputedGroups.searchGroups(UserManagerWithComputedGroups.java:210)
               at org.nuxeo.ecm.platform.usermanager.UserManagerImpl.searchGroups(UserManagerImpl.java:1289)
               at org.nuxeo.ecm.platform.usermanager.UserManagerImpl.searchGroups(UserManagerImpl.java:750)
               at org.nuxeo.ecm.platform.usermanager.providers.AbstractGroupsPageProvider.searchGroups(AbstractGroupsPageProvider.java:116) 

      LDAP module should be updated accordingly.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0 minutes
                0m
                Logged:
                Time Spent - 4 hours
                4h

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.