Handle escaped comma in LDAP DN string

Closes #326
2025-07-19 05:09:42 +02:00 · 2019-10-28 15:03:53 +00:00 · 2019-10-28 15:03:53 +00:00 · 8fa8a3657c
commit 8fa8a3657c
parent a64a219ce8
1 changed files with 41 additions and 2 deletions
--- a/domain/auth/ldap/ldap.go
+++ b/domain/auth/ldap/ldap.go
@ -172,9 +172,9 @@ func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
 			continue
 		}

+		// Get CN element from DN.
 		for _, entry := range rawMembers {
-			// get CN element from DN
-			parts := strings.Split(entry, ",")
+			parts := splitDN(entry)
 			if len(parts) == 0 {
 				continue
 			}
@ -204,6 +204,45 @@ func executeGroupFilter(c lm.LDAPConfig) (u []lm.LDAPUser, err error) {
 	return
 }

+// splitDN handles splitting of DN string whilst respecting
+// escaped comma characters.
+//
+// DN values can contain escaped commas like in two ways:
+//
+// 		\,
+// 		\\5c,
+//
+// Relevant notes:
+
+// 		https://docs.oracle.com/cd/E19424-01/820-4811/gdxpo/index.html#6ng8i269q
+// 		https://devblogs.microsoft.com/scripting/how-can-i-work-with-a-cn-that-has-a-comma-in-it/
+//
+// Example:
+
+//		CN=Surname\, Name,OU=Something,OU=AD-Example,OU=Examaple,DC=example,DC=example,DC=com
+//
+// When we split on comma, here is our logic:
+//
+// 1. We replace any escaped comma values with a special character sequence, in this case !?!
+// 2. We string.split on comma as per usual.
+// 3. We put back the original escaped comma values.
+func splitDN(dn string) []string {
+	var r string
+	r = strings.ReplaceAll(dn, "\\5c,", "!!1!!")
+	r = strings.ReplaceAll(dn, "\\,", "!!2!!")
+
+	sp := strings.Split(r, ",")
+
+	for i := range sp {
+		val := sp[i]
+		r2 := strings.ReplaceAll(val, "!!1!!", "\\5c,")
+		r2 = strings.ReplaceAll(val, "!!2!!", "\\,")
+		sp[i] = r2
+	}
+
+	return sp
+}
+
 // extractUser build user record from LDAP result attributes.
 func extractUser(c lm.LDAPConfig, e *ld.Entry) (u lm.LDAPUser) {
 	u.Firstname = e.GetAttributeValue(c.AttributeUserFirstname)