escape special LDAP chars

ahaenggli · Mar 19, 2022 · 1e49434 · 1e49434
1 parent db8ca1a
commit 1e49434
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased] (in 'dev')
 
+## [1.7.0] - 2022-03-19
+
 ### Changed
 
 - to support #ext#-users the following changes were necessary:
@@ -34,6 +36,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - converted schema csv files from utf-16 to utf-8
 - handle cn=subschema like any other ldap entries instead of fixed search attributes
 - register an error handler for the server (EventEmitter)
+- escape LDAP special chars `,=+<>#;\` with an additional backslash
 
 ## [1.6.0] - 2021-12-19
 

diff --git a/graph_azuread.js b/graph_azuread.js
@@ -40,6 +40,7 @@ const cca = new msal.ConfidentialClientApplication({
         clientSecret: config.AZURE_APP_SECRET,
     }
 });
+
 /**
  * Acquires token with client credentials.
  * @param {object} tokenRequest
@@ -98,7 +99,7 @@ graph.loginWithUsernamePassword = async function loginWithUsernamePassword(usern
     let credential = new aIdentity.UsernamePasswordCredential(
         config.AZURE_TENANTID,
         config.AZURE_APP_ID,
-        username,
+        encodeURIComponent(username),
         encodeURIComponent(password)
     );
 

diff --git a/helper.js b/helper.js
@@ -69,5 +69,11 @@ helper.ReadFile = function (file, encoding = 'utf8') {
     else return "";
 };
 
+helper.escapeLDAPspecialChars = function escapeLDAPspecialChars(str) {
+    return str.replace(/[,=+<>#;\\]/g, '\\$&');    
+};
 
+helper.unescapeLDAPspecialChars = function escapeLDAPspecialChars(str) {
+    return str.replace(/\\([,=+<>#;\\])/g, '$1');
+};
 module.exports = helper;
diff --git a/ldapwrapper.js b/ldapwrapper.js
@@ -18,10 +18,6 @@ function removeSpecialChars(str) {
   return diacritic.clean(str).replace(/[^A-Za-z0-9._\s]+/g, '-');
 }
 
-function escapeLDAPspecialChars(str) {
-  return str.replace(/[,=+<>#;\\]/g, '\\$&');
-}
-
 ldapwrapper.do = async function () {
   helper.log("ldapwrapper.js", "start");
 
@@ -375,14 +371,13 @@ ldapwrapper.do = async function () {
           user.userPrincipalName = user.mail;
 
           if (userPrincipalName.indexOf("#EXT#") > -1) {
-            userPrincipalName = escapeLDAPspecialChars(userPrincipalName.substring(0, userPrincipalName.indexOf("#EXT#")));
+            userPrincipalName = userPrincipalName.substring(0, userPrincipalName.indexOf("#EXT#"));
           } else {
 
             let issuers = user.identities.filter(x => x.hasOwnProperty('issuer') && x.signInType == 'userPrincipalName');
             helper.warn(issuers);
             issuers.forEach(issuer => userPrincipalName = userPrincipalName.replace('@' + issuer.issuer, ''));
-            userPrincipalName = userPrincipalName.replace('#EXT#', '');
-            userPrincipalName = escapeLDAPspecialChars(userPrincipalName);
+            userPrincipalName = userPrincipalName.replace('#EXT#', '');            
           }
 
           AzureADuserExternal = 1;
@@ -412,6 +407,8 @@ ldapwrapper.do = async function () {
           // userPrincipalName = userPrincipalNameClean;
         }
 
+        userPrincipalName = helper.escapeLDAPspecialChars(userPrincipalName);
+
         let upName = config.LDAP_USERRDN + "=" + userPrincipalName + "," + config.LDAP_USERSDN;
         upName = upName.toLowerCase();
 
@@ -521,8 +518,6 @@ ldapwrapper.do = async function () {
           });
 
         db[upName] = customizer.ModifyLDAPUser(db[upName], user);
-
-
       }
     }
 

diff --git a/server.js b/server.js
@@ -172,7 +172,7 @@ server.bind(SUFFIX, async (req, res, next) => {
         helper.log("server.js", "server.bind", dn);
 
         // dn bind
-        var username = dn.replace(config.LDAP_USERRDN + "=", '').replace("," + config.LDAP_USERSDN, '');
+        var username = helper.unescapeLDAPspecialChars(dn.replace(config.LDAP_USERRDN + "=", '').replace("," + config.LDAP_USERSDN, ''));
         var pass = req.credentials;
 
         if (config.LDAP_BINDUSER && config.LDAP_BINDUSER.toString().split("||").indexOf(username + '|' + pass) > -1) {
@@ -192,7 +192,7 @@ server.bind(SUFFIX, async (req, res, next) => {
 
             var userAttributes = db[dn]; // removeSensitiveAttributes(req.dn, dn, db[dn]);//
 
-            if (!userAttributes || !userAttributes.hasOwnProperty("sambaNTPassword") || !userAttributes.hasOwnProperty("AzureADuserPrincipalName")) {
+            if (!userAttributes || !userAttributes.hasOwnProperty("sambaNTPassword") || !userAttributes.hasOwnProperty("AzureADuserPrincipalName")) {                
                 helper.log("server.js", "server.bind", username, "Failed login -> mybe not synced yet?");
                 return next(new ldap.InvalidCredentialsError());
             } else {
@@ -238,7 +238,6 @@ server.bind(SUFFIX, async (req, res, next) => {
                     helper.error("server.js", "server.bind", username, " -> Failed login");
                     return next(new ldap.InvalidCredentialsError());
                 }
-
             }
         }
     }