fix #4609: allow valid DN in ldap/ad realm config

[pve-access-control.git] / src / PVE / Auth / LDAP.pm

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 4792586673ec815a1945d6f40437dc8f1d0cadea..fc82a17ad3baa26e1c5cc1a4fd71d3af105f0c15 100755 (executable)
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -10,6 +10,9 @@ use PVE::Tools;
 
 use base qw(PVE::Auth::Plugin);
 
+my  $dn_part_regex = qr!("[^"]+"|[^ ,+"/<>;=#][^,+"/<>;=]*[^ ,+"/<>;=]|[^ ,+"/<>;=#])!;
+our $dn_regex = qr!\w+=${dn_part_regex}(,\s*\w+=${dn_part_regex})*!;
+
 sub type {
     return 'ldap';
 }
@@ -19,7 +22,7 @@ sub properties {
        base_dn => {
            description => "LDAP base domain name",
            type => 'string',
-           pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },
@@ -33,7 +36,7 @@ sub properties {
        bind_dn => {
            description => "LDAP bind domain name",
            type => 'string',
-           pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },
@@ -91,7 +94,7 @@ sub properties {
            description => "LDAP base domain name for group sync. If not set, the"
                ." base_dn will be used.",
            type => 'string',
-           pattern => '\w+=[^,]+(,\s*\w+=[^,]+)*',
+           pattern => $dn_regex,
            optional => 1,
            maxLength => 256,
        },