From 931e5bc19f98d4ce1654d39fa0b2ae4a4723b528 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov
Date: Mon, 29 Aug 2022 18:07:55 +0200
Subject: [PATCH] auth ldap/ad: compare group member dn case-insensitively

currently we add a user to a group if it's DN is listed in the member-attributes of a group. The comparison for this is done via existence check of a hash key, which is case-sensitive. The equality for DNs is defined in a not straight forward way [0]: (roughly translating to you need to honor the equality rules for each 'component' (RDN) of the DN) and is implementation-specific (Microsoft AD is case-insensitive). While this patch does not address the complete complexity of comparing DNs it should work fine in practice. issue with case-sensitive mismatches was reported in our community forum: https://forum.proxmox.com/threads/.113387 tested against a local test-vm used for reproducing the issue.

[0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity

Signed-off-by: Stoiko Ivanov
---
 src/PVE/Auth/LDAP.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Auth/LDAP.pm b/src/PVE/Auth/LDAP.pm
index 97d0778..4792586 100755
--- a/src/PVE/Auth/LDAP.pm
+++ b/src/PVE/Auth/LDAP.pm
@@ -310,7 +310,7 @@ sub get_users {
     if (wantarray) {
         my $dn = $user->{dn};
-        $dnmap->{$dn} = $username;
+        $dnmap->{lc($dn)} = $username;
     }
 }
@@ -351,7 +351,7 @@ sub get_groups {
         $ret->{$name} = { users => {} };
         foreach my $member (@{$group->{members}}) {
-            if (my $user = $dnmap->{$member}) {
+            if (my $user = $dnmap->{lc($member)}) {
                 $ret->{$name}->{users}->{$user} = 1;
             }
         }
-- 
2.39.2
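Review bot: Lower-casing the key in `$dnmap->{lc($dn)} = $username;` makes two users whose DNs differ only in case share one map entry, and the second assignment silently overwrites the first, so a group member could be resolved to the wrong user and inherit that group's permissions. Against a directory where some RDN attribute really is case-sensitive (the commit message notes this is implementation-specific) that is a silent authorization mistake rather than a lookup miss, so the collision should at least be visible: `my $key = lc($dn);` / `warn "ldap: DN '$dn' collides case-insensitively with another user's DN\n" if exists $dnmap->{$key};` / `$dnmap->{$key} = $username;`. Whether `lc` is adequate for non-ASCII DN values cannot be judged from the hunk; `fc` would be the proper case fold if the file already requires Perl 5.16+. The enclosing `sub get_users` and the loop around this `wantarray` block start outside the hunk.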
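Review bot: The lookup `$dnmap->{lc($member)}` and the insertion in get_users now have to agree on exactly the same normalization, and a plain `lc` at both sites is easy to let drift when someone later adds whitespace or escaping handling (`cn=foo, ou=bar` vs `cn=foo,ou=bar` still miss here). I would factor the normalization into one helper used by both sites, e.g. `my $normalize_dn = sub { return lc($_[0]); };` near the top of the file and `$dnmap->{$normalize_dn->($member)}` here, with a comment noting it is a deliberate approximation of RFC 4517 DN matching. A member DN that does not resolve is still dropped silently; if this code is debugged in the field, a debug-level log of unmatched members would help, but I can only infer the available logging facility from outside the hunk. `sub get_groups` and the enclosing group loop begin before the hunk.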