auth ldap/ad: compare group member dn case-insensitively master
author Stoiko Ivanov <s.ivanov@proxmox.com>
Mon, 29 Aug 2022 16:07:55 +0000 (18:07 +0200)
committer Thomas Lamprecht <t.lamprecht@proxmox.com>
Tue, 30 Aug 2022 10:44:28 +0000 (12:44 +0200)
commit 931e5bc19f98d4ce1654d39fa0b2ae4a4723b528
tree 615aa682fe053d2bb9d903bb4afcc43ab46ee48d
parent 28ec897247698cf3a1c1db5d4e3c5a0f2c5706bb
auth ldap/ad: compare group member dn case-insensitively

currently we add a user to a group if its DN is listed in the
member-attributes of a group. The comparison for this is done via
existence check of a hash key, which is case-sensitive.

The equality for DNs is defined in a not straightforward way [0]:
(roughly translating to you need to honor the equality rules for each
'component' (RDN) of the DN) and is implementation-specific (Microsoft
AD is case-insensitive).

While this patch does not address the complete complexity of comparing
DNs it should work fine in practice.

issue with case-sensitive mismatches was reported in our community
forum:
https://forum.proxmox.com/threads/.113387

tested against a local test-vm used for reproducing the issue.

[0] https://ldapwiki.com/wiki/Distinguished%20Name%20Case%20Sensitivity

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
src/PVE/Auth/LDAP.pm
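
The mismatch described in the commit message, as an added Perl example that is not part of this commit or of the project's code: a group lookup by raw hash key misses a member whose DN differs only in case, while folding both sides with `lc()` finds it. The DNs, user names and the helper names `members_exact` and `members_folded` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data: DNs as returned by the user search, and the same
# entries as written in a group's member attribute, one with different case.
my $users = {
    'CN=Jane Doe,OU=Staff,DC=example,DC=com' => 'jdoe',
    'CN=Bob Ray,OU=Staff,DC=example,DC=com'  => 'bray',
};
my $group_members = [
    'cn=jane doe,ou=staff,dc=example,dc=com',    # same entry, lower case
    'CN=Bob Ray,OU=Staff,DC=example,DC=com',     # byte-identical
    'CN=Not Synced,OU=Staff,DC=example,DC=com',  # no matching user
];

# Case-sensitive lookup: existence check of a hash key on the raw DN string.
sub members_exact {
    my ($users, $members) = @_;
    return [ map { $users->{$_} } grep { exists $users->{$_} } @$members ];
}

# Case-insensitive lookup: fold both sides with lc() before comparing.
# This is a whole-string fold, not a per-RDN matching-rule comparison, so
# DNs that differ in whitespace or escaping would still not match.
sub members_folded {
    my ($users, $members) = @_;
    my %by_lc_dn;
    for my $dn (keys %$users) {
        $by_lc_dn{ lc($dn) } = $users->{$dn};
    }
    my @found;
    for my $member (@$members) {
        my $key = lc($member);
        push @found, $by_lc_dn{$key} if exists $by_lc_dn{$key};
    }
    return \@found;
}

printf "exact:  %s\n", join(', ', @{ members_exact($users, $group_members) });
printf "folded: %s\n", join(', ', @{ members_folded($users, $group_members) });
```

With the exact lookup the first member is silently left out of the group, so any permissions granted through that group never reach the user.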