4 changes: 2 additions & 2 deletions core/sessions/ldapauth/ldap.go
Expand Up @@ -403,7 +403,7 @@ func (l *ldapAuthenticator) CreateSession(ctx context.Context, sr sessions.Sessi
var returnErr error

// Attempt to LDAP Bind with user provided credentials
escapedEmail := ldap.EscapeFilter(strings.ToLower(sr.Email))
escapedEmail := ldap.EscapeDN(strings.ToLower(sr.Email))
searchBaseDN := fmt.Sprintf("%s=%s,%s,%s", l.config.BaseUserAttr(), escapedEmail, l.config.UsersDN(), l.config.BaseDN())
if err = conn.Bind(searchBaseDN, sr.Password); err != nil {
l.lggr.Infof("Error binding user authentication request in LDAP Bind: %v", err)
Comment on lines 405 to 409

Copilot AI Mar 27, 2026

escapedEmail is now produced via ldap.EscapeDN(...) for use in the bind DN. Ensure this DN-escaped value is not reused later as the logical user email (e.g., passed into FindUser / used for local DB lookups), because DN escaping can change valid emails (notably + in plus-addressing) and will cause user/group lookup to fail. Keep separate variables: normalized email for identity/DB and DN-escaped value solely for building the bind DN.

Expand Down Expand Up @@ -505,7 +505,7 @@ func (l *ldapAuthenticator) TestPassword(ctx context.Context, email string, pass
defer conn.Close()

// Attempt to LDAP Bind with user provided credentials
escapedEmail := ldap.EscapeFilter(strings.ToLower(email))
escapedEmail := ldap.EscapeDN(strings.ToLower(email))
searchBaseDN := fmt.Sprintf("%s=%s,%s,%s", l.config.BaseUserAttr(), escapedEmail, l.config.UsersDN(), l.config.BaseDN())
err = conn.Bind(searchBaseDN, password)
if err == nil {
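Review bot: The bind-DN construction is duplicated line for line in CreateSession and TestPassword, which is why the filter-versus-DN escaping mistake had to be corrected in two places; a single private helper on ldapAuthenticator would keep the escaping rule in one spot. Calling something like `bindDN := l.userBindDN(email)` (helper name is a suggestion) at both sites, with the helper holding the `ldap.EscapeDN` call and the `fmt.Sprintf`, would also retire the misleading `searchBaseDN` name, since the value is passed to `conn.Bind` and is not a search base. The helper's doc comment should record why this escaping is used, e.g. `// The email becomes an RDN value, so it is escaped per RFC 4514 (EscapeDN), not as a search filter.` Both function bodies continue outside the hunks shown, so later uses of `escapedEmail` are not visible from here.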
Expand Down
Loading