ejabberd development / EJAB-1395

Show meaningful error when ldap_filter contains space

    Details

      Description

      First reported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611229

      ejabberd 2.1.3 accepted an option like this:

      {ldap_filter, "(&(|(objectClass=exampleUser)(objectClass=exampleIT)) (|(accountStatus=active)(accountStatus=migrate)) )"}.

      But ejabberd 2.1.5 instead silently refuses to log in users, or shows this error when using webadmin:

      =ERROR REPORT==== 2011-01-26 22:36:38 ===
      E(<0.519.0>:ejabberd_auth:256) : The authentication module ejabberd_auth_ldap returned an error
      when checking user "ian" in server "example.com"
      Error message: {{case_clause,
                       {'EXIT',
                        {function_clause,
                         [{eldap,'and',
                           [{'or',
                             [{equalityMatch,
                               {'AttributeValueAssertion',"objectClass",
                                "exampleUser"}},
                              {equalityMatch,
                               {'AttributeValueAssertion',"objectClass",
                                "exampleIT"}}]}]},
                          {eldap_filter_yecc,yeccpars2_30,7},
                          {eldap_filter_yecc,yeccpars0,5},
                          {eldap_filter,parse,2},
                          {ejabberd_auth_ldap,find_user_dn,2},
                          {ejabberd_auth_ldap,is_user_exists_ldap,2},
                          {ejabberd_auth_ldap,is_user_exists,2},
                          {ejabberd_auth,'-is_user_exists/2-fun-0-',3}]}}},
                      [{eldap_filter,parse,2},
                       {ejabberd_auth_ldap,find_user_dn,2},
                       {ejabberd_auth_ldap,is_user_exists_ldap,2},
                       {ejabberd_auth_ldap,is_user_exists,2},
                       {ejabberd_auth,'-is_user_exists/2-fun-0-',3},
                       {lists,any,2},
                       {ejabberd_web_admin,get_auth_account,5},
                       {ejabberd_web_admin,process,2}]}
      

      Removing the blank space in the option solves the problem.

      Explanation by Konstantin Khomoutov:

      The idea is that according to my cursory reading through RFC 4515 [1],
      it does not allow whitespace before/between/after assertions in the
      "filter compositions" (in fact, anywhere except in the values, it seems),
      and LDAP parser has been changed in 2.1.5 (or 2.1.4, I can't recall) to
      allow usage of the so-called extensible matching rules in the filter.
      That change could, in principle, fix LDAP filter parsing rules as a
      byproduct invalidating your ldap_filter.
      
      1. http://tools.ietf.org/html/rfc4515
      

      So, ejabberd 2.1.5 behaves strictly correctly, but it would be more admin-friendly if it reported a meaningful error.
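
The kind of check the description asks for, as an added example that is not part of the original report and is not ejabberd's code: a stand-alone pre-flight scan that finds whitespace outside assertion values in an `ldap_filter` string and reports the offsets. The function names `stray_whitespace` and `check_ldap_filter` are hypothetical, and the scan covers only whitespace placement and parenthesis structure, not the full RFC 4515 grammar.

```python
# Added example: stand-alone pre-flight check, not ejabberd code.
# stray_whitespace() and check_ldap_filter() are hypothetical names.
import string


def stray_whitespace(ldap_filter):
    """Offsets of whitespace outside assertion values (illegal per RFC 4515)."""
    offsets, state, depth = [], "open", 0   # state: open | comp | attr | value
    for pos, ch in enumerate(ldap_filter):
        if state == "value":
            if ch == ")":                   # a literal ')' in a value must be \29
                depth, state = depth - 1, "open"
            continue                        # whitespace here is part of the value
        if ch in string.whitespace:
            offsets.append(pos)             # before/between/after components
        elif state == "open" and ch == "(":
            depth, state = depth + 1, "comp"
        elif state == "open" and ch == ")" and depth > 0:
            depth -= 1                      # closes an and/or/not composite
        elif state == "comp" and ch in "&|!":
            state = "open"                  # operator: a filter list follows
        elif state in ("comp", "attr") and ch not in "()":
            state = "value" if (ch == "=" and state == "attr") else "attr"
        else:
            raise ValueError("unexpected %r at offset %d" % (ch, pos))
    if depth or state != "open":
        raise ValueError("unbalanced parentheses or unfinished item")
    return offsets


def check_ldap_filter(ldap_filter):
    """Return the filter unchanged, or raise with a message an admin can act on."""
    bad = stray_whitespace(ldap_filter)
    if bad:
        carets = "".join("^" if i in bad else " " for i in range(len(ldap_filter)))
        raise ValueError(
            "ldap_filter: whitespace outside an assertion value at offset(s) "
            "%s; RFC 4515 does not allow it\n  %s\n  %s"
            % (bad, ldap_filter, carets.rstrip()))
    return ldap_filter


# The filter from the report above, copied verbatim.
REPORTED = ("(&(|(objectClass=exampleUser)(objectClass=exampleIT)) "
            "(|(accountStatus=active)(accountStatus=migrate)) )")

if __name__ == "__main__":
    try:
        check_ldap_filter(REPORTED)
    except ValueError as err:
        print(err)
```

A space inside a value, as in `(cn=John Smith)`, is not flagged, because it is part of the assertion value.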

        Activity

        Badlop
        added a comment -

        Ok, ported to master and committed.

        ekhramtsov
        added a comment -

        Done in 2.1.x (sha 6cc6c04c), should be ported to master.
