From 92f4d60a06c64ad07f6fbe261a37a232115143ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dani=C3=ABl=20Franke?=
Date: Thu, 16 Feb 2023 11:42:36 +0100
Subject: [PATCH] Properly generate new DN.

This fixes issue #5581 by properly parsing the old DN and replacing the first part with the new DN.
---
 services/graph/pkg/identity/ldap.go | 28 +++++++++++++++++++++++-
 services/graph/pkg/identity/ldap_test.go | 24 +++++++++++---------
 2 files changed, 41 insertions(+), 11 deletions(-)

diff --git a/services/graph/pkg/identity/ldap.go b/services/graph/pkg/identity/ldap.go
index 3673d3e7fc..e54a6034af 100644
--- a/services/graph/pkg/identity/ldap.go
+++ b/services/graph/pkg/identity/ldap.go
@@ -493,7 +493,17 @@ func (i *LDAP) changeUserName(ctx context.Context, dn, originalUserName, newUser
 		return nil, err
 	}
 
-	u, err := i.getUserByDN(fmt.Sprintf("%s,%s", newDN, i.userBaseDN))
+	parsed, err := ldap.ParseDN(dn)
+	if err != nil {
+		return nil, err
+	}
+
+	newFullDN, err := replaceDN(parsed, newDN)
+	if err != nil {
+		return nil, err
+	}
+
+	u, err := i.getUserByDN(newFullDN)
 	if err != nil {
 		return nil, err
 	}
@@ -730,3 +740,19 @@ func (i *LDAP) expandLDAPAttributeEntries(ctx context.Context, e *ldap.Entry, at
 	return result, nil
 }
+
+func replaceDN(fullDN *ldap.DN, newDN string) (string, error) {
+	if len(fullDN.RDNs) == 0 {
+		return "", fmt.Errorf("Can't operate on an empty dn")
+	}
+
+	if len(fullDN.RDNs) == 1 {
+		return newDN, nil
+	}
+
+	for _, part := range fullDN.RDNs[1:] {
+		newDN += "," + part.String()
+	}
+
+	return newDN, nil
+}
diff --git a/services/graph/pkg/identity/ldap_test.go b/services/graph/pkg/identity/ldap_test.go
index f55702cb9e..93cfe52ad7 100644
--- a/services/graph/pkg/identity/ldap_test.go
+++ b/services/graph/pkg/identity/ldap_test.go
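Review bot: The new `ldap.ParseDN(dn)` and `replaceDN` calls are placed after the error check that opens the hunk, which appears to follow the ModifyDN request (the replaced line already looked up the renamed entry at this point), so a `dn` that fails to parse is only rejected after the rename has been sent to the directory and the caller receives an error for an operation that actually succeeded server-side. Parsing `dn` and computing `newFullDN` before the ModifyDN request makes the validation fail fast with nothing modified; the added lines can move up unchanged and `newFullDN` is then simply used here. `newDN` is also built before this hunk: if its value part comes from the user-supplied `newUserName`, it needs `ldap.EscapeDN` there, because `replaceDN` inserts it verbatim into the DN it returns. changeUserName starts and ends outside the hunk, so the position of the ModifyDN call is inferred rather than visible.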
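Review bot: `replaceDN` dereferences `fullDN` in the `len(fullDN.RDNs) == 0` check, so a nil `*ldap.DN` panics instead of returning the "empty dn" error; guard with `if fullDN == nil || len(fullDN.RDNs) == 0 {`. The error string is capitalised and built with `fmt.Errorf` without any verbs; Go convention (staticcheck ST1005) wants `return "", errors.New("can't operate on an empty dn")`, adding the `errors` import if ldap.go does not already have it. The `len(fullDN.RDNs) == 1` branch is redundant, since ranging over `fullDN.RDNs[1:]` is already a no-op for a single RDN. The helper also deserves a doc comment stating its contract: `newDN` is inserted verbatim while the remaining RDNs are re-rendered through `RelativeDN.String()` (which may normalise type case and escaping), so callers must pass an already-escaped RDN and should not expect the result to be byte-identical to the DN the server holds.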
@@ -634,20 +634,24 @@ func TestUpdateUser(t *testing.T) {
 	&ldap.SearchResult{
 		Entries: []*ldap.Entry{
 			{
-				DN: "uid=oldName",
+				DN: "uid=oldName,ou=people,dc=test,dc=net",
 				Attributes: []*ldap.EntryAttribute{
 					{
-						Name: "displayname",
+						Name: lconfig.UserDisplayNameAttribute,
 						Values: []string{"testUser"},
 					},
 					{
-						Name: "entryUUID",
+						Name: lconfig.UserIDAttribute,
 						Values: []string{"testUser"},
 					},
 					{
-						Name: "mail",
+						Name: lconfig.UserEmailAttribute,
 						Values: []string{"testuser@example.org"},
 					},
+					{
+						Name: lconfig.UserNameAttribute,
+						Values: []string{"oldName"},
+					},
 				},
 			},
 		},
@@ -662,7 +666,7 @@ func TestUpdateUser(t *testing.T) {
 	BaseDN: "ou=groups,dc=test", Scope: 2, DerefAliases: 0, SizeLimit: 0, TimeLimit: 0, TypesOnly: false,
-	Filter: "(&(objectClass=groupOfNames)(member=uid=oldName))",
+	Filter: "(&(objectClass=groupOfNames)(member=uid=oldName,ou=people,dc=test,dc=net))",
 	Attributes: []string{"cn", "entryUUID"},
 	Controls: []ldap.Control(nil),
 },
@@ -692,7 +696,7 @@ func TestUpdateUser(t *testing.T) {
 	funcName: "ModifyDN",
 	args: []interface{}{
 		&ldap.ModifyDNRequest{
-			DN: "uid=oldName",
+			DN: "uid=oldName,ou=people,dc=test,dc=net",
 			NewRDN: "uid=newName",
 			DeleteOldRDN: true,
 			NewSuperior: "",
@@ -707,7 +711,7 @@ func TestUpdateUser(t *testing.T) {
 	funcName: "Search",
 	args: []interface{}{
 		&ldap.SearchRequest{
-			BaseDN: "uid=newName,ou=people,dc=test",
+			BaseDN: "uid=newName,ou=people,dc=test,dc=net",
 			Scope: 0,
 			DerefAliases: 0,
 			SizeLimit: 1,
@@ -722,7 +726,7 @@ func TestUpdateUser(t *testing.T) {
 	&ldap.SearchResult{
 		Entries: []*ldap.Entry{
 			{
-				DN: "uid=newName,ou=people,dc=test",
+				DN: "uid=newName,ou=people,dc=test,dc=net",
 				Attributes: []*ldap.EntryAttribute{
 					{
 						Name: lconfig.UserIDAttribute,
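Review bot: The updated expectation in the `Search` hunk (`BaseDN: "uid=newName,ou=people,dc=test,dc=net"`) drives `replaceDN` only through a plain, already lower-case DN with single-valued RDNs, so the behaviour this commit actually introduces — rebuilding the suffix from parsed RDNs — is never checked for escaped values or multi-valued RDNs. A small table test calling `replaceDN` directly with inputs such as `uid=a\,b,ou=people,dc=test`, `cn=a+sn=b,dc=test`, a single-RDN DN and an empty `&ldap.DN{}` would pin the expected output (including whatever `RelativeDN.String()` does to type case and escaping) and the error path. The `lconfig.*Attribute` substitutions in the fixture are fine and keep the mocked entry aligned with the configured attribute map.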
@@ -757,14 +761,14 @@ func TestUpdateUser(t *testing.T) {
 		Operation: 0x1,
 		Modification: ldap.PartialAttribute{
 			Type: "member",
-			Vals: []string{"uid=oldName"},
+			Vals: []string{"uid=oldName,ou=people,dc=test,dc=net"},
 		},
 	},
 	{
 		Operation: 0x0,
 		Modification: ldap.PartialAttribute{
 			Type: "member",
-			Vals: []string{"uid=newName,ou=people,dc=test"},
+			Vals: []string{"uid=newName,ou=people,dc=test,dc=net"},
 		},
 	},
 },