  1. Dev - Nexus Repo
  2. NEXUS-6881

comma in group membership attribute value breaks static LDAP group mapping

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.9.1
    • Fix Version/s: 2.11, 3.0.0-m3
    • Component/s: LDAP
    • Labels: None
    • Story Points: 1
    • Sprint: Sprint 27, Sprint 28

      Description

      If you have an LDAP group mapping where the user's CN has a comma in it then static group mapping in Nexus will not work.

      So if your user's common names are entered as "Lastname,Firstname" and distinguished names are used in the group membership attribute you end up with a query like this one being issued by Nexus:

      '(&(objectClass=group)(&(cn=*)(member=CN=Lastname\,Firstname,CN=Users,DC=some,DC=corp,DC=com)))'
      

      This doesn't work because the backslash needs to be escaped:

      '(&(objectClass=group)(&(cn=*)(member=CN=Lastname\\,Firstname,CN=Users,DC=some,DC=corp,DC=com)))'
      

      The following code change seems to resolve this issue:

      --- a/components/nexus-ldap-common/src/main/java/org/sonatype/security/ldap/dao/DefaultLdapGroupDAO.java
      +++ b/components/nexus-ldap-common/src/main/java/org/sonatype/security/ldap/dao/DefaultLdapGroupDAO.java
      @@ -225,9 +225,11 @@ public class DefaultLdapGroupDAO
               member = StringUtils.replace(member, "${dn}", user.getDn());
             }
       
      +      member = StringUtils.replace(member, "\\", "\\\\");
             filter += groupMemberAttribute + "=" + member + ")))";
           }
           else {
      +      username = StringUtils.replace(username, "\\", "\\\\");
             filter += groupMemberAttribute + "=" + username + ")))";
           }
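      Review bot: both added StringUtils.replace calls escape only the backslash, so a member or username value containing `*`, `(`, `)` or NUL is still concatenated unescaped into `filter += groupMemberAttribute + "=" + ... + ")))"` and can leave the filter malformed or matching something other than the intended entry. Suggest replacing the two one-off replaces with a single helper that escapes every character RFC 4515 reserves in a filter value (`\5c`, `\2a`, `\28`, `\29`, `\00`) and calling it in both branches, with a unit test that uses a DN like the reported `CN=Lastname\,Firstname,...` to pin the behaviour.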
      
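A general form of the escaping the report arrives at, as an added example that is not Nexus code and not part of the original report: every character RFC 4515 reserves in a filter value is hex-escaped, so the backslash in the reported DN becomes `\5c`, the RFC's spelling of an escaped backslash. The class and method names are hypothetical, and the sample values other than the report's DN are constructed.

```java
public class LdapFilterEscapeExample {

    /** Escape a value for use as an assertion value in an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break; // backslash, e.g. from an escaped comma in a DN
                case '*':  out.append("\\2a"); break; // would otherwise act as a wildcard
                case '(':  out.append("\\28"); break; // would otherwise open a sub-filter
                case ')':  out.append("\\29"); break; // would otherwise close the filter early
                case '\0': out.append("\\00"); break; // NUL
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Build a static group-membership filter in the shape shown in the report.
     * The attribute name comes from configuration and is not escaped here;
     * the "cn=*" wildcard is intentional and written literally.
     */
    static String groupFilter(String groupObjectClass, String memberAttribute, String memberValue) {
        return "(&(objectClass=" + escapeFilterValue(groupObjectClass) + ")(&(cn=*)("
            + memberAttribute + "=" + escapeFilterValue(memberValue) + ")))";
    }

    public static void main(String[] args) {
        // First value is the DN from the report; the other two are constructed samples.
        String[] memberValues = {
            "CN=Lastname\\,Firstname,CN=Users,DC=some,DC=corp,DC=com",
            "CN=Ops (EMEA)*,CN=Users,DC=some,DC=corp,DC=com",
            "jdoe"
        };
        for (String value : memberValues) {
            System.out.println(groupFilter("group", "member", value));
        }
    }
}
```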

              People

              Assignee: Unassigned
              Reporter: Rich Seddon (rseddon)
              Last Updated By: Peter Lynch
              Votes: 0
              Watchers: 3
