
#84 Escape ldap filter

open
nobody
auth (2) ldap (1)
1
2019-08-22
2019-06-29
Anonymous
No

I am using ldap authentication to check users are members of a group in Active Directory. The group is contained in an OU, the name of which contains a comma. This needs to be escaped using a backslash. In order for the escaping backslash to be passed to ldap it needs escaping again.
I have attached a patch to auth_ldap.inc that passes $filter through ldap_escape which will achieve this.

1 Attachments

Discussion

  • Elistia

    Elistia - 2019-06-29

    ^apologies, did not intend to post this anonymously :-)

     
  • Campbell Morrison

    Thanks. I've now (56dda0 and 223b5b) committed this patch to the mrbs_17_branch and default branches - with a minor modification to check that ldap_escape() exists as it's PHP >= 5.6.0.

    We probably should also escape dn's - another change that should be made sometime.

     
  • Campbell Morrison

    I've now reverted this patch as it was causing "Bad search filter" errors on some systems. I think the problem is that the escaping should be done on the individual values that go up to make the filter, as on the email address in the example at https://www.php.net/manual/en/function.ldap-escape.php, and not on the whole filter. I agree that the filter values need to be escaped, but I'm not quite sure of the best way to do this at the moment.

     

    Last edit: Campbell Morrison 2019-08-22
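
The difference discussed in this thread, between escaping each value and escaping the assembled filter, shown as an added example that is not MRBS code or part of the attached patch. It assumes PHP >= 7.1 with the ldap extension; the function names, the filter template and all sample values are constructed for illustration.

```php
<?php
// Added illustration, not MRBS code. Needs the ldap extension (ldap_escape()).
// Function names, the filter template and the sample values are constructed.

// Build a DN from [attribute, value] pairs, escaping each value for DN context
// so that a comma inside an OU name is not read as an RDN separator.
function build_dn(array $rdns): string
{
    $parts = [];
    foreach ($rdns as [$attr, $value]) {
        $parts[] = $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_DN);
    }
    return implode(',', $parts);
}

// Build a group-membership filter. Only the values are escaped; the
// parentheses, '&' and '=' that give the filter its structure are left alone.
function build_member_filter(string $username, string $groupDn): string
{
    return sprintf(
        '(&(sAMAccountName=%s)(memberOf=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER),
        // The DN is itself a filter value, so the backslashes added by
        // build_dn() are escaped a second time here.
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)
    );
}

$groupDn = build_dn([
    ['CN', 'Room Bookers'],
    ['OU', 'Staff, Admin'],      // constructed OU name containing a comma
    ['DC', 'example'],
    ['DC', 'com'],
]);
$username = 'smith (temp)*';     // constructed value with filter metacharacters

$perValue = build_member_filter($username, $groupDn);

// Escaping the whole assembled filter also escapes its own parentheses,
// so what reaches the server is no longer a well-formed search filter.
$raw = sprintf('(&(sAMAccountName=%s)(memberOf=%s))', $username, $groupDn);
$wholeFilter = ldap_escape($raw, '', LDAP_ESCAPE_FILTER);

echo "group DN:      $groupDn\n";
echo "per-value:     $perValue\n";
echo "whole filter:  $wholeFilter\n";
```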