Problem with LDAP autoimport and groupmapping with comma in CN

[itsul]

---

BUG REPORT INFORMATION

Centreon Web version: 2.8.2

Centreon Engine version: 1.6.2

Centreon Broker version: 3.0.3

OS: CES 3.4

Steps to reproduce the issue:
1.Create a user with a comma in the CN in LDAP/ActiveDirectory
2.Configure LDAP connector with autoimport
3.Map LDAP-Group to an ACL
4.Try to login

Describe the results you received:
When you try to login the following error shows up in sql-error.log:

syntax error QUERY : INSERT INTO contactgroup_contact_relation
    	            						(contactgroup_cg_id, contact_contact_id)
    	            					VALUES (18, )

It seems that this code in centreonAuth.LDAP.class.php is at least one of the problems:

307                 /*
308                  * Insert user in database
309                  */
310                 $query = "INSERT INTO contact
311                     (contact_template_id, contact_alias, contact_name, contact_auth_type, contact_ldap_dn, ar_id,
312                     contact_email, contact_pager, contact_oreon, contact_activate, contact_register,
313                     contact_enable_notifications)
314                                 VALUES (" . $tmplId . ", '" .
315                     htmlentities($this->contactInfos['contact_alias'], ENT_QUOTES, 'UTF-8') . "', '" .
316                     htmlentities($userDisplay, ENT_QUOTES, 'UTF-8') . "', 'ldap', '" . $userDn . "', " . $this->arId .
317                     ", " . $userEmail . ", " . $userPager . ", '1', '1', '1', '2')";

322                     /*
323                      * Get the contact_id
324                      */
325                     $query = "SELECT contact_id FROM contact
326                         WHERE contact_ldap_dn = '" . $this->pearDB->escape($userDn, false) . "'";
327                     $res = $this->pearDB->query($query);
328                     $row = $res->fetchRow();
329                     $contact_id = $row['contact_id'];
330                     $listGroup = $this->ldap->listGroupsForUser($userDn);
331                     $listGroupStr = "";
332                     foreach ($listGroup as $gName) {
333                         if ($listGroupStr != "") {
334                             $listGroupStr .= ",";
335                         }
336                         $listGroupStr .= "'" . $gName . "'";
337                     }
338                     if ($listGroupStr == "") {
339                         $listGroupStr = "''";
340                     }

The first $userDn variable is not escaped, but the second is.
This results in different values in both queries:

'CN=Lastname\, Firstname (S&L) Admin,OU=yyy,OU=xxx,DC=domain,DC=local'
'CN=Lastname\\, Firstname (S&L) Admin,OU=yyy,OU=xxx,DC=domain,DC=local'

So the secondary query will not get a contact_id and there is no entry in contactgroup_contact_relation table written (later in the code).
At first we tested with Centreon 2.7.x. The error is the same, but after a while the group mapping is written to the table (the ACL Cronjob I think).
With Centreon 2.8.2:
-We can only login one time, after that we get "doesn't match with password" in login.log. Login is possible if we activate "Store LDAP password" in the LDAP connector
-The group mapping will not get written, doesn't matter how long we wait

We tried to fix it by removing the escaping in the second query. The mapping is written, but will be deleted again by the ACL Cronjob or a new login.

Describe the results you expected:
Successful login and mapping of ldap contactgroup to the user.

[Guillaume28]

About your problem with LDAP, we can help you with a patch but we cant implement it in the master branch.
We give you here the patch but some side effects may appear about the security.
We are sorry not to be able to fully respond to your request but if you have any questions or suggestions feel free to contact us.

LDAP.patch.zip

[zd14a]

Same problem here... We have the problem, that users which contains a comma do not work properly.

I had a look into the patch, but it just removed the escaping inside the database queries which is not optimal. I can unterstand why you don't want to add it to the master branch ;-) Isn't there a way to add a suitable fix to the master branch? Otherwise every update will override it.

Thanks in advance :)

[lpinsivy]

Hi,

We don't want to include this patch because the comma is a reserved character for distinguished names.

This patch is a workaround and not a correct solution.

https://msdn.microsoft.com/en-us/library/aa366101(v=vs.85).aspx

[itsul]

Hi,

thanks for the patch and the MSDN URL.
Now I understand the issue.
I didn't know that it is a reserved char. Thought it was just "bad style".
Unfortunately I know quite a few Microsoft ActiveDirectory environments where there are
unescaped chars in CN. Seems they need to cleanup their directory service...

[itsul]

Hi,

I gave the problem some thought and further debugging. I'm a bit uncertain about the results:

At first I did a ldapsearch with standard ldap utilities on the user:

dn: CN=Lastname\, Firstname (foo),OU=ou2,OU=ou1,DC=example,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Lastname, Firstname (foo)
sn: Lastname
c: DE
l: bar
st: foo
description: Lastname Firstname (foo)
postalCode: 12345
physicalDeliveryOfficeName: 000
telephoneNumber: (01234) 1234-1234
facsimileTelephoneNumber: (01234) 1234-1234
givenName: Firstname
distinguishedName: CN=Lastname\, Firstname (foo),OU=ou2,OU=ou1,DC=example,DC=org

Mmh the comma in the DN is escaped.
Then I tried the manuel ldap importer.
In the search list the comma is escaped, so I imported the user and a look at the database:
MariaDB [centreon]> select contact_ldap_dn from contact where contact_alias="user123"; +-------------------------------------------------------------------------+ | contact_ldap_dn | +-------------------------------------------------------------------------+ | CN=Lastname\, Firstname (foo),OU=ou2,OU=ou1,DC=example,DC=org | +-------------------------------------------------------------------------+ 1 row in set (0.00 sec)

Ok I deleted the user and let create it with the autoimporter. Same login problems as expected, so again I looked into the database:
MariaDB [centreon]> select contact_ldap_dn from contact where contact_alias="user123"; +------------------------------------------------------------------------+ | contact_ldap_dn | +------------------------------------------------------------------------+ | CN=Lastname, Firstname (foo),OU=ou2,OU=ou1,DC=example,DC=org | +------------------------------------------------------------------------+ 1 row in set (0.00 sec)

So the manual ldap importer and the "auto magic" have different behaviour. Might still be a bug in the auto importer?
If I understand the implementation correctly, the function "findUserDn" get the DN for the auto importer.
Perhaps there is some escaping missing? I don't found the code yet where you get the DN for the manual importer to check if there are any differents in the handling.

If you need more information or access to a testing system let me know.

[lpinsivy]

Thank you for your feedback, we will correct auto-import to add \

[thiuyendang]

SQL error reproduced in 2.8.12-6.
Updgraded from 2.8.12-6 to 2.8.13-1 : no more error in SQL-error.log file.