LDAP extern_uids are not normalized when updated via API
Summary
When updating the extern_uid for an LDAP provider, the supplied DN is not normalized, though it is when searching by DN/extern_uid (see app/models/identity.rb:22). This makes it possible for accounts to become unfindable via API search by DN/extern_uid by setting it to a non-normalized value.
Steps to reproduce
- Create LDAP mapped user which might have the (normalized) DN uid=user,ou=people,dc=example,dc=com.
- Search for the user via API /users?extern_uid=uid=user,ou=People,dc=example,dc=com&provider=ldapmain to confirm the account can be found.
- Update extern_uid to the value uid=user,ou=People,dc=example,dc=com via the API (note the upper case P).
- Search for the user via API /users?extern_uid=uid=user,ou=People,dc=example,dc=com&provider=ldapmain and notice how the account cannot be found.
What is the current bug behavior?
extern_uid can be set to a non-normalized value, making accounts impossible to be found via extern_uid search.
What is the expected correct behavior?
It should be impossible to set extern_uid to a non-normalized DN, so users can always be found by extern_uid search.
Possible fixes
Normalize extern_uid values for LDAP providers before writing them to the database the same as app/models/identity.rb:22.
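A minimal model of the mismatch and of the proposed fix, added here as an example and not taken from the project's code. `IdentityStore`, `normalize_dn`, `unfindable_user_ids` and `reproduce` are hypothetical names, and the normalizer is a simplified stand-in (lowercase, trim whitespace around separators) rather than the project's DN parser.

```ruby
# Simplified stand-in for DN normalization (assumption: lowercase and trim
# whitespace around ',' and '='; escaped characters are not handled).
def normalize_dn(dn)
  dn.split(',').map { |rdn| rdn.split('=', 2).map { |p| p.strip.downcase }.join('=') }.join(',')
end

# Hypothetical in-memory identity table: user_id => { provider:, extern_uid: }.
class IdentityStore
  def initialize(normalize_on_write:)
    @normalize_on_write = normalize_on_write
    @rows = {}
  end

  # Write path: normalizes LDAP DNs only when the fix is enabled.
  def update_extern_uid(user_id, provider, extern_uid)
    uid = ldap?(provider) && @normalize_on_write ? normalize_dn(extern_uid) : extern_uid
    @rows[user_id] = { provider: provider, extern_uid: uid }
  end

  # Search path: always normalizes LDAP DNs, as the report describes.
  def find_by_extern_uid(provider, extern_uid)
    wanted = ldap?(provider) ? normalize_dn(extern_uid) : extern_uid
    @rows.find { |_id, r| r[:provider] == provider && r[:extern_uid] == wanted }&.first
  end

  # Audit: users whose stored LDAP DN differs from its normalized form.
  def unfindable_user_ids
    @rows.select { |_id, r| ldap?(r[:provider]) && r[:extern_uid] != normalize_dn(r[:extern_uid]) }.keys
  end

  private

  def ldap?(provider)
    provider.start_with?('ldap')
  end
end

# Replays the four reproduction steps; returns [found_before, found_after, audit].
def reproduce(normalize_on_write)
  store = IdentityStore.new(normalize_on_write: normalize_on_write)
  mixed = 'uid=user,ou=People,dc=example,dc=com' # constructed sample DN from the steps
  store.update_extern_uid(1, 'ldapmain', 'uid=user,ou=people,dc=example,dc=com')
  before = store.find_by_extern_uid('ldapmain', mixed)
  store.update_extern_uid(1, 'ldapmain', mixed)
  [before, store.find_by_extern_uid('ldapmain', mixed), store.unfindable_user_ids]
end
```

`reproduce(false)` models the reported behavior and `reproduce(true)` the proposed fix; the audit method shows how rows already stored in non-normalized form could be listed for cleanup.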