Bug #7654
Can't use a LDAP search filter containing an accent
100%
Description
Hi,
I use a virtual machine with pfSense 2.3.4 (amd64) with Squid package v0.4.37 (including squid 3.5.26).
I have to bind to an active directory, so in Services > Squid Proxy Server > Authentication I choose :- LDAP
- IP of the DC
- Port 389
- LDAP version : 3
- LDAP Server User DN : CN=pfsensead,CN=Users,DC=corp,DC=lan
- LDAP Password : ****
- LDAP Base Domain : DC=corp,DC=lan
- LDAP Username DN Attribute : sAMAccountName
- LDAP Search Filter : (&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan)(sAMAccountName=%s))
With this configuration an active directory user must be member of the group "proxy-allow" to be authenticated by Squid.
The issue is the accent "é" in the OU name.
I tried with no space in OU, it does not work.
I tried with space and no accent : it works.
I tried with no group and LDAP Search filter : "((sAMAccountName=%s)" : it work.
When I click on Save pfSense ignore modification.
I don't know if it's an encoding issue in the web interface or in the config file. And... I know it's a very bad idea to have an accent (or a space) in LDAP path, but I am not at the origin of this.
Regards
Associated revisions
CDATA encode Squid LDAP options. Issue #7654
(cherry picked from commit f14c90586d33493951debc977244f83dcd095b83)
History
#1
Updated by Viktor Gurov 10 months ago
CDATA encode Squid LDAP options:
https://github.com/pfsense/pfsense/pull/4265
#2
Updated by Viktor Gurov 10 months ago
TODO:
CDATA encode FreeRADIUS LDAP options
#3
Updated by Jim Pingle 10 months ago
- Status changed from New to Pull Request Review
#4
Updated by Jim Pingle 10 months ago
- Target version set to 2.5.0
#5
Updated by Renato Botelho 10 months ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
#6
Updated by Viktor Gurov 10 months ago
- Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200409.0657:
# grep ldap /usr/local/etc/squid/squid.conf auth_param basic program /usr/local/libexec/squid/basic_ldap_auth -v 3 -b 'DC=corp,DC=lan' -D 'CN=pfsensead,CN=Users,DC=corp,DC=lan' -w '123' -f '(&(memberOf=CN=proxy-allow,OU=Service testé,DC=corp,DC=lan) (sAMAccountName=%s))' -u 'sAMAccountName' -P -H 'ldap://192.168.1.10:389'
#7
Updated by Jim Pingle 9 months ago
- Status changed from Resolved to Feedback
- Target version changed from 2.5.0 to 2.4.5-p1
#8
Updated by Jim Pingle 9 months ago
- Status changed from Feedback to Resolved
Supplied string is saved as expected and without error.
CDATA encode Squid LDAP options. Issue #7654