PicketLink issue PLINK-555

LDAPIdentityStore.getBindingDN returns incorrect value if there are commas in the bindingAttribute


    • Type: Bug
    • Resolution: Won't Do
    • Priority: Major
    • None
    • PLINK_2.7.0.Beta1
    • IDM
    • None

      In some LDAP environments the value of the bindingAttribute contains a comma. In that case LDAPIdentityStore.getBindingDN does not build the DN correctly, so every function that relies on it (such as authentication or updating a user) fails.

      The cause is that commas are escaped in the DN but not in the CN (or uid, or whatever attribute is used as the bindingAttribute), and getBindingDN concatenates the raw attribute value with the base DN.

      Some more info from customer:
      In our AD, the distinguished name (dn) is
      “CN=Doe\, John (MyCompany\, Contractor),OU=Users,OU=MyCompany,DC=company,DC=net”

      But the picketlink idm-impl api code uses the CN attribute + baseDN to populate the dn attribute. And in this case it returns

      “CN=Doe, John (MyCompany, Contractor),OU=Users,OU=MyCompany,DC=company,DC=net”

      This value doesn’t have the “\” and hence the authentication fails.
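The following is an added example, not PicketLink's code, that reproduces the construction described above (attribute value + base DN) beside a version that escapes the value per RFC 4514 section 2.4, and splits both results the way an LDAP server would parse them. The sample CN and base DN are constructed to match the DN quoted in the report; the function names are the example's own.

```python
# Added example (not PicketLink's code): why building a binding DN as
# "<attribute>=<value>,<baseDN>" breaks when the value contains a comma,
# and how RFC 4514 escaping of the attribute value fixes it.

# Characters that must be backslash-escaped anywhere inside a DN attribute
# value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN, per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            # a leading '#' would otherwise introduce a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            # leading and trailing spaces are significant and must be escaped
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_binding_dn_unescaped(attribute: str, value: str, base_dn: str) -> str:
    """The construction described in the issue: the raw attribute value is
    concatenated with the base DN, with no escaping."""
    return f"{attribute}={value},{base_dn}"


def build_binding_dn(attribute: str, value: str, base_dn: str) -> str:
    """Same construction, but the attribute value is escaped first."""
    return f"{attribute}={escape_rdn_value(value)},{base_dn}"


def split_rdns(dn: str) -> list:
    """Split a DN into its RDN strings on unescaped commas, the way an LDAP
    server parses it. Escaped pairs (backslash + next char) stay together."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


if __name__ == "__main__":
    # Constructed sample values modelled on the DN quoted in the issue.
    base_dn = "OU=Users,OU=MyCompany,DC=company,DC=net"
    cn = "Doe, John (MyCompany, Contractor)"

    bad = build_binding_dn_unescaped("CN", cn, base_dn)
    good = build_binding_dn("CN", cn, base_dn)
    print(bad, split_rdns(bad), sep="\n")    # 7 RDNs: the name is torn apart
    print(good, split_rdns(good), sep="\n")  # 5 RDNs: the CN survives intact
```

The unescaped DN parses into seven RDNs, so the server is asked to bind a user that does not exist and the bind fails; the escaped DN parses into the five RDNs Active Directory actually holds. In Java the equivalent escaping is available as `javax.naming.ldap.Rdn.escapeValue`, so the attribute value should go through that (or an equivalent RFC 4514 escaper) before being joined with the base DN.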

            psilva@redhat.com Pedro Igor Craveiro
            mposolda@redhat.com Marek Posolda