ldap_attrs does not escape attribute values #5434

rekup opened this issue Oct 28, 2022 · 2 comments · Fixed by #5435
Labels
bug This issue/PR relates to a bug has_pr module module net_tools plugins plugin (any type) traceback


rekup commented Oct 28, 2022

Summary

Using the ldap_attrs module with an attribute value containing a special character (e.g. ( or * etc.) will cause the module to fail with a Bad search filter LDAP error.

This bug was introduced in #5385. The reason is that the filterstr parameter passed to search_s is not escaped.

Issue Type

Bug Report

Component Name

ldap_attrs

Ansible Version

$ ansible --version
ansible [core 2.13.5]

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 5.8.0  

Configuration

$ ansible-config dump --only-changed

OS / Environment

CentOS 7

Steps to Reproduce

- name: configure olcSyncRepl peers
  community.general.ldap_attrs:
    dn: "olcDatabase={3}mdb,cn=config"
    attributes:
      olcSyncRepl: '{0}rid=008 provider=ldaps://ldap10.exampple.com:636 bindmethod=simple timeout=0 network-timeout=0 keepalive=0:0:0 starttls=no filter="(objectclass=*)" searchbase="dc=example,dc=com" scope=sub schemachecking=off type=refreshAndPersist retry="10 +" binddn="cn=syncrepl,dc=example,dc=com" credentials="secret"'
    state: present

Expected Results

I expect that the ldap_attrs configures the defined ldap attributes.

Actual Results

TASK [openldap : configure olcSyncRepl peers *********************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
fatal: [ldap11.example.com]: FAILED! => changed=false 
  module_stderr: |-
    Traceback (most recent call last):
      File "<stdin>", line 107, in <module>
      File "<stdin>", line 99, in _ansiballz_main
      File "<stdin>", line 48, in invoke_module
      File "/usr/lib64/python2.7/runpy.py", line 176, in run_module
        fname, loader, pkg_name)
      File "/usr/lib64/python2.7/runpy.py", line 82, in _run_module_code
        mod_name, mod_fname, mod_loader, pkg_name)
      File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
        exec code in run_globals
      File "/tmp/ansible_community.general.ldap_attrs_payload_GFEEAq/ansible_community.general.ldap_attrs_payload.zip/ansible_collections/community/general/plugins/modules/net_tools/ldap/ldap_attrs.py", line 324, in <module>
      File "/tmp/ansible_community.general.ldap_attrs_payload_GFEEAq/ansible_community.general.ldap_attrs_payload.zip/ansible_collections/community/general/plugins/modules/net_tools/ldap/ldap_attrs.py", line 303, in main
      File "/tmp/ansible_community.general.ldap_attrs_payload_GFEEAq/ansible_community.general.ldap_attrs_payload.zip/ansible_collections/community/general/plugins/modules/net_tools/ldap/ldap_attrs.py", line 228, in add
      File "/tmp/ansible_community.general.ldap_attrs_payload_GFEEAq/ansible_community.general.ldap_attrs_payload.zip/ansible_collections/community/general/plugins/modules/net_tools/ldap/ldap_attrs.py", line 279, in _is_value_absent
      File "/tmp/ansible_community.general.ldap_attrs_payload_GFEEAq/ansible_community.general.ldap_attrs_payload.zip/ansible_collections/community/general/plugins/modules/net_tools/ldap/ldap_attrs.py", line 270, in _is_value_present
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 552, in search_s
        return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 545, in search_ext_s
        msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 541, in search_ext
        timeout,sizelimit,
      File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 99, in _ldap_call
        result = func(*args,**kwargs)
    ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
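
The failure reported above, reproduced without an LDAP server, as an added example that is not part of the original issue and not the collection's own code. It assumes the module builds an equality filter of the form `(attr=value)`; the function names and the shortened sample value are constructed for illustration.

```python
import re

# Constructed sample, shortened from the olcSyncRepl value in the report.
SAMPLE_VALUE = ('{0}rid=008 provider=ldaps://ldap10.example.com:636 '
                'filter="(objectclass=*)" retry="10 +"')

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Replace each reserved character with its backslash-hex form."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr, value, escape=True):
    """Build '(attr=value)'; escape=False reproduces the reported behaviour."""
    if escape:
        value = escape_filter_value(value)
    return "(%s=%s)" % (attr, value)


def is_single_filter_item(filterstr):
    """Rough well-formedness check: one parenthesised item whose body holds
    no raw parentheses and only valid backslash-hex escapes."""
    if not (filterstr.startswith("(") and filterstr.endswith(")")):
        return False
    inner, i = filterstr[1:-1], 0
    while i < len(inner):
        ch = inner[i]
        if ch == "\\":
            # An escape must be a backslash followed by exactly two hex digits.
            if not re.fullmatch(r"[0-9a-fA-F]{2}", inner[i + 1:i + 3]):
                return False
            i += 3
            continue
        if ch in "()":
            return False  # raw parenthesis: the server-side parser rejects this
        i += 1
    return True


if __name__ == "__main__":
    for escape in (False, True):
        f = build_filter("olcSyncRepl", SAMPLE_VALUE, escape=escape)
        print("escaped=%s well_formed=%s\n  %s" % (escape, is_single_filter_item(f), f))
```

python-ldap provides `ldap.filter.escape_filter_chars()` for this escaping, so a module that already depends on python-ldap does not need its own table.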
@ansibullbot

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.
