Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LdapAdapter: Keep track of already processed groups to account for circular references #38817

Merged
merged 1 commit into from
Dec 9, 2021
Merged

LdapAdapter: Keep track of already processed groups to account for circular references #38817

merged 1 commit into from
Dec 9, 2021

Conversation

RoadTrain
Copy link
Contributor

@RoadTrain RoadTrain commented Dec 3, 2021
edited
Loading

Description

This PR fixes a particular corner case which is possible in real-world AD deployments, namely circular group references.
That is, e.g. GroupA -> GroupB -> GroupC -> GroupA. This is a problematic scenario for any software working with AD.

The fix is basically to keep track of groups that we already processed by recursively passing a HashSet containing already processed entries.

Fixes #37225
Fixes #38769

@RoadTrain RoadTrain requested a review from Tratcher as a code owner December 3, 2021 19:54
@ghost ghost added area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer community-contribution Indicates that the PR has been added by a community member labels Dec 3, 2021
RoadTrain
RoadTrain commented Dec 3, 2021
View reviewed changes
src/Security/Authentication/Negotiate/src/Internal/LdapAdapter.cs
@@ -109,18 +111,26 @@ private static void GetNestedGroups(LdapConnection connection, ClaimsIdentity pr
logger.LogWarning($"More than one response received for query: {filter} with distinguished name: {distinguishedName}");
}

var group = searchResponse.Entries[0]; //Get the object that was found on ldap
string name = group.DistinguishedName;
retrievedClaims.Add(name);
Copy link
Contributor Author

@RoadTrain RoadTrain Dec 3, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, we use a group Common Name (CN, like SomeGroup) as a claim name. In this particular instance, a Distinguished Name (DN, like CN=SomeGroup,DC=domain,DC=com) was used instead, which I think is incorrect.
Possibly a typo, was introduced in #25075

@RoadTrain RoadTrain mentioned this pull request Dec 3, 2021
Closed
1 task
@Tratcher Tratcher merged commit 7ea9341 into dotnet:main Dec 9, 2021
@ghost ghost added this to the 7.0-preview1 milestone Dec 9, 2021
@Tratcher
Copy link
Member

Tratcher commented Dec 9, 2021

@RoadTrain @macsux, this should show up in our 7.0 rolling builds by next week. Can you download and verify the fix from there?
https://github.com/dotnet/installer#installers-and-binaries

@RoadTrain RoadTrain deleted the linux-ldap-recursion-fix branch December 13, 2021 13:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tratcher Tratcher Tratcher approved these changes

Assignees

@Tratcher Tratcher

Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer community-contribution Indicates that the PR has been added by a community member
Projects
None yet
Milestone
7.0-preview1
3 participants
@RoadTrain @Tratcher @adityamandaleeka