From 2477439ecc3297216c5a0641555fbc305f1eb0e2 Mon Sep 17 00:00:00 2001
From: Valentin Tolmer
Date: Wed, 19 Oct 2022 17:28:37 +0200
Subject: [PATCH] server: Improve rootDSE

Matches the case-insensitive "objectclass" filter, fix the reported version, and declares the name context and some other attributes. Potential fix to #330.
---
 server/src/infra/ldap_handler.rs | 43 ++++++++++++++++++++++++--------
 1 file changed, 32 insertions(+), 11 deletions(-)

diff --git a/server/src/infra/ldap_handler.rs b/server/src/infra/ldap_handler.rs
index bd1b27b..34ec1a5 100644
--- a/server/src/infra/ldap_handler.rs
+++ b/server/src/infra/ldap_handler.rs
@@ -109,7 +109,9 @@ fn root_dse_response(base_dn: &str) -> LdapOp {
 },
 LdapPartialAttribute {
 atype: "vendorVersion".to_string(),
- vals: vec![b"lldap_0.2.0".to_vec()],
+ vals: vec![concat!("lldap_", env!("CARGO_PKG_VERSION"))
+ .to_string()
+ .into_bytes()],
 },
 LdapPartialAttribute {
 atype: "supportedLDAPVersion".to_string(),
@@ -117,12 +119,30 @@ fn root_dse_response(base_dn: &str) -> LdapOp {
 },
 LdapPartialAttribute {
 atype: "supportedExtension".to_string(),
+ // Password modification extension.
 vals: vec![b"1.3.6.1.4.1.4203.1.11.1".to_vec()],
 },
 LdapPartialAttribute {
- atype: "defaultnamingcontext".to_string(),
+ atype: "supportedControl".to_string(),
+ vals: vec![],
+ },
+ LdapPartialAttribute {
+ atype: "supportedFeatures".to_string(),
+ // Attribute "+"
+ vals: vec![b"1.3.6.1.4.1.4203.1.5.1".to_vec()],
+ },
+ LdapPartialAttribute {
+ atype: "defaultNamingContext".to_string(),
 vals: vec![base_dn.to_string().into_bytes()],
 },
+ LdapPartialAttribute {
+ atype: "namingContexts".to_string(),
+ vals: vec![base_dn.to_string().into_bytes()],
+ },
+ LdapPartialAttribute {
+ atype: "isGlobalCatalogReady".to_string(),
+ vals: vec![b"false".to_vec()],
+ },
 ],
 })
 }
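Review bot: The `vendorVersion` value in `root_dse_response` now carries the exact crate version, and the rootDSE branch in the last hunk returns before the `user_info` check, so an unauthenticated client can read the precise release. That is conventional for a rootDSE, but it should be a stated decision: add a comment such as `// Served before bind: exposes the exact release to anonymous clients.` above the `vals:` line, or consider putting the version string behind configuration. Separately, `concat!(...)` already yields a `&'static str`, so `.as_bytes().to_vec()` would avoid the intermediate `String`. The function body starts outside this hunk.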
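Review bot: The new `supportedControl` entry is sent with `vals: vec![]`, i.e. an attribute with no values inside the rootDSE entry; some LDAP clients may reject or mis-handle a valueless attribute, so it looks safer to omit the entry until a control is actually supported. The `// Attribute "+"` comment would be clearer as `// All Operational Attributes ("+" in the attribute list), RFC 3673.`. Since that OID is advertised to every client, it is worth confirming that the search path really honours "+"; that code is not visible in this patch. `root_dse_response` begins before this hunk.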
@@ -307,15 +327,16 @@ impl LdapHandler LdapResult> { - if request.base.is_empty() - && request.scope == LdapSearchScope::Base - && request.filter == LdapFilter::Present("objectClass".to_string()) - { - debug!("rootDSE request"); - return Ok(vec![ - root_dse_response(&self.ldap_info.base_dn_str), - make_search_success(), - ]); + if request.base.is_empty() && request.scope == LdapSearchScope::Base { + if let LdapFilter::Present(attribute) = &request.filter { + if attribute.to_ascii_lowercase() == "objectclass" { + debug!("rootDSE request"); + return Ok(vec![ + root_dse_response(&self.ldap_info.base_dn_str), + make_search_success(), + ]); + } + } } let user_info = self.user_info.as_ref().ok_or_else(|| LdapError { code: LdapResultCode::InsufficentAccessRights,
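Review bot: The rootDSE match allocates a lowercased copy of a client-supplied attribute name on a path that runs before the `user_info` check; `if attribute.eq_ignore_ascii_case("objectclass") {` performs the same comparison without the allocation. Because this is the branch answered without a bind, a comment such as `// rootDSE is returned before the authentication check below; keep this match narrow.` above the outer `if` would help whoever widens the condition next. The hunk's leading context lines are garbled in this rendering, and the function continues past the end of the hunk.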