diff --git a/pkg/security/ldapquery/query.go b/pkg/security/ldapquery/query.go
index 19f276f3e9..33a9dc6e44 100644
--- a/pkg/security/ldapquery/query.go
+++ b/pkg/security/ldapquery/query.go
@@ -112,7 +112,7 @@ func (o *LDAPQueryOnAttribute) NewSearchRequest(attributeValue string, attribute
 	if err != nil {
 		return nil, fmt.Errorf("could not search by dn, invalid dn value: %v", err)
 	}
-	if !baseDN.AncestorOf(dn) && !baseDN.Equal(dn) {
+	if !baseDN.AncestorOfFold(dn) && !baseDN.EqualFold(dn) {
 		return nil, NewQueryOutOfBoundsError(attributeValue, o.BaseDN)
 	}
 	return o.buildDNQuery(attributeValue, attributes), nil
diff --git a/pkg/security/ldapquery/query_test.go b/pkg/security/ldapquery/query_test.go
index e43a935b25..e74c667be2 100644
--- a/pkg/security/ldapquery/query_test.go
+++ b/pkg/security/ldapquery/query_test.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"strings"
 	"testing"
 
 	"github.com/go-ldap/ldap/v3"
@@ -178,6 +179,33 @@ func TestNewSearchRequest(t *testing.T) {
 			expectedRequest: nil,
 			expectedError: true,
 		},
+		{
+			name: "dn query should not be out of bounds",
+			options: LDAPQueryOnAttribute{
+				LDAPQuery: LDAPQuery{
+					BaseDN: strings.ToUpper(DefaultBaseDN),
+					Scope: DefaultScope,
+					DerefAliases: DefaultDerefAliases,
+					TimeLimit: DefaultTimeLimit,
+					Filter: DefaultFilter,
+				},
+				QueryAttribute: "DN",
+			},
+			attributeValue: "uid=john,o=users,dc=example,dc=com",
+			attributes: DefaultAttributes,
+			expectedRequest: &ldap.SearchRequest{
+				BaseDN: "uid=john,o=users,dc=example,dc=com",
+				Scope: ldap.ScopeBaseObject,
+				DerefAliases: int(DefaultDerefAliases),
+				SizeLimit: DefaultSizeLimit,
+				TimeLimit: DefaultTimeLimit,
+				TypesOnly: DefaultTypesOnly,
+				Filter: "(objectClass=*)",
+				Attributes: DefaultAttributes,
+				Controls: DefaultControls,
+			},
+			expectedError: false,
+		},
 		{
 			name: "attribute query no attributes with paging",
 			options: LDAPQueryOnAttribute{
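Review bot: The out-of-bounds guard on the `+` line of the query.go hunk is loosened from exact to case-folded DN comparison without a comment saying why that is safe, and a security check that becomes more permissive should carry its rationale. LDAP attribute types in a DN are case-insensitive and most RDN values use caseIgnoreMatch, so the fold is what the directory itself does, but not every attribute's matching rule ignores case, and whether AncestorOfFold/EqualFold also normalise escaping or surrounding whitespace is not visible in this hunk. Suggest a comment above the check along the lines of `// DN comparison is case-insensitive (RFC 4514 attribute types; RDN values usually match with caseIgnoreMatch), so fold case here to avoid rejecting a DN that only differs in case from the configured BaseDN.`, adjusted to what the Fold helpers actually guarantee. NewSearchRequest starts before and ends after this hunk.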
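Review bot: The new table entry in the query_test.go hunk only exercises the ancestor branch of the folded check (an upper-cased BaseDN against a lower-case descendant DN, assuming DefaultBaseDN is the `dc=example,dc=com` suffix, which is not visible here); the EqualFold branch, where the queried DN is the base DN itself in a different case, has no case and would keep a regression in EqualFold invisible. A second entry with `attributeValue: strings.ToLower(strings.ToUpper(DefaultBaseDN))` style input, or simply `attributeValue: DefaultBaseDN` against the upper-cased BaseDN, would cover it. The name `"dn query should not be out of bounds"` also does not say what distinguishes this case from the existing in-bounds ones; `"dn query with base dn differing only in case is in bounds"` states the intent. TestNewSearchRequest starts before and continues after this hunk.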