Grouper Developers Forum

[Tom Barton <>]

dan wrote:
> And while I'm at it - does anyone else consider it a security flaw that 
> Grouper naively interpolates the string into a query? In my experience 
> this has been one of the BIG no-nos of web application development.
>
> One could easily type a query that closes the open brace around a search 
> term and inserts additional terms into queries that expose additional 
> information or breaks the system in other ways.

Information exposure should be managed by the access controls in the 
ldap server. Likewise, administrative limits configured in the ldap 
server should protect it from other potential breakage. But it's still a 
good question. I haven't heard of issues of this sort arising 
specifically in relation to accessing info in an ldap server - anyone else?

> Isn't there a more standardised way to template JNDI queries without 
> exposing security problems, just like PrepareStatement in JDBC?

I leave this to java developers to respond to.

> Just stoking the fires of controversy ;-)
>
> Dan
>
> On 1/24/07, *dan* < <mailto:>> 
> wrote:
>
>     Hi there,
>
>     I'm using the JNDISourceAdapter to connect Grouper to our OpenLDAP
>     users directory. There was a time when searching worked fine, but
>     now all of a sudden it doesn't, but just for searches other than
>     uidNumber.
>
>     That is to say, if I click "Search Subjects" in the interface, and
>     type "joe", knowing full well there IS a user with uid=joe, I don't
>     get anything back. If I type "1000" (joe has a uidNumber of 1000),
>     it works.

Your config looks ok. Has the access control policy for the ldap server 
changed? Or have you changed the security principal that the 
JNDISourceAdapter BINDs as?

>     Our search entry looks like this:
>
>      <search>
>            <searchType>search</searchType>
>              <param>
>                 <param-name>filter</param-name>
>                 <param-value>
>                     (&amp;
>     (|(uid=%TERM%)(uidNumber=%TERM%)(cn=*%TERM%*))(objectclass=posixAccount))
>                 </param-value>
>             </param>
>             <param>
>                 <param-name>scope</param-name>
>                 <param-value>
>                     SUBTREE_SCOPE           
>                 </param-value>
>             </param>
>              <param>
>                 <param-name>base</param-name>
>                 <param-value>
>                     ou=People,dc=research,dc=editure,dc=com
>                 </param-value>
>             </param>
>         </search>
>
>
>     Help! Does anyone know what's going on? This is with Grouper 1.1.
>
>     Thanks,
>     Dan