grouper-dev - Re: [grouper-dev] Re: Grouper search not working
  • From: Tom Barton <>
  • To: dan <>
  • Subject: Re: [grouper-dev] Re: Grouper search not working
  • Date: Tue, 23 Jan 2007 21:37:09 -0600



dan wrote:
> And while I'm at it - does anyone else consider it a security flaw that Grouper naively interpolates the string into a query? In my experience this has been one of the BIG no-nos of web application development.
>
> One could easily type a query that closes the open brace around a search term and inserts additional terms into queries that expose additional information or break the system in other ways.

Information exposure should be managed by the access controls in the ldap server. Likewise, administrative limits configured in the ldap server should protect it from other potential breakage. But it's still a good question. I haven't heard of issues of this sort arising specifically in relation to accessing info in an ldap server - anyone else?

> Isn't there a more standardised way to template JNDI queries without exposing security problems, just like PreparedStatement in JDBC?

I leave this to java developers to respond to.

> Just stoking the fires of controversy ;-)
>
> Dan
>
> On 1/24/07, dan wrote:
>
> > Hi there,
> >
> > I'm using the JNDISourceAdapter to connect Grouper to our OpenLDAP
> > users directory. There was a time when searching worked fine, but
> > now all of a sudden it doesn't, but just for searches other than
> > uidNumber.
> >
> > That is to say, if I click "Search Subjects" in the interface, and
> > type "joe", knowing full well there IS a user with uid=joe, I don't
> > get anything back. If I type "1000" (joe has a uidNumber of 1000),
> > it works.

Your config looks ok. Has the access control policy for the ldap server changed? Or have you changed the security principal that the JNDISourceAdapter BINDs as?

> > Our search entry looks like this:
> >
> > <search>
> > <searchType>search</searchType>
> > <param>
> > <param-name>filter</param-name>
> > <param-value>
> > (&amp;
> > (|(uid=%TERM%)(uidNumber=%TERM%)(cn=*%TERM%*))(objectclass=posixAccount))
> > </param-value>
> > </param>
> > <param>
> > <param-name>scope</param-name>
> > <param-value>
> > SUBTREE_SCOPE </param-value>
> > </param>
> > <param>
> > <param-name>base</param-name>
> > <param-value>
> > ou=People,dc=research,dc=editure,dc=com
> > </param-value>
> > </param>
> > </search>
> >
> > Help! Does anyone know what's going on? This is with Grouper 1.1.
> >
> > Thanks,
> > Dan
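As an added example (not Grouper's code and not from this thread), the following shows the kind of value escaping a parameterised filter mechanism, such as JNDI's search overload that takes a filterExpr with {0} placeholders plus a filterArgs array, is meant to provide, applied to dan's own filter template: the user-typed term is hex-escaped per RFC 4515 so it can no longer change the shape of the filter, while the template's own wildcards around %TERM% in the cn clause keep working. The helper names are hypothetical and the sample terms are constructed.

```python
import re

# dan's posted filter; %TERM% is the placeholder Grouper interpolates.
FILTER_TEMPLATE = (
    "(&(|(uid=%TERM%)(uidNumber=%TERM%)(cn=*%TERM%*))"
    "(objectclass=posixAccount))"
)

# RFC 4515 requires these characters to be hex-escaped inside an assertion
# value, so the server reads them as data rather than as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(term: str) -> str:
    """Turn a user-typed search term into a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in term)


def build_filter_naive(term: str) -> str:
    """Plain interpolation, as the thread describes %TERM% being handled."""
    return FILTER_TEMPLATE.replace("%TERM%", term)


def build_filter_escaped(term: str) -> str:
    """Interpolation with the term escaped; the template's own '*' wildcards
    in the cn clause are untouched, only the user's characters are encoded."""
    return FILTER_TEMPLATE.replace("%TERM%", escape_filter_value(term))


# Tokens: a hex escape sequence, a parenthesis, or a run of ordinary text.
_TOKEN = re.compile(r"\\[0-9a-fA-F]{2}|[()]|[^()\\]+")


def count_components(filter_str: str) -> int:
    """Count the '(...)' components a server would parse, or return -1 when
    the parentheses do not balance. Escaped parentheses are not structure."""
    depth = components = 0
    for tok in _TOKEN.findall(filter_str):
        if tok == "(":
            depth += 1
            components += 1
        elif tok == ")":
            depth -= 1
            if depth < 0:
                return -1
    return components if depth == 0 else -1


def structure_preserved(term: str) -> bool:
    """True when the escaped term leaves the filter with its baseline shape."""
    baseline = count_components(FILTER_TEMPLATE.replace("%TERM%", "x"))
    return count_components(build_filter_escaped(term)) == baseline
```

A term containing parentheses or '*' leaves build_filter_naive with an unbalanced or reshaped filter, whereas build_filter_escaped always yields the template's six components; the same comparison works as a unit test for any other filter template Grouper is configured with.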

Archive powered by MHonArc 2.6.16.