jirutka/ssh-ldap-pubkey

LDAP password bindpw cannot contain #

Opened this issue · 3 comments

Hi,

I have an LDAP password that contains "#". In this case, I get:

Error: Invalid credentials for XXX

Analysis:
The code in https://github.com/jirutka/ssh-ldap-pubkey/blob/master/ssh_ldap_pubkey/config.py transforms the config /etc/ldap.conf into a dict. This convenient method:
re.match(r'^(\w+)\s+([^#]+)', line)
rejects all comments after "#". E.g.:
binddn cn=XXX # example of comment to ignore

However, this also makes it impossible to use a password with "#" inside. E.g.:
bindpw abcd#efg
will set bindpw to abcd.

If we want both the ability to add a comment at the end of a configuration line and the ability to use "#" in a password, we should give bindpw special parsing. I do not see another way.

Hi,
we may do something similar to what the POSIX shell does – interpret # as the start of a comment only when it’s preceded by whitespace.

However, it seems that ldap.conf(5) does not permit trailing comments, so perhaps the right way is to interpret # as a comment only when /^\s*#/.

Can an LDAP password contain a space? Is "password #" a valid password?

Most likely it can.
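The three comment rules discussed in this thread, side by side, as an added example that is not part of the original thread or the project's code. The function names and sample lines are constructed for illustration, and the `.strip()` on the original pattern's value is an assumption.

```python
import re

# Pattern quoted in the issue: the value stops at the first '#'.
ORIGINAL = re.compile(r'^(\w+)\s+([^#]+)')
COMMENT_LINE = re.compile(r'^\s*#')


def parse_original(line):
    """Reported behaviour: '#' anywhere in the line ends the value."""
    m = ORIGINAL.match(line)
    # Stripping trailing whitespace is an assumption made for comparison.
    return (m.group(1), m.group(2).strip()) if m else None


def parse_shell_style(line):
    """First proposal: '#' starts a comment only when preceded by whitespace."""
    if COMMENT_LINE.match(line):
        return None
    m = re.match(r'^(\w+)(\s.*)$', line)
    if not m:
        return None
    # Cut at the first '#' that directly follows a whitespace character.
    value = re.split(r'\s#', m.group(2), maxsplit=1)[0].strip()
    return (m.group(1), value) if value else None


def parse_line_start_only(line):
    """Second proposal: only lines that begin with optional whitespace and '#' are comments."""
    if COMMENT_LINE.match(line):
        return None
    m = re.match(r'^(\w+)\s+(.*\S)', line)
    return (m.group(1), m.group(2)) if m else None


# Constructed sample lines based on the cases raised in the thread.
SAMPLES = [
    "# full-line comment",
    "binddn cn=XXX # example of comment to ignore",
    "bindpw abcd#efg",
    "bindpw password #",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line))
        for parser in (parse_original, parse_shell_style, parse_line_start_only):
            print(f"  {parser.__name__:<22} {parser(line)!r}")
```

Only the line-start-only rule keeps "password #" intact, at the cost of treating trailing comments as part of the value.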