Linux: RBAC claims resolution fails if user has group with brackets in name

[teh13th]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Real-world AD deployments can have groups with brackets in name (example: Some resource access (rw)). In this case, when nested claims resolution is enabled, Linux clients will get LdapException: The search filter is invalid.

Expected Behavior

In case, when nested claims resolution is enabled, expected that each user's group will parse correctly, even if it contains brackets.

Steps To Reproduce

1. Set up any AD server (contoso.com in the example).
2. Add AD group with brackets in name (Some resource access (rw)).
3. Add user to that group.
4. Create a simple API project, set up RBAC claims resolution:

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate(options =>
{
    if (!RuntimeInformation.IsOSPlatform(OSPlatform.Linux))
    {
        return;
    }
    
    options.EnableLdap(settings =>
    {
        settings.Domain = "contoso.com";
        settings.MachineAccountName = "someuser";
        settings.MachineAccountPassword = "somepassword";
    });
});

services.AddAuthorization();

[ApiController]
[Route("api/[controller]")]
[Authorize(Roles = "GroupA")]
public class SomeController : Controller
{
    [HttpGet]
    [Route("someMethod")]
    public async Task<ActionResult<int>> SomeMethod()
    {
        return 1;
    }
 }

Exceptions (if any)

System.DirectoryServices.Protocols.LdapException: The search filter is invalid. 
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout) 
   at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request) 
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateEvents.RetrieveLdapClaims(LdapContext context) 
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleAuthenticateAsync() 
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync() 
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme) 
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) 
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context) 

.NET Version

8.0.204

Anything else?

The problem is that class LdapAdapter does not escape group name when place it in query to LDAP here:

var filter = $"(&(objectClass=group)(sAMAccountName={groupCN}))"; // This is using ldap search query language, it is looking on the server for someUser

It seems that you can use one of existing tool here:

1. System.DirectoryServices.ActiveDirectory.Utils.GetEscapedFilterValue()
2. System.DirectoryServices.AccountManagement.ADUtils.EscapeRFC2254SpecialChars().

Also, you can use mentioned tools to get the common name (CN) from the distinguished name (DN) here:

var groupCN = DistinguishedNameSeparator().Split(groupDN)[0].Substring("CN=".Length);

Method: System.DirectoryServices.ActiveDirectory.Utils.GetDNComponents().

[SteveSandersonMS]

@joperezr Who would be the best person to look at this? We transferred it to runtime because as we understand, the implementation is in that repo, and it does look like a possible bug.

[joperezr]

Tagging @dotnet/area-system-directoryservices team and @buyaa-n.

[buyaa-n]

The problem is that class LdapAdapter does not escape group name when place it in query to LDAP here:

var filter = $"(&(objectClass=group)(sAMAccountName={groupCN}))"; // This is using ldap search query language, it is looking on the server for someUser

I do not have an AD server for testing, tested with open LDAP server, a filter with works with or without escaping, though according to the doc you shared escaping might needed for active directory.

Given that the escaping was optional for OpenLdap and System.DirectoryServices.Protocols.SearchRequest will accept the entire filter string that contains many brackets that is not supposed to be escaped it will be not easy to determine which brackets (and other special characters) need to be escaped, I don't think we should try to escape the filter in DirectoryServices.Protocols.SearchRequest library level.

@teh13th I would suggest you escape the groupCN yourself, if possible, you might could not do that because the value comes from the controller annotations, in that case I would say ASPNetCore implementation should escape it CC @SteveSandersonMS

[teh13th]

@buyaa-n, we don't pass problem values directly, they are came from Microsoft.AspNetCore.Authentication.Negotiate package internals (package reads current user roles (groups) and tries to get nested groups). So we can't escape it ourselves.

[buyaa-n]

Well then, I believe it should be fixed in AspNetCore side not runtime, maybe file an issue there?

[teh13th]

@buyaa-n, initially, I created a request in ASP.NET repo, but @SteveSandersonMS transferred it here. Maybe, one of you can transfer it back?

[FANAT--]

I have the same problem while interacting with Microsoft Active Directory server.

.NET clients, being built for Windows, work correctly, but Linux clients get the same error LdapException: The search filter is invalid, if any groups' name (the user is in) contains brackets.

Escaping values in ldap queries solves the problem.