LDAP Injection in Mattermost Enterprise Edition When Using Active Directory
Description
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
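As an added illustration of the class of fix the advisory describes (validating the group ID before it is used in a search filter), and not Mattermost's own code: a Go helper that accepts a remote group ID only if it decodes to a 16-byte objectGUID and then builds the `(objectGUID=...)` filter with every byte escaped per RFC 4515. The accepted encodings (base64, plain or dashed hex, backslash-hex) and all function names are this example's assumptions, chosen to cover the value forms that appear in the project's test fixtures below.

```go
package main

import (
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// guidLen is the size in bytes of an Active Directory objectGUID.
const guidLen = 16

// ErrInvalidGUID is returned for any remote ID that is not a 16-byte GUID.
var ErrInvalidGUID = errors.New("invalid AD/LDAP group id: not a 16-byte objectGUID")

// ParseObjectGUID decodes a caller-supplied group ID into the raw 16 GUID
// bytes. The accepted encodings are this example's assumption, chosen to
// cover the forms in the advisory's test fixtures: standard base64 of the 16
// bytes, 32 hex digits (optionally dashed as a UUID), and backslash-hex such
// as "\56\6d\95\5b...". Anything else, including text that carries filter
// syntax, is rejected before a filter is ever built.
func ParseObjectGUID(raw string) ([]byte, error) {
	s := strings.TrimSpace(raw)
	var b []byte
	var err error
	switch {
	case strings.HasPrefix(s, `\`):
		// Backslash-hex: exactly 16 groups of "\" plus two hex digits.
		parts := strings.Split(s[1:], `\`)
		if len(parts) != guidLen {
			return nil, ErrInvalidGUID
		}
		var digits strings.Builder
		for _, p := range parts {
			if len(p) != 2 {
				return nil, ErrInvalidGUID
			}
			digits.WriteString(p)
		}
		b, err = hex.DecodeString(digits.String())
	case len(s) == 2*guidLen || len(s) == 2*guidLen+4:
		// Plain hex, or the 36-character dashed UUID form.
		b, err = hex.DecodeString(strings.ReplaceAll(s, "-", ""))
	default:
		b, err = base64.StdEncoding.DecodeString(s)
	}
	if err != nil || len(b) != guidLen {
		return nil, ErrInvalidGUID
	}
	return b, nil
}

// EscapeFilterValue writes every byte as "\" plus two hex digits, the RFC 4515
// escape form. Escaping every byte is always valid and is the normal way to
// match a binary attribute such as objectGUID, so no byte can act as syntax.
func EscapeFilterValue(b []byte) string {
	var sb strings.Builder
	for _, c := range b {
		fmt.Fprintf(&sb, `\%02x`, c)
	}
	return sb.String()
}

// isAttributeDescription checks the attribute name against the RFC 4512 shape
// (keystring or numeric OID, optional ";option" parts). The name comes from
// admin configuration, but checking it keeps the filter well-formed anyway.
func isAttributeDescription(s string) bool {
	for i, r := range s {
		alnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !alnum && (i == 0 || (r != '-' && r != '.' && r != ';')) {
			return false
		}
	}
	return s != ""
}

// SafeGroupFilter is the hardened form of "(" + attr + "=" + id + ")": the
// ID is validated as a 16-byte GUID and then escaped, so input that is not a
// well-formed GUID never reaches the directory.
func SafeGroupFilter(idAttr, remoteID string) (string, error) {
	if !isAttributeDescription(idAttr) {
		return "", fmt.Errorf("invalid group id attribute %q", idAttr)
	}
	guid, err := ParseObjectGUID(remoteID)
	if err != nil {
		return "", err
	}
	return "(" + idAttr + "=" + EscapeFilterValue(guid) + ")", nil
}

func main() {
	// Constructed sample IDs: a base64 GUID, a dashed UUID and a malformed
	// value carrying filter characters; only the first two yield a filter.
	for _, id := range []string{"UcVUS/HonkGbqAAAAAAAAA==", "566d955b-a89a-9c42-a461-000000000000", "not-a-guid)(x=*"} {
		f, err := SafeGroupFilter("objectGUID", id)
		fmt.Printf("%-40q filter=%q err=%v\n", id, f, err)
	}
}
```

A rejected ID fails before any LDAP round trip, which is also the natural place to log the rejection so that repeated malformed group IDs from one administrator account stand out in audit review.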
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/mattermost/mattermost/server/v8 (Go) | < 8.0.0-20250414112942-77892234944b | 8.0.0-20250414112942-77892234944b |
| github.com/mattermost/mattermost-server (Go) | >= 10.7.0, < 10.7.2 | 10.7.2 |
| github.com/mattermost/mattermost-server (Go) | >= 10.6.0, < 10.6.4 | 10.6.4 |
| github.com/mattermost/mattermost-server (Go) | >= 10.5.0, < 10.5.5 | 10.5.5 |
| github.com/mattermost/mattermost-server (Go) | >= 9.11.0, < 9.11.14 | 9.11.14 |
Affected products
1- Range: 10.7.0
Patches
5b47e89c4f98c MM-62930: Add validation of LDAP attribute values. (#30419) (#30821)
7 files changed · +76 −1
e2e-tests/.ci/server.prepare.sh+1 −0 modified@@ -55,6 +55,7 @@ for SERVICE in $ENABLED_DOCKER_SERVICES; do continue fi mme2e_log "Configuring the $SERVICE container" + ${MME2E_DC_SERVER} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' <../../server/tests/custom-schema-objectID.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest' <../../server/tests/test-data.ldif ;; minio)
.github/workflows/mmctl-test-template.yml+1 −0 modified@@ -49,6 +49,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
.github/workflows/server-test-template.yml+1 −0 modified@@ -41,6 +41,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
server/i18n/en.json+8 −0 modified@@ -8028,6 +8028,10 @@ "id": "ent.ldap.do_login.certificate.app_error", "translation": "Error loading LDAP TLS Certificate file." }, + { + "id": "ent.ldap.do_login.invalid_id", + "translation": "Invalid AD/LDAP Id" + }, { "id": "ent.ldap.do_login.invalid_password.app_error", "translation": "Invalid Password." @@ -8120,6 +8124,10 @@ "id": "ent.ldap_groups.groups_search_error", "translation": "error retrieving ldap groups" }, + { + "id": "ent.ldap_groups.invalid_ldap_id", + "translation": "Invalid AD/LDAP id" + }, { "id": "ent.ldap_groups.members_of_group_error", "translation": "error retrieving members of group"
server/Makefile+2 −1 modified@@ -232,7 +232,8 @@ else docker compose rm start_dependencies $(GO) run ./build/docker-compose-generator/main.go $(ENABLED_DOCKER_SERVICES) | docker compose -f docker-compose.makefile.yml -f /dev/stdin $(DOCKER_COMPOSE_OVERRIDE) run -T --rm start_dependencies ifneq (,$(findstring openldap,$(ENABLED_DOCKER_SERVICES))) - cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; + cat tests/custom-schema-objectID.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; + cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; endif ifneq (,$(findstring mysql-read-replica,$(ENABLED_DOCKER_SERVICES))) ./scripts/replica-mysql-config.sh
server/tests/custom-schema-objectID.ldif+14 −0 added@@ -0,0 +1,14 @@ +dn: cn=schema,cn=config +changetype: modify +add: olcAttributeTypes +olcAttributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' + DESC 'AD object GUID' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +- +add: olcObjectClasses +olcObjectClasses: ( 1.2.840.113556.1.5.256 NAME 'activeDSObject' + DESC 'Active Directory Schema Object' + SUP top AUXILIARY + MAY ( objectGUID ) ) \ No newline at end of file
server/tests/test-data.ldif+49 −0 modified@@ -6,6 +6,7 @@ objectclass: organizationalunit dn: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test1 title: Test1 Title @@ -15,6 +16,7 @@ userPassword: Password1 dn: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test2 title: Test2 Title @@ -24,6 +26,7 @@ userPassword: Password1 dn: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test3 title: Test3 Title @@ -33,6 +36,7 @@ userPassword: Password1 dn: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test4 title: Test4 Title @@ -42,6 +46,7 @@ userPassword: Password1 dn: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test5 # No title to allow testing that path @@ -53,6 +58,7 @@ userPassword: Password1 dn: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: DevOps Engineer @@ -62,6 +68,7 @@ userPassword: Password1 dn: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev1 title: Senior Software Design Engineer @@ -71,6 +78,7 @@ userPassword: Password1 dn: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev2 title: Software Design Engineer || @@ -80,6 +88,7 @@ userPassword: Password1 dn: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: Software Design Engineer 
@@ -89,6 +98,7 @@ userPassword: Password1 dn: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev4 title: Staff Software Design Engineer @@ -100,6 +110,7 @@ userPassword: Password1 dn: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec1 title: CEO @@ -109,6 +120,7 @@ userPassword: Password1 dn: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec2 title: CTO @@ -120,6 +132,7 @@ userPassword: Password1 dn: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board1 title: Director @@ -129,6 +142,7 @@ userPassword: Password1 dn: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board2 title: Inside Director @@ -138,6 +152,7 @@ userPassword: Password1 dn: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board3 title: Outside Director @@ -147,6 +162,7 @@ userPassword: Password1 dn: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin1 mail: success+firstloginuser.one@simulator.amazonses.com @@ -155,6 +171,7 @@ userPassword: Password1 dn: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin2 mail: success+firstloginuser.two@simulator.amazonses.com 
@@ -165,85 +182,117 @@ changetype: add objectclass: organizationalunit # groupOfNames + +# groupOfNames with Base64 Encoded ObjectGUID dn: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: UcVUS/HonkGbqAAAAAAAAA== member: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com +# groupOfNames with Hex Separated ObjectGUID dn: cn=board,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00 member: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com +# groupOfNames with Binary Encoded ObjectGUID dn: cn=executive,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA== member: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=board,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-84,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: YB4aM/vJn0CfhQAAAAAAAA== member: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com member: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com dn: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: ZA9bHYy+n0KVlgAAAAAAAA== member: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: aS77A+eDnke+7AAAAAAAAA== member: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com # groupOfUniqueNames dn: cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: 
bThfVKmRn0S5mQAAAAAAAA== uniqueMember: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com dn: cn=ugroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: cEdgf5/JnkCZtQAAAAAAAA== uniqueMember: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=vgroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: dUvgN8VXnkC9EQAAAAAAAAA== uniqueMember: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com # Adds a group with a cycle dn: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: eXyMRG3BnUCJsQAAAAAAAA== uniqueMember: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: fM8fdh6MnUGsYQAAAAAAAA== uniqueMember: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: gI9GHKjnn0G7LQAAAAAAAAA== uniqueMember: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: hKDpuRd+nECFKwAAAAAAAA== uniqueMember: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com uniqueMember: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=firstlogingroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: iS3dxTuwnkC2MQAAAAAAAAA== 
uniqueMember: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com \ No newline at end of file
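Review bot: in the e2e-tests/.ci/server.prepare.sh hunk the new schema load combines a SASL `-Y EXTERNAL -H ldapi:///` bind with `-w mostest`; `-w` is a simple-bind password that EXTERNAL does not use, so drop it. The trailing `|| true` also swallows every failure of the schema load, and a missing `objectGUID` attribute type then surfaces only later as an objectclass violation when test-data.ldif is added; if the intent is to tolerate re-runs, tolerate the "already exists" case rather than all errors.

Review bot: the .github/workflows/mmctl-test-template.yml and server-test-template.yml hunks copy the same two `ldapadd` invocations a third and fourth time (the Makefile and server.prepare.sh carry them too), each with the same `-w mostest` on a SASL EXTERNAL bind and the same blanket `|| true`; factor the schema-then-data load into one script under server/tests that all four call, so the next schema fixture is added in one place.

Review bot: the server/i18n/en.json hunk is the only trace of the validation the commit title promises; none of the seven changed files is Go source, so the check that produces `ent.ldap.do_login.invalid_id` and `ent.ldap_groups.invalid_ldap_id` is not visible here and cannot be reviewed together with its fixtures. On naming, the neighbouring ids end in `.app_error` (compare `ent.ldap.do_login.invalid_password.app_error`) and the two new translations disagree on `Id` versus `id`; align both with the existing convention and pick one spelling.

Review bot: the server/Makefile hunk writes `$(DOCKER_COMPOSE_OVERRIDE)` on the schema line and `${DOCKER_COMPOSE_OVERRIDE}` on the data line; both expand the same way in make, but the surrounding recipe uses the `$(...)` form, so keep that on both lines. The `-w mostest` on the `-Y EXTERNAL` bind is the same issue as in the other hunks.

Review bot: in the new server/tests/custom-schema-objectID.ldif the attribute type reuses AD's objectGUID OID, which is what the fixture needs, but the auxiliary class `activeDSObject` is not an Active Directory class and still takes an OID under Microsoft's 1.2.840.113556.1.5 arc; move the class to a project-owned or experimental arc so a fixture OID can never collide with a real one. The file also lacks a trailing newline.

Review bot: three of the new `objectGUID::` values in server/tests/test-data.ldif, for `cn=vgroup`, `cn=team-two` and `cn=firstlogingroup`, are 25 characters long (`dUvgN8VXnkC9EQAAAAAAAAA==`, `gI9GHKjnn0G7LQAAAAAAAAA==`, `iS3dxTuwnkC2MQAAAAAAAAA==`); base64 length must be a multiple of 4, so those entries either fail to load or carry a value no other decoder agrees on. Remove the extra `A` from each. The comments on the first three groups are also misleading: the `cn=executive` value is ordinary base64 like `cn=outsiders` (and decodes to 19 bytes, not 16), and the single-colon `cn=board` value is stored as the literal 48-character string `\56\6d...`, since LDIF does not interpret backslash escapes; if 16 raw bytes are intended, use the `::` base64 form there too, and if non-GUID values are intended as negative cases, say so in the comment.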
b33926709b95 MM-62930: Add validation of LDAP attribute values. (#30419) (#30822)
7 files changed · +76 −1
e2e-tests/.ci/server.prepare.sh+1 −0 modified@@ -55,6 +55,7 @@ for SERVICE in $ENABLED_DOCKER_SERVICES; do continue fi mme2e_log "Configuring the $SERVICE container" + ${MME2E_DC_SERVER} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' <../../server/tests/custom-schema-objectID.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest' <../../server/tests/test-data.ldif ;; minio)
.github/workflows/mmctl-test-template.yml+1 −0 modified@@ -49,6 +49,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
.github/workflows/server-test-template.yml+1 −0 modified@@ -41,6 +41,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
server/i18n/en.json+8 −0 modified@@ -8020,6 +8020,10 @@ "id": "ent.ldap.do_login.certificate.app_error", "translation": "Error loading LDAP TLS Certificate file." }, + { + "id": "ent.ldap.do_login.invalid_id", + "translation": "Invalid AD/LDAP Id" + }, { "id": "ent.ldap.do_login.invalid_password.app_error", "translation": "Invalid Password." @@ -8112,6 +8116,10 @@ "id": "ent.ldap_groups.groups_search_error", "translation": "error retrieving ldap groups" }, + { + "id": "ent.ldap_groups.invalid_ldap_id", + "translation": "Invalid AD/LDAP id" + }, { "id": "ent.ldap_groups.members_of_group_error", "translation": "error retrieving members of group"
server/Makefile+2 −1 modified@@ -232,7 +232,8 @@ else docker compose rm start_dependencies $(GO) run ./build/docker-compose-generator/main.go $(ENABLED_DOCKER_SERVICES) | docker compose -f docker-compose.makefile.yml -f /dev/stdin $(DOCKER_COMPOSE_OVERRIDE) run -T --rm start_dependencies ifneq (,$(findstring openldap,$(ENABLED_DOCKER_SERVICES))) - cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; + cat tests/custom-schema-objectID.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; + cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; endif ifneq (,$(findstring mysql-read-replica,$(ENABLED_DOCKER_SERVICES))) ./scripts/replica-mysql-config.sh
server/tests/custom-schema-objectID.ldif+14 −0 added@@ -0,0 +1,14 @@ +dn: cn=schema,cn=config +changetype: modify +add: olcAttributeTypes +olcAttributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' + DESC 'AD object GUID' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +- +add: olcObjectClasses +olcObjectClasses: ( 1.2.840.113556.1.5.256 NAME 'activeDSObject' + DESC 'Active Directory Schema Object' + SUP top AUXILIARY + MAY ( objectGUID ) ) \ No newline at end of file
server/tests/test-data.ldif+49 −0 modified@@ -6,6 +6,7 @@ objectclass: organizationalunit dn: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test1 title: Test1 Title @@ -15,6 +16,7 @@ userPassword: Password1 dn: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test2 title: Test2 Title @@ -24,6 +26,7 @@ userPassword: Password1 dn: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test3 title: Test3 Title @@ -33,6 +36,7 @@ userPassword: Password1 dn: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test4 title: Test4 Title @@ -42,6 +46,7 @@ userPassword: Password1 dn: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test5 # No title to allow testing that path @@ -53,6 +58,7 @@ userPassword: Password1 dn: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: DevOps Engineer @@ -62,6 +68,7 @@ userPassword: Password1 dn: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev1 title: Senior Software Design Engineer @@ -71,6 +78,7 @@ userPassword: Password1 dn: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev2 title: Software Design Engineer || @@ -80,6 +88,7 @@ userPassword: Password1 dn: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: Software Design Engineer 
@@ -89,6 +98,7 @@ userPassword: Password1 dn: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev4 title: Staff Software Design Engineer @@ -100,6 +110,7 @@ userPassword: Password1 dn: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec1 title: CEO @@ -109,6 +120,7 @@ userPassword: Password1 dn: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec2 title: CTO @@ -120,6 +132,7 @@ userPassword: Password1 dn: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board1 title: Director @@ -129,6 +142,7 @@ userPassword: Password1 dn: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board2 title: Inside Director @@ -138,6 +152,7 @@ userPassword: Password1 dn: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board3 title: Outside Director @@ -147,6 +162,7 @@ userPassword: Password1 dn: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin1 mail: success+firstloginuser.one@simulator.amazonses.com @@ -155,6 +171,7 @@ userPassword: Password1 dn: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin2 mail: success+firstloginuser.two@simulator.amazonses.com 
@@ -165,85 +182,117 @@ changetype: add objectclass: organizationalunit # groupOfNames + +# groupOfNames with Base64 Encoded ObjectGUID dn: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: UcVUS/HonkGbqAAAAAAAAA== member: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com +# groupOfNames with Hex Separated ObjectGUID dn: cn=board,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00 member: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com +# groupOfNames with Binary Encoded ObjectGUID dn: cn=executive,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA== member: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=board,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-84,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: YB4aM/vJn0CfhQAAAAAAAA== member: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com member: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com dn: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: ZA9bHYy+n0KVlgAAAAAAAA== member: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: aS77A+eDnke+7AAAAAAAAA== member: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com # groupOfUniqueNames dn: cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: 
bThfVKmRn0S5mQAAAAAAAA== uniqueMember: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com dn: cn=ugroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: cEdgf5/JnkCZtQAAAAAAAA== uniqueMember: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=vgroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: dUvgN8VXnkC9EQAAAAAAAAA== uniqueMember: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com # Adds a group with a cycle dn: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: eXyMRG3BnUCJsQAAAAAAAA== uniqueMember: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: fM8fdh6MnUGsYQAAAAAAAA== uniqueMember: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: gI9GHKjnn0G7LQAAAAAAAAA== uniqueMember: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: hKDpuRd+nECFKwAAAAAAAA== uniqueMember: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com uniqueMember: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=firstlogingroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: iS3dxTuwnkC2MQAAAAAAAAA== 
uniqueMember: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com \ No newline at end of file
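Review bot: this backport carries the same server/tests/test-data.ldif defect as #30821: the `objectGUID::` values for `cn=vgroup`, `cn=team-two` and `cn=firstlogingroup` are 25 characters and not valid base64, so fix them here as well before merging. The remaining remarks on the original (`-w mostest` on a SASL EXTERNAL bind, `|| true` masking schema-load failures, mixed `$(...)`/`${...}` syntax in the Makefile, i18n id naming, and the misleading fixture comments) apply unchanged; only the hunk offsets differ.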
64a65c610787 MM-62930: Add validation of LDAP attribute values. (#30419) (#30823)
7 files changed · +76 −1
e2e-tests/.ci/server.prepare.sh+1 −0 modified@@ -55,6 +55,7 @@ for SERVICE in $ENABLED_DOCKER_SERVICES; do continue fi mme2e_log "Configuring the $SERVICE container" + ${MME2E_DC_SERVER} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' <../../server/tests/custom-schema-objectID.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest' <../../server/tests/test-data.ldif ;; minio)
.github/workflows/mmctl-test-template.yml+1 −0 modified@@ -46,6 +46,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
.github/workflows/server-test-template.yml+1 −0 modified@@ -37,6 +37,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
server/i18n/en.json+8 −0 modified@@ -7750,6 +7750,10 @@ "id": "ent.ldap.do_login.certificate.app_error", "translation": "Error loading LDAP TLS Certificate file." }, + { + "id": "ent.ldap.do_login.invalid_id", + "translation": "Invalid AD/LDAP Id" + }, { "id": "ent.ldap.do_login.invalid_password.app_error", "translation": "Invalid Password." @@ -7842,6 +7846,10 @@ "id": "ent.ldap_groups.groups_search_error", "translation": "error retrieving ldap groups" }, + { + "id": "ent.ldap_groups.invalid_ldap_id", + "translation": "Invalid AD/LDAP id" + }, { "id": "ent.ldap_groups.members_of_group_error", "translation": "error retrieving members of group"
server/Makefile+2 −1 modified@@ -226,7 +226,8 @@ else docker compose rm start_dependencies $(GO) run ./build/docker-compose-generator/main.go $(ENABLED_DOCKER_SERVICES) | docker compose -f docker-compose.makefile.yml -f /dev/stdin $(DOCKER_COMPOSE_OVERRIDE) run -T --rm start_dependencies ifneq (,$(findstring openldap,$(ENABLED_DOCKER_SERVICES))) - cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; + cat tests/custom-schema-objectID.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; + cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; endif ifneq (,$(findstring mysql-read-replica,$(ENABLED_DOCKER_SERVICES))) ./scripts/replica-mysql-config.sh
server/tests/custom-schema-objectID.ldif+14 −0 added@@ -0,0 +1,14 @@ +dn: cn=schema,cn=config +changetype: modify +add: olcAttributeTypes +olcAttributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' + DESC 'AD object GUID' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +- +add: olcObjectClasses +olcObjectClasses: ( 1.2.840.113556.1.5.256 NAME 'activeDSObject' + DESC 'Active Directory Schema Object' + SUP top AUXILIARY + MAY ( objectGUID ) ) \ No newline at end of file
server/tests/test-data.ldif+49 −0 modified@@ -6,6 +6,7 @@ objectclass: organizationalunit dn: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test1 title: Test1 Title @@ -15,6 +16,7 @@ userPassword: Password1 dn: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test2 title: Test2 Title @@ -24,6 +26,7 @@ userPassword: Password1 dn: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test3 title: Test3 Title @@ -33,6 +36,7 @@ userPassword: Password1 dn: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test4 title: Test4 Title @@ -42,6 +46,7 @@ userPassword: Password1 dn: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test5 # No title to allow testing that path @@ -53,6 +58,7 @@ userPassword: Password1 dn: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: DevOps Engineer @@ -62,6 +68,7 @@ userPassword: Password1 dn: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev1 title: Senior Software Design Engineer @@ -71,6 +78,7 @@ userPassword: Password1 dn: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev2 title: Software Design Engineer || @@ -80,6 +88,7 @@ userPassword: Password1 dn: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: Software Design Engineer 
@@ -89,6 +98,7 @@ userPassword: Password1 dn: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev4 title: Staff Software Design Engineer @@ -100,6 +110,7 @@ userPassword: Password1 dn: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec1 title: CEO @@ -109,6 +120,7 @@ userPassword: Password1 dn: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec2 title: CTO @@ -120,6 +132,7 @@ userPassword: Password1 dn: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board1 title: Director @@ -129,6 +142,7 @@ userPassword: Password1 dn: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board2 title: Inside Director @@ -138,6 +152,7 @@ userPassword: Password1 dn: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board3 title: Outside Director @@ -147,6 +162,7 @@ userPassword: Password1 dn: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin1 mail: success+firstloginuser.one@simulator.amazonses.com @@ -155,6 +171,7 @@ userPassword: Password1 dn: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin2 mail: success+firstloginuser.two@simulator.amazonses.com 
@@ -165,85 +182,117 @@ changetype: add objectclass: organizationalunit # groupOfNames + +# groupOfNames with Base64 Encoded ObjectGUID dn: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: UcVUS/HonkGbqAAAAAAAAA== member: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com +# groupOfNames with Hex Separated ObjectGUID dn: cn=board,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00 member: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com +# groupOfNames with Binary Encoded ObjectGUID dn: cn=executive,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA== member: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=board,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-84,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: YB4aM/vJn0CfhQAAAAAAAA== member: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com member: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com dn: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: ZA9bHYy+n0KVlgAAAAAAAA== member: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: aS77A+eDnke+7AAAAAAAAA== member: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com # groupOfUniqueNames dn: cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: 
bThfVKmRn0S5mQAAAAAAAA== uniqueMember: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com dn: cn=ugroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: cEdgf5/JnkCZtQAAAAAAAA== uniqueMember: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=vgroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: dUvgN8VXnkC9EQAAAAAAAAA== uniqueMember: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com # Adds a group with a cycle dn: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: eXyMRG3BnUCJsQAAAAAAAA== uniqueMember: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: fM8fdh6MnUGsYQAAAAAAAA== uniqueMember: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: gI9GHKjnn0G7LQAAAAAAAAA== uniqueMember: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: hKDpuRd+nECFKwAAAAAAAA== uniqueMember: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com uniqueMember: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=firstlogingroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: iS3dxTuwnkC2MQAAAAAAAAA== 
uniqueMember: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com \ No newline at end of file
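Review bot: in the server/tests/test-data.ldif hunk at @@ -165,85 +182,117 @@, three of the new `objectGUID::` values (cn=vgroup `dUvgN8VXnkC9EQAAAAAAAAA==`, cn=team-two `gI9GHKjnn0G7LQAAAAAAAAA==`, cn=firstlogingroup `iS3dxTuwnkC2MQAAAAAAAAA==`) are 25 characters long, which is not a multiple of 4 and therefore not valid base64, while every other `::` value in the hunk is 24 characters and decodes to 16 bytes; unless a malformed GUID is the point of those three entries, drop the extra `A`, and if it is deliberate say so in a comment. In the same hunk the cn=executive entry is labelled "Binary Encoded ObjectGUID", yet `objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA==` uses the same `::` base64 form as the "Base64 Encoded" entry above it and decodes to 19 bytes rather than a 16-byte GUID, and the cn=board entry's single-colon `objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00` is stored by ldapadd as the literal 48-character ASCII string (LDIF does not interpret backslash escapes), not as 16 bytes; if these three shapes are intentional inputs for the new validation, the comments should state which case each one exercises.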
1f9c688a3084 MM-62930: Add validation of LDAP attribute values. (#30419) (#30820)
7 files changed · +76 −1
e2e-tests/.ci/server.prepare.sh+1 −0 modified@@ -55,6 +55,7 @@ for SERVICE in $ENABLED_DOCKER_SERVICES; do continue fi mme2e_log "Configuring the $SERVICE container" + ${MME2E_DC_SERVER} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' <../../server/tests/custom-schema-objectID.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest' <../../server/tests/test-data.ldif ;; minio)
.github/workflows/mmctl-test-template.yml+1 −0 modified@@ -49,6 +49,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
.github/workflows/server-test-template.yml+1 −0 modified@@ -41,6 +41,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test'; docker compose --ansi never ps
server/i18n/en.json+8 −0 modified@@ -8032,6 +8032,10 @@ "id": "ent.ldap.do_login.certificate.app_error", "translation": "Error loading LDAP TLS Certificate file." }, + { + "id": "ent.ldap.do_login.invalid_id", + "translation": "Invalid AD/LDAP Id" + }, { "id": "ent.ldap.do_login.invalid_password.app_error", "translation": "Invalid Password." @@ -8124,6 +8128,10 @@ "id": "ent.ldap_groups.groups_search_error", "translation": "error retrieving ldap groups" }, + { + "id": "ent.ldap_groups.invalid_ldap_id", + "translation": "Invalid AD/LDAP id" + }, { "id": "ent.ldap_groups.members_of_group_error", "translation": "error retrieving members of group"
server/Makefile+2 −1 modified@@ -224,7 +224,8 @@ else docker compose rm start_dependencies $(GO) run ./build/docker-compose-generator/main.go $(ENABLED_DOCKER_SERVICES) | docker compose -f docker-compose.makefile.yml -f /dev/stdin $(DOCKER_COMPOSE_OVERRIDE) run -T --rm start_dependencies ifneq (,$(findstring openldap,$(ENABLED_DOCKER_SERVICES))) - cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; + cat tests/custom-schema-objectID.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; + cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; endif ifneq (,$(findstring mysql-read-replica,$(ENABLED_DOCKER_SERVICES))) ./scripts/replica-mysql-config.sh
server/tests/custom-schema-objectID.ldif+14 −0 added@@ -0,0 +1,14 @@ +dn: cn=schema,cn=config +changetype: modify +add: olcAttributeTypes +olcAttributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' + DESC 'AD object GUID' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +- +add: olcObjectClasses +olcObjectClasses: ( 1.2.840.113556.1.5.256 NAME 'activeDSObject' + DESC 'Active Directory Schema Object' + SUP top AUXILIARY + MAY ( objectGUID ) ) \ No newline at end of file
server/tests/test-data.ldif+49 −0 modified@@ -6,6 +6,7 @@ objectclass: organizationalunit dn: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test1 title: Test1 Title @@ -15,6 +16,7 @@ userPassword: Password1 dn: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test2 title: Test2 Title @@ -24,6 +26,7 @@ userPassword: Password1 dn: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test3 title: Test3 Title @@ -33,6 +36,7 @@ userPassword: Password1 dn: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test4 title: Test4 Title @@ -42,6 +46,7 @@ userPassword: Password1 dn: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Test5 # No title to allow testing that path @@ -53,6 +58,7 @@ userPassword: Password1 dn: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: DevOps Engineer @@ -62,6 +68,7 @@ userPassword: Password1 dn: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev1 title: Senior Software Design Engineer @@ -71,6 +78,7 @@ userPassword: Password1 dn: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev2 title: Software Design Engineer || @@ -80,6 +88,7 @@ userPassword: Password1 dn: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev3 title: Software Design Engineer 
@@ -89,6 +98,7 @@ userPassword: Password1 dn: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Dev4 title: Staff Software Design Engineer @@ -100,6 +110,7 @@ userPassword: Password1 dn: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec1 title: CEO @@ -109,6 +120,7 @@ userPassword: Password1 dn: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Exec2 title: CTO @@ -120,6 +132,7 @@ userPassword: Password1 dn: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board1 title: Director @@ -129,6 +142,7 @@ userPassword: Password1 dn: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board2 title: Inside Director @@ -138,6 +152,7 @@ userPassword: Password1 dn: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: Board3 title: Outside Director @@ -147,6 +162,7 @@ userPassword: Password1 dn: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin1 mail: success+firstloginuser.one@simulator.amazonses.com @@ -155,6 +171,7 @@ userPassword: Password1 dn: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin2 mail: success+firstloginuser.two@simulator.amazonses.com 
@@ -165,85 +182,117 @@ changetype: add objectclass: organizationalunit # groupOfNames + +# groupOfNames with Base64 Encoded ObjectGUID dn: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: UcVUS/HonkGbqAAAAAAAAA== member: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com +# groupOfNames with Hex Separated ObjectGUID dn: cn=board,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00 member: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com +# groupOfNames with Binary Encoded ObjectGUID dn: cn=executive,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA== member: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=board,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-84,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: YB4aM/vJn0CfhQAAAAAAAA== member: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com member: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com dn: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: ZA9bHYy+n0KVlgAAAAAAAA== member: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: aS77A+eDnke+7AAAAAAAAA== member: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com # groupOfUniqueNames dn: cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: 
bThfVKmRn0S5mQAAAAAAAA== uniqueMember: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com dn: cn=ugroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: cEdgf5/JnkCZtQAAAAAAAA== uniqueMember: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=vgroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: dUvgN8VXnkC9EQAAAAAAAAA== uniqueMember: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com # Adds a group with a cycle dn: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: eXyMRG3BnUCJsQAAAAAAAA== uniqueMember: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: fM8fdh6MnUGsYQAAAAAAAA== uniqueMember: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: gI9GHKjnn0G7LQAAAAAAAAA== uniqueMember: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: hKDpuRd+nECFKwAAAAAAAA== uniqueMember: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com uniqueMember: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=firstlogingroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: iS3dxTuwnkC2MQAAAAAAAAA== 
uniqueMember: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com \ No newline at end of file
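Review bot: in the server/Makefile hunk, the re-added test-data line changes `$(DOCKER_COMPOSE_OVERRIDE)` to `${DOCKER_COMPOSE_OVERRIDE}` while the new schema line directly above it and the removed line both use `$(...)`; the two forms expand identically in Make, but keep one. In that hunk and in the two workflow hunks, `ldapadd -Y EXTERNAL -H ldapi:/// -w mostest` passes a bind password that SASL EXTERNAL over the local socket does not use, and the trailing `|| true` on the schema load, presumably there so a re-run against a container that already has the attribute does not fail, also hides a genuine schema error until the LDAP tests fail later; consider dropping `-w` and tolerating only the duplicate-definition case rather than every exit code.

Review bot: in the new server/tests/custom-schema-objectID.ldif, `1.2.840.113556.1.4.2 NAME 'objectGUID'` is the Active Directory attribute OID and fits the purpose, but `1.2.840.113556.1.5.256 NAME 'activeDSObject'` assigns a locally invented auxiliary class an OID under Microsoft's class arc; a private or experimental arc would avoid any clash with a real AD class definition. The file also lacks a trailing newline.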
77892234944b MM-62930: Add validation of LDAP attribute values. (#30419)
7 files changed · +75 −0
e2e-tests/.ci/server.prepare.sh+1 −0 modified@@ -55,6 +55,7 @@ for SERVICE in $ENABLED_DOCKER_SERVICES; do continue fi mme2e_log "Configuring the $SERVICE container" + ${MME2E_DC_SERVER} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' <../../server/tests/custom-schema-objectID.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true' < ../../server/tests/custom-schema-cpa.ldif ${MME2E_DC_SERVER} exec -T -- openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest' <../../server/tests/test-data.ldif ;;
.github/workflows/mmctl-test-template.yml+1 −0 modified@@ -49,6 +49,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/custom-schema-cpa.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test';
.github/workflows/server-test-template.yml+1 −0 modified@@ -41,6 +41,7 @@ jobs: run: | cd server/build docker compose --ansi never run --rm start_dependencies + cat ../tests/custom-schema-objectID.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/custom-schema-cpa.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat ../tests/test-data.ldif | docker compose --ansi never exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest'; docker compose --ansi never exec -T minio sh -c 'mkdir -p /data/mattermost-test';
server/i18n/en.json+8 −0 modified@@ -8056,6 +8056,10 @@ "id": "ent.ldap.do_login.certificate.app_error", "translation": "Error loading LDAP TLS Certificate file." }, + { + "id": "ent.ldap.do_login.invalid_id", + "translation": "Invalid AD/LDAP Id" + }, { "id": "ent.ldap.do_login.invalid_password.app_error", "translation": "Invalid Password." @@ -8156,6 +8160,10 @@ "id": "ent.ldap_groups.groups_search_error", "translation": "error retrieving ldap groups" }, + { + "id": "ent.ldap_groups.invalid_ldap_id", + "translation": "Invalid AD/LDAP id" + }, { "id": "ent.ldap_groups.members_of_group_error", "translation": "error retrieving members of group"
server/Makefile+1 −0 modified@@ -224,6 +224,7 @@ else docker compose rm start_dependencies $(GO) run ./build/docker-compose-generator/main.go $(ENABLED_DOCKER_SERVICES) | docker compose -f docker-compose.makefile.yml -f /dev/stdin $(DOCKER_COMPOSE_OVERRIDE) run -T --rm start_dependencies ifneq (,$(findstring openldap,$(ENABLED_DOCKER_SERVICES))) + cat tests/custom-schema-objectID.ldif | docker compose -f docker-compose.makefile.yml $(DOCKER_COMPOSE_OVERRIDE) exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat tests/custom-schema-cpa.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -Y EXTERNAL -H ldapi:/// -w mostest || true'; cat tests/${LDAP_DATA}-data.ldif | docker compose -f docker-compose.makefile.yml ${DOCKER_COMPOSE_OVERRIDE} exec -T openldap bash -c 'ldapadd -x -D "cn=admin,dc=mm,dc=test,dc=com" -w mostest || true'; endif
server/tests/custom-schema-objectID.ldif+14 −0 added@@ -0,0 +1,14 @@ +dn: cn=schema,cn=config +changetype: modify +add: olcAttributeTypes +olcAttributeTypes: ( 1.2.840.113556.1.4.2 NAME 'objectGUID' + DESC 'AD object GUID' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 + SINGLE-VALUE ) +- +add: olcObjectClasses +olcObjectClasses: ( 1.2.840.113556.1.5.256 NAME 'activeDSObject' + DESC 'Active Directory Schema Object' + SUP top AUXILIARY + MAY ( objectGUID ) ) \ No newline at end of file
server/tests/test-data.ldif+49 −0 modified@@ -6,6 +6,7 @@ objectclass: organizationalunit dn: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Test1 @@ -24,6 +25,7 @@ multiUserReferenceCustomAttribute: uid=test.four,ou=testusers,dc=mm,dc=test,dc=c dn: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Test2 @@ -42,6 +44,7 @@ multiUserReferenceCustomAttribute: uid=test.five,ou=testusers,dc=mm,dc=test,dc=c dn: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Test3 @@ -60,6 +63,7 @@ multiUserReferenceCustomAttribute: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc dn: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Test4 @@ -78,6 +82,7 @@ multiUserReferenceCustomAttribute: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com dn: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Test5 @@ -97,6 +102,7 @@ multiUserReferenceCustomAttribute: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Dev3 @@ -115,6 +121,7 @@ multiUserReferenceCustomAttribute: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=c dn: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Dev1 
@@ -133,6 +140,7 @@ multiUserReferenceCustomAttribute: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=co dn: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Dev2 @@ -151,6 +159,7 @@ multiUserReferenceCustomAttribute: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=co dn: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Dev3 @@ -169,6 +178,7 @@ multiUserReferenceCustomAttribute: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=co dn: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Dev4 @@ -188,6 +198,7 @@ multiUserReferenceCustomAttribute: uid=board.one,ou=testusers,dc=mm,dc=test,dc=c dn: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Exec1 @@ -206,6 +217,7 @@ multiUserReferenceCustomAttribute: uid=board.two,ou=testusers,dc=mm,dc=test,dc=c dn: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Exec2 @@ -225,6 +237,7 @@ multiUserReferenceCustomAttribute: uid=board.three,ou=testusers,dc=mm,dc=test,dc dn: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Board1 @@ -243,6 +256,7 @@ multiUserReferenceCustomAttribute: uid=firstloginuser.one,ou=testusers,dc=mm,dc= dn: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Board2 
@@ -261,6 +275,7 @@ multiUserReferenceCustomAttribute: uid=firstloginuser.two,ou=testusers,dc=mm,dc= dn: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject objectclass: customInetOrgPerson sn: User cn: Board3 @@ -273,6 +288,7 @@ dateCustomAttribute: 20240218020000Z dn: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin1 mail: success+firstloginuser.one@simulator.amazonses.com @@ -281,6 +297,7 @@ userPassword: Password1 dn: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com changetype: add objectclass: iNetOrgPerson +objectclass: activeDSObject sn: User cn: FirstLogin2 mail: success+firstloginuser.two@simulator.amazonses.com 
@@ -291,85 +308,117 @@ changetype: add objectclass: organizationalunit # groupOfNames + +# groupOfNames with Base64 Encoded ObjectGUID dn: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: UcVUS/HonkGbqAAAAAAAAA== member: uid=board.three,ou=testusers,dc=mm,dc=test,dc=com +# groupOfNames with Hex Separated ObjectGUID dn: cn=board,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID: \56\6d\95\5b\a8\9a\9c\42\a4\61\00\00\00\00\00\00 member: uid=board.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=board.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=outsiders,ou=testgroups,dc=mm,dc=test,dc=com +# groupOfNames with Binary Encoded ObjectGUID dn: cn=executive,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: EBYPDQ4NDAsKCQgHBgUEAwIBAA== member: uid=exec.one,ou=testusers,dc=mm,dc=test,dc=com member: uid=exec.two,ou=testusers,dc=mm,dc=test,dc=com member: cn=board,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-84,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: YB4aM/vJn0CfhQAAAAAAAA== member: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com member: uid=test.five,ou=testusers,dc=mm,dc=test,dc=com dn: cn=tgroup-9,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: ZA9bHYy+n0KVlgAAAAAAAA== member: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=tgroup-97,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfNames +objectclass: activeDSObject +objectGUID:: aS77A+eDnke+7AAAAAAAAA== member: uid=test.four,ou=testusers,dc=mm,dc=test,dc=com # groupOfUniqueNames dn: cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: 
bThfVKmRn0S5mQAAAAAAAA== uniqueMember: uid=test.one,ou=testusers,dc=mm,dc=test,dc=com dn: cn=ugroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: cEdgf5/JnkCZtQAAAAAAAA== uniqueMember: uid=test.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=vgroup,cn=tgroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: dUvgN8VXnkC9EQAAAAAAAAA== uniqueMember: uid=test.three,ou=testusers,dc=mm,dc=test,dc=com # Adds a group with a cycle dn: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: eXyMRG3BnUCJsQAAAAAAAA== uniqueMember: uid=dev.four,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: fM8fdh6MnUGsYQAAAAAAAA== uniqueMember: uid=dev.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=dev.three,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one-a,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: gI9GHKjnn0G7LQAAAAAAAAA== uniqueMember: uid=dev.two,ou=testusers,dc=mm,dc=test,dc=com dn: cn=developers,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: hKDpuRd+nECFKwAAAAAAAA== uniqueMember: uid=dev-ops.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: cn=team-one,ou=testgroups,dc=mm,dc=test,dc=com uniqueMember: cn=team-two,ou=testgroups,dc=mm,dc=test,dc=com dn: cn=firstlogingroup,ou=testgroups,dc=mm,dc=test,dc=com changetype: add objectclass: groupOfUniqueNames +objectclass: activeDSObject +objectGUID:: iS3dxTuwnkC2MQAAAAAAAAA== 
uniqueMember: uid=firstloginuser.one,ou=testusers,dc=mm,dc=test,dc=com uniqueMember: uid=firstloginuser.two,ou=testusers,dc=mm,dc=test,dc=com \ No newline at end of file
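Review bot: the server/i18n/en.json hunks add `ent.ldap.do_login.invalid_id` and `ent.ldap_groups.invalid_ldap_id`, but none of the seven files in this diff emits either message and no test in this diff exercises a group link request with a malformed id, so the validation named in the commit title cannot be reviewed from this change alone; link the companion change that adds the check (the `ent.` prefix suggests the enterprise LDAP module) and add a server test asserting that `PUT /api/v4/ldap/groups/{remote_id}/link` rejects an id carrying LDAP filter metacharacters. The two strings are also capitalised inconsistently ("Invalid AD/LDAP Id" vs "Invalid AD/LDAP id") and, unlike the neighbouring `ent.ldap.do_login.invalid_password.app_error`, omit the `.app_error` suffix used by the other error ids in the file.

Review bot: in the e2e-tests/.ci/server.prepare.sh hunk, the added `${MME2E_DC_SERVER} exec -T openldap bash -c ...` line omits the `--` separator that both existing `exec -T -- openldap` lines use; match the surrounding style.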
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4r67-4x4p-fprg
- nvd.nist.gov/vuln/detail/CVE-2025-4573
- github.com/mattermost/mattermost/commit/1f9c688a30847eeb7bfb1574dc7bbb9f011afbf7
- github.com/mattermost/mattermost/commit/64a65c6107877382040297b3ef215c689caaed74
- github.com/mattermost/mattermost/commit/77892234944bc7476b20794e516538bcac717de9
- github.com/mattermost/mattermost/commit/b33926709b956a59558cc7fef80c0e75a769ce81
- github.com/mattermost/mattermost/commit/b47e89c4f98cb6ad9f1dceb79325aa94e80f963a
- mattermost.com/security-updates