KEYCLOAK-2507 All LDAP special DN characters should be escaped in LDAPDn

federation/ldap/src/main/java/org/keycloak/federation/ldap/idm/model/LDAPDn.java

@@ -23,6 +23,8 @@ import java.util.LinkedList;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import javax.naming.ldap.Rdn;
+
 /**
  * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
  */
@@ -127,7 +129,7 @@ public class LDAPDn {
     }
 
     public void addFirst(String rdnName, String rdnValue) {
-        rdnValue = escape(rdnValue);
+        rdnValue = Rdn.escapeValue(rdnValue);
         entries.addFirst(new Entry(rdnName, rdnValue));
     }
 
@@ -135,26 +137,6 @@ public class LDAPDn {
         entries.addLast(new Entry(rdnName, rdnValue));
     }
 
-    // Need to escape "john,dot" to be "john\,dot"
-    private String escape(String rdnValue) {
-        if (rdnValue.contains(",")) {
-            StringBuilder result = new StringBuilder();
-            boolean first = true;
-            for (String split : rdnValue.split(",")) {
-                if (!first) {
-                    result.append("\\,");
-                } else {
-                    first = false;
-                }
-                result.append(split);
-            }
-            return result.toString();
-        } else {
-            return rdnValue;
-        }
-    }
-
-
     private static class Entry {
         private final String attrName;
         private final String attrValue;

federation/ldap/src/test/java/org/keycloak/federation/ldap/idm/model/LDAPDnTest.java

@@ -31,9 +31,9 @@ public class LDAPDnTest {
         dn.addFirst("ou", "People");
         Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.toString());
 
-        dn.addFirst("uid", "Johny,Depp");
-        Assert.assertEquals("uid=Johny\\,Depp,ou=People,dc=keycloak,dc=org", dn.toString());
-        Assert.assertEquals(LDAPDn.fromString("uid=Johny\\,Depp,ou=People,dc=keycloak,dc=org"), dn);
+        dn.addFirst("uid", "Johny,Depp+Pepp");
+        Assert.assertEquals("uid=Johny\\,Depp\\+Pepp,ou=People,dc=keycloak,dc=org", dn.toString());
+        Assert.assertEquals(LDAPDn.fromString("uid=Johny\\,Depp\\+Pepp,ou=People,dc=keycloak,dc=org"), dn);
 
         Assert.assertEquals("ou=People,dc=keycloak,dc=org", dn.getParentDn());
 
@@ -44,6 +44,6 @@ public class LDAPDnTest {
         Assert.assertFalse(dn.isDescendantOf(dn));
 
         Assert.assertEquals("uid", dn.getFirstRdnAttrName());
-        Assert.assertEquals("Johny\\,Depp", dn.getFirstRdnAttrValue());
+        Assert.assertEquals("Johny\\,Depp\\+Pepp", dn.getFirstRdnAttrValue());
     }
 }

testsuite/integration/src/test/java/org/keycloak/testsuite/federation/ldap/base/FederationProvidersIntegrationTest.java

@@ -405,6 +405,9 @@ public class FederationProvidersIntegrationTest {
             if (!skip) {
                 LDAPObject johnComma = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john,comma", "John", "Comma", "johncomma@email.org", null, "12387");
                 FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnComma, "Password1");
+
+                LDAPObject johnPlus = FederationTestUtils.addLDAPUser(ldapFedProvider, appRealm, "john+plus,comma", "John", "Plus", "johnplus@email.org", null, "12387");
+                FederationTestUtils.updateLDAPPassword(ldapFedProvider, johnPlus, "Password1");
             }
         } finally {
             keycloakRule.stopSession(session, false);
@@ -413,6 +416,7 @@ public class FederationProvidersIntegrationTest {
         if (!skip) {
             // Try to import the user with comma in username into Keycloak
             loginSuccessAndLogout("john,comma", "Password1");
+            loginSuccessAndLogout("john+plus,comma", "Password1");
         }
     }