fix: authenticate LDAP via actual DN instead of normalized DN (#19805)

fix: authenticate LDAP via actual DN instead of normalized DN Normalized DN is only for internal representation, not for external communication, any communication to LDAP must be based on actual user DN. LDAP servers do not understand normalized DN. fixes #19757
2025-11-07 12:52:58 -05:00 · 2024-05-25 06:43:06 -07:00
parent 7d75b1e758
commit 597a785253
11 changed files with 118 additions and 20 deletions
--- a/cmd/sftp-server.go
+++ b/cmd/sftp-server.go
@@ -248,8 +248,9 @@ func startSFTPServer(args []string) {
 						return nil, errAuthentication
 					}
 					criticalOptions := map[string]string{
-						ldapUser:  targetUser,
-						ldapUserN: c.User(),
+						ldapUser:       targetUser,
+						ldapActualUser: lookupResult.ActualDN,
+						ldapUserN:      c.User(),
 					}
 					for attribKey, attribValue := range lookupResult.Attributes {
 						// we skip multi-value attributes here, as they cannot