Ldap password bindpw cannot contain #

[antoinetran]

Hi,

I have a ldap password that contains "#". In this case, I have a

Error: Invalid credentials for XXX

Analysis:
The code https://github.com/jirutka/ssh-ldap-pubkey/blob/master/ssh_ldap_pubkey/config.py transforms the config /etc/ldap.conf into a dict. This convenient method:
re.match(r'^(\w+)\s+([^#]+)', line)
reject all comments after "#". Eg:
binddn cn=XXX # exemple of comment to ignore

However this also make impossible to use a password with "#" inside. Eg:
bindpw abcd#efg
will set a bindpw to abcd.

If we want both the ability to add comment at the end of a configuration line, and the ability to add "#" in password, we should make the bindpw a special parsing. I do not see another way.

[jirutka]

Hi,
we may do similar to what the POSIX shell does – interpret # as the start of comment only when it’s preceded by whitespace.

However, it seems that ldap.conf(5) does not permit trailing comments, so perhaps the right way is to interpret # as a comment only when /^\s*#/.

[antoinetran]

Can Ldap contain space as password? Is "password #" a valid password?

[jirutka]

Most likely it can.