github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[PR #20159] [CLOSED] fix(ldap): enable placeholder substitution in LDAP search filters #25484

New Issue
Closed
opened 2026-04-20 05:57:26 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-20 05:57:26 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/20159
Author: @polaz
Created: 12/24/2025
Status: Closed

Base: mainHead: fix/ldap-search-filter-placeholder

📝 Commits (1)

  • 9192b34 fix(ldap): enable placeholder substitution in LDAP search filters

📊 Changes

1 file changed (+13 additions, -1 deletions)

View changed files

📝 backend/open_webui/routers/auths.py (+13 -1)

📄 Description

Summary

This PR fixes the LDAP search filter placeholder substitution issue discussed in #16760.

The LDAP search filter configuration now properly supports placeholder variables that get substituted with the actual username during authentication:

  • %s - replaced with the escaped username
  • %(user)s - replaced with the escaped username

Problem

Previously, if a user configured the LDAP search filter to use placeholders like (uid=%s), these placeholders were never substituted with the actual username. The filter was concatenated as-is, resulting in malformed LDAP queries and "User not found" errors.

Solution

Added placeholder substitution logic before constructing the LDAP search filter:

  1. Extract and escape the username using escape_filter_chars() (already done but now reused)
  2. Replace %(user)s placeholders with the escaped username
  3. Replace %s placeholders with the escaped username
  4. Use the processed filter in the LDAP search

Examples

Now users can create complex LDAP filters like:

  • (uid=%s) - simple user lookup
  • (&(objectClass=person)(memberOf=cn=allowed-users,ou=groups,dc=example,dc=com)(uid=%s)) - lookup with group membership restriction

Security

The username is properly escaped using escape_filter_chars() before substitution to prevent LDAP injection attacks.

Testing

  • Tested with %s placeholder
  • Tested with %(user)s placeholder
  • Tested without any placeholders (backward compatibility)
  • Verified LDAP injection prevention with special characters

Fixes #16760

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/20159 **Author:** [@polaz](https://github.com/polaz) **Created:** 12/24/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/ldap-search-filter-placeholder` --- ### 📝 Commits (1) - [`9192b34`](https://github.com/open-webui/open-webui/commit/9192b34659ed3d92208bca96b8548ba3933162a7) fix(ldap): enable placeholder substitution in LDAP search filters ### 📊 Changes **1 file changed** (+13 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/auths.py` (+13 -1) </details> ### 📄 Description ## Summary This PR fixes the LDAP search filter placeholder substitution issue discussed in #16760. The LDAP search filter configuration now properly supports placeholder variables that get substituted with the actual username during authentication: - `%s` - replaced with the escaped username - `%(user)s` - replaced with the escaped username ## Problem Previously, if a user configured the LDAP search filter to use placeholders like `(uid=%s)`, these placeholders were never substituted with the actual username. The filter was concatenated as-is, resulting in malformed LDAP queries and "User not found" errors. ## Solution Added placeholder substitution logic before constructing the LDAP search filter: 1. Extract and escape the username using `escape_filter_chars()` (already done but now reused) 2. Replace `%(user)s` placeholders with the escaped username 3. Replace `%s` placeholders with the escaped username 4. Use the processed filter in the LDAP search ## Examples Now users can create complex LDAP filters like: - `(uid=%s)` - simple user lookup - `(&(objectClass=person)(memberOf=cn=allowed-users,ou=groups,dc=example,dc=com)(uid=%s))` - lookup with group membership restriction ## Security The username is properly escaped using `escape_filter_chars()` before substitution to prevent LDAP injection attacks. ## Testing - [ ] Tested with `%s` placeholder - [ ] Tested with `%(user)s` placeholder - [ ] Tested without any placeholders (backward compatibility) - [ ] Verified LDAP injection prevention with special characters Fixes #16760 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-20 05:57:26 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#25484
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?