continuwuation/continuwuity
continuwuation/continuwuity
11
32
Fork 29
Code Issues 93 Pull requests 17 Releases 19 Packages 4 Activity Actions

LDAP users can have broken MXIDs #1129

New issue
Open
opened 2025-10-17 22:00:51 +00:00 by Clubs · 2 comments
Clubs commented 2025-10-17 22:00:51 +00:00
Copy link

When using an LDAP provider, which supplies Continuwuity with a name that contains unusable characters, they are added to the database and the user can somewhat use their client, until the point that it conflicts with other users and servers trying to interact with that user.

Example setup:

  • A server running Authentik, which connects to Continuwuity to provide LDAP services
  • The Authentik server allows a user to have the display name !$%^&*# @ (including the space between the # and the @)
  • A Continuwuity server running with these LDAP configurations:
[global.ldap]
enable = true
ldap_only = true
uri = "ldap://<address and port>"
base_dn = "dc=ldap,dc=goauthentik,dc=io"
bind_dn = "cn=<ldap user>,ou=users,dc=ldap,dc=goauthentik,dc=io"
bind_password_file = "<password path>"
uid_attribute = "name"
name_attribute = "displayName"
  • An unmodified version of the Cinny client

With that setup, that user can log in with their password, and once logged in will be shown that they have the following handle: @!$%^&*# @:bearware.dev (including the space).

So far I've found that users containing invalid characters can still do most of the basic tasks if a client can parse it. Cinny's autocomplete will allow the user to send invites and receive invites (though they show up as unknown instead of their username). It will also try to autocomplete for things like @s, but attempting to mention a user with those characters in their username tends to result in it appearing like a clickable link, with results depending on where the characters are in the game. While most chat functions work, if you dont have a client's autocomplete or search functions, it makes it almost impossible to properly invite a user, including with the use of chat commands. The user can also federate (at least, with other continuwuity servers) without extra issue. Neither log from the Continuwuity server shows any output from any of these actions

When using an LDAP provider, which supplies Continuwuity with a name that contains unusable characters, they are added to the database and the user can somewhat use their client, until the point that it conflicts with other users and servers trying to interact with that user. Example setup: - A server running Authentik, which connects to Continuwuity to provide LDAP services - The Authentik server allows a user to have the display name `!$%^&*# @` (including the space between the # and the @) - A Continuwuity server running with these LDAP configurations: ``` [global.ldap] enable = true ldap_only = true uri = "ldap://<address and port>" base_dn = "dc=ldap,dc=goauthentik,dc=io" bind_dn = "cn=<ldap user>,ou=users,dc=ldap,dc=goauthentik,dc=io" bind_password_file = "<password path>" uid_attribute = "name" name_attribute = "displayName" ``` - An unmodified version of the Cinny client With that setup, that user can log in with their password, and once logged in will be shown that they have the following handle: `@!$%^&*# @:bearware.dev` (including the space). So far I've found that users containing invalid characters can still do most of the basic tasks if a client can parse it. Cinny's autocomplete will allow the user to send invites and receive invites (though they show up as unknown instead of their username). It will also try to autocomplete for things like @s, but attempting to mention a user with those characters in their username tends to result in it appearing like a clickable link, with results depending on where the characters are in the game. While most chat functions work, if you dont have a client's autocomplete or search functions, it makes it almost impossible to properly invite a user, including with the use of chat commands. The user can also federate (at least, with other continuwuity servers) without extra issue. Neither log from the Continuwuity server shows any output from any of these actions
nex commented 2025-10-17 22:03:17 +00:00
Owner
Copy link

Those are technically legal user IDs, although I'm not sure the check that is normally run should be allowed to bypass for LDAP registrations

Those are [technically legal user IDs](https://spec.matrix.org/v1.16/appendices/#historical-user-ids), although I'm not sure the check that is normally run should be allowed to bypass for LDAP registrations
Clubs commented 2025-10-17 22:08:13 +00:00
Author
Copy link

Ah gotcha, I didn't see that the section for historic IDs, good to know. From my perspective using LDAP here, it definitely feels unexpected that the check doesnt run like it would otherwise if you use LDAP, though my usage of LDAP is pretty limited

Ah gotcha, I didn't see that the section for historic IDs, good to know. From my perspective using LDAP here, it definitely feels unexpected that the check doesnt run like it would otherwise if you use LDAP, though my usage of LDAP is pretty limited
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
renovate/lock-file-maintenance
renovate/rand-0.x
renovate/opentelemetry-rust-monorepo
renovate/axum-monorepo
jade/flake-clone
nex/fix/event-auth
renovate/rust-patch-updates
ginger/upload-rpms-on-schedule
nex/fix/incoming-fetch
nex/fix/upgrade
tom/ci-fedora-rpm
nex/fed-improvements
jade/ci-release-fix
jade/rocksdb-10-5
illegal-car-mods
ginger/fix-msc4133-migration
ginger/migrate-busted-tz
hydra/public
tom/max-perf-docs
nex/feat/manual-extremities
nex/feat/async-media
nex/feat/fast-joins-hack-do-not-use-DO-NOT-USE
nex/feat/better-logging
trigger-ci-so-latest-isnt-on-illegal-car-mods
nex/feat/pins-backfill
jade/tuwunel-2025-06-old
jade/ai-slop-db-docs
nex/fix-create-auth
jade/version-stats
jade/read-receipts
dahsa_uwu/axum-0.8
jade/rust-toolchain-no-targets
jade/logging-features
jade/syncv5-typing
jade/msc2815
jade/relations
jade/purge-sync-tokens
morguldir/see-eye
jade/css-small-screen
nex/wip-751
tuwunel-rebase
test
oddlid/rename-admin-room-bot
strawberry/nix-ci-stuff
strawberry/valgrind
strawberry/morgs-snake-sync-jason-main
newer-media-endpoints
folly-coroutines-async-io
federation-retry-timer-port
bad-attempt-at-extracting-homeserver-signing-key
room-deletion-attempt-do-not-use
v0.5.0-rc.8
v0.5.0-rc.7
v0.5.0-rc.6
v0.5.0-rc.5
v0.5.0-rc4
v0.5.0-rc3
v0.5.0-rc2
v0.5.0-rc
v0.4.7-rc
v0.4.6
v0.4.6-rc
v0.4.5-rc
v0.4.5
v0.4.4
v0.4.3
v0.4.2
v0.4.1
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
Labels
Clear labels   
Bug

Something isn't working as intended

  
Cherry-picking

Commits picked from other conduit projects

  
Database

This requires or includes changes to the database

  
Dependencies

Something dependency related

  
Dependencies/Renovate

Automatic dependency upgrades by Renovate

  
Difficulty
Easy
Low difficulty to implement - touches few parts of the codebase, low complexity

  
Difficulty
Hard
High difficulty to implement - touches many parts of the codebase, high complexity

  
Difficulty
Medium
Medium difficulty to implement - touches more parts of the codebase, higher complexity

  
Documentation

Improvements or additions to documentation

  
Enhancement

New feature or request

  
Good first issue

Good for newcomers

  
Help wanted

Additional eyes and keyboards are required for this one

  
Inherited

Issues that have been inhereted from the project pre-fork

  
Matrix/Administration

Features pertaining to homeserver administration

  
Matrix/Appservices

Features pertaining to the appservice API

  
Matrix/Auth

Features pertaining to authentication

  
Matrix/Client

Features pertaining to client-to-server interactions

  
Matrix/Core

Issues relating to core matrix functionality, such as state resolution and PDU formats

  
Matrix/Federation

Features pertaining to server-to-server interactions

  
Matrix/Hydra

Issues related to room version 12 and related changes (temporary label)

  
Matrix/MSC

Features pertaining to unstable matrix features

  
Matrix/Media

Features pertaining to media interactions

  
Meta

Related to housekeeping, maintenance, or other repo-meta.

  
Meta/CI

Issues related to CI changes

  
Meta/Packaging

Packaging

  
Priority
Blocking
This issue is blocking the next release

  
Priority
High
This issue is very important

  
Priority
Low
This issue is of a rather low priority

  
Security

This item is related to general security

  
Status/Blocked

This pull request or issue is currently blocked from being merged/closed

  
Status
Confirmed
This issue has enough information and is confirmed

  
Status
Duplicate
This issue or pull request already exists

  
Status
Invalid
This issue doesn't seem right

  
Status
Needs Investigation
This issue needs further investigation

  
To-Merge

   
Wont fix

This will not be worked on

  
old/ci/cd

Ci/CD

Archived

  
old/rust

Pull requests that update Rust code

Archived

No labels
Bug
Cherry-picking
Database
Dependencies
Dependencies/Renovate
Difficulty
Easy
Difficulty
Hard
Difficulty
Medium
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/Federation
Matrix/Hydra
Matrix/MSC
Matrix/Media
Meta
Meta/CI
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status/Blocked
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
To-Merge
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
continuwuation/continuwuity#1129
No description provided.