commit 6a093f405d5a7821bc3535913e8b65db87356238
Author: Florian Best
Date: Tue Jan 8 19:16:11 2019 +0100
Bug #39345: quote ldap base in URIs
diff --git a/base/univention-lib/python/misc.py b/base/univention-lib/python/misc.py
index 4ba8f0bbb2..6617bc4900 100644
--- a/base/univention-lib/python/misc.py
+++ b/base/univention-lib/python/misc.py
@@ -32,6 +32,7 @@ Univention Common Python Library
 import univention.config_registry
 import subprocess
+from urllib import quote
 def createMachinePassword():
@@ -80,7 +81,7 @@ def getLDAPURIs(configRegistryInstance=None):
 if ldap_server_addition:
 ldaphosts.extend(ldap_server_addition.split())
 if ldaphosts:
- urilist = ["ldap://%s:%s" % (host, port) for host in ldaphosts]
+ urilist = ["ldap://%s:%s" % (quote(host), quote(port)) for host in ldaphosts]
 uri_string = ' '.join(urilist)
 return uri_string
diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
index 3d7aecd147..9849ba080e 100644
--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
@@ -1,5 +1,6 @@
 @!@
 from univention.lib.misc import custom_username, custom_groupname
+from urllib import quote
 ldap_base = configRegistry['ldap/base']
 ldap_port = configRegistry['slapd/port']
@@ -10,7 +11,7 @@ users_default_administrator = custom_username('Administrator')
 print 'authz-regexp'
 print ' uid=([^,]*),cn=(gssapi|saml),cn=auth'
-print ' ldap:///%s??sub?uid=$1' % (ldap_base,)
+print ' ldap:///%s??sub?uid=$1' % (quote(ldap_base),)
 print
 print 'access to attrs=uid value=root by * none stop'
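Review bot: `quote(host)` in the rewritten `urilist` line percent-encodes `:`, `[` and `]`, so an IPv6 literal among `ldaphosts` would come out as an unusable host, while `/` passes through unchanged because it is `quote()`'s default safe character. Percent-encoding is also a poor fit for these two fields: a host with characters outside the hostname/address alphabet is better rejected than encoded, and `port` is better checked to be numeric. If encoding is kept, `quote(host, safe='[]:')` handles both cases. Whether `port` is always a string is not visible here, since its assignment and the start of `getLDAPURIs` lie outside the hunk.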
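Review bot: With its default arguments `quote(ldap_base)` also encodes `,` and `=`, so the `authz-regexp` line in the rendered slapd.conf carries the base in a form like `dc%3D...%2Cdc%3D...` and no longer matches a search for the base DN. Using `quote(ldap_base, safe=',=')` keeps the DN readable while still encoding `?`, `%` and whitespace, which are the characters that can change the URL or break the config line. The same applies to the `print` line added in the acl-slave template. A one-line comment above the call, saying that the base is percent-encoded because it lands in the DN part of an LDAP URL, would explain it to the next reader.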
diff --git a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
index 40bb6e3d7c..bfaef0a837 100644
--- a/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
+++ b/management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-slave
@@ -1,6 +1,9 @@
 authz-regexp
 uid=([^,]*),cn=(gssapi|saml),cn=auth
- ldap:///@%@ldap/base@%@??sub?uid=$1
+@!@
+from urllib import quote
+print '\tldap:///%s??sub?uid=$1' % (quote(configRegistry['ldap/base']),)
+@!@
 # allow authentication access to attrs=userPassword
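Review bot: The new `@!@` block replaces a plain variable substitution, and nothing in the template says why, so a later cleanup could turn it back into the unquoted form. A comment inside the block would prevent that, for example `# ldap/base goes into the DN part of an LDAP URL and must be percent-encoded; keep the quote() call`. The comment should not spell out the variable-substitution token itself, in case the template engine expands it inside the script block as well. The block also repeats the expression from the acl-master template; a small helper next to `custom_username` in `univention.lib.misc` would keep the two templates in step.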