build(deps): bump github.com/go-ldap/ldap/v3 from 3.4.6 to 3.4.7

Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.6 to 3.4.7.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](https://github.com/go-ldap/ldap/compare/v3.4.6...v3.4.7)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.12
 	github.com/go-chi/cors v1.2.1
 	github.com/go-chi/render v1.0.3
-	github.com/go-ldap/ldap/v3 v3.4.6
+	github.com/go-ldap/ldap/v3 v3.4.7
 	github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3
 	github.com/go-micro/plugins/v4/client/grpc v1.2.1
 	github.com/go-micro/plugins/v4/logger/zerolog v1.2.0

go.sum

@@ -842,8 +842,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8VM1Kc9e19TLln2VL61YJF0x1XFtfdL4JdbSyE=
-github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 h1:Kk6a4nehpJ3UuJRqlA3JxYxBZEqCeOmATOvrbT4p9RA=
-github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHcQQP0w=
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
 github.com/aliyun/alibaba-cloud-sdk-go v1.61.976/go.mod h1:pUKYbK5JQ+1Dfxk80P0qxGqe5dkxDoabbZS7zOcouyA=
@@ -1179,8 +1179,8 @@ github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBj
 github.com/go-latex/latex v0.0.0-20210118124228-b3d85cf34e07/go.mod h1:CO1AlKB2CSIqUrmQPqA0gdRIlnLEY0gK5JGjh37zN5U=
 github.com/go-latex/latex v0.0.0-20210823091927-c0d11ff05a81/go.mod h1:SX0U8uGpxhq9o2S/CELCSUxEWWAuoCUcVCQWv7G2OCk=
 github.com/go-ldap/ldap/v3 v3.1.7/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
-github.com/go-ldap/ldap/v3 v3.4.6 h1:ert95MdbiG7aWo/oPYp9btL3KJlMPKnP58r09rI8T+A=
-github.com/go-ldap/ldap/v3 v3.4.6/go.mod h1:IGMQANNtxpsOzj7uUAMjpGBaOVTC4DYyIy8VsTdxmtc=
+github.com/go-ldap/ldap/v3 v3.4.7 h1:3Hbd7mIB1qjd3Ra59fI3JYea/t5kykFu2CVHBca9koE=
+github.com/go-ldap/ldap/v3 v3.4.7/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3 h1:sfz1YppV05y4sYaW7kXZtrocU/+vimnIWt4cxAYh7+o=
 github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3/go.mod h1:ZXFhGda43Z2TVbfGZefXyMJzsDHhCh0go3bZUcwTx7o=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
@@ -1403,7 +1403,6 @@ github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
@@ -1451,6 +1450,8 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/schema v1.2.0 h1:YufUaxZYCKGFuAq3c96BOhjgd5nmXiOY9NGzF247Tsc=
 github.com/gorilla/schema v1.2.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
@@ -1543,6 +1544,18 @@ github.com/infobloxopen/infoblox-go-client v1.1.1/go.mod h1:BXiw7S2b9qJoM8MS40vf
 github.com/jarcoal/httpmock v1.0.6/go.mod h1:ATjnClrvW/3tijVmpL/va5Z3aAyGvqU3gCT8nX0Txik=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jellydator/ttlcache/v2 v2.11.1 h1:AZGME43Eh2Vv3giG6GeqeLeFXxwxn1/qHItqWZl6U64=
 github.com/jellydator/ttlcache/v2 v2.11.1/go.mod h1:RtE5Snf0/57e+2cLWFYWCCsLas2Hy3c5Z4n14XmSvTI=
 github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE=
@@ -2161,13 +2174,14 @@ golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
+golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
 golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45I=
 golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -2312,6 +2326,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@@ -2494,6 +2510,8 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@@ -2510,8 +2528,9 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.19.0 h1:+ThwsDv+tYfnJFhF4L8jITxu1tdTWRTZpdsWgEgjL6Q=
 golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

vendor/github.com/go-ldap/ldap/v3/conn.go

@@ -143,7 +143,8 @@ func DialWithTLSConfig(tc *tls.Config) DialOpt {
 
 // DialWithTLSDialer is a wrapper for DialWithTLSConfig with the option to
 // specify a net.Dialer to for example define a timeout or a custom resolver.
-// @deprecated Use DialWithDialer and DialWithTLSConfig instead
+//
+// Deprecated:  Use DialWithDialer and DialWithTLSConfig instead
 func DialWithTLSDialer(tlsConfig *tls.Config, dialer *net.Dialer) DialOpt {
 	return func(dc *DialContext) {
 		dc.tlsConfig = tlsConfig
@@ -195,7 +196,8 @@ func (dc *DialContext) dial(u *url.URL) (net.Conn, error) {
 
 // Dial connects to the given address on the given network using net.Dial
 // and then returns a new Conn for the connection.
-// @deprecated Use DialURL instead.
+//
+// Deprecated:  Use DialURL instead.
 func Dial(network, addr string) (*Conn, error) {
 	c, err := net.DialTimeout(network, addr, DefaultTimeout)
 	if err != nil {
@@ -208,7 +210,8 @@ func Dial(network, addr string) (*Conn, error) {
 
 // DialTLS connects to the given address on the given network using tls.Dial
 // and then returns a new Conn for the connection.
-// @deprecated Use DialURL instead.
+//
+// Deprecated:  Use DialURL instead.
 func DialTLS(network, addr string, config *tls.Config) (*Conn, error) {
 	c, err := tls.DialWithDialer(&net.Dialer{Timeout: DefaultTimeout}, network, addr, config)
 	if err != nil {
@@ -262,7 +265,12 @@ func NewConn(conn net.Conn, isTLS bool) *Conn {
 	return l
 }
 
-// Start initializes goroutines to read responses and process messages
+// Start initialises goroutines to read replies and process messages.
+//
+// Deprecated: It is usually not necessary to call this function
+// manually. It is public for compatibility reasons and may
+// cause a race condition when processing messages.
+// See: https://github.com/go-ldap/ldap/issues/356
 func (l *Conn) Start() {
 	go l.reader()
 	go l.processMessages()

vendor/github.com/go-ldap/ldap/v3/control.go

@@ -635,7 +635,7 @@ type ControlDirSync struct {
 	Cookie       []byte
 }
 
-// @deprecated Use NewRequestControlDirSync instead
+// Deprecated:  Use NewRequestControlDirSync instead
 func NewControlDirSync(flags int64, maxAttrCount int64, cookie []byte) *ControlDirSync {
 	return NewRequestControlDirSync(flags, maxAttrCount, cookie)
 }

vendor/github.com/go-ldap/ldap/v3/dn.go

@@ -1,14 +1,14 @@
 package ldap
 
 import (
-	"bytes"
-	enchex "encoding/hex"
+	"encoding/hex"
 	"errors"
 	"fmt"
+	ber "github.com/go-asn1-ber/asn1-ber"
 	"sort"
 	"strings"
-
-	ber "github.com/go-asn1-ber/asn1-ber"
+	"unicode"
+	"unicode/utf8"
 )
 
 // AttributeTypeAndValue represents an attributeTypeAndValue from https://tools.ietf.org/html/rfc4514
@@ -19,62 +19,45 @@ type AttributeTypeAndValue struct {
 	Value string
 }
 
-// String returns a normalized string representation of this attribute type and
-// value pair which is the a lowercased join of the Type and Value with a "=".
-func (a *AttributeTypeAndValue) String() string {
-	return strings.ToLower(a.Type) + "=" + a.encodeValue()
+func (a *AttributeTypeAndValue) setType(str string) error {
+	result, err := decodeString(str)
+	if err != nil {
+		return err
+	}
+	a.Type = result
+
+	return nil
 }
 
-func (a *AttributeTypeAndValue) encodeValue() string {
-	// Normalize the value first.
-	// value := strings.ToLower(a.Value)
-	value := a.Value
+func (a *AttributeTypeAndValue) setValue(s string) error {
+	// https://www.ietf.org/rfc/rfc4514.html#section-2.4
+	// If the AttributeType is of the dotted-decimal form, the
+	// AttributeValue is represented by an number sign ('#' U+0023)
+	// character followed by the hexadecimal encoding of each of the octets
+	// of the BER encoding of the X.500 AttributeValue.
+	if len(s) > 0 && s[0] == '#' {
+		decodedString, err := decodeEncodedString(s[1:])
+		if err != nil {
+			return err
+		}
 
-	encodedBuf := bytes.Buffer{}
+		a.Value = decodedString
+		return nil
+	} else {
+		decodedString, err := decodeString(s)
+		if err != nil {
+			return err
+		}
 
-	escapeChar := func(c byte) {
-		encodedBuf.WriteByte('\\')
-		encodedBuf.WriteByte(c)
+		a.Value = decodedString
+		return nil
 	}
+}
 
-	escapeHex := func(c byte) {
-		encodedBuf.WriteByte('\\')
-		encodedBuf.WriteString(enchex.EncodeToString([]byte{c}))
-	}
-
-	for i := 0; i < len(value); i++ {
-		char := value[i]
-		if i == 0 && char == ' ' || char == '#' {
-			// Special case leading space or number sign.
-			escapeChar(char)
-			continue
-		}
-		if i == len(value)-1 && char == ' ' {
-			// Special case trailing space.
-			escapeChar(char)
-			continue
-		}
-
-		switch char {
-		case '"', '+', ',', ';', '<', '>', '\\':
-			// Each of these special characters must be escaped.
-			escapeChar(char)
-			continue
-		}
-
-		if char < ' ' || char > '~' {
-			// All special character escapes are handled first
-			// above. All bytes less than ASCII SPACE and all bytes
-			// greater than ASCII TILDE must be hex-escaped.
-			escapeHex(char)
-			continue
-		}
-
-		// Any other character does not require escaping.
-		encodedBuf.WriteByte(char)
-	}
-
-	return encodedBuf.String()
+// String returns a normalized string representation of this attribute type and
+// value pair which is the lowercase join of the Type and Value with a "=".
+func (a *AttributeTypeAndValue) String() string {
+	return encodeString(foldString(a.Type), false) + "=" + encodeString(a.Value, true)
 }
 
 // RelativeDN represents a relativeDistinguishedName from https://tools.ietf.org/html/rfc4514
@@ -108,114 +91,218 @@ func (d *DN) String() string {
 	return strings.Join(rdns, ",")
 }
 
+func stripLeadingAndTrailingSpaces(inVal string) string {
+	noSpaces := strings.Trim(inVal, " ")
+
+	// Re-add the trailing space if it was an escaped space
+	if len(noSpaces) > 0 && noSpaces[len(noSpaces)-1] == '\\' && inVal[len(inVal)-1] == ' ' {
+		noSpaces = noSpaces + " "
+	}
+
+	return noSpaces
+}
+
+// Remove leading and trailing spaces from the attribute type and value
+// and unescape any escaped characters in these fields
+//
+// decodeString is based on https://github.com/inteon/cert-manager/blob/ed280d28cd02b262c5db46054d88e70ab518299c/pkg/util/pki/internal/dn.go#L170
+func decodeString(str string) (string, error) {
+	s := []rune(stripLeadingAndTrailingSpaces(str))
+
+	builder := strings.Builder{}
+	for i := 0; i < len(s); i++ {
+		char := s[i]
+
+		// If the character is not an escape character, just add it to the
+		// builder and continue
+		if char != '\\' {
+			builder.WriteRune(char)
+			continue
+		}
+
+		// If the escape character is the last character, it's a corrupted
+		// escaped character
+		if i+1 >= len(s) {
+			return "", fmt.Errorf("got corrupted escaped character: '%s'", string(s))
+		}
+
+		// If the escaped character is a special character, just add it to
+		// the builder and continue
+		switch s[i+1] {
+		case ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\\':
+			builder.WriteRune(s[i+1])
+			i++
+			continue
+		}
+
+		// If the escaped character is not a special character, it should
+		// be a hex-encoded character of the form \XX if it's not at least
+		// two characters long, it's a corrupted escaped character
+		if i+2 >= len(s) {
+			return "", errors.New("failed to decode escaped character: encoding/hex: invalid byte: " + string(s[i+1]))
+		}
+
+		// Get the runes for the two characters after the escape character
+		// and convert them to a byte slice
+		xx := []byte(string(s[i+1 : i+3]))
+
+		// If the two runes are not hex characters and result in more than
+		// two bytes when converted to a byte slice, it's a corrupted
+		// escaped character
+		if len(xx) != 2 {
+			return "", errors.New("failed to decode escaped character: invalid byte: " + string(xx))
+		}
+
+		// Decode the hex-encoded character and add it to the builder
+		dst := []byte{0}
+		if n, err := hex.Decode(dst, xx); err != nil {
+			return "", errors.New("failed to decode escaped character: " + err.Error())
+		} else if n != 1 {
+			return "", fmt.Errorf("failed to decode escaped character: encoding/hex: expected 1 byte when un-escaping, got %d", n)
+		}
+
+		builder.WriteByte(dst[0])
+		i += 2
+	}
+
+	return builder.String(), nil
+}
+
+// Escape a string according to RFC 4514
+func encodeString(value string, isValue bool) string {
+	builder := strings.Builder{}
+
+	escapeChar := func(c byte) {
+		builder.WriteByte('\\')
+		builder.WriteByte(c)
+	}
+
+	escapeHex := func(c byte) {
+		builder.WriteByte('\\')
+		builder.WriteString(hex.EncodeToString([]byte{c}))
+	}
+
+	// Loop through each byte and escape as necessary.
+	// Runes that take up more than one byte are escaped
+	// byte by byte (since both bytes are non-ASCII).
+	for i := 0; i < len(value); i++ {
+		char := value[i]
+		if i == 0 && (char == ' ' || char == '#') {
+			// Special case leading space or number sign.
+			escapeChar(char)
+			continue
+		}
+		if i == len(value)-1 && char == ' ' {
+			// Special case trailing space.
+			escapeChar(char)
+			continue
+		}
+
+		switch char {
+		case '"', '+', ',', ';', '<', '>', '\\':
+			// Each of these special characters must be escaped.
+			escapeChar(char)
+			continue
+		}
+
+		if !isValue && char == '=' {
+			// Equal signs have to be escaped only in the type part of
+			// the attribute type and value pair.
+			escapeChar(char)
+			continue
+		}
+
+		if char < ' ' || char > '~' {
+			// All special character escapes are handled first
+			// above. All bytes less than ASCII SPACE and all bytes
+			// greater than ASCII TILDE must be hex-escaped.
+			escapeHex(char)
+			continue
+		}
+
+		// Any other character does not require escaping.
+		builder.WriteByte(char)
+	}
+
+	return builder.String()
+}
+
+func decodeEncodedString(str string) (string, error) {
+	decoded, err := hex.DecodeString(str)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode BER encoding: %w", err)
+	}
+
+	packet, err := ber.DecodePacketErr(decoded)
+	if err != nil {
+		return "", fmt.Errorf("failed to decode BER encoding: %w", err)
+	}
+
+	return packet.Data.String(), nil
+}
+
 // ParseDN returns a distinguishedName or an error.
 // The function respects https://tools.ietf.org/html/rfc4514
 func ParseDN(str string) (*DN, error) {
-	dn := new(DN)
-	dn.RDNs = make([]*RelativeDN, 0)
-	rdn := new(RelativeDN)
-	rdn.Attributes = make([]*AttributeTypeAndValue, 0)
-	buffer := bytes.Buffer{}
-	attribute := new(AttributeTypeAndValue)
-	escaping := false
-
-	unescapedTrailingSpaces := 0
-	stringFromBuffer := func() string {
-		s := buffer.String()
-		s = s[0 : len(s)-unescapedTrailingSpaces]
-		buffer.Reset()
-		unescapedTrailingSpaces = 0
-		return s
+	var dn = &DN{RDNs: make([]*RelativeDN, 0)}
+	if strings.TrimSpace(str) == "" {
+		return dn, nil
 	}
 
+	var (
+		rdn                   = &RelativeDN{}
+		attr                  = &AttributeTypeAndValue{}
+		escaping              bool
+		startPos              int
+		appendAttributesToRDN = func(end bool) {
+			rdn.Attributes = append(rdn.Attributes, attr)
+			attr = &AttributeTypeAndValue{}
+			if end {
+				dn.RDNs = append(dn.RDNs, rdn)
+				rdn = &RelativeDN{}
+			}
+		}
+	)
+
+	// Loop through each character in the string and
+	// build up the attribute type and value pairs.
+	// We only check for ascii characters here, which
+	// allows us to iterate over the string byte by byte.
 	for i := 0; i < len(str); i++ {
 		char := str[i]
 		switch {
 		case escaping:
-			unescapedTrailingSpaces = 0
 			escaping = false
-			switch char {
-			case ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\\':
-				buffer.WriteByte(char)
-				continue
+		case char == '\\':
+			escaping = true
+		case char == '=' && len(attr.Type) == 0:
+			if err := attr.setType(str[startPos:i]); err != nil {
+				return nil, err
 			}
-			// Not a special character, assume hex encoded octet
-			if len(str) == i+1 {
-				return nil, errors.New("got corrupted escaped character")
+			startPos = i + 1
+		case char == ',' || char == '+' || char == ';':
+			if len(attr.Type) == 0 {
+				return dn, errors.New("incomplete type, value pair")
+			}
+			if err := attr.setValue(str[startPos:i]); err != nil {
+				return nil, err
 			}
 
-			dst := []byte{0}
-			n, err := enchex.Decode([]byte(dst), []byte(str[i:i+2]))
-			if err != nil {
-				return nil, fmt.Errorf("failed to decode escaped character: %s", err)
-			} else if n != 1 {
-				return nil, fmt.Errorf("expected 1 byte when un-escaping, got %d", n)
-			}
-			buffer.WriteByte(dst[0])
-			i++
-		case char == '\\':
-			unescapedTrailingSpaces = 0
-			escaping = true
-		case char == '=' && attribute.Type == "":
-			attribute.Type = stringFromBuffer()
-			// Special case: If the first character in the value is # the
-			// following data is BER encoded so we can just fast forward
-			// and decode.
-			if len(str) > i+1 && str[i+1] == '#' {
-				i += 2
-				index := strings.IndexAny(str[i:], ",+")
-				var data string
-				if index > 0 {
-					data = str[i : i+index]
-				} else {
-					data = str[i:]
-				}
-				rawBER, err := enchex.DecodeString(data)
-				if err != nil {
-					return nil, fmt.Errorf("failed to decode BER encoding: %s", err)
-				}
-				packet, err := ber.DecodePacketErr(rawBER)
-				if err != nil {
-					return nil, fmt.Errorf("failed to decode BER packet: %s", err)
-				}
-				buffer.WriteString(packet.Data.String())
-				i += len(data) - 1
-			}
-		case char == ',' || char == '+' || char == ';':
-			// We're done with this RDN or value, push it
-			if len(attribute.Type) == 0 {
-				return nil, errors.New("incomplete type, value pair")
-			}
-			attribute.Value = stringFromBuffer()
-			rdn.Attributes = append(rdn.Attributes, attribute)
-			attribute = new(AttributeTypeAndValue)
-			if char == ',' || char == ';' {
-				dn.RDNs = append(dn.RDNs, rdn)
-				rdn = new(RelativeDN)
-				rdn.Attributes = make([]*AttributeTypeAndValue, 0)
-			}
-		case char == ' ' && buffer.Len() == 0:
-			// ignore unescaped leading spaces
-			continue
-		default:
-			if char == ' ' {
-				// Track unescaped spaces in case they are trailing and we need to remove them
-				unescapedTrailingSpaces++
-			} else {
-				// Reset if we see a non-space char
-				unescapedTrailingSpaces = 0
-			}
-			buffer.WriteByte(char)
+			startPos = i + 1
+			last := char == ',' || char == ';'
+			appendAttributesToRDN(last)
 		}
 	}
-	if buffer.Len() > 0 {
-		if len(attribute.Type) == 0 {
-			return nil, errors.New("DN ended with incomplete type, value pair")
-		}
-		attribute.Value = stringFromBuffer()
-		rdn.Attributes = append(rdn.Attributes, attribute)
-		dn.RDNs = append(dn.RDNs, rdn)
+
+	if len(attr.Type) == 0 {
+		return dn, errors.New("DN ended with incomplete type, value pair")
 	}
+
+	if err := attr.setValue(str[startPos:]); err != nil {
+		return dn, err
+	}
+	appendAttributesToRDN(true)
+
 	return dn, nil
 }
 
@@ -348,3 +435,34 @@ func (r *RelativeDN) hasAllAttributesFold(attrs []*AttributeTypeAndValue) bool {
 func (a *AttributeTypeAndValue) EqualFold(other *AttributeTypeAndValue) bool {
 	return strings.EqualFold(a.Type, other.Type) && strings.EqualFold(a.Value, other.Value)
 }
+
+// foldString returns a folded string such that foldString(x) == foldString(y)
+// is identical to bytes.EqualFold(x, y).
+// based on https://go.dev/src/encoding/json/fold.go
+func foldString(s string) string {
+	builder := strings.Builder{}
+	for _, char := range s {
+		// Handle single-byte ASCII.
+		if char < utf8.RuneSelf {
+			if 'A' <= char && char <= 'Z' {
+				char += 'a' - 'A'
+			}
+			builder.WriteRune(char)
+			continue
+		}
+
+		builder.WriteRune(foldRune(char))
+	}
+	return builder.String()
+}
+
+// foldRune is returns the smallest rune for all runes in the same fold set.
+func foldRune(r rune) rune {
+	for {
+		r2 := unicode.SimpleFold(r)
+		if r2 <= r {
+			return r
+		}
+		r = r2
+	}
+}

vendor/github.com/go-ldap/ldap/v3/error.go

@@ -1,6 +1,7 @@
 package ldap
 
 import (
+	"errors"
 	"fmt"
 
 	ber "github.com/go-asn1-ber/asn1-ber"
@@ -241,8 +242,8 @@ func IsErrorAnyOf(err error, codes ...uint16) bool {
 		return false
 	}
 
-	serverError, ok := err.(*Error)
-	if !ok {
+	var serverError *Error
+	if !errors.As(err, &serverError) {
 		return false
 	}
 

vendor/github.com/go-ldap/ldap/v3/ldap.go

@@ -314,8 +314,6 @@ func DebugBinaryFile(fileName string) error {
 	return nil
 }
 
-var hex = "0123456789abcdef"
-
 func mustEscape(c byte) bool {
 	return c > 0x7f || c == '(' || c == ')' || c == '\\' || c == '*' || c == 0
 }
@@ -324,6 +322,7 @@ func mustEscape(c byte) bool {
 // characters in the set `()*\` and those out of the range 0 < c < 0x80,
 // as defined in RFC4515.
 func EscapeFilter(filter string) string {
+	const hexValues = "0123456789abcdef"
 	escape := 0
 	for i := 0; i < len(filter); i++ {
 		if mustEscape(filter[i]) {
@@ -338,8 +337,8 @@ func EscapeFilter(filter string) string {
 		c := filter[i]
 		if mustEscape(c) {
 			buf[j+0] = '\\'
-			buf[j+1] = hex[c>>4]
-			buf[j+2] = hex[c&0xf]
+			buf[j+1] = hexValues[c>>4]
+			buf[j+2] = hexValues[c&0xf]
 			j += 3
 		} else {
 			buf[j] = c

vendor/github.com/go-ldap/ldap/v3/response.go

@@ -98,13 +98,12 @@ func (r *searchResponse) start(ctx context.Context, searchRequest *SearchRequest
 
 		foundSearchSingleResultDone := false
 		for !foundSearchSingleResultDone {
+			r.conn.Debug.Printf("%d: waiting for response", msgCtx.id)
 			select {
 			case <-ctx.Done():
 				r.conn.Debug.Printf("%d: %s", msgCtx.id, ctx.Err().Error())
 				return
-			default:
-				r.conn.Debug.Printf("%d: waiting for response", msgCtx.id)
-				packetResponse, ok := <-msgCtx.responses
+			case packetResponse, ok := <-msgCtx.responses:
 				if !ok {
 					err := NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
 					r.ch <- &SearchSingleResult{Error: err}

vendor/github.com/go-ldap/ldap/v3/search.go

@@ -18,6 +18,9 @@ const (
 	ScopeBaseObject   = 0
 	ScopeSingleLevel  = 1
 	ScopeWholeSubtree = 2
+	// ScopeChildren is an OpenLDAP extension that may not be supported by another directory server.
+	// See: https://github.com/openldap/openldap/blob/7c55484ee153047efd0e562fc1638c1a2525f320/include/ldap.h#L598
+	ScopeChildren = 3
 )
 
 // ScopeMap contains human readable descriptions of scope choices
@@ -25,6 +28,7 @@ var ScopeMap = map[int]string{
 	ScopeBaseObject:   "Base Object",
 	ScopeSingleLevel:  "Single Level",
 	ScopeWholeSubtree: "Whole Subtree",
+	ScopeChildren:     "Children",
 }
 
 // derefAliases
@@ -43,6 +47,10 @@ var DerefMap = map[int]string{
 	DerefAlways:         "DerefAlways",
 }
 
+// ErrSizeLimitExceeded will be returned if the search result is exceeding the defined SizeLimit
+// and enforcing the requested limit is enabled in the search request (EnforceSizeLimit)
+var ErrSizeLimitExceeded = NewError(ErrorNetwork, errors.New("ldap: size limit exceeded"))
+
 // NewEntry returns an Entry object with the specified distinguished name and attribute key-value pairs.
 // The map of attributes is accessed in alphabetical order of the keys in order to ensure that, for the
 // same input map of attributes, the output entry will contain the same order of attributes
@@ -187,8 +195,8 @@ func readTag(f reflect.StructField) (string, bool) {
 // Unmarshal parses the Entry in the value pointed to by i
 //
 // Currently, this methods only supports struct fields of type
-// string, []string, int, int64, []byte, *DN, []*DN or time.Time. Other field types
-// will not be regarded. If the field type is a string or int but multiple
+// string, *string, []string, int, int64, []byte, *DN, []*DN or time.Time.
+// Other field types will not be regarded. If the field type is a string or int but multiple
 // attribute values are returned, the first value will be used to fill the field.
 //
 // Example:
@@ -279,6 +287,8 @@ func (e *Entry) Unmarshal(i interface{}) (err error) {
 			}
 		case string:
 			fv.SetString(values[0])
+		case *string:
+			fv.Set(reflect.ValueOf(&values[0]))
 		case []byte:
 			fv.SetBytes([]byte(values[0]))
 		case int, int64:
@@ -308,7 +318,7 @@ func (e *Entry) Unmarshal(i interface{}) (err error) {
 				fv.Set(reflect.Append(fv, reflect.ValueOf(dn)))
 			}
 		default:
-			return fmt.Errorf("ldap: expected field to be of type string, []string, int, int64, []byte, *DN, []*DN or time.Time, got %v", ft.Type)
+			return fmt.Errorf("ldap: expected field to be of type string, *string, []string, int, int64, []byte, *DN, []*DN or time.Time, got %v", ft.Type)
 		}
 	}
 	return
@@ -411,6 +421,11 @@ type SearchRequest struct {
 	Filter       string
 	Attributes   []string
 	Controls     []Control
+
+	// EnforceSizeLimit will hard limit the maximum number of entries parsed, in case the directory
+	// server returns more results than requested. This setting is disabled by default and does not
+	// work in async search requests.
+	EnforceSizeLimit bool
 }
 
 func (req *SearchRequest) appendTo(envelope *ber.Packet) error {
@@ -558,6 +573,12 @@ func (l *Conn) Search(searchRequest *SearchRequest) (*SearchResult, error) {
 
 		switch packet.Children[1].Tag {
 		case 4:
+			if searchRequest.EnforceSizeLimit &&
+				searchRequest.SizeLimit > 0 &&
+				len(result.Entries) >= searchRequest.SizeLimit {
+				return result, ErrSizeLimitExceeded
+			}
+
 			entry := &Entry{
 				DN:         packet.Children[1].Children[0].Value.(string),
 				Attributes: unpackAttributes(packet.Children[1].Children[1].Children),

vendor/modules.txt

@@ -904,7 +904,7 @@ github.com/go-jose/go-jose/v4/json
 ## explicit; go 1.17
 github.com/go-kit/log
 github.com/go-kit/log/level
-# github.com/go-ldap/ldap/v3 v3.4.6
+# github.com/go-ldap/ldap/v3 v3.4.7
 ## explicit; go 1.14
 github.com/go-ldap/ldap/v3
 # github.com/go-ldap/ldif v0.0.0-20200320164324-fd88d9b715b3