incubator-openmeetings-user mailing list archives

From "Benoit Vautrin" <Benoit.Vaut...@trw.com>
Subject Re: Rép. : Re: AW: Username in ldap authentication is case sensitive
Date Wed, 25 Jan 2012 13:51:23 GMT
Hi,

I've tested your new code (by downloading the nightly build). I have
added the option in my ldap config file:
ldap_use_lower_case=yes

When I try to log in without enforcing lower/upper case as it is in my
ldap directory, see the error below:

-------------------------------------------------------------------------------------
 WARN 01-25 14:25:03.012 MainService.java 135125 320
org.openmeetings.app.remote.MainService [NioProcessor-3] - loginUser:
d308a786fd74abf52609b39222d8f8c5 xXXXXXx
DEBUG 01-25 14:25:03.013 MainService.java 135126 331
org.openmeetings.app.remote.MainService [NioProcessor-3] - Ldap Login
DEBUG 01-25 14:25:03.018 LdapLoginManagement.java 135131 217
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
LdapLoginmanagement.doLdapLogin
DEBUG 01-25 14:25:03.019 LdapLoginManagement.java 135132 173
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
LdapLoginmanagement.getLdapConfigData
DEBUG 01-25 14:25:03.019 LdapLoginManagement.java 135132 192
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
LdapLoginmanagement.readConfig :
/home/openmeet/red5/webapps/openmeetings/conf/om_XXXXX_ldap.cfg
DEBUG 01-25 14:25:03.020 LdapLoginManagement.java 135133 113
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
isValidAuthType
DEBUG 01-25 14:25:03.021 LdapLoginManagement.java 135134 348
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
Searching userdata with LDAP Search Filter :(uid=xXXXXXx)
DEBUG 01-25 14:25:03.024 LdapAuthBase.java 135137 66
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - LdapAuthBase
DEBUG 01-25 14:25:03.024 LdapLoginManagement.java 135137 359
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
authenticating admin...
DEBUG 01-25 14:25:03.025 LdapAuthBase.java 135138 83
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -
authenticateUser
DEBUG 01-25 14:25:03.026 LdapAuthBase.java 135139 99
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -

Authentification to LDAP - Server start
DEBUG 01-25 14:25:03.026 LdapAuthBase.java 135139 133
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -
loginToLdapServer
DEBUG 01-25 14:25:03.871 LdapLoginManagement.java 135984 362
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] -
Checking server type...
DEBUG 01-25 14:25:03.872 LdapLoginManagement.java 135985 366
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LDAP
server is OpenLDAP
DEBUG 01-25 14:25:03.872 LdapLoginManagement.java 135985 367
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LDAP
search base: OU=XXXXXX,O=XXX
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 83
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -
authenticateUser
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 99
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -

Authentification to LDAP - Server start
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 133
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -
loginToLdapServer
ERROR 01-25 14:25:05.025 LdapAuthBase.java 137138 105
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -

Authentification on LDAP Server failed : [LDAP: error code 34 - Invalid
DN Syntax]
ERROR 01-25 14:25:05.033 LdapAuthBase.java 137146 106
org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] -
[Authentification on LDAP Server failed]
javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN
Syntax]
------------------------------------------------------------------------------------------------

When I use the exact correct username as it is in my ldap directory, I
have an error message box: "Unknow error. Please report this to the
administrator".
In the log I can see that the ldap authentication is working properly.
I see another error:
-----------------------------------------------------------------------------------------------
DEBUG 01-25 14:41:40.697 Usermanagement.java 1132810 988
org.openmeetings.app.data.user.Usermanagement [NioProcessor-3] - Added
user-Id null
DEBUG 01-25 14:41:40.698 LdapLoginManagement.java 1132811 678
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - User
Created!
DEBUG 01-25 14:41:40.699 LdapLoginManagement.java 1132812 684
org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - Adding
user '-111' to organization '1'
DEBUG 01-25 14:41:40.700 Organisationmanagement.java 1132813 493
org.openmeetings.app.data.user.Organisationmanagement [NioProcessor-3] -
getOrganisation_UserByUserAndOrganisation -111  1
 INFO 01-25 14:41:40.703 UsersDaoImpl.java 1132816 55
org.openmeetings.app.data.user.dao.UsersDaoImpl [NioProcessor-3] -
[getUser] Info: No USER_ID given
ERROR 01-25 14:41:40.707 Organisationmanagement.java 1132820 485
org.openmeetings.app.data.user.Organisationmanagement [NioProcessor-3] -
[addUserToOrganisation]
java.lang.NullPointerException: null
------------------------------------------------------------------------------------------------

Regards

Benoit

>>> "Benoit Vautrin" <Benoit.Vautrin@trw.com> 24/01/2012 14:34 >>>
Hi,

I've not been able to use SVN yet. I plan to wait for the nightly build and
test tomorrow morning ...

I would like to explain myself much better :-(
In my example:
in my ldap server, username = TotoA
if I use " TotoA " in the OM login window, the bind request is correct
" DN=CN=TotoA,ou=users,o=corp "
if I use " totoa" in the login window, the bind request is not correct
" DN=totoa "

After your modifications this morning, the username will always be in
lowercase (this is what we want), but I guess the result will be the
same... a wrong ldap request without OU=, O= ?
I don't understand what lines 377 to 382 are doing ... Is it possible
that, if the IF condition (line 379) is not true, the ldap request will be
only DN=user ???

But OK, let me test your new code tomorrow morning and I will tell you
what I see on the network interface...

Thank you very much,

Benoit


>>> "seba.wagner@gmail.com" <seba.wagner@gmail.com> 24/01/2012 14:06 >>>
Hi Benoit,

sorry I don't get it now. What version of OpenMeetings are you
testing?

*when i did a request without respecting uppercase/lowercase*
=> Why should TotoA be automatically lowercased?! Did you check out the
OpenMeetings SVN version from the Apache Repository, testing the new
feature that I have committed 2 hours ago?

Sebastian

2012/1/24 Benoit Vautrin <Benoit.Vautrin@trw.com>

> Hi Sebastian,
>
> So maybe the problem is somewhere else ... I did some packet network
> capture:
> when I did a request with the exact username (respecting
> uppercase/lowercase) the bind request is " DN=CN=TotoA,ou=users,o=corp "
> (so it works and I can log in)
> when I did a request without respecting uppercase/lowercase the bind
> request is " DN=totoa " and my ldap server answers: InvalidSyntax (I'm
> not able to log in)
>
> Maybe there is something wrong when the ldap request is built? (around
> line 377 ???)
>
> http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapLoginManagement.java?revision=1235166&view=markup
>
> Benoit
>
> >>> "seba.wagner@gmail.com" <seba.wagner@gmail.com> 24/01/2012 13:38 >>>
> So to sum up:
> All the option does is to convert the username to lowercase, expecting
> your ldap server to either ignore the upper/lowercase or actually having
> the names really in lowercase in ldap.
>
> Sebastian
>
> 2012/1/24 seba.wagner@gmail.com <seba.wagner@gmail.com>
>
> > No I don't convert anything like that, there is no such possibility, I
> > don't get any user from LDAP.
> > All I do is search the LDAP Server for a user, if the ldap_use_lower_case
> > is true, the user that searches the LDAP server is transformed to
> > lowercase.
> > OpenMeetings itself will also use the lowercase username internally for
> > that user if that option is set to true.
> >
> > I cannot influence the way the ldap server itself compares the strings.
> > Maybe there is an ignoreCase setting in the LDAP server.
> > However, actually OpenMeetings does no string comparison of Users and
> > matches to results, it's the other way round: The username is taken and an
> > LDAP search is started with that username.
> > Line 353 the ldap_search_base is defined with the specified user from the
> > login.
> >
> > And in
> > http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapAuthBase.java?view=markup
> > Line 82 you can see how the user+pwd is sent to LDAP to authenticate.
> >
> > I cannot find any "equals" method that compares LDAP user to usernames of
> > OpenMeetings, as there is none.
> >
> > Sebastian
> >
> >
> > 2012/1/24 Benoit Vautrin <Benoit.Vautrin@trw.com>
> >
> >> Hi Sebastian,
> >>
> >> I'm not a good developer but I try to understand your new code. If the
> >> new param ldap_use_lower_case is added to the config file, you convert
> >> to lower case the value filled in by users in the Openmeetings login
> >> window? Am I right?
> >>
> >> But I don't see where you also convert to lower case the answer of the
> >> ldap request (username field only of course) ... To be sure both strings
> >> will be the same.
> >> Maybe I've not seen it.
> >>
> >> Thank you very much for your quick answers on issues, that's really
> >> great!
> >>
> >> Regards.
> >>
> >> Benoit
> >>
> >> >>> "seba.wagner@gmail.com" <seba.wagner@gmail.com> 24/01/2012 09:51 >>>
> >> I've resolved the issue:
> >>
> >> there is a new param ldap_use_lower_case that you can add in the
> >> config file.
> >> If the param is true, the username is converted to lowercase before
> >> validating the username.
> >> This has no effect on how the password is verified.
> >>
> >> https://issues.apache.org/jira/browse/OPENMEETINGS-27?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
> >>
> >> Sebastian
> >>
> >> 2012/1/23 Jeff Schoby <ssrjazz@gmail.com>
> >>
> >> > LDAP usernames, as I understand it, should be case insensitive.
> >> > On Jan 23, 2012 3:19 PM, "Norbert Haag" <norbert@noahidenations.com>
> >> > wrote:
> >> >
> >> >> Quite frankly I think that this behavior is not an issue but a
> >> >> feature. Unix systems have a strict distinction between caps and
> >> >> non-caps for a good reason. So please don't change that "issue" but try
> >> >> to educate users, that ABC does not equal Abc does not equal aBc etc.
> >> >>
> >> >> Cheers
> >> >>
> >> >> -----Original Message-----
> >> >> From: BBS Technik [mailto:dormitilla@gmx.de]
> >> >> Sent: Monday, 23 January 2012 17:30
> >> >> To: openmeetings-user@incubator.apache.org
> >> >> Subject: Re: Username in ldap authentication is case sensitive
> >> >>
> >> >> Hi,
> >> >> I did also run into this problem and I would be happy if this issue
> >> >> could be resolved.
> >> >> At the moment we have to instruct our users, but we often have
> >> >> helpdesk requests.
> >> >>
> >> >> Greetings
> >> >> Ed
> >> >>
> >> >> -------- Original Message --------
> >> >> > Date: Mon, 23 Jan 2012 10:08:19 +0100
> >> >> > From: "Benoit Vautrin" <Benoit.Vautrin@trw.com>
> >> >> > To: openmeetings-user@incubator.apache.org
> >> >> > Subject: Username in ldap authentication is case sensitive
> >> >>
> >> >> > Hi guys,
> >> >> >
> >> >> > I would like to know if some of you have already run into this
> >> >> > problem:
> >> >> > Authentication using the OpenLDAP option checks the exact 'username'
> >> >> > string between the ldap answer and the username field in the
> >> >> > authentication message box. So, for example, if your ldap username
> >> >> > attribute contains "TotoA" and the user keys in "totoa", the
> >> >> > application returns: Invalid Username.
> >> >> >
> >> >> > I think most authentication systems are case sensitive only for
> >> >> > the password, not for the username.
> >> >> >
> >> >> > The code checking for ldap authentication in Openmeetings is there:
> >> >> > http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapLoginManagement.java
> >> >> >
> >> >> > Sebastian has proposed this solution:
> >> >> > "we could add an option "ignoreUpperLowerCase" to the ldap
> >> >> > configuration.
> >> >> > Making it generally "ignore" would need verification on ADS,
> >> >> > OpenLDAP et cetera how they behave regarding upper/lowercase."
> >> >> > I've opened this ticket:
> >> >> > https://issues.apache.org/jira/browse/OPENMEETINGS-27
> >> >> > Please vote for it if you are interested in changing the way the
> >> >> > username is managed.
> >> >> >
> >> >> > Have a nice day.
> >> >> >
> >> >> > Benoit
> >> >> >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >> --
> >> Sebastian Wagner
> >> http://www.openmeetings.de 
> >> http://incubator.apache.org/openmeetings/ 
> >> http://www.webbase-design.de 
> >> http://www.wagner-sebastian.com 
> >> seba.wagner@gmail.com 
> >>
> >
> >
> >
> > --
> > Sebastian Wagner
> > http://www.openmeetings.de 
> > http://incubator.apache.org/openmeetings/ 
> > http://www.webbase-design.de 
> > http://www.wagner-sebastian.com 
> > seba.wagner@gmail.com 
> >
>
>
>
> --
> Sebastian Wagner
> http://www.openmeetings.de 
> http://incubator.apache.org/openmeetings/ 
> http://www.webbase-design.de 
> http://www.wagner-sebastian.com 
> seba.wagner@gmail.com 
>



-- 
Sebastian Wagner
http://www.openmeetings.de 
http://incubator.apache.org/openmeetings/ 
http://www.webbase-design.de 
http://www.wagner-sebastian.com 
seba.wagner@gmail.com
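
The search-then-bind flow discussed in this thread, as an added example (not OpenMeetings code): the login name is used only as a search key, the bind DN is taken from the directory's answer, and a search without exactly one match ends the login instead of submitting the bare name as a DN. The class name, the in-memory DIRECTORY map and the caseIgnore flag are assumptions that stand in for a real LDAP search.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class SearchThenBind {
    // Constructed sample directory: uid as stored -> entry DN (values from the thread's example).
    static final Map<String, String> DIRECTORY = Map.of("TotoA", "CN=TotoA,ou=users,o=corp");

    // Stand-in for the LDAP search step; caseIgnore models the server's matching rule for uid.
    static List<String> search(String uid, boolean caseIgnore) {
        List<String> dns = new ArrayList<>();
        for (Map.Entry<String, String> e : DIRECTORY.entrySet()) {
            boolean hit = caseIgnore ? e.getKey().equalsIgnoreCase(uid) : e.getKey().equals(uid);
            if (hit) dns.add(e.getValue());
        }
        return dns;
    }

    // Returns the DN to bind with, or empty when the login must be refused before any bind.
    static Optional<LdapName> resolveBindDn(String login, boolean lowerCase, boolean caseIgnore) {
        // Locale.ROOT keeps the lowercasing independent of the server's default locale.
        String uid = lowerCase ? login.toLowerCase(Locale.ROOT) : login;
        List<String> dns = search(uid, caseIgnore);
        if (dns.size() != 1) return Optional.empty();      // no match or ambiguous: fail closed
        try {
            return Optional.of(new LdapName(dns.get(0)));  // DN comes from the directory, not the login field
        } catch (InvalidNameException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        System.out.println("exact name, case-exact server:  " + resolveBindDn("TotoA", false, false));
        System.out.println("lowercased, case-exact server:  " + resolveBindDn("totoa", true, false));
        System.out.println("lowercased, case-ignore server: " + resolveBindDn("TOTOA", true, true));
        try {
            new LdapName("totoa");  // what a bind with the bare login name would submit
        } catch (InvalidNameException e) {
            System.out.println("bare login name is not a DN: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for Map.of.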
