From: "Benoit Vautrin"
Date: Wed, 25 Jan 2012 14:51:23 +0100
Subject: Re: Rép. : Re: AW: Username in ldap authentication is case sensitive

Hi,

I've tested your new code (by downloading the nightly build).
I have added the option in my ldap config file:

ldap_use_lower_case=yes

When I try to log in without enforcing lower/upper case as it is in my ldap directory, see the error below:

-------------------------------------------------------------------------------------
WARN 01-25 14:25:03.012 MainService.java 135125 320 org.openmeetings.app.remote.MainService [NioProcessor-3] - loginUser: d308a786fd74abf52609b39222d8f8c5 xXXXXXx
DEBUG 01-25 14:25:03.013 MainService.java 135126 331 org.openmeetings.app.remote.MainService [NioProcessor-3] - Ldap Login
DEBUG 01-25 14:25:03.018 LdapLoginManagement.java 135131 217 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LdapLoginmanagement.doLdapLogin
DEBUG 01-25 14:25:03.019 LdapLoginManagement.java 135132 173 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LdapLoginmanagement.getLdapConfigData
DEBUG 01-25 14:25:03.019 LdapLoginManagement.java 135132 192 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LdapLoginmanagement.readConfig : /home/openmeet/red5/webapps/openmeetings/conf/om_XXXXX_ldap.cfg
DEBUG 01-25 14:25:03.020 LdapLoginManagement.java 135133 113 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - isValidAuthType
DEBUG 01-25 14:25:03.021 LdapLoginManagement.java 135134 348 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - Searching userdata with LDAP Search Filter :(uid=xXXXXXx)
DEBUG 01-25 14:25:03.024 LdapAuthBase.java 135137 66 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - LdapAuthBase
DEBUG 01-25 14:25:03.024 LdapLoginManagement.java 135137 359 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - authenticating admin...
DEBUG 01-25 14:25:03.025 LdapAuthBase.java 135138 83 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - authenticateUser
DEBUG 01-25 14:25:03.026 LdapAuthBase.java 135139 99 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - Authentification to LDAP - Server start
DEBUG 01-25 14:25:03.026 LdapAuthBase.java 135139 133 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - loginToLdapServer
DEBUG 01-25 14:25:03.871 LdapLoginManagement.java 135984 362 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - Checking server type...
DEBUG 01-25 14:25:03.872 LdapLoginManagement.java 135985 366 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LDAP server is OpenLDAP
DEBUG 01-25 14:25:03.872 LdapLoginManagement.java 135985 367 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - LDAP search base: OU=XXXXXX,O=XXX
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 83 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - authenticateUser
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 99 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - Authentification to LDAP - Server start
DEBUG 01-25 14:25:04.147 LdapAuthBase.java 136260 133 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - loginToLdapServer
ERROR 01-25 14:25:05.025 LdapAuthBase.java 137138 105 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - Authentification on LDAP Server failed : [LDAP: error code 34 - Invalid DN Syntax]
ERROR 01-25 14:25:05.033 LdapAuthBase.java 137146 106 org.openmeetings.app.ldap.LdapAuthBase [NioProcessor-3] - [Authentification on LDAP Server failed] javax.naming.InvalidNameException: [LDAP: error code 34 - Invalid DN Syntax]
-------------------------------------------------------------------------------------

When I use the exact correct username as it is in my ldap directory I have
an Error message box: "Unknow error. Please report this to the administrator".
In the log I can see that the ldap authentication is working properly. I see another error:

-------------------------------------------------------------------------------------
DEBUG 01-25 14:41:40.697 Usermanagement.java 1132810 988 org.openmeetings.app.data.user.Usermanagement [NioProcessor-3] - Added user-Id null
DEBUG 01-25 14:41:40.698 LdapLoginManagement.java 1132811 678 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - User Created!
DEBUG 01-25 14:41:40.699 LdapLoginManagement.java 1132812 684 org.openmeetings.app.ldap.LdapLoginManagement [NioProcessor-3] - Adding user '-111' to organization '1'
DEBUG 01-25 14:41:40.700 Organisationmanagement.java 1132813 493 org.openmeetings.app.data.user.Organisationmanagement [NioProcessor-3] - getOrganisation_UserByUserAndOrganisation -111 1
INFO 01-25 14:41:40.703 UsersDaoImpl.java 1132816 55 org.openmeetings.app.data.user.dao.UsersDaoImpl [NioProcessor-3] - [getUser] Info: No USER_ID given
ERROR 01-25 14:41:40.707 Organisationmanagement.java 1132820 485 org.openmeetings.app.data.user.Organisationmanagement [NioProcessor-3] - [addUserToOrganisation] java.lang.NullPointerException: null
-------------------------------------------------------------------------------------

Regards

Benoit

>>> "Benoit Vautrin" 24/01/2012 14:34 >>>
Hi,

I've not been able to use SVN yet. I plan to wait for the nightly build and test tomorrow morning ...

I would like to explain myself much better :-(

in my example:
in my ldap server, username = TotoA
if I use " TotoA " in the OM login window, the bind request is correct " DN=CN=TotoA,ou=users,o=corp "
if I use " totoa" in the login window, the bind request is not correct " DN=totoa "

After your modifications this morning, the username will always be in lowercase (this is what we want), but I guess the result will be the same... a wrong ldap request without OU=, O= ?
I don't understand what lines 377 to 382 are doing ... Is it possible that if the IF condition (line 379) is not true the ldap request will be only DN=user ???

But ok, let me test your new code tomorrow morning and I will tell you what I see on the network interface...

Thank you very much,

Benoit

>>> "seba.wagner@gmail.com" 24/01/2012 14:06 >>>
Hi Benoit,

sorry I don't get it now. What version of OpenMeetings are you testing?

*when I did a request without respecting uppercase/lowercase*
=> Why should TotoA be automatically lowercased?!

Did you check out the OpenMeetings SVN version from the Apache Repository, testing the new feature that I have committed 2 hours ago?

Sebastian

2012/1/24 Benoit Vautrin

> Hi Sebastian,
>
> So maybe the problem is somewhere else ... I did some packet network
> capture:
> when I did a request with the exact username (respecting
> uppercase/lowercase) the bind request is " DN=CN=TotoA,ou=users,o=corp "
> (so it works and I can login)
> when I did a request without respecting uppercase/lowercase the bind
> request is " DN=totoa " and my ldap server answers: InvalidSyntax (I'm
> not able to login)
>
> Maybe this is something wrong when the ldap request is built? (around
> line 377 ???)
>
> http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapLoginManagement.java?revision=1235166&view=markup
>
> Benoit
>
> >>> "seba.wagner@gmail.com" 24/01/2012 13:38 >>>
> So to sum up:
> All the option does is to convert the username to lowercase, expecting
> your ldap server to either ignore the upper/lowercase or actually having
> the names really in lowercase in ldap.
>
> Sebastian
>
> 2012/1/24 seba.wagner@gmail.com
>
> > No I don't convert anything like that, there is no such possibility I
> > don't get any user from LDAP.
> > All I do is search the LDAP Server for a user, if the
> > ldap_use_lower_case is true, the user that searches the LDAP server is
> > transformed to lowercase.
> > OpenMeetings itself will also use the lowercase username internally
> > for that user if that option is set to true.
> >
> > I cannot influence the way the ldap server itself compares the
> > strings.
> > Maybe there is an ignoreCase setting in the LDAP server.
> > However, actually OpenMeetings does no string comparison of Users and
> > matches to results, it's the other way round: The username is taken
> > and an LDAP search is started with that username.
> > Line 353 the ldap_search_base is defined with the specified user from
> > the login.
> >
> > And in
> >
> > http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapAuthBase.java?view=markup
> >
> > Line 82 you can see how the user+pwd is sent to LDAP to authenticate.
> >
> > I cannot find any "equals" method that compares LDAP user to usernames
> > of OpenMeetings, as there is none.
> >
> > Sebastian
> >
> >
> > 2012/1/24 Benoit Vautrin
> >
> >> Hi Sebastian,
> >>
> >> I'm not a good developer but I try to understand your new code. If
> >> the new param ldap_use_lower_case is added to the config file, you
> >> convert in lower case the value filled in by users in the
> >> Openmeetings login window? Am I right?
> >>
> >> But I don't see where you convert also in lower case the answer of
> >> the ldap request (username field only of course) ... To be sure both
> >> strings will be the same.
> >> Maybe I've not seen it.
> >>
> >> Thank you very much for your quick answers on issues, that's really
> >> great!
> >>
> >> Regards.
> >>
> >> Benoit
> >>
> >> >>> "seba.wagner@gmail.com" 24/01/2012 09:51 >>>
> >> I've resolved the issue:
> >>
> >> there is a new param ldap_use_lower_case that you can add in the
> >> config file.
> >> If the param is true, the username is converted to lowercase before
> >> validating the username.
> >> This has no effect on how the password is verified.
> >>
> >> https://issues.apache.org/jira/browse/OPENMEETINGS-27?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel#issue-tabs
> >>
> >> Sebastian
> >>
> >> 2012/1/23 Jeff Schoby
> >>
> >> > LDAP usernames, as I understand it, should be case insensitive.
> >> > On Jan 23, 2012 3:19 PM, "Norbert Haag" wrote:
> >> >
> >> >> Quite frankly I think that this behavior is not an issue but a
> >> >> feature. Unix systems have a strict distinction between caps and
> >> >> non-caps for a good reason. So please don't change that "issue"
> >> >> but try to educate users, that ABC does not equal Abc does not
> >> >> equal aBc etc.
> >> >>
> >> >> Cheers
> >> >>
> >> >> -----Original Message-----
> >> >> From: BBS Technik [mailto:dormitilla@gmx.de]
> >> >> Sent: Monday, 23 January 2012 17:30
> >> >> To: openmeetings-user@incubator.apache.org
> >> >> Subject: Re: Username in ldap authentication is case sensitive
> >> >>
> >> >> Hi,
> >> >> I also ran into this problem and I would be happy if this issue
> >> >> could be resolved.
> >> >> At the moment we have to instruct our users, but we often have
> >> >> helpdesk requests.
> >> >>
> >> >> Greetings
> >> >> Ed
> >> >>
> >> >> -------- Original Message --------
> >> >> > Date: Mon, 23 Jan 2012 10:08:19 +0100
> >> >> > From: "Benoit Vautrin"
> >> >> > To: openmeetings-user@incubator.apache.org
> >> >> > Subject: Username in ldap authentication is case sensitive
> >> >>
> >> >> > Hi guys,
> >> >> >
> >> >> > I would like to know if some of you have already run into this
> >> >> > problem:
> >> >> > Authentication using the OpenLDAP option checks the exact
> >> >> > 'username' string between the ldap answer and the username field
> >> >> > in the authentication message box. So, for example, if your ldap
> >> >> > username attribute contains "TotoA" and the user keys in
> >> >> > "totoa", the application returns: Invalid Username.
> >> >> >
> >> >> > I think most authentication systems are case sensitive only
> >> >> > for the password, not on the username.
> >> >> >
> >> >> > The code checking for ldap authentication in Openmeetings is
> >> >> > there:
> >> >> >
> >> >> > http://svn.apache.org/viewvc/incubator/openmeetings/trunk/singlewebapp/src/app/org/openmeetings/app/ldap/LdapLoginManagement.java
> >> >> >
> >> >> > Sebastian has proposed this solution:
> >> >> > "we could add an option "ignoreUpperLowerCase" to the ldap
> >> >> > configuration.
> >> >> > Making it generally "ignore" would need verification on ADS,
> >> >> > OpenLDAP et cetera how they behave regarding upper/lowercase."
> >> >> > I've opened this ticket:
> >> >> > https://issues.apache.org/jira/browse/OPENMEETINGS-27
> >> >> > Please vote for it if you are interested in changing the way
> >> >> > the username is managed.
> >> >> >
> >> >> > Have a nice day.
> >> >> >
> >> >> > Benoit
> >>
> >> --
> >> Sebastian Wagner
> >> http://www.openmeetings.de
> >> http://incubator.apache.org/openmeetings/
> >> http://www.webbase-design.de
> >> http://www.wagner-sebastian.com
> >> seba.wagner@gmail.com
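
The search-then-bind flow discussed in this thread, as an added example in Python (not code from OpenMeetings or from any poster): the typed username goes into an escaped search filter, the password bind uses the DN the directory returns rather than the typed string, and the login is refused unless the search yields exactly one entry. The directory contents, the `search` stand-in and all function names are constructed for illustration.

```python
import re

# Constructed sample directory (DN -> attributes); values keep their stored case.
DIRECTORY = {
    "CN=TotoA,ou=users,o=corp": {"uid": ["TotoA"]},
    "CN=BobB,ou=users,o=corp": {"uid": ["bobb"]},
}

# RFC 4515: these characters must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


class LoginRejected(Exception):
    """Raised instead of attempting a bind with an unresolved name."""


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search(ldap_filter, directory=DIRECTORY):
    """Toy stand-in for the server side of a (uid=...) search.

    uid uses caseIgnoreMatch in the standard schema (RFC 4519), so matching
    is case-insensitive; an unescaped * acts as a substring wildcard.
    """
    value = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S).group(1)
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in value.split("*")]
    rx = re.compile(".*".join(re.escape(p) for p in parts), re.I | re.S)
    return [dn for dn, attrs in directory.items()
            if any(rx.fullmatch(v) for v in attrs["uid"])]


def resolve_bind_identity(typed_username, directory=DIRECTORY):
    """Return (bind_dn, local_account_key) for the user's password bind."""
    hits = search("(uid=%s)" % escape_filter_value(typed_username), directory)
    if len(hits) != 1:
        # Zero or several entries: reject here and never fall back to the typed
        # string as the bind DN (the capture in the thread shows such a request,
        # "DN=totoa", answered with Invalid DN Syntax).
        raise LoginRejected("search returned %d entries" % len(hits))
    dn = hits[0]
    # Assumption: the local account key is the directory's uid, lowercased,
    # so "TotoA" and "totoa" map to one application account.
    return dn, directory[dn]["uid"][0].lower()
```

With the sample directory, `resolve_bind_identity("totoa")` and `resolve_bind_identity("TotoA")` both yield the DN `CN=TotoA,ou=users,o=corp`, while `*` and `toto*` are rejected because escaping turns the wildcard into a literal character.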