Mischa Diehm
2014-03-21 07:34:15 UTC
Hi,
this bug broke LDAP-Auth for us too but we are using OpenLDAP as a backend.
After applying the patches to our system things work nice again.
Debug output:
put_simple_filter: "uid:caseExactMatch:=foobar"
...
[error] UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'Bad search filter',
'desc': 'Critical extension is unavailable'}
Mischa
--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 1574 | http://urz.unibas.ch
From: Morten Brekkevold <morten.brekkevold-***@public.gmane.org>
Date: Donnerstag, 13. März 2014 14:37
To: Sjøholt Steinar Otto <ssj-***@public.gmane.org>
Cc: "nav-users-***@public.gmane.org" <nav-users-***@public.gmane.org>
Subject: Re: NAV authentication with LDAP + MS AD
On Wed, 12 Mar 2014 16:06:50 +0100 Morten Brekkevold
external authentication is invoked.
NAV's login page doesn't concern itself with what any external
authentication mechanism actually does, only that it returns a good or
bad status. There is currently no mechanism to pass a revised username
back to the login page, since it only cares about what the user actually
typed into the login form.
I take that back. It's been a while since I hacked on this part of NAV,
and last time it was refactored, this was made easily possible. I filed
a report at [1], and have committed a fix.
The downside to this fix is that all NAV login names will now be case
insensitive. Hopefully, people using NAV aren't in the habit of creating
separate users with the same name using different casing.
The fallback to cached password when the user wasn't found was in
reality a different problem, but I fixed it as part of [1] anyway.
[1] https://bugs.launchpad.net/nav/+bug/1291956
this bug broke LDAP-Auth for us too but we are using OpenLDAP as a backend.
After applying the patches to our system things work nice again.
Debug output:
put_simple_filter: "uid:caseExactMatch:=foobar"
...
[error] UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'Bad search filter',
'desc': 'Critical extension is unavailable'}
Mischa
--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 1574 | http://urz.unibas.ch
From: Morten Brekkevold <morten.brekkevold-***@public.gmane.org>
Date: Donnerstag, 13. März 2014 14:37
To: Sjøholt Steinar Otto <ssj-***@public.gmane.org>
Cc: "nav-users-***@public.gmane.org" <nav-users-***@public.gmane.org>
Subject: Re: NAV authentication with LDAP + MS AD
On Wed, 12 Mar 2014 16:06:50 +0100 Morten Brekkevold
Since the addition of ":caseExactMatch:" doesn't work with AD, a
better solution to Bug#1207722 would be to have NAV check the output
of the LDAP-query to get the actual username (with correct casing) and
use this to create the user in the database instead of the actual
userinput.
You are probably right, but we will have to look into rewriting the waybetter solution to Bug#1207722 would be to have NAV check the output
of the LDAP-query to get the actual username (with correct casing) and
use this to create the user in the database instead of the actual
userinput.
external authentication is invoked.
NAV's login page doesn't concern itself with what any external
authentication mechanism actually does, only that it returns a good or
bad status. There is currently no mechanism to pass a revised username
back to the login page, since it only cares about what the user actually
typed into the login form.
and last time it was refactored, this was made easily possible. I filed
a report at [1], and have committed a fix.
The downside to this fix is that all NAV login names will now be case
insensitive. Hopefully, people using NAV aren't in the habit of creating
separate users with the same name using different casing.
The fallback to cached password when the user wasn't found was in
reality a different problem, but I fixed it as part of [1] anyway.
[1] https://bugs.launchpad.net/nav/+bug/1291956
--
Morten Brekkevold
UNINETT
Morten Brekkevold
UNINETT