Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Account provider Bind DN validation error #6534

Closed
DavidePrincipi opened this issue Jun 23, 2021 · 7 comments
Closed

Account provider Bind DN validation error #6534

DavidePrincipi opened this issue Jun 23, 2021 · 7 comments
Labels
bug A defect of the software verified All test cases were verified successfully

Comments

@DavidePrincipi
Copy link
Member

The Edit provider input form fails to validate the Bind DN / password credentials against a remote AD accounts provider.

image

Steps to reproduce

  • Configure a remote AD accounts provider
  • Enter the credentials for LDAP applications. Use the DOMAIN\user Bind DN syntax

Expected behavior

The credentials must be accepted in both DOMAIN\user and user@realm form

Actual behavior

That Bind DN DOMAIN\user syntax is rejected.

Instead if user@realm form is used the password is accepted.

The remote MS AD provider accepts both forms:

 ldapwhoami -w 'secr3t'  -D 'MYDOM\ldapuser' -H ldap://dc1.mydom.tld
 u:MYDOM\ldapuser
 ldapwhoami -w 'secr3t'  -D 'ldapuser@mydom.tld' -H ldap://dc1.mydom.tld
 u:MYDOM\ldapuser

Note that both DN syntaxes map to the same user name.

Components

nethserver-sssd-1.7.1-1.ns7.noarch

Thanks to @lucagasparini
@DavidePrincipi DavidePrincipi added the bug A defect of the software label Jun 23, 2021
@stephdl stephdl self-assigned this Jun 25, 2021
@stephdl
Copy link

stephdl commented Jun 25, 2021
edited

the good practice is to use the user principal name (UPN) , the proposed format is inherited of NETBIOS and limited to 15 characters. Not sure but it could bring more issues than we want to solve.

Some characters are prohibited too like _

@stephdl
Copy link

stephdl commented Jun 25, 2021

We send to the API

[root@backup ~]# echo '{"StartTls":"enabled","BindPassword":"password","BaseDN":"DC=ad,DC=domain,DC=fr","BindDN":"domain\\administrator","LdapURI":"ldap://nsdc-server.ad.domain.fr","UserDN":"DC=ad,DC=domain,DC=fr","GroupDN":"DC=ad,DC=domain,DC=fr","action":"bind-credentials"}' | /usr/bin/sudo /usr/libexec/nethserver/api/system-accounts-provider/validate

but the api prints

domain\administrator{"type":"NotValid","message":"validation_failed","attributes":[{"parameter":"BindDN","value":null,"error":"domainadministratorldap-credentials,ldaptestbind,49"}]}

/usr/libexec/nethserver/api/system-accounts-provider/validate print $data['BindDN' = domain\administrator
/etc/e-smith/validators/ldap-credentials/S20ldaptestbind prints domainadministrator

The culprit is there

@stephdl stephdl mentioned this issue Jun 25, 2021
Merged
stephdl added a commit to NethServer/nethserver-cockpit that referenced this issue Jun 28, 2021
@stephdl
Merge pull request #340 from stephdl/GH6534
9ec1cab 
Escapeshellarg inputs of UI for bind DN validation NethServer/dev#6534
@stephdl
Copy link

stephdl commented Jun 28, 2021

QA

test the bug is not more reproducible, you can use a netbios way to set an AD user : DOMAIN\administrator

@stephdl stephdl removed their assignment Jun 28, 2021
@stephdl stephdl added the testing Packages are available from testing repositories label Jun 28, 2021
@nethbot
Copy link
Member

nethbot commented Jun 28, 2021

in 7.9.2009/testing:

@lucagasparini
Copy link

The bug is not reproducible 👍
Now you can use DOMAIN\username for the BindDN

@lucagasparini lucagasparini added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Jun 28, 2021
@lucagasparini lucagasparini removed their assignment Jun 28, 2021
@nethbot
Copy link
Member

nethbot commented Jun 28, 2021

in 7.9.2009/updates:

@stephdl
Copy link

stephdl commented Jun 28, 2021

closed as released

@stephdl stephdl closed this as completed Jun 28, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug A defect of the software verified All test cases were verified successfully
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@DavidePrincipi @stephdl @lucagasparini @nethbot