Issue with LDAP authentication #352

Closed
fchiacchiaretta opened this issue May 10, 2017 · 5 comments
@fchiacchiaretta

Hi,
I'm using version 2.3.0.
I've set up LDAP authentication with group matching in ldap_searchfilter; here is my config:

"ldap_enable": true,
"ldap_binddn": "uid=binduser,cn=users,cn=accounts,dc=mydomain,dc=it",
"ldap_bindpassword": "supersecurepassword",
"ldap_server": "server.mydomain.it:389",
"ldap_needtls": false,
"ldap_searchdn": "cn=users,cn=accounts,dc=mydomain,dc=it",
"ldap_searchfilter": "(&(uid=%s)(memberOf=cn=semaphore_users,cn=groups,cn=accounts,dc=mydomain,dc=it))",
"ldap_mappings": {
    "dn": "dn",
    "mail": "mail",
    "uid": "uid",
    "cn": "cn"
}

After the first successful login with a user who is in the group semaphore_users, the user table in the MySQL db shows this:

+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+
| id | created             | username                | name                    | email                                | password                                                     | external | alert |
+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+
|  1 | 2017-05-10 09:15:21 | admin                   | admin                   | admin@mydomain.it                    | supersecurepassword                                          |        0 |     0 |
| 30 | 2017-05-10 09:36:52 | username                | Full Name               | myemail@mydomain.it                  |                                                              |        1 |     0 |
+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+

User details are properly populated from LDAP, and user is flagged as external.
After logout, I tried to log in with a user not in the group semaphore_users, expecting a failed login response, but login is instead successful, and the user table is populated with an empty entry (id 31):

+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+
| id | created             | username                | name                    | email                                | password                                                     | external | alert |
+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+
|  1 | 2017-05-10 09:15:21 | admin                   | admin                   | admin@mydomain.it                    | supersecurepassword                                          |        0 |     0 |
| 30 | 2017-05-10 09:36:52 | username                | Full Name               | myemail@mydomain.it                  |                                                              |        1 |     0 |
| 31 | 0000-00-00 00:00:00 |                         |                         |                                      |                                                              |        0 |     0 |
+----+---------------------+-------------------------+-------------------------+--------------------------------------+--------------------------------------------------------------+----------+-------+

The same thing happens using a user that does not exist in LDAP.
After this entry is created, login only works for the user with id 30, and no other user can log in, neither valid nor invalid LDAP users; the login prompt answers with "-1 Request Failed. Try again later."

Since this happens even with invalid LDAP users, my guess is that it would happen even with default filter (uid=%s).

Is this a misconfiguration or something else?

Please let me know if I can provide further details or logs.
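As an added example (not Semaphore's code, and not taken from the fix in #336), here is the order of checks a search-then-bind LDAP login has to enforce so that the behaviour in this report cannot occur: a search that returns no entry (unknown user, or a user outside the group in the filter) must stop the login before any user row is built, and the user's password must be verified by binding as the DN the search returned, never by the service-account bind alone. The in-memory directory, the accounts alice and bob, their passwords and all helper names are constructed stand-ins; only the DN layout, the group name and the ldap_mappings keys are reused from the config above.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample values, reusing the DN layout quoted in the report.
const SearchDN = "cn=users,cn=accounts,dc=mydomain,dc=it"
const Group = "cn=semaphore_users,cn=groups,cn=accounts,dc=mydomain,dc=it"

// Mappings mirrors the ldap_mappings block: which LDAP attribute feeds each user field.
var Mappings = map[string]string{"uid": "uid", "cn": "cn", "mail": "mail"}

// Entry stands in for one search result; password is known only to the fake directory.
type Entry struct {
	DN       string
	Attrs    map[string]string // single-valued attributes
	MemberOf []string
	password string
}

type Directory struct{ Entries []Entry } // in-memory fake of the LDAP server

// Search emulates (&(uid=%s)(memberOf=<group>)); an empty group emulates plain (uid=%s).
func (d *Directory) Search(uid, group string) []Entry {
	var hits []Entry
	for _, e := range d.Entries {
		if e.Attrs["uid"] == uid && (group == "" || inGroup(e, group)) {
			hits = append(hits, e)
		}
	}
	return hits
}

func inGroup(e Entry, group string) bool {
	for _, g := range e.MemberOf {
		if g == group {
			return true
		}
	}
	return false
}

// Bind emulates a simple bind as dn. An empty password is refused, as RFC 4513
// asks servers to do by default for unauthenticated binds.
func (d *Directory) Bind(dn, password string) error {
	if password == "" {
		return errors.New("ldap: unauthenticated bind refused")
	}
	for _, e := range d.Entries {
		if e.DN == dn && e.password == password {
			return nil
		}
	}
	return errors.New("ldap: invalid credentials")
}

// User is the record that would be written to the users table after a successful login.
type User struct {
	Username, Name, Email string
	External              bool
}
var ErrAuthFailed = errors.New("ldap authentication failed")

// Authenticate runs search-then-bind and builds a User only after every step passes,
// so a failed login leaves nothing to persist. The service-account bind is omitted.
func Authenticate(d *Directory, uid, password, group string, m map[string]string) (*User, error) {
	hits := d.Search(uid, group)
	if len(hits) != 1 { // 0: unknown user or not in the group; >1: ambiguous; never bind
		return nil, ErrAuthFailed
	}
	e := hits[0]
	if err := d.Bind(e.DN, password); err != nil { // bind as the DN the search returned
		return nil, ErrAuthFailed
	}
	u := &User{Username: e.Attrs[m["uid"]], Name: e.Attrs[m["cn"]], Email: e.Attrs[m["mail"]], External: true}
	if u.Username == "" { // never persist a blank row like id 31 in the report
		return nil, ErrAuthFailed
	}
	return u, nil
}

// NewTestDirectory builds two constructed accounts: alice is in semaphore_users, bob is not.
func NewTestDirectory() *Directory {
	return &Directory{Entries: []Entry{
		{DN: "uid=alice," + SearchDN, password: "alice-pass", MemberOf: []string{Group},
			Attrs: map[string]string{"uid": "alice", "cn": "Alice Example", "mail": "alice@mydomain.it"}},
		{DN: "uid=bob," + SearchDN, password: "bob-pass",
			Attrs: map[string]string{"uid": "bob", "cn": "Bob Example", "mail": "bob@mydomain.it"}},
	}}
}

func main() {
	d := NewTestDirectory()
	for _, c := range [][2]string{{"alice", "alice-pass"}, {"bob", "bob-pass"}, {"nobody", "x"}, {"alice", "wrong"}} {
		u, err := Authenticate(d, c[0], c[1], Group, Mappings)
		fmt.Printf("%-6s -> created=%v err=%v\n", c[0], u != nil, err)
	}
}
```

Running it shows only alice producing a user record; bob (outside the group), an unknown uid and a wrong password all fail before a User exists. Passing an empty group string exercises the default (uid=%s) filter, under which bob is admitted, which is why the reporter expects the empty-search case to bypass with that filter too.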

@strangeman
Contributor

Are you using current master, or the release version? It was fixed in #336.

@fchiacchiaretta
Author

Sorry, I looked for an existing issue without luck and opened a new one.
I'm using the release version; I'll test master asap.

@fchiacchiaretta
Author

I tried to build a dev environment to test master as described in CONTRIBUTING.md, but without luck.
Wouldn't it be possible for you to issue a point release including this fix? It's quite critical, as authentication validation is completely bypassed.

@matejkramny
Contributor

It is indeed critical & will be fixed shortly. Apologies for any delay in handling this.

You should disable LDAP until it is released.

@matejkramny
Contributor

Fixed in #336
