LDAP Authentication: Login works although I see this in the log: LDAP error: User does not exist. #1903

Open
uli-heller opened this issue Mar 7, 2018 · 4 comments

@uli-heller
Contributor

Issue

Impacted version: 4.22.0 (and probably many older versions)

Deployment mode: standalone app behind an apache reverse proxy

Problem description:

  • I'm using LDAP authentication
  • I've added an additional filter recently:
    |(memberOf=cn=gitbucket,ou=group,dc=daemons-point,dc=com)
  • I've tried to verify this filter: I removed my personal user from this LDAP group and tried to
    log in
  • Expected behavior: I'm unable to log in
  • Observed behavior: I am able to log in!
    Within the log file, a message like this shows up:
    2018-03-07 14:18:43.978 [qtp321001045-18] INFO  g.core.service.AccountService - LDAP error: User does not exist.

  • I browsed the database tables and I think the ACCOUNT table and the password field are responsible for this behavior. Once I delete the password by setting the password column to '' for my user, everything works as expected!

@uli-heller changed the title from "LDAP Authentication: Login works although I see this i the log: LDAP error: User does not exist." to "LDAP Authentication: Login works although I see this in the log: LDAP error: User does not exist." on Mar 7, 2018

@Sherpard

As far as I know, if you previously had an account without LDAP authentication, that authentication is not revoked, so you're always able to log in even if you're not a member of LDAP anymore.

I have the very same situation going on on my gitbucket instance. If you want to disable such behavior, just clean up the password.

Anyway, it would be nice to have a way to disable it from the administration console.

@uli-heller
Contributor Author

@Sherpard You're probably right. The current behavior is kind of unexpected, since, for example, changing the password in LDAP doesn't prevent you from logging in with the password you stored within gitbucket before. To me, it seems that gitbucket works like this:

  1. Try to log in using LDAP
  2. If this fails, try to log in using gitbucket internal authentication

I think there should be at least a remark about this in the LDAP config documentation.

@Sherpard

Sherpard commented Mar 19, 2018

I would suggest implementing a realm selector on the login page, or a feature to disable the gitbucket realm altogether.

This behavior allows you to authenticate with gitbucket, but LDAP records it as a failed login. On many enterprise systems, that would mean an account lock if it happens too often.

@takezoe
Member

takezoe commented Mar 19, 2018

@Sherpard It makes sense!
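
The login order described in this thread (LDAP first, then the internal password), modeled in Python as an added example; it is not GitBucket's code and not from any participant. The `allow_local_fallback` switch, the function names, the sample accounts and the placeholder hash are all assumptions made for illustration; the switch stands in for the "disable the gitbucket realm" idea suggested above.

```python
import hashlib
import hmac

# Constructed sample data: a local password hash stored before LDAP was enabled.
# SHA-256 is only a placeholder hash for this model.
LOCAL_ACCOUNTS = {"alice": hashlib.sha256(b"old-local-pw").hexdigest()}
# Constructed directory: user -> (password, groups). "alice" has been removed
# from the group that the additional LDAP filter requires.
LDAP_DIRECTORY = {"alice": ("ldap-pw", set()), "bob": ("bob-pw", {"gitbucket"})}
REQUIRED_GROUP = "gitbucket"


def ldap_auth(user, password):
    """Stand-in for an LDAP search with the memberOf filter, then a bind."""
    entry = LDAP_DIRECTORY.get(user)
    if entry is None or REQUIRED_GROUP not in entry[1]:
        return False  # the case logged as "LDAP error: User does not exist."
    return hmac.compare_digest(entry[0].encode(), password.encode())


def local_auth(user, password):
    """Check the locally stored hash; an empty stored value never matches."""
    stored = LOCAL_ACCOUNTS.get(user, "")
    if not stored:
        return False
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored.encode(), supplied.encode())


def login(user, password, ldap_enabled=True, allow_local_fallback=True):
    """Return the realm that accepted the login ("ldap" or "local"), or None."""
    if ldap_enabled:
        if ldap_auth(user, password):
            return "ldap"
        if not allow_local_fallback:
            return None  # LDAP is authoritative: a failed filter ends the login
    return "local" if local_auth(user, password) else None


def accounts_with_local_password():
    """Audit helper: accounts that can still log in around the LDAP filter."""
    return sorted(user for user, stored in LOCAL_ACCOUNTS.items() if stored)


if __name__ == "__main__":
    print("fallback on :", login("alice", "old-local-pw"))
    print("fallback off:", login("alice", "old-local-pw", allow_local_fallback=False))
    print("still have a local password:", accounts_with_local_password())
```

With the fallback on, the removed user is accepted by the local realm even though LDAP rejected the attempt; clearing the stored password, as done in the issue, closes that path for a single account.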
