3069: LDAP auth should use fully qualified DN for user bind
- Fixed
- Review Board
hglo****@gmai***** (Google Code)
Aug. 29, 2013
What version are you running?
1.7.13

What steps will reproduce the problem?
1. Configure reviewboard for LDAP configuration
2. Do not fill in anonymous user/password
3. Set base DN to "dc=mycompany.com", set user string to "log=%s"

What is the expected output? What do you see instead?
Users should be able to log in to reviewboard, but they get an authentication failure.

What operating system are you using? What browser?
Linux/Firefox

Please provide any additional information below.
The problem is in the LDAP authentication code: when no anonymous user/password is configured, the reviewboard LDAP code tries to authenticate the user by binding to the LDAP server. For the user DN, it assembles the combination of the given login name and base DN itself. In my example above, this would be "log=xyz,dc=mycompany.com". This does not work on our LDAP server, as the LDAP server expects a fully qualified DN for the user. I changed the code a bit to first anonymously search for this fully qualified DN and then use it to bind (authenticate) with the server:
1) bind_s(): bind on the LDAP server anonymously
2) LDAP search for the user with username and base DN (log=%s,dc=mycompany.com)
3) search[0][0] has the fully qualified DN of the user
4) now bind with the fully qualified DN of the user and password
I think this mechanism should work on all LDAP servers and it is a more generic way, so it will also work on LDAP servers that require the fully qualified user DN for authentication.
The suggested change basically does the same as reviewboard already does when an anonymous user/password is configured: it binds with the anonymous user, then searches for the user to log in with the base DN and the uid. After that it does the bind with the found user's fully qualified DN (result from search[0][0]).
http://reviews.reviewboard.org currently gives me a 403 error. See the diff below, but please note I am not a python developer...
--- backends.py.orig 2013-08-26 08:58:38.937586726 +0200 +++ backends.py 2013-08-26 09:04:24.114355191 +0200 @@ -204,10 +204,13 @@ class LDAPBackend(AuthBackend): ldapo.bind_s(search[0][0], password) else : - # Attempt to bind using the given uid and password. It may be - # that we really need a setting for how the DN in this is - # constructed; this way is correct for my system - userbinding=','.join([uid,settings.LDAP_BASE_DN]) + # Bind anonymously to the server, then search for the user with the + # given base DN and uid. If user is found a fully qualified DN is + # returned. Authentication then is done with bind using this fully + # qualified DN. + ldapo.simple_bind_s() + search = ldapo.search_s(settings.LDAP_BASE_DN, ldap.SCOPE_SUBTREE, uid) + userbinding=search[0][0] ldapo.bind_s(userbinding, password) return self.get_or_create_user(username, ldapo)
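Review bot: `userbinding=search[0][0]` in the else branch uses the search result unchecked, so a login name that matches no entry raises IndexError out of the backend instead of returning an authentication failure, and a uid mask that matches several entries silently binds as whichever came back first; check that exactly one entry was returned (skipping referral tuples whose DN is None) and return None otherwise. On the same lines, `uid` is now passed straight to `ldapo.search_s(settings.LDAP_BASE_DN, ldap.SCOPE_SUBTREE, uid)` as the filter, so wherever it is built from the username the value has to go through `ldap.filter.escape_filter_chars`, or a login containing `*`, `(` or `)` rewrites the filter. `ldapo.simple_bind_s()` is an anonymous bind and only helps when the server permits anonymous search; the new comment and the LDAP settings docs should say so, since that is exactly the case the "no anonymous user/password" configuration is meant to cover. Finally, consider refusing an empty password before `ldapo.bind_s(userbinding, password)`: many servers treat a simple bind with an empty password as an anonymous bind that succeeds.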
This should also fix issue 2836.
Patch now available here: https://reviews.reviewboard.org/r/4488/
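The search-then-bind flow the report describes (anonymous bind, search for the user's entry, bind as the DN that comes back), written out as an added example; this is neither Review Board's code nor the reporter's patch. It follows the shape of python-ldap's synchronous calls (`simple_bind_s`, `search_s`) but runs against a constructed in-memory directory, `FakeDirectory`, so it works offline. The setting names `LDAP_BASE_DN` and `LDAP_UID_MASK`, the base DN `dc=mycompany,dc=com`, the two user entries and their passwords are all assumptions made for the demo. `naive_bind` reproduces the pre-patch DN-gluing approach so its failure is visible; `authenticate` adds three checks the diff above does not show: the filter value is escaped, the search must return exactly one entry, and an empty password is refused before any bind.

```python
"""Search-then-bind LDAP authentication, in the shape of python-ldap's
synchronous API (simple_bind_s / search_s). Added example: the directory
used here is a constructed in-memory stand-in, not a real LDAP server."""
import re

try:
    import ldap
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
    INVALID_CREDENTIALS = ldap.INVALID_CREDENTIALS
except ImportError:  # keep the demo runnable without python-ldap installed
    SCOPE_SUBTREE = 2  # python-ldap's value for ldap.SCOPE_SUBTREE

    class INVALID_CREDENTIALS(Exception):
        pass

# Assumed settings, named after Review Board's LDAP_BASE_DN / LDAP_UID_MASK.
LDAP_BASE_DN = "dc=mycompany,dc=com"
LDAP_UID_MASK = "uid=%s"


class AuthError(Exception):
    """Raised for every authentication failure, whatever the cause."""


def escape_filter_chars(value):
    """RFC 4515 escaping (same output as ldap.filter.escape_filter_chars), so a
    login name can never close the search filter or add clauses to it."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def naive_bind(conn, username, password):
    """The pre-patch approach from the report: glue the uid mask onto the base
    DN and bind with that. It fails whenever the entry does not sit directly
    under the base DN (here the users live under ou=people)."""
    dn = ",".join([LDAP_UID_MASK % username, LDAP_BASE_DN])
    conn.simple_bind_s(dn, password)
    return dn


def authenticate(conn, username, password):
    """Anonymous bind, search for exactly one entry matching the uid mask, then
    bind as that entry's full DN. Returns the DN; raises AuthError otherwise."""
    if not password:
        # A simple bind with an empty password is an anonymous bind on many
        # servers and "succeeds", so refuse it before it reaches the server.
        raise AuthError("empty password")
    conn.simple_bind_s()  # anonymous; the server must permit anonymous search
    filt = "(%s)" % (LDAP_UID_MASK % escape_filter_chars(username))
    hits = [(dn, attrs) for dn, attrs in conn.search_s(LDAP_BASE_DN, SCOPE_SUBTREE, filt)
            if dn is not None]  # search_s may also yield referrals with dn None
    if len(hits) != 1:  # unknown user, or a mask that matches several entries
        raise AuthError("expected one entry for %r, found %d" % (username, len(hits)))
    user_dn = hits[0][0]
    try:
        conn.simple_bind_s(user_dn, password)
    except INVALID_CREDENTIALS:
        raise AuthError("wrong password for %s" % user_dn)
    return user_dn


# --- constructed stand-in for ldap.LDAPObject, used only to run the demo ---

_EQUALITY_FILTER = re.compile(r"\((\w+)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)")


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


class FakeDirectory:
    """Dict of DN -> attributes; allows anonymous search; understands a single
    exact-match equality filter (an unescaped '*' or '(' is a filter error)."""

    def __init__(self, entries):
        self.entries = entries
        self.bound_as = None

    def simple_bind_s(self, who="", cred=""):
        if who == "" and cred == "":
            self.bound_as = None  # anonymous bind
            return
        entry = self.entries.get(who)
        if entry is None or cred not in entry.get("userPassword", []):
            raise INVALID_CREDENTIALS("invalid credentials for %s" % who)
        self.bound_as = who

    def search_s(self, base, scope, filterstr, attrlist=None):
        m = _EQUALITY_FILTER.fullmatch(filterstr)
        if m is None:
            raise ValueError("unsupported filter: %s" % filterstr)
        attr, value = m.group(1), _unescape(m.group(2))
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.endswith("," + base) and value in attrs.get(attr, [])]


# Constructed sample directory: both users live under ou=people, so the
# naive "uid=<name>,<base DN>" guess names an entry that does not exist.
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=mycompany,dc=com": {"uid": ["alice"], "userPassword": ["s3cret"]},
    "uid=bob,ou=people,dc=mycompany,dc=com": {"uid": ["bob"], "userPassword": ["hunter2"]},
})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "alice", "s3cret"))
```

Against a real server, `conn` would be the result of `ldap.initialize(...)` and the anonymous step only succeeds where the directory allows unauthenticated search; if it does not, the configured anonymous user/password path is the right one. The `len(hits) != 1` check is what turns "user not found" into a clean failure rather than an exception, and the escaping is what keeps a login such as `*)(uid=*` from becoming part of the filter.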