3069: LDAP auth should use fully qualified DN for user bind

hglo****@gmai***** (Google Code)
Aug. 29, 2013
What version are you running?
1.7.13

What steps will reproduce the problem?
1. Configure reviewboard for LDAP configuration
2. Do not fill in anonymous user/password
3. Set base DN to "dc=mycompany.com", set user string to "log=%s"

What is the expected output? What do you see instead?
Users should be able to log in to Review Board, but they get an
authentication failure.

What operating system are you using? What browser?
Linux/Firefox

Please provide any additional information below.
The problem is in the LDAP authentication code:
When no anonymous user/password is configured, the Review Board LDAP
code tries to authenticate the user by binding to the LDAP server.
For the user DN, it assembles the given login name and base DN itself. In my example above, this would be "log=xyz,dc=mycompany.com". This does not work on our LDAP server, as the LDAP server expects a fully qualified DN for the user.

I changed the code a bit to first search anonymously for this fully qualified DN and then use it to bind (authenticate) with the server:

1) bind_s(): bind on the LDAP server anonymously
2) LDAP search for the user with username and base DN (log=%s,dc=mycompany.com)
3) search[0][0] has the fully qualified DN of the user
4) now bind with the fully qualified DN of the user and the password

I think this mechanism should work on all LDAP servers and it is
a more generic way, so it will also work on LDAP servers that
require the fully qualified user dn for authentication.
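The search-then-bind flow described in steps 1) to 4), as an added Python example that is not Review Board's own code. It runs against a constructed in-memory stand-in for a python-ldap connection (FakeLDAPConnection, DIRECTORY, PASSWORDS, the uid=%s mask and the dc=mycompany,dc=com base DN are all invented here) and adds the checks a production version needs: the username is escaped before it is interpolated into the filter (python-ldap's ldap.filter.escape_filter_chars() does the same), an empty password is refused so the second bind cannot degrade into an unauthenticated bind, and an empty search result returns a failed login instead of indexing search[0][0].

```python
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter (re-implemented
    here so the example runs without python-ldap; real code would use
    ldap.filter.escape_filter_chars)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def _unescape_filter_value(value):
    # Decode \XX escapes, as a real server does before comparing attribute values.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class AuthError(Exception):
    """Stands in for python-ldap's ldap.INVALID_CREDENTIALS style exceptions."""


class FakeLDAPConnection:
    """Constructed in-memory stand-in for a python-ldap connection object.
    entries maps full DN -> attributes, passwords maps DN -> bind password,
    allow_anonymous=False models a server that refuses anonymous binds."""

    def __init__(self, entries, passwords, allow_anonymous=True):
        self.entries = entries
        self.passwords = passwords
        self.allow_anonymous = allow_anonymous
        self.bound_as = None

    def simple_bind_s(self, who=None, cred=None):
        if not who:  # empty DN: anonymous bind
            if not self.allow_anonymous:
                raise AuthError("anonymous bind refused by server")
            self.bound_as = None
            return
        if who not in self.entries or self.passwords.get(who) != cred:
            raise AuthError("invalid credentials for %s" % who)
        self.bound_as = who

    def search_s(self, base, filterstr):
        # Supports only the single equality filter "(attr=value)" this flow needs.
        attr, _, value = filterstr.strip("()").partition("=")
        value = _unescape_filter_value(value)
        return [(dn, attrs) for dn, attrs in self.entries.items()
                if dn.lower().endswith(base.lower()) and attrs.get(attr) == value]


# Constructed sample directory: users live below organizational units, so a DN
# glued together from "uid=<name>" and the base DN does not exist on the server.
BASE_DN = "dc=mycompany,dc=com"
UID_MASK = "uid=%s"
DIRECTORY = {
    "uid=xyz,ou=people,dc=mycompany,dc=com": {"uid": "xyz", "cn": "X Y Z"},
    "uid=abc,ou=contractors,dc=mycompany,dc=com": {"uid": "abc", "cn": "A B C"},
}
PASSWORDS = {
    "uid=xyz,ou=people,dc=mycompany,dc=com": "xyz-pass",
    "uid=abc,ou=contractors,dc=mycompany,dc=com": "abc-pass",
}


def naive_dn(uid_mask, base_dn, username):
    """The DN Review Board 1.7 assembled when no anonymous user was configured."""
    return ",".join([uid_mask % username, base_dn])


def authenticate_search_then_bind(conn, base_dn, uid_mask, username, password):
    """Anonymous bind, search for the user's entry, bind with the DN the server
    returned. Returns that DN on success, None for unknown user, ambiguous
    match or wrong password; raises AuthError if anonymous binds are refused."""
    if not password:
        # DN plus empty password is an *unauthenticated* bind (RFC 4513 5.1.2),
        # which many servers accept; it must never count as a login.
        return None
    conn.simple_bind_s()
    filterstr = "(%s)" % (uid_mask % escape_filter_value(username))
    results = conn.search_s(base_dn, filterstr)
    if len(results) != 1:
        return None  # never index results[0] on an empty result set
    user_dn = results[0][0]
    try:
        conn.simple_bind_s(user_dn, password)
    except AuthError:
        return None
    return user_dn


def demo():
    """The naive DN fails for a valid password; search-then-bind finds the real DN."""
    conn = FakeLDAPConnection(DIRECTORY, PASSWORDS)
    try:
        conn.simple_bind_s(naive_dn(UID_MASK, BASE_DN, "xyz"), "xyz-pass")
        naive_ok = True
    except AuthError:
        naive_ok = False
    found_dn = authenticate_search_then_bind(conn, BASE_DN, UID_MASK, "xyz", "xyz-pass")
    return naive_ok, found_dn


if __name__ == "__main__":
    print(demo())
```

Note that the flow only works when the server permits anonymous search of the base DN; a server that refuses anonymous binds raises at the first simple_bind_s(), which is why the anonymous user/password setting still matters for such deployments.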
#1 hglo****@gmai***** (Google Code)
The suggested change basically does the same as Review Board is already doing when an anonymous user/password is configured. Then it binds with the anonymous user, then searches for the user to log in with base DN and the uid. After that it does the bind with the found user's fully qualified DN (result from search[0][0]).
#2 david
Would you be willing/able to submit a patch for this to http://reviews.reviewboard.org ?
#3 hglo****@gmai***** (Google Code)
http://reviews.reviewboard.org currently gives me a 403 error.

See the diff below, but please note I am not a Python developer...


--- backends.py.orig    2013-08-26 08:58:38.937586726 +0200
+++ backends.py 2013-08-26 09:04:24.114355191 +0200
@@ -204,10 +204,13 @@ class LDAPBackend(AuthBackend):
                     ldapo.bind_s(search[0][0], password)

             else :
-                # Attempt to bind using the given uid and password. It may be
-                # that we really need a setting for how the DN in this is
-                # constructed; this way is correct for my system
-                userbinding=','.join([uid,settings.LDAP_BASE_DN])
+                # Bind anonymously to the server, then search for the user with the
+                # given base DN and uid. If user is found a fully qualified DN is
+                # returned. Authentication then is done with bind using this fully
+                # qualified DN.
+                ldapo.simple_bind_s()
+                search = ldapo.search_s(settings.LDAP_BASE_DN, ldap.SCOPE_SUBTREE, uid)
+                userbinding=search[0][0]
                 ldapo.bind_s(userbinding, password)

             return self.get_or_create_user(username, ldapo)
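Review bot: `userbinding=search[0][0]` in the new else branch raises IndexError when the search returns no entry (unknown username, or a server that refuses the anonymous `simple_bind_s()` that precedes it), which surfaces as a server error rather than a failed login; guard it with something like `if not search: return None` before indexing, mirroring whatever the anonymous-user branch above does with its own `search` result. The `uid` value handed to `search_s` as the filter is built from the submitted username, so it should pass through `ldap.filter.escape_filter_chars()` and be wrapped in parentheses, so that a name containing `*`, `(` or `)` cannot change the filter's meaning. The replacement comment should also state that this branch now requires the server to allow anonymous search under `LDAP_BASE_DN`, since that is a new deployment assumption compared with the removed direct bind.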
#4 hglo****@gmai***** (Google Code)
This should also fix issue 2836.
#5 hglo****@gmai***** (Google Code)
Patch now available here: https://reviews.reviewboard.org/r/4488/
#6 david
Fixed in release-1.7.x (39c6ab6). Thanks!
  • +Fixed