Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 3069 by hgloc...@gmail.com: LDAP auth should use fully qualified
DN for user bind
http://code.google.com/p/reviewboard/issues/detail?id=3069
What version are you running?
1.7.13
What steps will reproduce the problem?
1. Configure reviewboard for LDAP configuration
2. Do not fill in anonymous user/password
3. Set base DN to "dc=mycompany.com", set user string to "log=%s"
What is the expected output? What do you see instead?
Users should be able to login to the reviewboard, but they get
authentication failure.
What operating system are you using? What browser?
Linux/Firefox
Please provide any additional information below.
The problem is in the LDAP authentification code:
When no anonymous user/password is configured, reviewboard LDAP
code tries to authenticate the user by binding to the ldap server.
For the user dn, it self assembles the combination of given login name and
base DN. In my example above, this would be "log=xyz,dc=mycompany.com".
This does not work on our LDAP server, as the LDAP server expects a fully
qualified DN for the user.
I changed the code a bit to anonymously first search for this fully
qualified DN and then using it to bind (authenticate) with the server:
1) bind_s() bind on the ldap server anonymously
2) ldap search for the user with username and base DN
(log=%s,dc=mycompany.com)
3) search[0][0] has the fully qualified DN of the user
4) now bind with the fully qualified DN of the user and password
I think this mechanism should work on all LDAP servers and it is
a more generic way, so it will also work on LDAP servers that
require the fully qualified user dn for authentication.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
You received this message because you are subscribed to the Google Groups
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at http://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/groups/opt_out.
