Well, I guess I misunderstood the meaning of the configuration field 
(somewhat), and found what could be a problem in the code. My LDAP server 
does not allow anonymous binds, and so I've had to take caution in 
configuring what just about every other tool calls the "bind account" and 
"bind password." When I saw the "Anonymous User Mask" and "Anonymous User 
Password" I drew a near immediate correlation. After I reviewed the code, I 
found that when a user sends an authentication request, ReviewBoard uses 
the user's credentials to perform its initial bind, instead of either 
binding anonymously or using a bind account. Removing the "Anonymous User 
Mask" and password fixed the problem for me (my ReviewBoard site does not 
allow anonymous access anyways). But in studying the code I found that the 
"User Mask" field contents are used to build the bind distinguished name 
when no "Anonymous User Mask" is provided. This is all well and good, 
except I thought the "User Mask" field was meant to hold an LDAP filter 
specification. A proper filter to match against a uid would be "(uid=%s)" 
with "%s" being substituted by the input user ID. This string, however, is 
not appropriate to use as the first element of the bind DN, as line 208 in 
reviewboard/accounts/backends.py:
               userbinding=','.join([uid,settings.LDAP_BASE_DN])
If I'm reading that code right, "uid", which when the "User Mask" field has 
been set to "(uid=%s)" has expanded to "(uid=localuser)" (for example with 
a "localuser" user), is prepended to the base DN then used as the bind DN. 
"(uid=localuser),ou=Users,dc=local" is of course a badly formatted DN. 
Entering "uid=%s" (without the parentheses) fixes the problem for now.

I'm still at a loss as to why with the Anonymous User Mask and Password 
LDAP returned a bad search filter, though.

On Monday, January 7, 2013 5:45:00 PM UTC-5, Rolando Nieves wrote:
>
> Well, I'm having the same error and I know my way around LDAP:
>
> LDAP Server: ldap://localhost:389
> LDAP Base DN: ou=Users,dc=local
> Given Name Attribute: givenName
> Surname Attribute: sn
> Full Name Attribute: cn
> E-Mail LDAP Attribute: mail
> User Mask: (uid=%s)
> Anonymous User Mask: cn=proxyuser,dc=local
> Anonymous User Password: xxxx
>
> When presented with valid LDAP credentials, ReviewBoard rejects them and I 
> receive this error in my Apache log:
> [error] WARNING:root:LDAP error: {'desc': 'Bad search filter'}
>
> Running this on the command line life is good:
> ldapsearch -x -H ldap://localhost:389 -D 'cn=proxyuser,dc=local' -w xxxx 
> -b 'ou=Users,dc=local' '(uid=localuser)'
>
> I know the '(uid=%s)' filter specification is not the problem since when I 
> log in with the built-in 'admin' account I see the appropriate error 
> message in my Apache2 log:
> [error] WARNING:root:LDAP error: The specified object does not exist in 
> the Directory: (uid=admin)
>
> Hence the uid filter is expanding properly, and there are no mysterious 
> filters in the initial LDAP search dip. There's gotta be another LDAP 
> search that has a poorly-constructed filter.
>
> On Monday, August 20, 2012 4:02:19 PM UTC-4, Tucker wrote:
>>
>> * Your LDAP server needs to start with "ldap://".  Probably 
>> "ldap://10.10.192.42:389" 
>> * Your LDAP base DN is most likely wrong.  You'll either need to 
>> familiarize yourself with your LDAP schema or find someone who knows 
>> what that should be. 
>> * Unless you actually own example.com, your E-mail domain is wrong. 
>> * Leave the anonymous user mask blank, unless you know what you're doing. 
>>
>> On Mon, Aug 20, 2012 at 12:40 AM, Raymond Meng <raymon...@gmail.com> 
>> wrote: 
>> > hi guys: 
>> > 
>> > I'm quite a freshman of reviewboard. I met problems during my LDAP 
>> > configuration. 
>> > 
>> > my settings: 
>> > LDAP server: 10.10.192.41:389 
>> > LDAP base DN: ou=example,dc=example,dc=example 
>> > given name attribute: givenName 
>> > surname attribute: sn 
>> > full name attribute: cn 
>> > E-mail Domain: example.com 
>> > E-mail LDAP attribute: mail 
>> > unchecked Use TLS for authentication 
>> > user mask: (uid=%s) 
>> > anonymous user mask: (uid=%s) 
>> > anonymous user password: *** 
>> > 
>> > and when I try to login reviewboard with my email account, an error occurs: 
>> > WARNING - LDAP error: {'info': '', 'desc': 'Bad search filter'} 
>> > 
>> > can you help me to take a look on that? 
>> > 
>> > thanks! 
>> > 
>> > -- 
>> > Want to help the Review Board project? Donate today at 
>> > http://www.reviewboard.org/donate/ 
>> > Happy user? Let us know at http://www.reviewboard.org/users/ 
>> > -~----------~----~----~----~------~----~------~--~--- 
>> > To unsubscribe from this group, send email to 
>> > reviewboard...@googlegroups.com 
>> > For more options, visit this group at 
>> > http://groups.google.com/group/reviewboard?hl=en 
>>
>>
>>
>> -- 
>>
>> --tucker 
>>
>
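
The bind DN construction described in the top message, as an added example that is not part of the original thread and not ReviewBoard's own code. legacy_bind_dn reproduces the quoted join; check_user_mask, escape_dn_value and safe_bind_dn are hypothetical helpers, and BASE_DN and the user IDs are constructed. It goes beyond the post by also escaping the user ID per RFC 4514 before it is placed in the DN.

```python
import re

BASE_DN = "ou=Users,dc=local"  # constructed, mirrors the thread's settings

# Characters RFC 4514 requires escaping inside an RDN attribute value.
_DN_SPECIALS = re.compile(r'([,+"\\<>;=])')
# One "attr=value" RDN whose value holds no unescaped special character.
_RDN = re.compile(r'[A-Za-z][A-Za-z0-9-]*=(?:[^,+"\\<>;=]|\\.)+')


def escape_dn_value(value):
    """Escape a user-supplied string for use as an RDN value (RFC 4514)."""
    out = _DN_SPECIALS.sub(r"\\\1", value).replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def legacy_bind_dn(user_mask, uid, base_dn=BASE_DN):
    """The join quoted from backends.py line 208: mask expansion + base DN."""
    return ",".join([user_mask % uid, base_dn])


def check_user_mask(user_mask):
    """Return None if the mask can be the first RDN of a bind DN, else why not."""
    if user_mask.count("%s") != 1:
        return "mask must contain exactly one %s"
    if user_mask.startswith("(") or user_mask.endswith(")"):
        return "mask is a search filter, not an RDN"
    if not _RDN.fullmatch(user_mask.replace("%s", "x")):
        return "mask is not a single attr=value RDN"
    return None


def safe_bind_dn(user_mask, uid, base_dn=BASE_DN):
    """Build the bind DN only from an RDN-style mask and an escaped user ID."""
    problem = check_user_mask(user_mask)
    if problem:
        raise ValueError(problem)
    return ",".join([user_mask.replace("%s", escape_dn_value(uid)), base_dn])


if __name__ == "__main__":
    print(legacy_bind_dn("(uid=%s)", "localuser"))  # malformed DN from the post
    print(check_user_mask("(uid=%s)"))
    print(safe_bind_dn("uid=%s", "localuser"))
```
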
