Chris,

Are you using the LDAP auth backend or the AD backend? I know we had some
issues with usernames or other filters that needed to be escaped for AD,
but I don't think we've run into equivalent bugs (+fixes) for the basic
LDAP backend.

Is there anything unique about the username?

-David


On Wed, Dec 4, 2013 at 3:52 PM, Chris Armstrong <chris.armstr...@socrata.com
> wrote:

> More evidence that this appears to be an issue with ReviewBoard handling
> this success case - trying a bad password raises the correct error, meaning
> the user account is indeed found and returned by LDAP:
>
> [03/Dec/2013:17:52:03 -0800] CONNECT conn=42698
> from=reviewboard:32879 to=ldap:1636 protocol=LDAPS
> [03/Dec/2013:17:52:03 -0800] BIND REQ conn=42698 op=0 msgID=1 type=SIMPLE
> dn=""
> [03/Dec/2013:17:52:03 -0800] BIND RES conn=42698 op=0 msgID=1 result=0
> authDN="" etime=1
> [03/Dec/2013:17:52:03 -0800] SEARCH REQ conn=42698 op=1 msgID=2
> base="dc=socrata,dc=com" scope=wholeSubtree filter="(uid=johndoe)"
> attrs="ALL"
> [03/Dec/2013:17:52:03 -0800] SEARCH RES conn=42698 op=1 msgID=2 result=0
> nentries=1 etime=1
> [03/Dec/2013:17:52:03 -0800] BIND REQ conn=42698 op=2 msgID=3 type=SIMPLE
> dn="uid=johndoe,ou=Employees,dc=socrata,dc=com"
> [03/Dec/2013:17:52:03 -0800] BIND RES conn=42698 op=2 msgID=3 result=49
> authFailureID=196887 authFailureReason="The password provided by the user
> did not match any password(s) stored in the user's entry" etime=0
> [03/Dec/2013:17:52:03 -0800] UNBIND REQ conn=42698 op=3 msgID=4
> [03/Dec/2013:17:52:03 -0800] DISCONNECT conn=42698 reason="Client Unbind"
>
> ReviewBoard
> 2013-12-04 01:52:03,633 - WARNING -  - LDAP error: The specified object
> does not exist in the Directory or provided invalid credentials:
> (uid=johndoe)
>
>
> On Wed, Dec 4, 2013 at 3:41 PM, Chris Armstrong <
> chris.armstr...@socrata.com> wrote:
>
>> I'm trying to get a new user provisioned in ReviewBoard. His account
>> exists in LDAP, but when he tries to log into ReviewBoard, he triggers a
>> "Bad search filter" error:
>>
>> 2013-12-04 01:51:59,695 - WARNING -  - LDAP error: {'desc': 'Bad search
>> filter'}
>>
>> The LDAP server seems to be perfectly happy:
>>
>> [03/Dec/2013:17:51:59 -0800] CONNECT conn=42697
>> from=reviewboard:32876to=ldap:1636 protocol=LDAPS
>> [03/Dec/2013:17:51:59 -0800] BIND REQ conn=42697 op=0 msgID=1 type=SIMPLE
>> dn=""
>> [03/Dec/2013:17:51:59 -0800] BIND RES conn=42697 op=0 msgID=1 result=0
>> authDN="" etime=0
>> [03/Dec/2013:17:51:59 -0800] SEARCH REQ conn=42697 op=1 msgID=2
>> base="dc=socrata,dc=com" scope=wholeSubtree filter="(uid=johndoe)"
>> attrs="ALL"
>> [03/Dec/2013:17:51:59 -0800] SEARCH RES conn=42697 op=1 msgID=2 result=0
>> nentries=1 etime=1
>> [03/Dec/2013:17:51:59 -0800] BIND REQ conn=42697 op=2 msgID=3 type=SIMPLE
>> dn="uid= johndoe,ou=Employees,dc=socrata,dc=com"
>> [03/Dec/2013:17:51:59 -0800] BIND RES conn=42697 op=2 msgID=3 result=0
>> authDN="uid= johndoe,ou=Employees,dc=socrata,dc=com" etime=1
>> [03/Dec/2013:17:51:59 -0800] UNBIND REQ conn=42697 op=3 msgID=5
>> [03/Dec/2013:17:51:59 -0800] DISCONNECT conn=42697 reason="Client Unbind"+
>>
>> For comparison, I logged in successfully, and the output seems to be
>> identical:
>>
>> [04/Dec/2013:09:42:38 -0800] CONNECT conn=42706
>> from=reviewboard:34744to=ldap:1636 protocol=LDAPS
>> [04/Dec/2013:09:42:39 -0800] BIND REQ conn=42706 op=0 msgID=1 type=SIMPLE
>> dn=""
>> [04/Dec/2013:09:42:39 -0800] BIND RES conn=42706 op=0 msgID=1 result=0
>> authDN="" etime=0
>> [04/Dec/2013:09:42:39 -0800] SEARCH REQ conn=42706 op=1 msgID=2
>> base="dc=socrata,dc=com" scope=wholeSubtree filter="(uid=carmstrong)"
>> attrs="ALL"
>> [04/Dec/2013:09:42:39 -0800] SEARCH RES conn=42706 op=1 msgID=2 result=0
>> nentries=1 etime=0
>> [04/Dec/2013:09:42:39 -0800] BIND REQ conn=42706 op=2 msgID=3 type=SIMPLE
>> dn="uid=carmstrong,ou=Employees,dc=socrata,dc=com"
>> [04/Dec/2013:09:42:39 -0800] BIND RES conn=42706 op=2 msgID=3 result=0
>> authDN="uid=carmstrong,ou=Employees,dc=socrata,dc=com" etime=1
>> [04/Dec/2013:09:42:39 -0800] UNBIND REQ conn=42706 op=3 msgID=4
>> [04/Dec/2013:09:42:39 -0800] DISCONNECT conn=42706 reason="Client Unbind"
>>
>> We were running 1.7.16, but I upgraded to 1.7.19 and still see the issue.
>> The workaround for this is to provision them in ReviewBoard manually, but
>> obviously this is less-than-ideal as it defeats the entire purpose of
>> LDAP...
>>
>> Does anyone have any idea what this can be? Did the provisioning of new
>> users from LDAP break some time ago, and noone noticed?
>>
>> --
>> Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
>> ---
>> Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
>> ---
>> Happy user? Let us know at http://www.reviewboard.org/users/
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "reviewboard" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to reviewboard+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
>
> --
> Chris Armstrong, Site Reliability Engineer at Socrata
>
> --
> Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
> ---
> Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
> ---
> Happy user? Let us know at http://www.reviewboard.org/users/
> ---
> You received this message because you are subscribed to the Google Groups
> "reviewboard" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to reviewboard+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>

-- 
Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
---
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
---
Happy user? Let us know at http://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to