Re: Issue 3069 in reviewboard: LDAP auth should use fully qualified DN for user bind

2013-08-29 Thread reviewboard

Updates:
Status: Fixed

Comment #6 on issue 3069 by trowb...@gmail.com: LDAP auth should use fully  
qualified DN for user bind

http://code.google.com/p/reviewboard/issues/detail?id=3069

Fixed in release-1.7.x (39c6ab6). Thanks!

--
You received this message because this project is configured to send all  
issue notifications to this address.

You may adjust your notification preferences at:
https://code.google.com/hosting/settings

--
You received this message because you are subscribed to the Google Groups 
reviewboard-issues group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at http://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/groups/opt_out.


Re: Issue 3069 in reviewboard: LDAP auth should use fully qualified DN for user bind

2013-08-26 Thread reviewboard


Comment #3 on issue 3069 by hgloc...@gmail.com: LDAP auth should use fully  
qualified DN for user bind

http://code.google.com/p/reviewboard/issues/detail?id=3069

http://reviews.reviewboard.org currently gives me a 403 error.

See the diff below, but please note I am not a Python developer...


--- backends.py.orig2013-08-26 08:58:38.937586726 +0200
+++ backends.py 2013-08-26 09:04:24.114355191 +0200
@@ -204,10 +204,13 @@ class LDAPBackend(AuthBackend):
 ldapo.bind_s(search[0][0], password)

 else :
-# Attempt to bind using the given uid and password. It may  
be

-# that we really need a setting for how the DN in this is
-# constructed; this way is correct for my system
-userbinding=','.join([uid,settings.LDAP_BASE_DN])
+# Bind anonymously to the server, then search for the user  
with the
+# given base DN and uid. If user is found a fully  
qualified DN is
+# returned. Authentication then is done with bind using  
this fully

+# qualified DN.
+ldapo.simple_bind_s()
+search = ldapo.search_s(settings.LDAP_BASE_DN,  
ldap.SCOPE_SUBTREE, uid)

+userbinding=search[0][0]
 ldapo.bind_s(userbinding, password)

 return self.get_or_create_user(username, ldapo)
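
Review bot: userbinding=search[0][0] indexes the search result without checking it, so a login name that matches no entry raises IndexError at that line instead of producing an authentication failure, and a filter that matches several entries binds as whichever comes first. Check that search holds exactly one entry before calling bind_s and treat anything else as a failed login. uid is also handed to search_s as the filter string; if it is built from the submitted username, pass the username through ldap.filter.escape_filter_chars first. The new simple_bind_s() call assumes the server allows anonymous search, which is worth stating in the comment.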




Re: Issue 3069 in reviewboard: LDAP auth should use fully qualified DN for user bind

2013-08-26 Thread reviewboard


Comment #4 on issue 3069 by hgloc...@gmail.com: LDAP auth should use fully  
qualified DN for user bind

http://code.google.com/p/reviewboard/issues/detail?id=3069

This should also fix issue 2836.



Issue 3069 in reviewboard: LDAP auth should use fully qualified DN for user bind

2013-08-25 Thread reviewboard

Status: New
Owner: 
Labels: Type-Defect Priority-Medium

New issue 3069 by hgloc...@gmail.com: LDAP auth should use fully qualified  
DN for user bind

http://code.google.com/p/reviewboard/issues/detail?id=3069

What version are you running?
1.7.13

What steps will reproduce the problem?
1. Configure reviewboard for LDAP configuration
2. Do not fill in anonymous user/password
3. Set base DN to dc=mycompany.com, set user string to log=%s

What is the expected output? What do you see instead?
Users should be able to login to the reviewboard, but they get
authentication failure.

What operating system are you using? What browser?
Linux/Firefox

Please provide any additional information below.
The problem is in the LDAP authentication code:
When no anonymous user/password is configured, reviewboard LDAP
code tries to authenticate the user by binding to the LDAP server.
For the user DN, it assembles the combination of given login name and
base DN itself. In my example above, this would be log=xyz,dc=mycompany.com.
This does not work on our LDAP server, as the LDAP server expects a fully
qualified DN for the user.


I changed the code a bit to first search anonymously for this fully
qualified DN and then use it to bind (authenticate) with the server:

1) bind_s()  bind on the LDAP server anonymously
2) LDAP search for the user with username and base DN (log=%s,dc=mycompany.com)
3) search[0][0] has the fully qualified DN of the user
4) now bind with the fully qualified DN of the user and password

I think this mechanism should work on all LDAP servers and it is
a more generic way, so it will also work on LDAP servers that
require the fully qualified user dn for authentication.









Re: Issue 3069 in reviewboard: LDAP auth should use fully qualified DN for user bind

2013-08-25 Thread reviewboard


Comment #1 on issue 3069 by hgloc...@gmail.com: LDAP auth should use fully  
qualified DN for user bind

http://code.google.com/p/reviewboard/issues/detail?id=3069

The suggested change basically does the same as reviewboard is already
doing when an anonymous user/password is configured. Then it binds with the
anonymous user, then searches for the user to log in with base DN and the
uid. After that it does the bind with the found user's fully qualified DN
(result from search[0][0]).
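
The four-step search-then-bind sequence from the issue report and from comment #1, written out with the checks a login path needs. This is an added example, not Review Board's code: conn stands for a python-ldap connection object, while FakeDirectory, BindFailed and the ou=staff / ou=ops entries are constructed so that it runs without a server.

```python
# Added example: search-then-bind with the checks a login path needs.
# `conn` is any object with python-ldap's simple_bind_s()/search_s() methods.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE


class BindFailed(Exception):
    """Hypothetical stand-in for ldap.INVALID_CREDENTIALS."""


def escape_filter_value(value):
    # RFC 4515: hex-escape characters that are special inside a filter.
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c
                   for c in value)


def authenticate(conn, base_dn, uid_mask, username, password):
    """Return the user's fully qualified DN on success, else None."""
    if not username or not password:
        return None  # a bind with an empty password proves nothing
    conn.simple_bind_s()                                   # 1) anonymous bind
    flt = '(%s)' % (uid_mask % escape_filter_value(username))
    results = conn.search_s(base_dn, SCOPE_SUBTREE, flt)   # 2) find the entry
    if len(results) != 1:
        return None  # unknown or ambiguous user: do not index blindly
    user_dn = results[0][0]                                # 3) fully qualified DN
    try:
        conn.simple_bind_s(user_dn, password)              # 4) bind as the user
    except BindFailed:
        return None
    return user_dn


class FakeDirectory:
    """Constructed in-memory server; entries sit below the base DN."""
    ENTRIES = {'log=xyz,ou=staff,dc=mycompany.com': ('xyz', 's3cret'),
               'log=abc,ou=ops,dc=mycompany.com': ('abc', 'hunter2')}

    def simple_bind_s(self, who='', cred=''):
        if not who or not cred:
            return  # modelled as an anonymous/unauthenticated bind
        if self.ENTRIES.get(who, (None, None))[1] != cred:
            raise BindFailed(who)

    def search_s(self, base, scope, filterstr):
        want = filterstr[len('(log='):-1]  # only (log=<value>) is modelled
        return [(dn, {'log': [uid]}) for dn, (uid, _) in self.ENTRIES.items()
                if dn.endswith(base) and want in ('*', uid)]
```

In this constructed directory the self-assembled DN log=xyz,dc=mycompany.com does not exist, so a direct bind with it fails while the searched DN succeeds.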

