Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CS12 LDAP Cannot Handle Duplicated "uid:" field For the Username #71

Closed
sean-horn opened this issue Jan 27, 2015 · 3 comments
Closed

CS12 LDAP Cannot Handle Duplicated "uid:" field For the Username #71

sean-horn opened this issue Jan 27, 2015 · 3 comments
Assignees
@stevendanna
Labels
Component: ldap Type: Bug Does not work as expected.

Comments

@sean-horn
Copy link
Contributor

  1. Attempt a login on an LDAP configured CS12 system with Manage as a valid user
  2. Login fails if LDAP user record contains more than one "uid:" field. Which one should we choose?

As a customer, I would like Chef Server 12 to handle duplicated fields in user records, like two uid: fields as in

uid: someguy
uid: someguy@SOMEPLACE.SOMEWHERE.COM

CS12 seems to be tripping up on the above arrangement here
https://github.com/opscode/oc_erchef/blob/95d80e2af0b143e66c111584ed4626db8cfa6663/apps/oc_chef_wm/src/oc_chef_wm_authn_ldap.erl#L155-L159

redbug debugging results and full user record can be found in ZenDesk 2555

redbug results for find_and_authenticate for the above data were

% 16:27:19 <0.809.0>({mochiweb_acceptor,init,3}) 
% oc_chef_wm_authn_ldap:find_and_authenticate_user/4 -> {error, 
{badmatch, 
["someguy", 
"someguy@SOMEPLACE.SOMEWHERE.COM"]}}

This bug has lower priority than #68
@sean-horn sean-horn added the bug label Jan 27, 2015
@sean-horn
Copy link
Contributor Author

Great rundown of the issue from the Samba project: https://bugzilla.samba.org/show_bug.cgi?id=6157

TL:DR We should pick the first "uid:" attribute found in the user record, because that's what nss_ldap would do. For compatibility with Manage, we would need to choose the one that is only letters, numbers, underscores.

@seth
Copy link
Contributor

seth commented Jan 28, 2015

What's the failure we're seeing? If there are duplicate fields in a
proplist, then the proplist accessors should pick the first value. So from
a quick read of the link you gave I was thinking the code would do what we
want?

@stevendanna
Copy link
Contributor

My hunch is that eldap is handing us back something like:

[{uid, ["bob"]}, {other, ldap_stuff}]

which works great with https://github.com/chef/oc_erchef/blob/95d80e2af0b143e66c111584ed4626db8cfa6663/apps/oc_chef_wm/src/oc_chef_wm_authn_ldap.erl#L156 But when we have multiple Uid fields, if eldap_search is handing us back:

[{uid, ["bob", "bobby"]}, {other, ldap_stuff}]

Then that match will fail:

15> [Uid] = proplists:get_value(uid, [{uid, ["bob", "bobby"]}, {other, ldap_stuff}]).
** exception error: no match of right hand side value ["bob","bobby"]

@stevendanna stevendanna self-assigned this Feb 2, 2015
stevendanna added a commit to chef-boneyard/oc_erchef that referenced this issue Feb 6, 2015
@stevendanna
Allow multiple LoginAttr fields in LDAP user record.
b294a8c 
It is not uncommone for an LDAP record to have multiple copies of a
field, allowing users to be found more easily during search and to
account for name changes through time.  This change accounts for
multiple copies of the LoginAttr field by simply taking the first one
that matches the username we were given.

Closes chef/chef-server#71
@stevendanna stevendanna mentioned this issue Feb 7, 2015
Merged
@tas50 tas50 added Type: Bug Does not work as expected. and removed bug labels Jan 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stevendanna stevendanna

Labels
Component: ldap Type: Bug Does not work as expected.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@seth @stevendanna @tas50 @sean-horn