OpenLDAP
Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest

Viewing Incoming/7521
Full headers

From: tim@cerazone.net
Subject: Passwords with either a comma or period don't authenticate against AD LDAP
Compose comment
Download message
State:
0 replies:
4 followups: 1 2 3 4

Major security issue: yes  no

Notes:

Notification:


Date: Wed, 06 Feb 2013 12:50:44 +0000
From: tim@cerazone.net
To: openldap-its@OpenLDAP.org
Subject: Passwords with either a comma or period don't authenticate against AD LDAP
Full_Name: Tim Cera
Version: 2.4.23-26.el6_3.2
OS: CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.252.34.1)


Currently using tikiwki (PHP) with LDAP authentication, and began experimenting
with xwiki (Java) also with LDAP authentication.  Both against an Active
Directory server.  With both systems you cannot authenticate a password with
either a comma or a period, so suspect it is the underlying OpenLDAP libraries. 
The test password had both a comma and period, and the account is locked right
now so I can't easily test which one or both are required to activate the bug.

I did try looking for this bug suspecting that it would have been reported, and
didn't find it.  Hope this isn't a duplicate.

Followup 1

Download message
Date: Wed, 06 Feb 2013 10:15:34 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: tim@cerazone.net, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't
 authenticate against AD LDAP
--On Wednesday, February 06, 2013 12:50 PM +0000 tim@cerazone.net wrote:

> Full_Name: Tim Cera
> Version: 2.4.23-26.el6_3.2
> OS: CentOS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (74.252.34.1)
>
>
> Currently using tikiwki (PHP) with LDAP authentication, and began
> experimenting with xwiki (Java) also with LDAP authentication.  Both
> against an Active Directory server.  With both systems you cannot
> authenticate a password with either a comma or a period, so suspect it is
> the underlying OpenLDAP libraries.  The test password had both a comma
> and period, and the account is locked right now so I can't easily test
> which one or both are required to activate the bug.

I would suspect you are incorrect if you are having this problem with a 
Java program, since Java would not be linked to the OpenLDAP C libraries.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 2

Download message
From: Tim Cera <TCera@sjrwmd.com>
To: "'openldap-its@OpenLDAP.org'" <openldap-its@OpenLDAP.org>
CC: "'tim@cerazone.net'" <tim@cerazone.net>
Subject: Re: (ITS#7521) Passwords with either a comma or period don't
 authenticate against AD LDAP
Date: Wed, 6 Feb 2013 18:33:11 +0000
--_000_EE54DB3B9E0D63489B0845CE62912E8C3BAD846ABY2PRD0511MB441_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

xwiki uses jldap.

http://www.openldap.org/jldap/

Without delving deeper, I don't know whether jldap uses openldap libraries =
or not.  I thought that it might since it was an openldap project.  Though =
if jldap and openldap are different enough then this issue points to a prob=
lem then with Active Directory.  On the other hand, Windows login, email, .=
..etc. were unaffected by the comma and period in the password.

Regardless - take the comma and period out of my password, both tikiwiki an=
d xwiki work.

--_000_EE54DB3B9E0D63489B0845CE62912E8C3BAD846ABY2PRD0511MB441_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
<meta name=3D"Generator" content=3D"Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
-->
</style><!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">xwiki uses jldap.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">http://www.openldap.org/jldap/<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Without delving deeper, I don't know whether jldap
u=
ses openldap libraries or not.&nbsp; I thought that it might since it was a=
n openldap project.&nbsp; Though if jldap and openldap are different enough=
 then this issue points to a problem then with
 Active Directory.&nbsp; On the other hand, Windows login, email,
&#8230;et=
c. were unaffected by the comma and period in the password.&nbsp;
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Regardless - take the comma and period out of my
pas=
sword, both tikiwiki and xwiki work.
<o:p></o:p></p>
</div>
</body>
</html>

--_000_EE54DB3B9E0D63489B0845CE62912E8C3BAD846ABY2PRD0511MB441_--



Followup 3

Download message
Date: Wed, 06 Feb 2013 10:40:38 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: TCera@sjrwmd.com, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't
 authenticate against AD LDAP
--On Wednesday, February 06, 2013 6:33 PM +0000 TCera@sjrwmd.com wrote:

> --_000_EE54DB3B9E0D63489B0845CE62912E8C3BAD846ABY2PRD0511MB441_
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
>
> xwiki uses jldap.
>
> http://www.openldap.org/jldap/

JLDAP is written in java, and does not use the OpenLDAP C libraries.  If 
you are going to use Java, I highly recommend you look at the unboundID SDK.

I would also note that PHP's LDAP Support is known to be utterly broken. 
There is no indication anywhere here in your report that indicates a bug 
with the OpenLDAP software.

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 4

Download message
Date: Wed, 06 Feb 2013 19:17:20 +0000
From: Howard Chu <hyc@symas.com>
To: quanah@zimbra.com, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't authenticate
 against AD LDAP
quanah@zimbra.com wrote:
> --On Wednesday, February 06, 2013 6:33 PM +0000 TCera@sjrwmd.com wrote:
>
>> --_000_EE54DB3B9E0D63489B0845CE62912E8C3BAD846ABY2PRD0511MB441_
>> Content-Type: text/plain; charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>>
>> xwiki uses jldap.
>>
>> http://www.openldap.org/jldap/
>
> JLDAP is written in java, and does not use the OpenLDAP C libraries.  If
> you are going to use Java, I highly recommend you look at the unboundID
SDK.
>
> I would also note that PHP's LDAP Support is known to be utterly broken.
> There is no indication anywhere here in your report that indicates a bug
> with the OpenLDAP software.

If he could reproduce the issue using OpenLDAP's command line tools, there 
would be reason to suspect libldap. But no such problem occurs for me using 
e.g. ldapsearch. Closing this ITS.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


Up to top level
Build   Contrib   Development   Documentation   Historical   Incoming   Software Bugs   Software Enhancements   Web  

Logged in as guest


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org