OpenLDAP ITS Incoming/7521
Date: Wed, 06 Feb 2013 12:50:44 +0000
From: tim@cerazone.net
To: openldap-its@OpenLDAP.org
Subject: Passwords with either a comma or period don't authenticate against AD LDAP
Full_Name: Tim Cera
Version: 2.4.23-26.el6_3.2
OS: CentOS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.252.34.1)

Currently using tikiwiki (PHP) with LDAP authentication, and began experimenting with xwiki (Java) also with LDAP authentication. Both against an Active Directory server. With both systems you cannot authenticate a password with either a comma or a period, so I suspect it is the underlying OpenLDAP libraries. The test password had both a comma and a period, and the account is locked right now so I can't easily test which one or both are required to activate the bug.

I did try looking for this bug suspecting that it would have been reported, and didn't find it. Hope this isn't a duplicate.
Date: Wed, 06 Feb 2013 10:15:34 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: tim@cerazone.net, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't authenticate against AD LDAP
--On Wednesday, February 06, 2013 12:50 PM +0000 tim@cerazone.net wrote:

> Full_Name: Tim Cera
> Version: 2.4.23-26.el6_3.2
> OS: CentOS
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (74.252.34.1)
>
>
> Currently using tikiwiki (PHP) with LDAP authentication, and began
> experimenting with xwiki (Java) also with LDAP authentication. Both
> against an Active Directory server. With both systems you cannot
> authenticate a password with either a comma or a period, so suspect it is
> the underlying OpenLDAP libraries. The test password had both a comma
> and period, and the account is locked right now so I can't easily test
> which one or both are required to activate the bug.

I would suspect you are incorrect if you are having this problem with a Java program, since Java would not be linked to the OpenLDAP C libraries.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
From: Tim Cera <TCera@sjrwmd.com>
To: "'openldap-its@OpenLDAP.org'" <openldap-its@OpenLDAP.org>
CC: "'tim@cerazone.net'" <tim@cerazone.net>
Subject: Re: (ITS#7521) Passwords with either a comma or period don't authenticate against AD LDAP
Date: Wed, 6 Feb 2013 18:33:11 +0000
xwiki uses jldap.

http://www.openldap.org/jldap/

Without delving deeper, I don't know whether jldap uses openldap libraries or not. I thought that it might since it was an openldap project. Though if jldap and openldap are different enough, then this issue points to a problem with Active Directory. On the other hand, Windows login, email, ...etc. were unaffected by the comma and period in the password.

Regardless - take the comma and period out of my password, both tikiwiki and xwiki work.
Date: Wed, 06 Feb 2013 10:40:38 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: TCera@sjrwmd.com, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't authenticate against AD LDAP
--On Wednesday, February 06, 2013 6:33 PM +0000 TCera@sjrwmd.com wrote:

> xwiki uses jldap.
>
> http://www.openldap.org/jldap/

JLDAP is written in java, and does not use the OpenLDAP C libraries. If you are going to use Java, I highly recommend you look at the unboundID SDK.

I would also note that PHP's LDAP Support is known to be utterly broken. There is no indication anywhere here in your report that indicates a bug with the OpenLDAP software.

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Date: Wed, 06 Feb 2013 19:17:20 +0000
From: Howard Chu <hyc@symas.com>
To: quanah@zimbra.com, openldap-its@openldap.org
Subject: Re: (ITS#7521) Passwords with either a comma or period don't authenticate against AD LDAP
quanah@zimbra.com wrote:
> --On Wednesday, February 06, 2013 6:33 PM +0000 TCera@sjrwmd.com wrote:
>
>> xwiki uses jldap.
>>
>> http://www.openldap.org/jldap/
>
> JLDAP is written in java, and does not use the OpenLDAP C libraries. If
> you are going to use Java, I highly recommend you look at the unboundID SDK.
>
> I would also note that PHP's LDAP Support is known to be utterly broken.
> There is no indication anywhere here in your report that indicates a bug
> with the OpenLDAP software.

If he could reproduce the issue using OpenLDAP's command line tools, there would be reason to suspect libldap. But no such problem occurs for me using e.g. ldapsearch.

Closing this ITS.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
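A reproduction along the lines Howard Chu asks for, as an added example that is not part of the ITS or of the OpenLDAP project's own code. In a simple bind the password travels as an opaque OCTET STRING (RFC 4511), so a comma or period needs no escaping on the wire; the comma is special only in DN syntax (RFC 4514). What the check below guards against is the test itself mangling the bytes before they reach libldap: the password goes through a mode-0600 file and -y rather than -w (so it also stays out of ps output and shell history), and the file is written with printf '%s' because -y uses the complete file contents, so a trailing newline from echo would silently become part of the password. LDAPURI, BINDDN and the test password are assumptions supplied for the example; ldapwhoami is only invoked when the first two are set.

```shell
#!/bin/sh
# Added example (not from the ITS or OpenLDAP): bind with OpenLDAP's own
# client tools so that tikiwiki/PHP and xwiki/JLDAP are out of the path.
# Assumed environment (not in the report): LDAPURI, e.g. ldap://dc.example.test,
# and BINDDN, the account to bind as (AD also accepts a userPrincipalName here).
set -eu

# Write the password for -y. ldapwhoami/ldapsearch -y read the COMPLETE file,
# so no trailing newline may be added: printf '%s', never echo. mktemp creates
# the file 0600; chmod repeats that in case umask or tmpdir policy differs.
write_pw_file() {
    _pw=$1
    _f=$(mktemp)
    chmod 600 "$_f"
    printf '%s' "$_pw" > "$_f"
    printf '%s' "$_f"
}

# Byte length of the file: a quick way to confirm the password reached the
# file intact (no shell expansion, no added newline) before blaming libldap.
pw_file_len() {
    wc -c < "$1" | tr -d ' '
}

# Simple bind (-x) as $BINDDN against $LDAPURI with the password file in $1.
# Prints the authorization identity on success; on failure AD answers with
# resultCode 49 (invalidCredentials) and ldapwhoami exits non-zero.
repro_bind() {
    ldapwhoami -x -H "$LDAPURI" -D "$BINDDN" -y "$1"
}

# Constructed test password containing both characters named in the report.
PW='Tr0ub4dor,fine.'

# Only talk to a server when the caller supplied one and the tool is present.
if [ -n "${LDAPURI:-}" ] && [ -n "${BINDDN:-}" ] \
   && command -v ldapwhoami >/dev/null 2>&1; then
    pwfile=$(write_pw_file "$PW")
    if repro_bind "$pwfile"; then rc=0; else rc=$?; fi
    rm -f "$pwfile"
    exit "$rc"
fi
```

If the bind succeeds here but still fails from the web application, the defect is in how that application (or its LDAP binding) handles the password string, not in libldap; if it fails here too, the same command with -d -1 shows the BindRequest as sent and is what an ITS report would need to include.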
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org