Re-binding loses Password

Bug #650114 reported by Oliver Pabst
Affects: Products.LDAPUserFolder
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: none

Bug Description

When using LDAPUserFolder with Manager DN Usage in "For login data lookup only" mode, when I try to authenticate to an NDS server, I get this log behaviour:

(9) Dez 12 14:37:22: _lookupuser: Binding as "cn=manager,XXXXXXXXXXXXXX:CORRECTMANAGERPW"
(5) Dez 12 14:36:57: _lookupUser: user_attrs = {'uid': ['XXXXX'], 'givenName': ['Oliver'], 'sn': ['Pabst'], 'mail': ['<email address hidden>'], 'dn': 'cn=opabst,XXXXXXXXXX'}
(9) Dez 12 14:36:57: _lookupuser: Re-binding as "cn=opabst,XXXXXXXXXX:None"
(9) Dez 12 14:36:57: _lookupuser: Binding as "cn=manager,XXXXXXXX:CORRECTMANAGERPW"
(5) Dez 12 14:36:57: _lookupUser: user_attrs = {'cn': ['opabst'], 'aesPassword': ['abcdefghijkl'], 'givenName': ['Oliver'], 'mail': ['<email address hidden>'], 'dn': 'cn=opabst,XXXXXXXXXXXXX', 'ntPassword': ['ABCDEFGHIJKL'], 'sn': ['Pabst'], 'uid': ['opabst']}
(9) Dez 12 14:36:57: _lookupuser: Re-binding as "cn=opabst,XXXXXXXXXXXX:CORRECTUSERPW"
(9) Dez 12 14:36:57: _lookupuser: Binding as "cn=manager,XXXXXXXXXXXXXXX:CORRECTMANAGERPW"
(3) Dez 12 14:36:57: LDAPUserFolder reinitialized by __setstate__
(0) Dez 12 14:36:57: Log buffer cleared

In other words: first it binds with the manager and the correct manager password, then it binds as the user with the correct user password. It then retrieves ALL attributes (and this is desired)... But when I make another call to get the attributes via CMFLDAP, member.getProperty('aesPassword') for example, I get None as the result, and the log says that it binds with the user and the password "None"... Is this normal? I expected the normal user password here...

I am thus missing some attributes that cannot be read anonymously (since no password is provided).

Tags: bug
Oliver Pabst (opabst) wrote :

With this patch, I merged the previous 'clear-text' feature and the failover
to the manager account if the pwd is None.

------
Index: LDAPUserFolder.py
===================================================================
RCS file: /cvs-repository/Products/LDAPUserFolder/LDAPUserFolder.py,v
retrieving revision 1.88
diff -r1.88 LDAPUserFolder.py
250a251,259
> # XXX Is this really working ?
> # XXX If the pwd provided is None, then connect with manager info
> if pwd == None:
> connect_dn = bind_dn
> connect_pwd = bind_pwd
> else:
> connect_dn = dn
> connect_pwd = pwd
>
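Review bot: the fallback at 250a251,259 makes any caller that reaches _lookupuser with pwd None read the directory with the manager's rights instead of the user's, so the server-side ACLs that normally limit what a user may see of an entry are bypassed for that lookup; re-binding with the credentials of the user already authenticated in the request (which is what the 2.0beta3 fix in this thread does) keeps those ACLs in force and needs no manager fallback. Two smaller points in the same block: `if pwd == None:` should be `if pwd is None:`, and the two `# XXX` comments ("Is this really working ?") should be resolved or removed before this is merged rather than shipped as open questions.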
253c262
< msg = '_lookupuser: Re-binding as "%s:%s"' % (dn, pwd)
---
> msg = '_lookupuser: Re-binding as "%s:%s"' % (connect_dn,
connect_pwd)
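Review bot: the rewritten message at 253c262 still interpolates connect_pwd into the log line, and with this patch that value is the manager password whenever pwd is None; the log excerpt in the report above already shows CORRECTMANAGERPW and CORRECTUSERPW verbatim at debug level. Log only the DN, e.g. `msg = '_lookupuser: Re-binding as "%s"' % connect_dn`, or substitute a fixed placeholder for the password.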
260,261c269,270
< , bind_dn=dn
< , bind_pwd=pwd or ''
---
> , bind_dn=connect_dn
> , bind_pwd=connect_pwd or ''
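Review bot: `bind_pwd=connect_pwd or ''` at 260,261c269,270 means that an unset manager password (bind_pwd empty or None in the folder configuration) turns the new fallback into a bind as the manager DN with an empty password; LDAP servers treat a DN with an empty password as an unauthenticated bind and grant anonymous rights rather than rejecting it, so the lookup would quietly return the same reduced attribute set the report complains about, now under the manager's name. Check that connect_pwd is non-empty before binding and emit a distinct warning when it is not.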
265c274
< msg = '_lookupuser: "%s" lookup fails bound as "%s"' %
(dn, dn)
---
> msg = '_lookupuser: "%s" lookup fails bound as "%s"' %
(connect_dn, connect_dn)
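Review bot: at 265c274 the first %s was the DN being looked up (dn) and is now connect_dn, so when the manager fallback is taken the failure message names the manager twice and no longer says whose lookup failed; keep `(dn, connect_dn)` as the arguments so the message still identifies both the target entry and the bind identity.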
268c277
<
---
>
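Review bot: 268c277 is a whitespace-only change (an empty line replaced by an empty line) and should be dropped from the patch so the diff carries only the behavioural changes.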
1397c1406
< return ('SHA', 'SSHA')
---
> return ('clear', 'SHA', 'SSHA')
1399c1408
< return ('crypt', 'SHA', 'SSHA')
---
> return ('clear', 'crypt', 'SHA', 'SSHA')
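Review bot: adding 'clear' to the tuples returned at 1397c1406 and 1399c1408 advertises plaintext userPassword storage next to the hashed schemes with nothing to mark it as the insecure option; the UI label and the changelog should state that 'clear' writes the password unhashed into the directory, and its position at the head of both tuples is worth reconsidering if anything treats the first entry as the default.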
Index: utils.py
===================================================================
RCS file: /cvs-repository/Products/LDAPUserFolder/utils.py,v
retrieving revision 1.11
diff -r1.11 utils.py
72a73,74
> elif encoding == 'clear':
> pwd_str = password
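Review bot: the new branch at 72a73,74 assigns the raw password to pwd_str without a comment, so a later reader has no hint that this value is the only one of the supported encodings that leaves the password recoverable; add a comment saying it is stored unhashed, and make sure nothing downstream logs pwd_str, since the bind messages elsewhere in this patch already print passwords.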

Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote :

oliver,

there's a much simpler patch for this specific situation: if the password is None, simply skip the re-binding completely. it's just added work to bind again and retrieve results you already have.

i am going to test the simple patch a little and see how it does.

jens

Jens Vagelpohl (dataflake-deactivatedaccount-deactivatedaccount) wrote :

oliver,

i just checked in a more correct patch. my patch will grab the current user's DN and password to bind if the passed-in password to _lookupuser is None.

this change is in version 2.0beta3 which i just uploaded to the site. please test it out and let me know if things work well for you.

jens
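The bind / re-bind sequence described in the bug report, and the 2.0beta3 fix as Jens describes it, modelled in Python as an added example; this is not code from Products.LDAPUserFolder. ToyDirectory and its access rules, the DNs under o=example, the mail address and the attribute values are constructed stand-ins for the NDS server in the report, and `current_user` stands for the DN/password cached at login that the thread mentions without naming. The toy server also models the LDAP rule that a DN with an empty password is an unauthenticated bind with anonymous rights, which is why `bind_pwd=pwd or ''` drops the restricted attributes instead of failing.

```python
"""Model of LDAPUserFolder's lookup / re-bind sequence (added example)."""
from typing import Dict, List, Optional, Tuple

MANAGER_DN = "cn=manager,o=example"     # constructed
MANAGER_PW = "CORRECTMANAGERPW"
USER_DN = "cn=opabst,o=example"         # constructed
USER_PW = "CORRECTUSERPW"

# One constructed entry; attribute names follow the log lines in the report.
ENTRY: Dict[str, List[str]] = {
    "uid": ["opabst"], "cn": ["opabst"], "givenName": ["Oliver"],
    "sn": ["Pabst"], "mail": ["opabst@example.invalid"],
    "aesPassword": ["abcdefghijkl"], "ntPassword": ["ABCDEFGHIJKL"],
}
PUBLIC_ATTRS = {"uid", "cn", "givenName", "sn", "mail"}   # readable anonymously
CREDENTIALS = {MANAGER_DN: MANAGER_PW, USER_DN: USER_PW}


class ToyDirectory:
    """Minimal LDAP-like server: bind() returns the effective identity,
    search() returns only the attributes that identity may read."""

    def bind(self, dn: str, pwd: str) -> Optional[str]:
        # RFC 4513 s.5.1.2: a DN plus an empty password is an *unauthenticated*
        # bind. Servers that accept it give the session anonymous rights, which
        # is modelled here as identity None rather than as an error.
        if pwd == "":
            return None
        if CREDENTIALS.get(dn) != pwd:
            raise PermissionError("invalidCredentials for %s" % dn)
        return dn

    def resolve(self, uid: str) -> Optional[str]:
        """uid -> DN, the step the manager bind is used for."""
        return USER_DN if ENTRY["uid"] == [uid] else None

    def search(self, identity: Optional[str], dn: str) -> Dict[str, List[str]]:
        if dn != USER_DN:
            return {}
        if identity in (MANAGER_DN, dn):       # manager, or the entry's owner
            visible = set(ENTRY)
        else:                                  # anonymous / unauthenticated
            visible = PUBLIC_ATTRS
        return {a: v for a, v in ENTRY.items() if a in visible}


def safe_bind_msg(dn: str, pwd: Optional[str]) -> str:
    """Bind log line that never echoes the secret (the report's own log
    prints CORRECTMANAGERPW and CORRECTUSERPW verbatim)."""
    shown = "<none>" if pwd is None else "<%d chars>" % len(pwd)
    return '_lookupuser: Re-binding as "%s:%s"' % (dn, shown)


def lookup_user_original(server: ToyDirectory, uid: str, pwd: Optional[str]):
    """Sequence the report shows: bind as manager to find the entry, then
    re-bind as the user with `pwd or ''`, so a None password becomes an
    unauthenticated bind and the restricted attributes silently disappear."""
    server.bind(MANAGER_DN, MANAGER_PW)
    dn = server.resolve(uid)
    if dn is None:
        return None
    identity = server.bind(dn, pwd or "")
    return server.search(identity, dn)


def lookup_user_fixed(server: ToyDirectory, uid: str, pwd: Optional[str],
                      current_user: Tuple[str, str]):
    """Fix as described in the thread for 2.0beta3: when the passed-in password
    is None, re-bind with the DN and password of the user who already
    authenticated in this request (current_user, assumed cached at login)."""
    server.bind(MANAGER_DN, MANAGER_PW)
    dn = server.resolve(uid)
    if dn is None:
        return None
    bind_dn, bind_pwd = (dn, pwd) if pwd is not None else current_user
    identity = server.bind(bind_dn, bind_pwd)
    return server.search(identity, dn)


if __name__ == "__main__":
    d = ToyDirectory()
    print(safe_bind_msg(USER_DN, None))
    print("original, pwd=None:", sorted(lookup_user_original(d, "opabst", None)))
    print("fixed, pwd=None:   ",
          sorted(lookup_user_fixed(d, "opabst", None, (USER_DN, USER_PW))))
```

Running the script shows the original path returning only the five public attributes for a None password, while the fixed path, bound with the cached user credentials, returns aesPassword and ntPassword as well; a wrong password in either path raises PermissionError rather than degrading to anonymous.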

Oliver Pabst (opabst) wrote :

jens,

my tests passed without problems... nice version!

> -----Original Message-----
> From: JTracker [SMTP:<email address hidden>]
> Sent: Friday, 13 December 2002 02:59
> To: Oliver Pabst
> Subject: [Tracker] LDAP User Folder followup: "Re-binding loses
> Password" (issue_00210)
>
> Issue followup (Resolve) by Jens Vagelpohl (<email address hidden>):
>
> "Re-binding loses Password"
> http://www.dataflake.org/software/tracker/issue_00210
>
> ----------
>
> oliver,
>
> i just checked in a more correct patch. my patch will grab the current
> user's DN and password to bind if the passed-in password to _lookupuser is
> None.
>
> this change is in version 2.0beta3 which i just uploaded to the site.
> please test it out and let me know if things work well for you.
>
> jens
>
>
> ----------
>
> Sent automatically by JTracker "Report Bugs" at
> http://www.dataflake.org/software/tracker
