Kitware / CDash

An open source, web-based software testing server
http://www.cdash.org/

non ldap but already registered user can't login when ldap authentication is activated. #2037

Open vlebourl opened 8 months ago

vlebourl commented 8 months ago

Bug report

Expected Behavior

Being able to log in with both LDAP and local users.

Actual Behavior

The LDAP user is logging in correctly, but the existing local user can't log in.

CDash Version

v3.2.3

Additional Information

In the .env file, using this:

CDASH_ROOT_ADMIN_EMAIL=admin@host.com
CDASH_ROOT_ADMIN_PASS=<password>
# USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true

# CDASH_AUTHENTICATION_PROVIDER=ldap
# LDAP_HOSTS=sub.host.com
# LDAP_BASE_DN="cn=users,dc=host,dc=com"
# LDAP_USERNAME="cn=cdash,cn=users,dc=host,dc=com"
# LDAP_PASSWORD=${DB_PASSWORD}
# LDAP_BIND_USERS_BY=userPrincipalName
# LDAP_PROVIDER=activedirectory

I can log in correctly.

Using

CDASH_ROOT_ADMIN_EMAIL=admin@host.com
CDASH_ROOT_ADMIN_PASS=<password>
USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true

CDASH_AUTHENTICATION_PROVIDER=ldap
LDAP_HOSTS=sub.host.com
LDAP_BASE_DN="cn=users,dc=host,dc=com"
LDAP_USERNAME="cn=cdash,cn=users,dc=host,dc=com"
LDAP_PASSWORD=${DB_PASSWORD}
LDAP_BIND_USERS_BY=userPrincipalName
LDAP_PROVIDER=activedirectory

An LDAP user can log in correctly, but user admin@host.com can't log in anymore. The testing.INFO log shows:

cdash           | [Fri Feb 16 14:38:53.058313 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Binding - Username: cn=cdash,cn=users,dc=host,dc=com  \n, referer: https://cdash.host.com/index.php?project=Project
cdash           | [Fri Feb 16 14:38:53.093743 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Bound - Username: cn=cdash,cn=users,dc=host,dc=com  \n, referer: https://cdash.host.com/index.php?project=Project
cdash           | [Fri Feb 16 14:38:53.097430 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Search - Base DN: cn=users,dc=host,dc=com - Filter: (&(objectclass=user)(objectcategory=person)(!(objectclass=contact))(mail=admin@host.com)) - Selected: (*,objectguid) - Time Elapsed: 2  \n, referer: https://cdash.host.com/index.php?project=Project

My understanding was that USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true would allow logging in with the non-LDAP user even though LDAP authentication is activated. But I guess I'm wrong. How could I circumvent that? Thanks very much for the help.
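As an added example (not part of the issue and not CDash code), this Python script reads log lines in the format quoted above and lists the mail addresses that were searched in LDAP with no later bind by a non-service account, which is the pattern the report shows for admin@host.com. It assumes a directory hit would be followed by a `Binding` line for that user; the function name, `SERVICE_DN` constant and trimmed sample lines are constructed here.

```python
import re

# Constructed sample: the three LDAP log lines from the report, trimmed to the
# part after the Apache/PHP prefix (host names are the report's placeholders).
SAMPLE_LOG = """\
testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Binding - Username: cn=cdash,cn=users,dc=host,dc=com  \\n, referer: https://cdash.host.com/index.php?project=Project
testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Bound - Username: cn=cdash,cn=users,dc=host,dc=com  \\n, referer: https://cdash.host.com/index.php?project=Project
testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Search - Base DN: cn=users,dc=host,dc=com - Filter: (&(objectclass=user)(objectcategory=person)(!(objectclass=contact))(mail=admin@host.com)) - Selected: (*,objectguid) - Time Elapsed: 2  \\n, referer: https://cdash.host.com/index.php?project=Project
"""
SERVICE_DN = "cn=cdash,cn=users,dc=host,dc=com"  # LDAP_USERNAME from the report

OP_RE = re.compile(
    r"testing\.INFO: LDAP \((?P<url>[^)]+)\) - Connection: (?P<conn>\S+)"
    r" - Operation: (?P<op>\w+) - (?P<rest>.*)"
)
MAIL_RE = re.compile(r"\(mail=([^)]+)\)")
# The name ends at the literal "\n" the logger appends, or at end of line.
USER_RE = re.compile(r"Username: (.+?)\s*(?:\\n|$)")


def lookups_without_user_bind(log_text, service_dn):
    """Return searched mail addresses that no non-service bind followed."""
    pending = []  # addresses searched, still waiting for a bind as that user
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # not an LDAP operation line
        op, rest = m.group("op"), m.group("rest")
        if op == "Search":
            mail = MAIL_RE.search(rest)
            if mail:
                pending.append(mail.group(1))
        elif op == "Binding":
            user = USER_RE.search(rest)
            # Assumption: a bind under any name other than the service
            # account is the password check for the most recent lookup.
            if user and user.group(1).lower() != service_dn.lower() and pending:
                pending.pop()
    return pending


if __name__ == "__main__":
    print(lookups_without_user_bind(SAMPLE_LOG, SERVICE_DN))
```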

zackgalbreath commented 8 months ago

> My understanding was that USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true would allow logging in with the non-LDAP user even though LDAP authentication is activated. But I guess I'm wrong. How could I circumvent that? Thanks very much for the help.

Unfortunately, as you discovered, CDash's LDAP authentication currently blocks "regular" (database) authentication when it is enabled. We'll keep your use case in mind as we work to improve and expand our authentication support in CDash.