Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

ASN decode fails if a user is in more than 127 groups #20

Open oetiker opened 10 years ago

oetiker commented 10 years ago

Set up a user with more than 127 groups: the script checks the different groups recursively until it reaches 127; then, when evaluating the 128th, the assert fails:

# python PyAuthenNTLM2/ntlm_client.py -u sevetest -p XXX -d yyyy.ch -g g_HIN_Proxyusers -a ldap://xxxx/DC=yyyy,DC=ch
Using Active Directory (LDAP) to verify credentials.
User sevetest\spital-biel.ch was authenticated.
Traceback (most recent call last):
  File "PyAuthenNTLM2/ntlm_client.py", line 333, in <module>
    res = proxy.check_membership(member, config['group'])
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 269, in check_membership
    if self.check_membership(None,groups,x, tabs+1):
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 251, in check_membership
    resp = self.proto.parse_search_resp(msg)
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/ntlm_ad_proxy.py", line 181, in parse_search_resp
    messageID, data = parseint(data, True)
  File "/usr/local/lib/python2.7/dist-packages/PyAuthenNTLM2/asn1.py", line 130, in parseint
    assert (ord(payload[0]) & 0x80) == 0x00
AssertionError

I have tested with different users and it stops at different group names, but always at the 127th. Users with fewer than 127 groups work fine, and users that were not working work again as soon as the group membership goes below 127. E.g., user tttt was not working, but now that I have removed some groups, it does:

# python PyAuthenNTLM2/ntlm_client.py -u tttt -p XXX -d yyyy.ch -g g_HIN_Proxyusers -a ldap://xxxx/DC=yyyy,DC=ch
Using Active Directory (LDAP) to verify credentials.
User tttt\yyyy.ch was authenticated.
User tttt belongs to at least one group.

I have tried modifying asn1.py to see what is happening and it seems that the parsing code fails to decode the message: the message ID for the 128th group is not 128 as expected (0x80) but 4294967168 (0xFFFFFF80).
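The values in the report line up with how BER encodes INTEGER: the high bit of the first payload octet is a sign bit, so 127 fits in one octet but 128 needs a leading 0x00, and a bare 0x80 octet decodes as -128 (the same value FF FF FF 80 represents in four octets, which reads as 4294967168 when taken as unsigned). The following is an added example, not PyAuthenNTLM2's own asn1.py, showing an encoder that emits the extra octet and a decoder that reads two's complement and rejects a negative message ID instead of asserting on the raw bit; all inputs are constructed for illustration.

```python
# Added example, not PyAuthenNTLM2's asn1.py: BER INTEGER encode/decode that
# treat the high bit of the first payload octet as a sign bit, which is what
# an LDAP server does with the messageID it receives from the client.

def _signed_octet_len(value: int) -> int:
    """Minimal number of two's-complement octets that hold value."""
    magnitude = value if value >= 0 else ~value
    return (magnitude.bit_length() + 8) // 8   # +8 reserves the sign bit

def _ber_length(n: int) -> bytes:
    """BER length field: short form below 128, long form from 128 up."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def ber_encode_int(value: int) -> bytes:
    """INTEGER TLV (tag 0x02). 127 -> 02 01 7F, but 128 -> 02 02 00 80:
    a bare 0x80 payload octet would be read as -128 by any BER decoder."""
    body = value.to_bytes(_signed_octet_len(value), "big", signed=True)
    return b"\x02" + _ber_length(len(body)) + body

def ber_decode_int(data: bytes, unsigned: bool = False):
    """Decode one INTEGER TLV at the start of data; return (value, rest).
    unsigned=True rejects a negative value (an LDAP messageID must be >= 0)
    with a clear error instead of an assertion on the raw sign bit."""
    if len(data) < 2 or data[0] != 0x02:
        raise ValueError("expected INTEGER tag 0x02")
    length, offset = data[1], 2
    if length & 0x80:                       # long-form length
        nlen = length & 0x7F
        length = int.from_bytes(data[2:2 + nlen], "big")
        offset = 2 + nlen
    payload = data[offset:offset + length]
    if length == 0 or len(payload) != length:
        raise ValueError("truncated INTEGER")
    value = int.from_bytes(payload, "big", signed=True)
    if unsigned and value < 0:
        raise ValueError("negative INTEGER %d where a non-negative one is required" % value)
    return value, data[offset + length:]

def demo():
    """Constructed inputs mirroring the report: the correct encoding of 128,
    the naive single-octet form, and FF FF FF 80 read signed vs. unsigned."""
    good = ber_decode_int(ber_encode_int(128))[0]            # 128
    naive = ber_decode_int(b"\x02\x01\x80")[0]               # -128
    wide = b"\xff\xff\xff\x80"
    return good, naive, int.from_bytes(wide, "big", signed=True), int.from_bytes(wide, "big")
```

demo() returns (128, -128, -128, 4294967168): the last two values are the same four octets, which is why a decoder that ignores the sign bit reports 0xFFFFFF80 for a message ID of 128 sent as a single 0x80 octet.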