Closed mattj21 closed 3 months ago
Hi,
thanks for reporting. The Okta LDAP implementation possibly doesn't return the root DSE for anonymous binds. Could you please check whether the diff below fixes this issue?
Thanks,
Marc
index eeb847b..2c33b6d 100755
--- a/mavis/perl/mavis_tacplus-ng_ldap.pl
+++ b/mavis/perl/mavis_tacplus-ng_ldap.pl
@@ -308,6 +308,11 @@ retry_once:
goto fatal;
}
}
+ my $mesg = $ldap->bind(@LDAP_BIND);
+ if ($mesg->code){
+ $V[AV_A_USER_RESPONSE] = $mesg->error . " (" . __LINE__ . ")";
+ goto fatal;
+ }
unless (defined $LDAP_SERVER_TYPE) {
if ($ldap->is_AD() || $ldap->is_ADAM()) {
$LDAP_SERVER_TYPE = "microsoft";
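Review bot: `$ldap->bind(@LDAP_BIND)` silently becomes an anonymous simple bind when `@LDAP_BIND` is empty, which is exactly the case this thread says the Okta LDAP Interface refuses; a check that bind credentials are configured before this call (or an error message that says the bind was anonymous) would make that misconfiguration visible instead of reproducing the original silent failure. Also, `$mesg->error . " (" . __LINE__ . ")"` goes into `AV_A_USER_RESPONSE`, which by its name is returned to the authenticating user; the LDAP error text and source line are useful in the server log, but a generic message is preferable for the user-facing response.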
Hi Marc, thanks for the update. I just tested and that does seem to fix the issue.
To be clear, this shouldn't be an anonymous bind; as far as I know the Okta LDAP Interface doesn't allow anonymous binding. In Apache Directory Studio I do see a root DSE with a `vendorName` field of `Okta Inc.`, but even ignoring case in the `$ldap->root_dse->get_value('vendorname')` lookup didn't seem to return a value.
Hi,
thanks for testing again. My assumption with root DSEs was that those don't need authentication at all, as tests with the commonly used servers didn't indicate an issue. I'll push a fix for the various backend variants (Perl, Python, C) shortly.
Thanks,
Marc
I'm pointing my MAVIS backend to the Okta LDAP Interface in my `tac_plus-ng` config file but the lookup just silently fails. The relevant portion of my config looks like this:

I manually tested `mavis_tacplus-ng_ldap.pl` and can see how it fails on the `vendorname` lookup:

In my test environment I wrapped the `vendorname` lookup in a `try/catch` block using `Try::Tiny` and I was able to get the full user lookup to work, and the `tac_plus-ng` lookup works end-to-end now. I'm not familiar enough with Perl to know if that's the proper way to handle this, or if there's another way to verify what `vendorname` Okta returns, or if this is also causing an issue with any other directories.

https://github.com/MarcJHuber/event-driven-servers/blob/3206bff0eb20829c5e407d0114ed996fd2f3482a/mavis/perl/mavis_tacplus-ng_ldap.pl#L320C1-L324C4