UniStuttgart-VISUS / Visus.LdapAuthentication

LDAP authentication middleware for ASP.NET Core
MIT License

User authentication with DN is passing but then user cannot be found with default mapping #9

Closed Maxhy closed 8 months ago

Maxhy commented 8 months ago

Affected library

Environment

Summary Using schema RFC 2307, when authenticating a user with a DN, the user mapping is not correctly resolved. This is because the UserFilter is incorrect in that case.

What are you doing? I reproduced the issue with the freely available openldap instance from forumsys.com.

```json
{
  "Server": "ldap.forumsys.com",
  "SearchBase": "dc=example,dc=com",
  "Schema": "RFC 2307",
  "IsRecursiveGroupMembership": true,
  "Port": 389,
  "IsSsl": false,
  "IsNoCertificateCheck": true
}
```

then perform authentication with var user = _authService.Login("uid=tesla,dc=example,dc=com", "password");

What is the problem? The authentication succeeded but the user cannot be retrieved. Error message is ErrorUserNotFound. This makes sense, as it tries to run the request with (&(objectClass=posixAccount)(uid={0})) which resolves to (&(objectClass=posixAccount)(uid=uid=tesla,dc=example,dc=com)) and this is wrong.

What behaviour did you expect? The current automation is failing with DN authentication if I'm not mistaken. Not sure how it should be correctly handled API side (overload to explicitly treat the DN authentication case differently?). For now the workaround is to redefine the UserFilter mapping with (&(objectClass=posixAccount)(entryDN={0})).
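The filter mismatch reported above is easy to reproduce outside the library, and it also shows a second problem with pasting a raw login into the `{0}` placeholder: without RFC 4515 escaping, the value can inject filter syntax (a login of `*` matches every posixAccount). The following is an added example, not code from Visus.LdapAuthentication or from the reporter. `UID_FILTER` and `DN_FILTER` are the two filters quoted in the issue; `looks_like_dn`, `escape_filter_value`, `build_user_filter`, `naive_user_filter` and `first_rdn` are this example's own helpers, and the DN heuristic (leading `attr=`) is an assumption about how logins look in practice.

```python
import re

# The two filters quoted in the issue: the RFC 2307 default that breaks when
# the login is a DN, and the entryDN workaround.
UID_FILTER = "(&(objectClass=posixAccount)(uid={0}))"
DN_FILTER = "(&(objectClass=posixAccount)(entryDN={0}))"

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion
# value. Substituting a raw login into "{0}" without this lets the caller
# inject filter syntax.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# Heuristic (this example's assumption): a DN starts with an attribute type
# (name or OID) followed by "=", e.g. "uid=tesla,dc=example,dc=com".
_DN_START = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def looks_like_dn(login: str) -> bool:
    """True for 'uid=tesla,dc=example,dc=com', False for a bare 'tesla'."""
    return _DN_START.match(login) is not None


def naive_user_filter(login: str) -> str:
    """The behaviour reported in the issue: the login is pasted into the uid filter as-is."""
    return UID_FILTER.format(login)


def build_user_filter(login: str) -> str:
    """Choose the filter by login shape and escape the substituted value."""
    template = DN_FILTER if looks_like_dn(login) else UID_FILTER
    return template.format(escape_filter_value(login))


def first_rdn(dn: str):
    """Return (type, value) of the leftmost RDN, split on the first unescaped comma.

    Alternative to entryDN for servers that do not expose that operational
    attribute: search with uid=<value> instead. Multi-valued RDNs are not handled.
    """
    head = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = head.partition("=")
    return attr.strip(), value.strip()


if __name__ == "__main__":
    dn = "uid=tesla,dc=example,dc=com"
    print(naive_user_filter(dn))   # the broken filter from the report
    print(build_user_filter(dn))   # entryDN lookup for a DN login
    print(build_user_filter("tesla"))
    print(build_user_filter("*"))  # wildcard neutralised: uid=\2a
    print(UID_FILTER.format(escape_filter_value(first_rdn(dn)[1])))
```

The entryDN route keeps the configured filter template intact and lets the server resolve the DN; the `first_rdn` route is the fallback for directories without an `entryDN` operational attribute, at the cost of assuming the leftmost RDN is the login attribute. Either way the value is escaped before substitution, which is the check the original `(uid={0})` template was missing.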

crowbar27 commented 8 months ago

It seems the UserFilter is indeed wrong for RFC 2307. I need to check whether this property is used somewhere else before pushing the fix.

crowbar27 commented 8 months ago

Fixed in 1.13.0 and 0.10.0, respectively.