Summary
Using schema RFC 2307 and when authenticating a user with DN, the user mapping is not correctly resolved. This is because the UserFilter is incorrect in that case.
What are you doing?
I reproduced the issue with the freely available openldap instance from forumsys.com.
Then perform authentication with:
var user = _authService.Login("uid=tesla,dc=example,dc=com", "password");
What is the problem?
The authentication succeeded but the user cannot be retrieved. The error message is ErrorUserNotFound.
This makes sense, as it tries to run the request with (&(objectClass=posixAccount)(uid={0})) which resolves to (&(objectClass=posixAccount)(uid=uid=tesla,dc=example,dc=com)) and this is wrong.
What behaviour did you expect?
The current automation is failing with DN authentication, if I'm not mistaken. Not sure how it should be correctly handled on the API side (an overload to explicitly treat the DN authentication case differently?). For now the workaround is to redefine the UserFilter mapping with (&(objectClass=posixAccount)(entryDN={0})).
Affected library
Environment
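The filter choice described in this report, as an added example (not part of the original report and not the library's own code): it picks between the two filter strings quoted above depending on whether the login looks like a DN, and escapes the value per RFC 4515 before substitution. The class and method names and the DN-shape heuristic are assumptions made for illustration.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added illustration; UserFilterSelector and its members are hypothetical names.
static class UserFilterSelector
{
    // The two filter templates quoted in the report.
    const string UidFilter = "(&(objectClass=posixAccount)(uid={0}))";
    const string DnFilter = "(&(objectClass=posixAccount)(entryDN={0}))";

    // Assumption: a login made of comma-separated "attr=value" parts is a DN.
    // DNs containing escaped commas (\,) are not recognised by this heuristic.
    static readonly Regex DnShape = new Regex(
        @"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$");

    public static bool LooksLikeDn(string login) => DnShape.IsMatch(login);

    // RFC 4515: escape characters that have meaning inside a search filter,
    // so the login cannot change the filter's structure.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*': sb.Append(@"\2a"); break;
                case '(': sb.Append(@"\28"); break;
                case ')': sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    public static string BuildUserFilter(string login)
    {
        string template = LooksLikeDn(login) ? DnFilter : UidFilter;
        return string.Format(template, EscapeFilterValue(login));
    }

    static void Main()
    {
        // Constructed sample logins: a DN, a bare uid, and a value with filter metacharacters.
        foreach (var login in new[] { "uid=tesla,dc=example,dc=com", "tesla", "tesla)(uid=*" })
            Console.WriteLine(BuildUserFilter(login));
    }
}
```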