duttonw / pwm

Automatically exported from code.google.com/p/pwm

Forgotten Username and Forgotten Password Search do not support optional attributes #377

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The Forgotten User Name and Forgotten Password Search Filters/forms do not 
contain the same logic as the Activation Search Filter/form. I'm not sure if 
this is on purpose. The Activation Search allows attributes that are listed in 
the form but are not used in the search filter. Those values are tested by 
attempting an ldap compare with the user supplied value. This functionality is 
necessary to handle optional attribute values on that User object.

This functionality is however missing for the Forgotten Username and Forgotten 
Password Search. If an attribute is in the Form (required=false), but not in 
the Search Filter (because it is optional for a User object), the user supplied 
value is just simply ignored. Therefore it is currently not possible to test on 
optional attributes in the Forgotten Password and Forgotten Username Forms.

What steps will reproduce the problem?
1. In the Configuration Manager go to Configuration editor -> Modules -> 
Forgotten Username
2. Add two required=true attributes (AuxTestmail3 and AuxTestdateOfBirth) and 
one required=false attribute (AuxTestsmsNumber) in the Forgotten Username Form
3. Edit the Forgotten Username Search Filter so that only the required=true 
attributes are searched for: 
(&(objectClass=AuxTestperson)(AuxTestdateOfBirth=%AuxTestdateOfBirth%)(AuxTestmail3=%AuxTestmail3%))
4. Save the configuration
5. Make sure that your User object has a value in the LDAP directory for both 
the required=true attribute and the required=false attribute
6. Go to the Enduser PWM frontend and click on Forgotten Username
7. Fill in the correct value for the required=true attribute
8. Fill in an incorrect value for the required=false attribute
9. Press Search

What is the expected output? What do you see instead?
I would expect that PWM does not find my User Object, because the user supplied 
value for the required=false attribute does not match the value in the LDAP 
directory. However, PWM returns my username, because the required=false 
attribute is not in the Search filter and is not tested by attempting an ldap 
compare with the user supplied value.

Relevant part of Catalina.out

2013-04-26 15:08:58, TRACE, pwm.SessionFilter, {1l} POST request for: /pwm/public/ForgottenUsername  [123.456.789.321]
  pwmFormID='YEYDl3dXKdZrVwmFZiC2K5SXYe6yvB3M13e467194dfb7p7b2'
  AuxTestmail3='testuser@gmail.com'
  AuxTestsmsNumber='+31612345678'
  AuxTestdateOfBirth='01-01-1970'
  processAction='search'
2013-04-26 15:08:58, DEBUG, operations.UserSearchEngine, {1l} beginning user search process [123.456.789.321]
2013-04-26 15:08:58, DEBUG, operations.UserSearchEngine, {1l} performing ldap search for user, base=ou=users,o=meta filter=SearchHelper: filter: (&(objectClass=AuxTestperson)(AuxTestdateOfBirth=01-01-1970)(AuxTestmail3=testuser@gmail.com)), scope: SUBTREE, attributes: [] [123.456.789.321]
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#126 search(ou=users,o=meta,SearchHelper: filter: (&(objectClass=AuxTestperson)(AuxTestdateOfBirth=01-01-1970)(AuxTestmail3=testuser@gmail.com)), scope: SUBTREE, attributes: [])
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#42 search(ou=users,o=meta,SearchHelper: filter: (&(objectClass=AuxTestperson)(AuxTestdateOfBirth=01-01-1970)(AuxTestmail3=testuser@gmail.com)), scope: SUBTREE, attributes: [])
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#42 result: {cn=12345678,ou=users,o=meta={}} (10ms)
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#126 result: {cn=12345678,ou=users,o=meta={}} (12ms)
2013-04-26 15:08:58, TRACE, operations.UserSearchEngine, {1l} found 1 results in context: ou=users,o=meta [123.456.789.321]
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#127 getDirectoryVendor()
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#43 getDirectoryVendor()
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#43 result: NOVELL_EDIRECTORY (0ms)
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#127 result: NOVELL_EDIRECTORY (1ms)
2013-04-26 15:08:58, DEBUG, operations.UserSearchEngine, {1l} completed user search process in 14ms, resultSize=1 [123.456.789.321]
2013-04-26 15:08:58, DEBUG, operations.UserSearchEngine, {1l} found userDN: cn=12345678,ou=users,o=meta [123.456.789.321]
2013-04-26 15:08:58, INFO , servlet.ForgottenUsernameServlet, {1l} found user cn=12345678,ou=users,o=meta [123.456.789.321]
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#128 readStringAttribute(cn=12345678,ou=users,o=meta,AuxTestuser)
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, begin op#44 readStringAttribute(cn=12345678,ou=users,o=meta,AuxTestuser)
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#44 result: testuser (4ms)
2013-04-26 15:08:58, TRACE, provider.WireTraceWrapper, finish op#128 result: testuser (5ms)
2013-04-26 15:08:58, TRACE, servlet.ForgottenUsernameServlet, {1l} read username attribute 'AuxTestuser' value=testuser [123.456.789.321]

What version of PWM are you using?
Daily build (pwmVersion="1.7.0" pwmBuild="1217" pwmBuildType="RC2")

What ldap directory and version are you using?
eDirectory for Linux x86_64 v8.8 SP7 ON SLES11 SP1

Original issue reported on code.google.com by sebastia...@gmail.com on 26 Apr 2013 at 1:15

GoogleCodeExporter commented 9 years ago
I've made a patch to the Forgotten Username Servlet to support optional 
attributes.

The Forgotten Username Search now allows attributes that are listed in the form 
but are not used in the search filter. Those values are tested by attempting an 
ldap compare with the user supplied value. This functionality is necessary to 
handle optional attribute values on that User object.

I did not implement this logic on the Forgotten Password search, because after 
code analysis I saw that there is already support for optional attributes: 
"Required ldap attributes for challenge/response" is actually supporting 
optional attributes already (if the user has a value for that attribute).

Attached a patch file for the Forgotten Username Servlet

Original comment by sebastia...@gmail.com on 3 May 2013 at 12:07

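The search-then-compare behaviour described in the report and in the follow-up comment (search on the attributes the filter names, then LDAP-compare every other supplied form value against the one entry found), as an added worked example. This is editor-supplied illustration code, not PWM's code and not the attached patch. It assumes a small in-memory directory standing in for the eDirectory tree ou=users,o=meta, with constructed entries and values; the filter evaluator and compare are stand-ins for real LDAP operations. It also escapes form values per RFC 4515 before substituting them into the filter (a practitioner's caveat the issue does not discuss), and takes the policy, labelled as an assumption, that a supplied value for an attribute the object does not carry fails the compare rather than being ignored.

```python
"""Search-then-compare lookup for a Forgotten Username form.

Added example, not PWM's own code. Required form attributes are escaped and
substituted into the LDAP search filter; any form attribute the filter does
not mention is checked with an LDAP compare against the single entry found,
so a wrong optional value refuses the lookup instead of being ignored.
"""
import re

# Constructed stand-in for ou=users,o=meta (all values invented here).
DIRECTORY = {
    "cn=12345678,ou=users,o=meta": {
        "objectClass": ["AuxTestperson"],
        "AuxTestuser": ["testuser"],
        "AuxTestmail3": ["testuser@gmail.com"],
        "AuxTestdateOfBirth": ["01-01-1970"],
        "AuxTestsmsNumber": ["+31687654321"],
    },
    "cn=87654321,ou=users,o=meta": {
        "objectClass": ["AuxTestperson"],
        "AuxTestuser": ["nosms"],
        "AuxTestmail3": ["nosms@example.org"],
        "AuxTestdateOfBirth": ["02-02-1980"],
        # AuxTestsmsNumber deliberately absent: the attribute is optional
    },
}

# Filter and form as configured in the issue: the two required fields are in
# the filter, the optional AuxTestsmsNumber is on the form only.
SEARCH_FILTER = ("(&(objectClass=AuxTestperson)"
                 "(AuxTestdateOfBirth=%AuxTestdateOfBirth%)"
                 "(AuxTestmail3=%AuxTestmail3%))")
FORM_FIELDS = {"AuxTestmail3": True,          # name -> required
               "AuxTestdateOfBirth": True,
               "AuxTestsmsNumber": False}


def escape_filter_value(value):
    """RFC 4515 escaping so a form value can never alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _attr(entry, name):
    """Case-insensitive attribute lookup; [] when the attribute is absent."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def filter_attributes(template):
    """Names the template substitutes, e.g. %AuxTestmail3%."""
    return set(re.findall(r"%([A-Za-z0-9]+)%", template))


def build_filter(template, form_values):
    return re.sub(r"%([A-Za-z0-9]+)%",
                  lambda m: escape_filter_value(form_values.get(m.group(1), "")),
                  template)


def ldap_search(directory, filter_str):
    """Tiny evaluator for AND-of-equality filters. A raw '*' is a wildcard,
    the escaped form '\\2a' is a literal asterisk, as on a real server."""
    items = re.findall(r"\(([A-Za-z0-9]+)=([^)]*)\)", filter_str)
    hits = []
    for dn, entry in directory.items():
        ok = True
        for name, raw in items:
            pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
            if not any(re.fullmatch(pattern, v, re.I) for v in _attr(entry, name)):
                ok = False
                break
        if ok:
            hits.append(dn)
    return hits


def ldap_compare(directory, dn, name, value):
    """LDAP compare: true only if the entry holds exactly this value."""
    return value.lower() in [v.lower() for v in _attr(directory[dn], name)]


def forgotten_username_search(directory, template, form_fields, form_values):
    """Return the matching DN, or None when the lookup must be refused."""
    for name, required in form_fields.items():
        if required and not form_values.get(name):
            return None                       # required field left empty
    hits = ldap_search(directory, build_filter(template, form_values))
    if len(hits) != 1:
        return None                           # no match, or ambiguous match
    dn = hits[0]
    in_filter = filter_attributes(template)
    for name in form_fields:
        supplied = form_values.get(name, "")
        if name in in_filter or not supplied:
            continue      # already searched on, or optional field left blank
        if not ldap_compare(directory, dn, name, supplied):
            return None   # wrong value, or (assumed policy) attribute absent
    return dn


def username_for(directory, dn):
    values = _attr(directory[dn], "AuxTestuser")
    return values[0] if values else None
```

With the issue's input (correct required values, wrong AuxTestsmsNumber) `forgotten_username_search` returns None, which is the behaviour the reporter expected; leaving the optional field blank still succeeds, and an unescaped `*` in a form value would widen the search where the escaped `\2a` matches nothing.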