go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

[LDAP Push] LDAP Result Code 49 "Invalid Credentials" #17350

Open Commifreak opened 3 years ago

Commifreak commented 3 years ago

Gitea Version

1.14.6

Git Version

2.30.2

Operating System

Linux

How are you running Gitea?

Docker

Database

MySQL

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Description

Gitea is configured to use LDAP for auth.

This happens with a user who has an umlaut (Ä) in their password:

2021/10/18 10:09:13 ...rm.io/xorm/engine.go:1226:Get() [I] [SQL] SELECT `id`, `lower_name`, `name`, `full_name`, `email`, `keep_email_private`, `email_notifications_preference`, `passwd`, `passwd_hash_algo`, `must_change_password`, `login_type`, `login_source`, `login_name`, `type`, `location`, `website`, `rands`, `salt`, `language`, `description`, `created_unix`, `updated_unix`, `last_login_unix`, `last_repo_visibility`, `max_repo_creation`, `is_active`, `is_admin`, `is_restricted`, `allow_git_hook`, `allow_import_local`, `allow_create_organization`, `prohibit_login`, `avatar`, `avatar_email`, `use_custom_avatar`, `num_followers`, `num_following`, `num_stars`, `num_repos`, `num_teams`, `num_members`, `visibility`, `repo_admin_change_team_access`, `diff_view_style`, `theme`, `keep_activity_private` FROM `user` WHERE `lower_name`=? LIMIT 1 [user.name] - 95.866µs
2021/10/18 10:09:13 ...dels/login_source.go:844:UserSignIn() [I] [SQL] SELECT `id`, `type`, `name`, `is_actived`, `is_sync_enabled`, `cfg`, `created_unix`, `updated_unix` FROM `login_source` WHERE `id`=? LIMIT 1 [1] - 53.473µs
2021/10/18 10:09:13 ...es/auth/ldap/ldap.go:178:bindUser() [D] LDAP auth. failed for cn=User,ou=Normale Nutzer,ou=OU,dc=DC,dc=DC, reason: LDAP Result Code 49 "Invalid Credentials": 
2021/10/18 10:09:13 ...s/context/context.go:308:HandleText() [E] invalid credentials from 10.10.4.1:45648

Removing the umlaut fixed the issue. Is there a problem with umlauts and ldap.go:178:bindUser()?

Screenshots

No response

zeripath commented 3 years ago

I suspect the issue is going to be one of encoding.

You haven't stated how you're pushing - I assume it's over http(s) from a git command line. Is the user using a Windows or a Linux box? What encoding are they sending the password in? Is it possible that they're sending the character using CP-1252 encoding or an ISO-8859-2 encoding?

If you can reliably replicate the problem you could look at exactly what is being sent across to the LDAP server.

If you were on 1.16 I'd say take a look at:

https://github.com/go-gitea/gitea/blob/main/services/auth/source/ldap/source_authenticate.go#L18

adding in some logging there and then working back through all the places it's called. On 1.15 it'd be similar.


I also note you report you're on 1.14 - please upgrade to 1.15.
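An added example of the encoding check suggested above (not Gitea's code and not written by any commenter in this thread): it takes the password bytes from an HTTP Basic header and reports only their encoding class and length, so the diagnostic can be logged without writing the secret itself. The function names, the sample user and the password "pÄss" are constructed for illustration, and the repair step assumes the client sent single-byte Latin-1 while the directory compares UTF-8.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
	"unicode/utf8"
)

// passwordBytes returns the password from a Basic header exactly as the client encoded it.
func passwordBytes(header string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(header, "Basic "))
	if err != nil {
		return nil, err
	}
	i := bytes.IndexByte(raw, ':') // the user-id cannot contain ':', the password can
	if i < 0 {
		return nil, fmt.Errorf("no user:password separator")
	}
	return raw[i+1:], nil
}

// classify names the encoding class of pw without revealing it (safe to log).
func classify(pw []byte) string {
	if !utf8.Valid(pw) {
		return "non-utf-8" // e.g. a lone 0xC4 byte from a CP-1252 or ISO-8859-x client
	}
	if bytes.IndexFunc(pw, func(r rune) bool { return r >= 0x80 }) >= 0 {
		return "utf-8"
	}
	return "ascii"
}

// latin1ToUTF8 re-encodes pw assuming one byte per code point (ISO-8859-1).
func latin1ToUTF8(pw []byte) string {
	var sb strings.Builder
	for _, b := range pw {
		sb.WriteRune(rune(b))
	}
	return sb.String()
}

func main() {
	// Constructed samples: "pÄss" as sent by a UTF-8 client and by a Latin-1 client.
	for _, cred := range []string{"user.name:p\xc3\x84ss", "user.name:p\xc4ss"} {
		pw, _ := passwordBytes("Basic " + base64.StdEncoding.EncodeToString([]byte(cred)))
		fmt.Printf("class=%s bytes=%d bytes-as-latin1-reencoded=%d\n", classify(pw), len(pw), len(latin1ToUTF8(pw)))
	}
}
```

If a failing login classifies as "non-utf-8" while a working one is "ascii" or "utf-8", the client-side encoding is the first thing to check.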

wxiaoguang commented 2 years ago

Maybe related to https://github.com/go-gitea/gitea/issues/19336

Only pushing doesn't work