Closed nwinkelstraeter closed 1 year ago
I investigated this a little further and noticed that when I put the semicolon at the beginning I get the error: "flow error password: This field may not be blank."
from the outpost.
It looks like at some point the password gets parsed in a way where it is cut off at the semicolon. I captured the HTTP traffic between the outpost and the server while binding with ldapsearch. At the request to the identification stage the password is intact.
{"component":"ak-stage-identification","password":"abcde;fghi","uid_field":"nwinkelstraeter"}
But at the request to the password stage the password is cut off at the semicolon.
{"component":"ak-stage-password","password":"abcde"}
Here are the HTTP captures
semicolon_in_pw_at_end.txt semicolon_in_pw_at_start.txt semicolon_in_pw_in_middle.txt
Yeah so I don't know how I never thought of this, but when we added support for code-based TOTP, I didn't consider that the password will always be split. The issue comes from the fact that the password has to be split in advance seeing as the ldap outpost doesn't know if the next challenge will be for TOTP or not.
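The splitting behaviour discussed above, as an added illustration that is not code from the authentik project: the first function models the described behaviour (split at the first semicolon, treat the rest as a TOTP code) and reproduces both the truncated `ak-stage-password` payload and the "may not be blank" error from the captures; the second only splits when the suffix after the last semicolon looks like a 6-digit TOTP code, so passwords containing semicolons survive. The exact logic of the outpost, the 6-digit assumption and the `build_stage_payloads` helper are assumptions for this example.

```python
import re
from typing import Optional, Tuple

# Assumption for this example: a TOTP code is exactly six ASCII digits.
TOTP_RE = re.compile(r"\d{6}")


def naive_split(secret: str) -> Tuple[str, Optional[str]]:
    """Model of the behaviour described in the issue (not the outpost's own code):
    everything before the first ';' is the password, the remainder is taken as a
    TOTP code even when it is not one."""
    password, sep, code = secret.partition(";")
    return password, (code if sep else None)


def totp_aware_split(secret: str) -> Tuple[str, Optional[str]]:
    """Split only at the LAST ';' and only when the suffix is a plausible TOTP code;
    otherwise the whole value is the password and no code is sent."""
    head, sep, tail = secret.rpartition(";")
    if sep and TOTP_RE.fullmatch(tail):
        return head, tail
    return secret, None


def build_stage_payloads(uid: str, secret: str, splitter) -> dict:
    """Assemble the identification and password stage bodies the way the captures
    in the issue show them, using the given splitting strategy (constructed helper)."""
    password, code = splitter(secret)
    payloads = {
        "identification": {
            "component": "ak-stage-identification",
            "password": secret,
            "uid_field": uid,
        },
        "password": {"component": "ak-stage-password", "password": password},
    }
    if code is not None:
        payloads["totp"] = {"component": "ak-stage-authenticator-validate", "code": code}
    return payloads


if __name__ == "__main__":
    # Constructed sample matching the captured value in the issue.
    for name, fn in (("naive", naive_split), ("totp-aware", totp_aware_split)):
        print(name, build_stage_payloads("nwinkelstraeter", "abcde;fghi", fn)["password"])
```

With the naive strategy a leading semicolon yields an empty password stage value, which is exactly the "This field may not be blank" validation error seen from the outpost; a password that itself ends in `;` followed by six digits remains ambiguous under the suffix check, which is the caveat to keep in mind for any such pre-split design.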
Describe the bug
Authentication via LDAP Outpost fails when the password contains a semicolon
To Reproduce
Steps to reproduce the behavior:
Working case
ldapsearch
ldapsearch -x -H ldap://127.0.0.1:389 -D cn=nwinkelstraeter,ou=users,dc=ldap,dc=goauthentik,dc=io -b ou=users,dc=ldap,dc=goauthentik,dc=io -w
Failure case
ldapsearch
ldap_bind: Invalid credentials (49)
I also tried to find other characters with which that happens but I haven't found any so far.
Expected behavior
LDAP authentication also works with a semicolon in the password
Logs
ldapsearch output:
Outpost Log:
Version and Deployment