goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Semicolons in passwords not working in LDAP Outpost #5917

Closed nwinkelstraeter closed 1 year ago

nwinkelstraeter commented 1 year ago

Describe the bug

Authentication via LDAP Outpost fails when the password contains a semicolon

To Reproduce

Steps to reproduce the behavior:

Working case

Failure case

I also tried to find other characters with which that happens but I haven't found any so far.

Expected behavior

LDAP authentication also works with a semicolon in the password

Logs

ldapsearch output:

ldap_bind: Invalid credentials (49)

Outpost Log:

ldap-outpost_1  | {"bindDN":"cn=nwinkelstraeter,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.181.2.34","error":"flow error password: Invalid password","event":"failed to execute flow","level":"warning","requestId":"ce58618b-d105-42b7-95a4-8a682f9d97f5","timestamp":"2023-06-09T14:41:46Z"}
ldap-outpost_1  | {"bindDN":"cn=nwinkelstraeter,ou=users,dc=ldap,dc=goauthentik,dc=io","client":"10.181.2.34","event":"Bind request","level":"info","requestId":"ce58618b-d105-42b7-95a4-8a682f9d97f5","timestamp":"2023-06-09T14:41:46Z","took-ms":925}

Version and Deployment

nwinkelstraeter commented 1 year ago

I investigated this a little further and noticed that when I put the semicolon at the beginning I get the error: "flow error password: This field may not be blank." from the outpost.

It looks like at some point the password gets parsed in a way where it is cut off at the semicolon. I captured the HTTP traffic between the outpost and the server while binding with ldapsearch. At the request to the identification stage the password is intact.

{"component":"ak-stage-identification","password":"abcde;fghi","uid_field":"nwinkelstraeter"}

But at the request to the password stage the password is cut off at the semicolon.

{"component":"ak-stage-password","password":"abcde"}

Here are the HTTP captures

semicolon_in_pw_at_end.txt semicolon_in_pw_at_start.txt semicolon_in_pw_in_middle.txt

BeryJu commented 1 year ago

Yeah so I don't know how I never thought of this, but when we added support for code-based TOTP, I didn't consider that the password will always be split. The issue comes from the fact that the password has to be split in advance seeing as the ldap outpost doesn't know if the next challenge will be for TOTP or not.
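As an added illustration of the mechanism BeryJu describes and of the truncation nwinkelstraeter captured (`abcde;fghi` arriving at the password stage as `abcde`), not code from authentik's outpost: a Go sketch of an up-front split on `;` next to a guarded variant that only peels off a trailing segment when it looks like a 6-digit TOTP code. The function names, the 6-digit assumption and the sample passwords are mine, not the project's.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveSplit models the behaviour reported in the issue: the LDAP bind
// password is split on the first ";" before the server is asked anything,
// so a ";" that is simply part of the password truncates it.
// Returns (password, totpCode). Hypothetical helper, not authentik code.
func naiveSplit(bindPassword string) (string, string) {
	parts := strings.SplitN(bindPassword, ";", 2)
	if len(parts) == 2 {
		return parts[0], parts[1]
	}
	return bindPassword, ""
}

// isTOTPCode reports whether s looks like a 6-digit TOTP code.
// The 6-digit length is an assumption for this example.
func isTOTPCode(s string) bool {
	if len(s) != 6 {
		return false
	}
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return true
}

// guardedSplit only treats the text after the LAST ";" as a TOTP code when
// it actually looks like one; otherwise the whole string stays the password.
// Hypothetical mitigation for illustration, not the project's fix.
func guardedSplit(bindPassword string) (string, string) {
	i := strings.LastIndex(bindPassword, ";")
	if i < 0 {
		return bindPassword, ""
	}
	if code := bindPassword[i+1:]; isTOTPCode(code) {
		return bindPassword[:i], code
	}
	return bindPassword, ""
}

func main() {
	// Constructed sample bind passwords, not taken from any real account.
	samples := []string{"abcde;fghi", ";abcde", "abcde;", "abcde;123456", "plain"}
	for _, s := range samples {
		np, nc := naiveSplit(s)
		gp, gc := guardedSplit(s)
		fmt.Printf("%-14q naive=(%q,%q) guarded=(%q,%q)\n", s, np, nc, gp, gc)
	}
}
```

The guarded variant removes the truncation for the three cases in the report, but it is a heuristic, not a complete fix: a password that itself ends in `;` followed by six digits is still ambiguous, which is the underlying problem BeryJu points at when saying the outpost cannot know in advance whether a TOTP challenge will follow.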