ma1uta / ma1sd

Federated Matrix Identity Server (formerly fork of kamax/mxisd)
GNU Affero General Public License v3.0

Convert Username to lowercase #3

Closed enannos closed 5 years ago

enannos commented 5 years ago

Hello,

we are currently using the matrix-synapse server with Riot for our users in the Active Directory. In the past, we were using mxisd for authentication, but since its development was halted, we started using the internal LDAP authentication mechanism of Matrix. Our biggest problem was that when a user typed in the username using uppercase or a combination of upper and lowercase, the user could not log in. I found out through another issue that you have this wonderful project that does exactly what mxisd did.

I have set up ma1sd, configured nginx etc., but we still have problems when the user types in the username in the form of, for instance, First_name.Last_name. If the user logs in with first_name.last_name, the login works.

I read about the possibility to rewrite some auth credentials but I cannot make it work. Can you please help me out?

ma1uta commented 5 years ago

Hello.

I will investigate how I can help you. Could you please provide the ma1sd and synapse logs from when a user logs in with a username containing upper-case symbols?

enannos commented 5 years ago

Hello @ma1uta, here is the syslog when I am trying to log in using an uppercase character in my login name (replaced some private info with XXXXXXX):

ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.http.undertow.handler.auth.RestAuthHandler - Requested to check credentials for @evangelos.nannoS:XXXXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Attempting authentication with store LdapAuthProvider
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Performing auth for @evangelos.nannoS:XXXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Checking possible match, DN: CN=Evangelos Nannos,OU=XXXXXXX,OU=XXXX,OU=XXXXX,DC=XXXX,DC=XXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Attempting authentication on LDAP for CN=Evangelos Nannos,OU=XXXX,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Authentication successful for CN=Evangelos Nannos,OU=XXXX,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - DN CN=Evangelos Nannos,OU=XXXX,OU=XXXX,OU=XXXX,DC=XXXX,DC=XXXX is a valid match
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Processing 3PIDs for profile
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Processing 3PID type msisdn
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute telephoneNumber has 1 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute mobile has 1 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute homePhone has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute otherTelephone has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute otherMobile has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute otherHomePhone has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Processing 3PID type email
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute mailPrimaryAddress has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute mail has 1 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - #011Attribute otherMailbox has 0 value(s)
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.backend.ldap.LdapAuthProvider - Found 3 3PIDs
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - @evangelos.nannoS:XXXXXX was authenticated by LdapAuthProvider, publishing 3PID mappings, if any
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Processing io.kamax.matrix.ThreePid@53275986 for @evangelos.nannoS:XXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for msisdn:XXXXXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Processing io.kamax.matrix.ThreePid@92f98b12 for @evangelos.nannoS:XXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for msisdn:XXXXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.auth.AuthManager - Processing io.kamax.matrix.ThreePid@9a150ec for @evangelos.nannoS:XXXXXXX
ma1sd[954]: [XNIO-1 task-12] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for email:Evangelos.Nannos@XXXXXXXX
ma1sd[954]: [XNIO-1 task-12] WARN io.kamax.mxisd.auth.AuthManager - The returned User ID @evangelos.nannoS:XXXXXX is not a valid Matrix ID. Login might fail at the Homeserver level
ma1sd[954]: [XNIO-1 task-11] INFO io.kamax.mxisd.auth.AuthManager - http status = 200

enannos commented 5 years ago

As you can see in the above example, as long as I use an uppercase character in my username (in this case evangelos.nannoS), the login fails.

enannos commented 5 years ago

Any ideas? It would be really helpful if we could resolve this issue.

ma1uta commented 5 years ago

Sorry, I was busy and missed this issue. According to https://matrix.org/docs/spec/appendices#user-identifiers an MXID should contain only lower-case characters. But for backward compatibility it is possible to have an MXID with upper-case characters.
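An added example, not part of the thread and not ma1sd's code: one way to canonicalise a typed login into a spec-conformant MXID before it reaches the homeserver. The function names and the `example.org` domain are hypothetical, and the character set is the one from the user-identifiers appendix linked above.

```python
import re

# Localpart grammar from the user-identifiers appendix linked in the thread:
# lower-case letters, digits and . _ = - / only (assumption: newer spec
# revisions may allow more characters).
_STRICT_LOCALPART = re.compile(r"[a-z0-9._=\-/]+")
MAX_MXID_BYTES = 255  # whole ID, sigil and domain included


def split_mxid(mxid):
    """Split '@localpart:domain' into (localpart, domain)."""
    if not mxid.startswith("@") or ":" not in mxid:
        raise ValueError(f"not a user ID: {mxid!r}")
    localpart, domain = mxid[1:].split(":", 1)
    if not localpart or not domain:
        raise ValueError(f"empty localpart or domain: {mxid!r}")
    return localpart, domain


def is_strict_mxid(mxid):
    """True if the ID uses only the lower-case grammar and fits the size limit."""
    try:
        localpart, _ = split_mxid(mxid)
    except ValueError:
        return False
    return (_STRICT_LOCALPART.fullmatch(localpart) is not None
            and len(mxid.encode("utf-8")) <= MAX_MXID_BYTES)


def canonical_mxid(login, domain):
    """Map what the user typed to the single ID the homeserver should see.

    Only ASCII case is folded. Non-ASCII input is rejected before lower(),
    because Unicode case mapping can turn look-alikes (e.g. U+212A KELVIN
    SIGN) into plain ASCII and merge two distinct directory accounts.
    """
    localpart = login.strip()
    if localpart.startswith("@"):
        localpart, given_domain = split_mxid(localpart)
        if given_domain.lower() != domain.lower():
            raise ValueError("login is for a different homeserver")
    if not localpart.isascii():
        raise ValueError("non-ASCII localpart rejected, not rewritten")
    mxid = f"@{localpart.lower()}:{domain}"
    if not is_strict_mxid(mxid):
        raise ValueError(f"cannot canonicalise {login!r}")
    return mxid
```
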

ma1uta commented 5 years ago

You can get the release 2.1.2 at https://github.com/ma1uta/ma1sd/releases/tag/2.1.2 with the fix for this issue. Thanks for your patience.

enannos commented 5 years ago

Hi @ma1uta, first of all, thank you for your support and your efforts. Unfortunately, that didn't do the trick. I mean that apparently ma1sd has no problems any more, but the matrix-synapse server has.

schat02 Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-6] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for msisdn:XXXXX
Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-6] INFO io.kamax.mxisd.auth.AuthManager - Processing io.kamax.matrix.ThreePid@92f98b12 for @Evangelos.nannos:XXXX
Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-6] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for msisdn:XXXXXXX
Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-6] INFO io.kamax.mxisd.auth.AuthManager - Processing io.kamax.matrix.ThreePid@9a150ec for @Evangelos.nannos:XXXX
Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-6] INFO io.kamax.mxisd.invitation.InvitationManager - Looking up possible pending invites for email:Evangelos.Nannos@XXXXXXX
Oct 23 12:04:00 XXXX ma1sd[29689]: [XNIO-1 task-4] INFO io.kamax.mxisd.auth.AuthManager - http status = 200
Oct 23 12:04:01 XXXX matrix-synapse[29028]: 2019-10-23 12:04:01,118 - synapse.api.auth - 339 - WARNING - GET-94- Unrecognised access token - not in store.

As extra help, if I log in "normally" (with lowercase), the login works but in the syslog I can see:

Oct 23 12:19:35 XXXX matrix-synapse[29028]: 2019-10-23 12:19:35,704 - synapse.storage.client_ips - 359 - ERROR - update_client_ips-593- Failed to insert client IP (('@evangelos.nannos:XXXX', 'XXXXXXXXXXXXXXXXXXXX', '127.0.0.1'), ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36', 'XXXXXXXX', XXXXXXXX)): InvalidColumnReference('there is no unique or exclusion constraint matching the ON CONFLICT specification\n',)

Any ideas?