marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[BUG]: Username with accents not able to connect #659

Open loulous24 opened 4 months ago

loulous24 commented 4 months ago


Server Information

{
    "version": {
        "server": "28.0.3.2",
        "app": "2024.5.20",
        "lsr": false,
        "php": "8.2.19",
        "cronPhp": "8.2.19"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": false,
        "subdirectory": false
    },
    "services": {
        "images": "imagick",
        "favicons": "bi",
        "previews": "default",
        "security": "hibp",
        "words": "auto",
        "previewApi": false,
        "faviconApi": false
    },
    "settings": {
        "channel": "stable",
        "nightlies": false,
        "handbook": false,
        "performance": 5
    },
    "status": {
        "autoBackupRestored": false
    },
    "apps": {
        "guests": {
            "installed": false,
            "enabled": false
        },
        "occweb": {
            "installed": false,
            "enabled": false
        },
        "theming": {
            "installed": false,
            "enabled": false
        },
        "passman": {
            "installed": false,
            "enabled": false
        },
        "unsplash": {
            "installed": false,
            "enabled": false
        },
        "impersonate": {
            "installed": false,
            "enabled": false
        },
        "passwords_handbook": {
            "installed": false,
            "enabled": false
        }
    },
    "sharing": {
        "shares": 500
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "SSEv3r1": false,
            "none": false,
            "default": "SSEv1r2"
        },
        "cse": {
            "CSEv1r1": false,
            "none": true,
            "default": "none"
        }
    }
}

Client Information

Browser and Version: Chrome 125
Client OS and Version: Windows 10

Bug description

When connecting to the password application with a user that has a special character inside their username, a 500 - Server error occurs.

The problem is related to the LDAP. In the two logs provided below, one request is done with the right filter for the uid of the user (uid=C\u00e9line) and the user is "Céline" but the other request to the LDAP is done with a wrong filter (uid=C?line) and so the user is not found.

This problem only applies to the Passwords app, no other weird behaviour happens to this user on our Nextcloud.

Steps to reproduce

  1. Open Nextcloud
  2. Click on Password to access the application
  3. The problem occurs and it is not possible to access the application.

Expected behavior

  1. Open Nextcloud
  2. Click on Password to access the application
  3. It is possible to access the application.

Nextcloud Logs

In nextcloud server's error log file

{"reqId":"i7JtqGDwsVYiWgA3EoFz","level":0,"time":"2024-05-30T14:58:45+02:00","remoteAddr":"XX.XX.XX.XX","user":"--","app":"user_ldap","method":"GET","url":"/index.php/apps/passwords/api/1.0/session/request","message":"No user available for the given login name on ldaps://XX.XX.fr:636","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"28.0.3.2","exception":{"Exception":"OCA\\User_LDAP\\Exceptions\\NotOnLDAP","Message":"No user available for the given login name on ldaps://XX.XX.fr:636","Code":0,"Trace":[{"file":"/var/www/clients/client1/web11/web/apps/user_ldap/lib/User_LDAP.php","line":179,"function":"getLDAPUserByLoginName","class":"OCA\\User_LDAP\\User_LDAP","type":"->"},{"function":"checkPassword","class":"OCA\\User_LDAP\\User_LDAP","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/apps/user_ldap/lib/User_Proxy.php","line":126,"function":"call_user_func_array"},{"file":"/var/www/clients/client1/web11/web/apps/user_ldap/lib/Proxy.php","line":140,"function":"walkBackends","class":"OCA\\User_LDAP\\User_Proxy","type":"->"},{"file":"/var/www/clients/client1/web11/web/apps/user_ldap/lib/User_Proxy.php","line":275,"function":"handleRequest","class":"OCA\\User_LDAP\\Proxy","type":"->"},{"file":"/var/www/clients/client1/web11/web/lib/private/User/Manager.php","line":280,"function":"checkPassword","class":"OCA\\User_LDAP\\User_Proxy","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/lib/private/User/Session.php","line":627,"function":"checkPasswordNoLogging","class":"OC\\User\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/lib/private/User/Session.php","line":356,"function":"loginWithPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/lib/private/User/Session.php","line":453,"function":"login","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/lib/private/User/Session.php","line":592,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/clients/client1/web11/web/lib/base.php","line":1154,"function":"tryBasicAuthLogin","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/clients/client1/web11/web/lib/base.php","line":1058,"function":"handleLogin","class":"OC","type":"::"},{"file":"/var/www/clients/client1/web11/web/index.php","line":39,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/clients/client1/web11/web/apps/user_ldap/lib/User_LDAP.php","Line":164,"message":"No user available for the given login name on ldaps://XX.XX.fr:636","exception":{},"CustomMessage":"No user available for the given login name on ldaps://XX.XX.fr:636"}}

In nextcloud server's log file

{"reqId":"6g4yS9kREfwCizLABT1R","level":0,"time":"2024-05-30T14:58:41+02:00","remoteAddr":"185.25.194.10","user":"Celine","app":"user_ldap","method":"GET","url":"/apps/passwords/","message":"initializing paged search for filter (&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=XX,ou=XX,dc=XX,dc=fr)))(uid=C\u00e9line)), base ou=users,dc=XX,dc=fr, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"cn\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"28.0.3.2","data":{"app":"user_ldap"}}
{"reqId":"i7JtqGDwsVYiWgA3EoFz","level":0,"time":"2024-05-30T14:58:44+02:00","remoteAddr":"185.25.194.10","user":"--","app":"user_ldap","method":"GET","url":"/index.php/apps/passwords/api/1.0/session/request","message":"initializing paged search for filter (&(&(|(objectclass=inetOrgPerson))(|(memberof=cn=XX,ou=XX,dc=XX,dc=fr)))(uid=C?line)), base ou=users,dc=resilios,dc=fr, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"cn\",\"jpegphoto\",\"thumbnailphoto\"], pageSize 500, offset 0","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36","version":"28.0.3.2","data":{"app":"user_ldap"}}

Browser Logs

No response

marius-wieschollek commented 3 months ago

TBH, I don't think that's an actually supported use case. Nextcloud won't let me create any users with UTF-8 characters and neither will openldap. So I have no way of reproducing the issue and testing any fixes.

My guess is that the browser function btoa (which does not support UTF-8) mangles the name when creating the authentication header for the API.

I have added a workaround for this, which should result in a UTF-8 encoded name being sent. It looks like the data is correct, but you will have to check with the 2024.6.20 nightly to see if it actually solves the issue.
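
Added example (not code from the Passwords app or from this thread) showing the btoa() behaviour described above: a Basic auth credential built with btoa() carries "é" as the single Latin-1 byte 0xE9, which is not valid UTF-8, so a server decoding the header as UTF-8 sees a replacement character instead of the username. The UTF-8-safe variant encodes the string to bytes first. It assumes the Node.js globals btoa, TextEncoder, TextDecoder and Buffer, and the username "Céline" is a constructed sample.

```javascript
// Naive browser-side header: btoa() encodes each UTF-16 code unit as one
// byte (Latin-1). "é" (U+00E9) becomes the single byte 0xE9, which on its
// own is not a valid UTF-8 sequence.
function basicHeaderLatin1(user, password) {
  return "Basic " + btoa(user + ":" + password);
}

// UTF-8-safe variant: encode the credential to UTF-8 bytes, then map each
// byte to one "binary string" character so btoa() base64-encodes the real
// UTF-8 bytes (0xC3 0xA9 for "é") rather than the code unit.
function basicHeaderUtf8(user, password) {
  const bytes = new TextEncoder().encode(user + ":" + password);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// What a server does with the header: base64-decode the credential and
// interpret the bytes as UTF-8. TextDecoder replaces malformed input with
// U+FFFD by default, which a log or LDAP filter may then render as "?".
function decodeBasicHeader(header) {
  const raw = Buffer.from(header.slice("Basic ".length), "base64");
  const text = new TextDecoder("utf-8").decode(raw);
  const [user, ...rest] = text.split(":");
  return { user, password: rest.join(":"), bytes: Array.from(raw) };
}

// Constructed sample credential (not a real account).
const SAMPLE_USER = "Céline";
const SAMPLE_PASSWORD = "s3cret";
console.log(decodeBasicHeader(basicHeaderLatin1(SAMPLE_USER, SAMPLE_PASSWORD)).user);
console.log(decodeBasicHeader(basicHeaderUtf8(SAMPLE_USER, SAMPLE_PASSWORD)).user);
```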

loulous24 commented 3 months ago

Hello, thank you for your quick answer. For test purposes, I replicated a mock of our infrastructure with Nextcloud running in one Docker container and LDAP running in another one. I was able to replicate the bug with a user with a UTF-8 character in its name. Without any problem, I was able to create in openldap a user with a UTF-8 character in its uid.

It is right that the frontend of Nextcloud does not allow a username with a UTF-8 character (I did not try to force it). For users imported from LDAP, the internal username used by Nextcloud is a UUID (according to here), but the login is made with the LDAP uid, which can contain UTF-8 characters.

I did the upgrade to the Passwords app with the nightly version found here.

It seemed that your workaround worked well. We will put it in production when the next stable version is released.

Thank you for your quick answer and your fix!