milux / ctldap

LDAP Wrapper for ChurchTools
GNU General Public License v3.0

Problem with Umlaut in Groups using Apache LDAP #29

Closed teleharry closed 2 years ago

teleharry commented 2 years ago

Hi,

I'm trying to get several small web apps authenticated by Apache's LDAP to ctldap. For some reason the group membership seems to fail in case the group contains German umlauts, perhaps any non-ASCII characters.

The user is a member of both groups. But authorization fails with groups like this:

[DEBUG] churchtools-test - Filter: (&(&(objectclass=*)(memberof=cn=Gemeindebüro,ou=groups,o=churchtools-test))(uid=xxx))
[DEBUG] churchtools-test - Search for users and groups combined
[DEBUG] churchtools-test - Performing request to API function getUsersData
[DEBUG] churchtools-test - Performing request to API function getGroupsData
[DEBUG] churchtools-test - CT session invalid, login and retry...
[DEBUG] churchtools-test - Performing CT API login...
[DEBUG] churchtools-test - CT session invalid, login and retry...
[DEBUG] churchtools-test - Return pending login promise
[DEBUG] churchtools-test - CT API login successful, fetching CSRF-Token...
[DEBUG] churchtools-test - Got CSRF-Token.
[DEBUG] churchtools-test - CT API login completed
[DEBUG] churchtools-test - Retry request to API function getUsersData after login
[DEBUG] churchtools-test - Performing request to API function getUsersData
[DEBUG] churchtools-test - Retry request to API function getGroupsData after login
[DEBUG] churchtools-test - Performing request to API function getGroupsData
[DEBUG] churchtools-test - Updated groups: 191
[DEBUG] churchtools-test - Updated users: 294

And succeeds with groups without umlauts.

[DEBUG] churchtools-test - Admin bind DN: cn=root, ou=users, o=churchtools-test
[DEBUG] churchtools-test - Authentication success
[DEBUG] churchtools-test - SEARCH base object: o=churchtools-test scope: sub
[DEBUG] churchtools-test - Filter: (&(&(objectclass=*)(memberof=cn=it,ou=groups,o=churchtools-test))(uid=xxx))
[DEBUG] churchtools-test - Search for users and groups combined
[DEBUG] churchtools-test - Performing request to API function getUsersData
[DEBUG] churchtools-test - Performing request to API function getGroupsData
[DEBUG] churchtools-test - Updated groups: 191
[DEBUG] churchtools-test - Updated users: 294
[DEBUG] churchtools-test - MatchUser: cn=xxx,ou=users,o=churchtools-test
[DEBUG] churchtools-test - Bind user DN: %s
[DEBUG] churchtools-test - Performing request to API function authenticate
[DEBUG] churchtools-test - Authentication successful for cn=xxx, ou=users, o=churchtools-test

We are also using Nextcloud, which works just fine with any groups. But using Apache doesn't seem to be too exotic, as this could open the door for many small webapps. All I could find was this issue in the past: https://github.com/milux/ctldap/issues/4

So far I also tried several options in Apache with no difference.

AddLanguage de .de
AddDefaultCharset utf-8

Also, I had Apache configs with groups containing German umlauts connecting to MS AD, which didn't cause any issues.

Could this be fixed in ctldap? There don't seem to be many possibilities in Apache's configuration to change its behavior. The closest option seems to be the AuthLDAPCharsetConfig directive, but there isn't much information on this.

My Auth in Apache looks like this.

AuthName "Auth"
AuthType Basic
AuthLDAPBindDN "cn=root,ou=users,o=churchtools-test"
AuthLDAPBindPassword "PW"
AuthLDAPURL "ldap://localhost:7777/o=churchtools-test?uid?sub?(&(objectClass=*)(memberof=cn=Gemeindebüro,ou=groups,o=churchtools-test))"
AuthBasicProvider ldap
Require valid-user

teleharry commented 2 years ago

Sorry, it was an issue with capitals.
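
Added example, not part of the thread and not ctldap's code: a case-insensitive, Unicode-normalized comparison of `memberof` DNs, so an authorization filter naming `cn=Gemeindebüro` still matches a group stored with different capitalization. The thread does not say where the capitalization mismatch was; the function names, the stored lower-case group name and the sample entry are assumptions constructed for illustration.

```javascript
'use strict';

// Split a DN into RDNs on unescaped commas.
// Simplified: quoted and hex-encoded values are not handled.
function splitDn(dn) {
  const parts = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    if (dn[i] === '\\' && i + 1 < dn.length) {
      cur += dn[i] + dn[++i]; // keep the escaped character with its backslash
    } else if (dn[i] === ',') {
      parts.push(cur);
      cur = '';
    } else {
      cur += dn[i];
    }
  }
  parts.push(cur);
  return parts;
}

// Canonical form for comparison: NFC, trimmed, lower-cased type and value.
function normalizeDn(dn) {
  return splitDn(dn.normalize('NFC')).map((rdn) => {
    const eq = rdn.indexOf('=');
    if (eq < 1) throw new Error(`malformed RDN: ${rdn}`);
    const type = rdn.slice(0, eq).trim().toLowerCase();
    const value = rdn.slice(eq + 1).trim().replace(/\s+/g, ' ').toLowerCase();
    return `${type}=${value}`;
  }).join(',');
}

function dnEquals(a, b) {
  return normalizeDn(a) === normalizeDn(b);
}

// True if any memberOf value of the entry names the requested group.
function isMemberOf(entry, groupDn) {
  return entry.memberOf.some((dn) => dnEquals(dn, groupDn));
}

// Constructed sample entry (hypothetical stored capitalization).
const sampleUser = {
  dn: 'cn=xxx,ou=users,o=churchtools-test',
  memberOf: [
    'cn=gemeindebüro,ou=groups,o=churchtools-test',
    'cn=it,ou=groups,o=churchtools-test',
  ],
};
```

A byte-for-byte comparison of the filter value against the stored DN fails here, and a failed group match in an authorization filter shows up only as a denied login, so checking the DN's exact capitalization is worth doing before suspecting character encoding.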