Closed paoloB132 closed 9 years ago
@blizzz
@paoloB132 What is your LDAP configuration? Use occ ldap:show-config
Hi blizzz,
here our lap conf:
[root@cloud owncloud]# sudo -u apache php occ ldap:show-config
| Configuration                |                                                                                          |
| hasMemberOfFilterSupport     | 1                                                                                        |
| hasPagedResultSupport        |                                                                                          |
| homeFolderNamingRule         |                                                                                          |
| lastJpegPhotoLookup          | 0                                                                                        |
| ldapAgentName                | cn=ldapsearch,cn=users,dc=rfxoffline,dc=local                                            |
| ldapAgentPassword            | *\                                                                                       |
| ldapAttributesForGroupSearch |                                                                                          |
| ldapAttributesForUserSearch  | samaccountname                                                                           |
| ldapBackupHost               |                                                                                          |
| ldapBackupPort               |                                                                                          |
| ldapBase                     | dc=rfxoffline,dc=local                                                                   |
| ldapBaseGroups               | dc=rfxoffline,dc=local                                                                   |
| ldapBaseUsers                | cn=users,dc=rfxoffline,dc=local                                                          |
| ldapCacheTTL                 | 600                                                                                      |
| ldapConfigurationActive      | 1                                                                                        |
| ldapEmailAttribute           | mail                                                                                     |
| ldapExperiencedAdmin         | 1                                                                                        |
| ldapExpertUUIDGroupAttr      |                                                                                          |
| ldapExpertUUIDUserAttr       | samaccountname                                                                           |
| ldapExpertUsernameAttr       |                                                                                          |
| ldapGroupDisplayName         | cn                                                                                       |
| ldapGroupFilter              | (&(|(objectclass=group))(|(cn=Servizio-Calcolo)))                                        |
| ldapGroupFilterGroups        | Servizio-Calcolo                                                                         |
| ldapGroupFilterMode          | 1                                                                                        |
| ldapGroupFilterObjectclass   |                                                                                          |
| ldapGroupMemberAssocAttr     | member                                                                                   |
| ldapHost                     | ntserv1.rfxoffline.local                                                                 |
| ldapIgnoreNamingRules        |                                                                                          |
| ldapLoginFilter              | (&(&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local)))(|(samaccountname=%uid)(|(sAMAccountName=%uid)))) |
| ldapLoginFilterAttributes    | sAMAccountName                                                                           |
| ldapLoginFilterEmail         | 0                                                                                        |
| ldapLoginFilterMode          | 1                                                                                        |
| ldapLoginFilterUsername      | 1                                                                                        |
| ldapNestedGroups             | 0                                                                                        |
| ldapNoCase                   | 1                                                                                        |
| ldapOverrideMainServer       | 0                                                                                        |
| ldapPagingSize               | 500                                                                                      |
| ldapPort                     | 389                                                                                      |
| ldapQuotaAttribute           |                                                                                          |
| ldapQuotaDefault             |                                                                                          |
| ldapTLS                      | 0                                                                                        |
| ldapUserDisplayName          | displayname                                                                              |
| ldapUserFilter               | (&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local))) |
| ldapUserFilterGroups         | Servizio-Calcolo                                                                         |
| ldapUserFilterMode           | 1                                                                                        |
| ldapUserFilterObjectclass    | person                                                                                   |
| ldapUuidGroupAttribute       | auto                                                                                     |
| ldapUuidUserAttribute        | auto                                                                                     |
| turnOffCertCheck             | 0                                                                                        |
Log shows a failed core login with the username that comes from webform, and the bind attempt shows an empty DN. I mean that username is passed to the core but then %uid is not properly replaced.
Is displayname set for the users you want to login with? Otherwise try to switch it to "cn" (Advanced Settings).
Blizz,
On 08/Jun/2015, at 13:44, blizzz wrote:
Is displayname set for the users you want to login with?
it seems so:
[root@cloud ~]# ldapsearch -v -ZZ -LLL -hntserv1.rfxoffline.local -b"dc=rfxoffline,dc=local" -D "cn=ldapsearch,cn=Users,dc=rfxoffline,dc=local" -W -x "(&(&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local)))(|(samaccountname=barbato)(|(sAMAccountName=barbato))))"
displayName: Barbato Paolo
cn: barbato
name: barbato
sAMAccountName: barbato
Otherwise try to switch it to "cn" (Advanced Settings).
I tried to set "User Display Name Field" to "displayname", to "cn" and to "samaccountname"... the log shows a failure every time:
{"reqId":"b6c4add98f3080fcc47ba13f77d91786","remoteAddr":"150.178.3.7","app":"user_ldap","message":"No DN found for on ntserv1.rfxoffline.local","level":0,"time":"2015-06-08T11:58:44+00:00","method":"GET","url":"\/owncloud\/index.php\/core\/js\/oc.js?v=affb9603fa428ae312e7fdac3994a8d2"}
{"reqId":"d50cf1c47a5be9216f3c3a4b92b810b1","remoteAddr":"150.178.3.7","app":"core","message":"Login failed: 'barbato' (Remote IP: '150.178.3.7', X-Forwarded-For: '')","level":2,"time":"2015-06-08T12:00:16+00:00","method":"POST","url":"\/owncloud\/index.php"}
Looking at the code, it seems some problem occurs here:
/Users/manager/Library/Caches/Cleanup At Startup/com.fetchsoftworks.Fetch/Fetch Temporary Folder 3/user_ldap.php
```php
public function checkPassword($uid, $password) {
    $uid = $this->access->escapeFilterPart($uid);
    //find out dn of the user name
    $attrs = array($this->access->connection->ldapUserDisplayName, 'dn',
        'uid', 'samaccountname');
    $filter = \OCP\Util::mb_str_replace(
        '%uid', $uid, $this->access->connection->ldapLoginFilter, 'utf-8');
    # -rfx- (debug output added by the reporter)
    print "uid $uid dn $dn samccountname $samaccountname filter $filter\n";
    var_dump ($attrs);
    $users = $this->access->fetchListOfUsers($filter, $attrs);
    if(count($users) < 1) {
        return false;
    }
    $dn = $users[0]['dn'];
```
This code returns false.
$uid is really "barbato", that is my login, while dn and samaccountname are empty.
$filter is (&(&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local)))(|(samaccountname=%uid)(|(sAMAccountName=%uid))))
$attrs contains: array(4) { [0]=> string(11) "displayname" [1]=> string(2) "dn" [2]=> string(3) "uid" [3]=> string(14) "samaccountname" }
Regards, Paolo.
Paolo Barbato
Consorzio RFX
corso Stati Uniti,4
35127 Padova - Italy
Network Administrator
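The checkPassword() fragment traced above does three things worth getting right in any LDAP login path: it escapes the submitted username before putting it into a filter, it substitutes %uid into the configured ldapLoginFilter, and it binds with the DN of the first search hit. The following is an added example, not ownCloud's code and not its API: the helper names (example_escape_filter_value, example_build_login_filter, example_select_login_dn) are this example's own, the login filter template is the one from the show-config output above, and the search result is a constructed array in the shape the snippet indexes ($users[0]['dn']). It fails closed when the placeholder survives substitution (the exact symptom of this issue, where a literal "%uid" reached the directory), and it refuses to bind unless the search returned exactly one entry.

```php
<?php
// Added example, not ownCloud's code. Helper names are hypothetical.

/**
 * Escape a value for use inside an LDAP filter assertion (RFC 4515, section 3).
 * Uses the built-in ldap_escape() where available (PHP >= 5.6 with ext/ldap),
 * otherwise a manual map. strtr() with an array replaces in a single pass,
 * so the backslash is never escaped twice.
 */
function example_escape_filter_value($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return strtr($value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

/**
 * Build the concrete login filter from the configured template.
 * Returns null (fail closed) when the template has no %uid placeholder or
 * the substitution did not happen. Comparing against the template is what
 * would have caught this issue no matter which replace helper is in use;
 * a plain str_replace() is enough here because the placeholder is ASCII and
 * byte-wise replacement is safe on UTF-8 input.
 */
function example_build_login_filter($template, $uid) {
    $filter = str_replace('%uid', example_escape_filter_value($uid), $template);
    if ($filter === $template) {
        return null;
    }
    return $filter;
}

/**
 * Pick the DN to bind with. Exactly one entry is required: zero means an
 * unknown user, more than one means the filter is ambiguous and binding as
 * $entries[0] could authenticate the wrong account.
 */
function example_select_login_dn(array $entries) {
    if (count($entries) !== 1 || empty($entries[0]['dn'])) {
        return null;
    }
    return $entries[0]['dn'];
}

// Constructed inputs: the ldapLoginFilter from the show-config output above,
// a well-formed username and one carrying filter metacharacters.
$template = '(&(&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local)))'
          . '(|(samaccountname=%uid)(|(sAMAccountName=%uid))))';

foreach (array('barbato', 'barbato)(objectclass=*') as $uid) {
    $filter = example_build_login_filter($template, $uid);
    echo $uid, ' => ', ($filter === null ? 'REFUSED' : $filter), "\n";
}

// Constructed search result (no directory is contacted).
$results = array(array('dn' => 'CN=barbato,CN=Users,DC=rfxoffline,DC=local'));
$dn = example_select_login_dn($results);
echo 'bind DN: ', ($dn === null ? 'none (refuse login)' : $dn), "\n";
```

The second username in the loop is printed with its parentheses and asterisk escaped, so it cannot widen the filter; the template check is the guard a broken substitution helper would trip, turning a confusing "No DN found for" into an explicit refusal before anything is sent to the server.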
If I force $filter to:
$filter= "(&(&(|(objectclass=person))(|(memberof=CN=Servizio-Calcolo,CN=Users,DC=rfxoffline,DC=local)))(|(samaccountname=barbato)(|(sAMAccountName=barbato))))";
then it works!
So it seems that something goes wrong here:
$filter = \OCP\Util::mb_str_replace( '%uid', $uid, $this->access->connection->ldapLoginFilter, 'utf-8');
That seems to be a problem with the patchwork library
/var/www/html/owncloud/3rdparty/patchwork
... I've also installed the newest distribution but the problem is still there.
Maybe something related to RedHat 7 and how UTF-8 encoding is managed?
Regards, Paolo.
Hi Blizz,
have you been able to reproduce this bug?
Regards, Paolo.
Blizzz,
let me inform you that I've made a new clean install on RHEL 7.1 and the problem is still present with ownCloud 8.0.4.
I've installed, on a new RHEL 7.1, the ownCloud present in EPEL, that is owncloud-7.0.5-2.el7.noarch, and AD really starts working.
Regards, Paolo.
In OC 7 we do not use Patchwork. Which PHP version do you run?
[root@testrhel7 kit]# php -v
PHP 5.4.16 (cli) (built: Oct 23 2014 07:19:40)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
are there any PHP warnings or errors in the log?
No errors at all in ssl_error_log
and nothing specific in ssl_access_log:
150.178.3.7 - - [17/Jun/2015:15:54:26 +0200] "POST /owncloud/ HTTP/1.1" 200 11483
150.178.3.7 - - [17/Jun/2015:15:54:26 +0200] "GET /owncloud/index.php/core/js/oc.js?v=affb9603fa428ae312e7fdac3994a8d2 HTTP/1.1" 200 1843
150.178.3.7 - - [17/Jun/2015:15:54:26 +0200] "GET /owncloud/cron.php HTTP/1.1" 200 20
I had this same problem today, and put this on the OC forums to see if others had the issue. Then I found this thread. Here's what I wrote:
I'm running a new install of OC 8.0.4 on this stack:
CentOS 7 minimal (SELinux disabled, fully patched)
php-fpm 5.4.16
nginx 1.6.3
MariaDB Server 5.5.41
I configured my installation to authenticate against my OpenLDAP server. I got it to correctly count the number of users, and correctly list them on the Users admin panel. But I had no luck authenticating.
I dug into the code and discovered that checkPassword() was not correctly replacing '%uid' with the $uid passed to the function when building the $filter string. The issue seems to be the mb_str_replace function in /lib/private/helper.php. $offset is initialized to -1 (Line 766). If I initialize to zero, the function performs the correct substitution, and my users can authenticate.
I don't know if this "fix" will break something else. I haven't tested it for long.
Hi pherzing,
your report confirms what we've observed here in a couple of clean test installations.
As Blizzz said, in OC8 they integrated the 3rd-party "patchwork" library in order to manage UTF-8.
We've also looked somewhat in depth at the code (but we are neither OC nor patchwork developers) and found a possible conflict of patchwork with CentOS/RHEL 7.x, in particular in how UTF-8 is managed at system level.
Regards, Paolo.
@paoloB132 @pherzing would it be possibly to isolate the error, test with latest Patchwork and if reproducible open an issue there?
@jnfrmarks could you try to reproduce it with RHEL/CentOS 7?
The problem is present also with the latest 1.2.2.
... I'll try to report the issue to the patchwork devs.
Yes, it happens both on RedHat 7.1 and CentOS.
Thank you @paoloB132 !
To me, the mb_(sub)str_replace wrappers/utils are useless. String replacement is encoding safe. OC should just use the PHP native (sub)str_replace functions and get rid of the mb_*_replace implementations.
Don't know why in OC8 they have moved on to Patchwork....
php-mbstring.x86_64 5.4.16-23.el7_0.3 rhel-7-server-optional-rpms
So, if the mbstring fallback of patchwork/utf8 is not used, then this issue has nothing to do with patchwork/utf8...
... well, OC 8 developers, the ball's in your court.
If I can help please let me know. i'm not currently set up as a contributor, but would be happy to join up.
SOLVED!
As Nicolas suggested, Patchwork is used by OC8 when the RHEL/CentOS php-mbstring is not installed.... so I've installed it:
subscription-manager repos --enable=rhel-7-server-optional-rpms
yum install php-mbstring
service httpd restart (old style, sorry!)
and now AD authentication starts working!
Also confirmed here. I restored line 766 to its original form, then did this:
yum install php-mbstring
systemctl php-fpm restart
systemctl php-fpm nginx (just for fun)
My LDAP auth now works without changes to the OC core.
@paoloB132 @pherzing did you install ownCloud via package management originally, or by hand?
@nicolas-grekas thanks for having a look and opening the PR.
By hand (downloaded https://download.owncloud.org/community/owncloud-8.0.4.tar.bz2)
by hand
OK, because the mbstring extension is listed as a must-have dependency in the install documentation. I wanted to make sure that packaging went right.
I close this issue as a configuration bug, as mbstring is required for ownCloud and it is documented. The Patchwork fallback is not working atm, but it's being dealt with upstream at https://github.com/tchwork/utf8/issues/44. And I will have a look at our methods next week, based on #17046.
Just a quick note... I faced this same issue. Clean install of OC 8.1 on Apache 2.4/SciLinux 7.1. Shame on me for not reading the documentation - installed php-mbstring and everything worked. However, OC does not check for this module during the install process, while it does for others. Perhaps consider checking the required module list and ensuring all requirements are tested?
@tvsjr we use a lib that adds this functionality if the module is not available, which had a bug in the version we include.
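The missing check tvsjr asks for can be done at deploy time without touching ownCloud. The following is an added example, not ownCloud's or Patchwork's code: a standalone PHP preflight that reports whether mb_strrpos() comes from the native mbstring extension or from a userland polyfill (ReflectionFunction::isInternal() is false for userland code, which is what a fallback like patchwork/utf8 installs when the extension is absent), and probes the one call this thread identified as the failure point: mb_strrpos() with a negative offset, as used by the mb_str_replace() helper with $offset = -1. The haystack is constructed; the expected value 2 is what the native extension returns, and a fallback that truncates the haystack to the last character instead of limiting the search returns false, which is the behaviour that left "%uid" unreplaced here.

```php
<?php
// Added example, not ownCloud's code: deploy-time mbstring preflight.

/**
 * Returns an array with:
 *   'loaded' - extension_loaded('mbstring')
 *   'native' - mb_strrpos() is implemented in C, not userland PHP
 *   'probe'  - result of the negative-offset call (2 expected, see below)
 *   'ok'     - all of the above as expected
 */
function mbstring_preflight() {
    $loaded = extension_loaded('mbstring');
    $native = false;
    $probe  = null;
    if (function_exists('mb_strrpos')) {
        $rf = new ReflectionFunction('mb_strrpos');
        $native = $rf->isInternal();
        // Constructed haystack: "%uid" starts at character index 2 and ends
        // two characters before the end, so an offset of -1 must still find
        // it. The @ silences a warning a broken implementation may emit.
        $probe = @mb_strrpos('ab%uidcd', '%uid', -1, 'UTF-8');
    }
    return array(
        'loaded' => $loaded,
        'native' => $native,
        'probe'  => $probe,
        'ok'     => $loaded && $native && $probe === 2,
    );
}

$r = mbstring_preflight();
if (!$r['ok']) {
    fwrite(STDERR, sprintf(
        "mbstring check FAILED: loaded=%s native=%s probe=%s\n"
        . "Install php-mbstring (on RHEL 7 it is in the optional repo) and restart PHP.\n",
        var_export($r['loaded'], true),
        var_export($r['native'], true),
        var_export($r['probe'], true)
    ));
    exit(1);
}
echo "mbstring check OK\n";
```

Run it with the same PHP binary and php.ini the web server uses (for example via `sudo -u apache php`), since a CLI PHP with mbstring loaded says nothing about php-fpm or mod_php; a non-zero exit is a suitable gate for a deployment script.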
ownCloud 8.0.3, RedHat 7.1
Trying to integrate authentication with AD 2012. The LDAP module seems properly configured since AD users are correctly listed, I mean attributes are collected from AD. LDAP authentication fails both from the desktop client and from the web form.
The log shows a failed core login with the username that comes from the web form, and the bind attempt shows an empty DN. I mean that the username is passed to the core but then %uid is not properly replaced.
Debugging with Wireshark confirms that %uid is not replaced with the username.