xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

During import of users: Column 'tx_igldapssoauth_dn' cannot be null #64

Closed AmiH-github closed 4 years ago

AmiH-github commented 5 years ago

Typo3: 9.5.7 ig_ldap_sso_auth: 3.4.0

A connection to AD is used. Importing of groups works just fine while importing user accounts simply does not work. In the log you find entries like:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: An exception occurred while executing 'INSERT INTO fe_users (pid, tstamp, crdate, cruser_id, deleted, disable, starttime, endtime, description, tx_extbase_type, username, password, usergroup, name, first_name, middle_name, last_name, address, telephone, fax, email, locktodomain, uc, title, zip, city, country, www, company, image, tsconfig, lastlogin, is_online, felogin_redirectpid, felogin_forgothash, tx_igldapssoauth_dn, tx_igldapssoauth_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)' with params ["2", 1560953769, 1560953769, "0", "0", "0", "0", "0", null, "0", "", "$P$ChTxGdys22vlYi2P2FMYBzlyWvDIHG0", "4,5,6,7,2,3,8,9,10,11,12,13,1", "", "", "", "", "", "", "", "", "", null, "", "", "", "", "", "", null, null, "0", "0", null, "", null, 1]: Column 'tx_igldapssoauth_dn' cannot be null | Doctrine\DBAL\Exception\NotNullConstraintViolationException thrown in file /var/www/html/typo3_src-9.5.7/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractMySQLDriver.php in line 123. Requested URL: http://localhost/typo3/index.php?route=%%2Fajax%%2Fldap%%2Fusers%%2Fimport&token=--AnonymizedToken--&configuration=1&mode=fe&dn=CN%%3DMueller%%5C%%2C%%20Egon%%20DA%%2COU%%3DUsers%%2COU%%3DAdministrative%%20OU%%2CDC%%3Dcompany%%2CDC%%3Dintern

Memolos commented 5 years ago

Hello,

I hope I am right here and someone can help me. I have exactly the same error message.

My system:

Typo3 9.5.8 PHP 7.3.7 MySQL 5.5.5-10.1.38-MariaDB ig_ldap_sso_auth version 3.4.0

I have noticed the following. If I want to import users who have only one name, so without (backslash, comma), then the import works fine and no error is displayed. However, if a user with first name and last name and thus with (backslash, comma) should be imported, it does not work and the error is issued.

I hope someone can help, Thanks

optodelp commented 4 years ago

here the same :(

users like this are not working CN=Mustermann\, Max (LAN),OU=USERS,OU=ABCD,DC=EFGH,DC=ijkl,DC=intern

users like this are fine: CN=faxbh,OU=USERS,OU=ABCD,DC=EFGH,DC=ijkl,DC=intern

I assume that the plugin mixes up login name and common name. Or can we fix that by mapping?

Thanks

clews commented 4 years ago

Had the same problem, found a solution, the following pull request gave me the hint: https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/pull/55

I added the following 3 lines in Classes/Controller/ModuleController.php around after line 444 instead of just the one from the pull request, and it worked...

        $filter = str_replace('\\','',$filter);
        $filter = str_replace('(','\(', $filter);
        $filter = str_replace(')','\)', $filter);

Quick and dirty fix, I think there should be more proper escaping on the filter.

xperseguers commented 4 years ago

I created a test account in an Active Directory, with name Perseguers, Xavier (TEST), the Import LDAP users list shows:

CN=Perseguers\, Xavier (TEST),OU=Users,OU=Causal,DC=causal,DC=ch

When I click the Import button, $filter after https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/blob/master/Classes/Controller/ModuleController.php#L444 is extracted as CN=Perseguers\, Xavier (TEST) and the search filter parameter sent to $ldap->search() on https://github.com/xperseguers/t3ext-ig_ldap_sso_auth/blob/master/Classes/Controller/ModuleController.php#L446 is (CN=Perseguers\, Xavier (TEST)) which is wrong.

Toying a bit, and using the official method ldap_escape(), it looks like the correct filter would be to unescape the comma and escape the parentheses, which means having filter:

(CN=Perseguers, Xavier \28TEST\29)

This can be achieved like that:

        // If we assume that DN is
        // CN=Mustermann\, Max (LAN),OU=Users,DC=example,DC=com
        list($filter, $baseDn) = Authentication::getRelativeDistinguishedNames($params['dn'], 2);
        // ... we need to properly escape $filter "CN=Mustermann\, Max (LAN)" as "CN=Mustermann, Max \28LAN\29"
        list($key, $value) = explode('=', $filter, 2);
        // 1) Unescape the comma
        $value = str_replace('\\', '', $value);
        // 2) Create a proper search filter
        $searchFilter = '(' . $key . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')';
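
The DN-to-filter conversion discussed in this thread, written out as an added example (not code from the extension or its maintainer). It undoes DN escaping per RFC 4514, including `\\` and hex pairs such as `\2C`, then applies RFC 4515 filter escaping by hand so that it runs without the LDAP extension. The function names and sample DNs are hypothetical, and a single-valued first RDN is assumed.

```php
<?php
// Added example: hypothetical helper names, not the ig_ldap_sso_auth API.
/** Return the first RDN of a DN, splitting only on an unescaped comma. */
function firstRdn(string $dn): string
{
    for ($i = 0, $len = strlen($dn); $i < $len; $i++) {
        if ($dn[$i] === '\\') {
            $i++; // skip the character that the backslash escapes
        } elseif ($dn[$i] === ',') {
            return substr($dn, 0, $i);
        }
    }
    return $dn;
}

/** Undo DN escaping (RFC 4514): "\," -> ",", "\\" -> "\", "\2C" -> ",". */
function unescapeDnValue(string $value): string
{
    return preg_replace_callback(
        '/\\\\([0-9A-Fa-f]{2}|.)/s',
        static function (array $m): string { return strlen($m[1]) === 2 ? chr(hexdec($m[1])) : $m[1]; },
        $value
    );
}

/** Escape a raw value for use inside a search filter (RFC 4515). */
function escapeFilterValue(string $value): string
{
    return strtr($value, ['\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\x00" => '\00']);
}

/** Build "(attr=value)" from the first RDN of $dn (assumes a single-valued RDN). */
function rdnToSearchFilter(string $dn): string
{
    $parts = explode('=', firstRdn($dn), 2);
    if (count($parts) !== 2 || !preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $parts[0])) {
        throw new InvalidArgumentException('Unexpected RDN in DN');
    }
    return '(' . $parts[0] . '=' . escapeFilterValue(unescapeDnValue($parts[1])) . ')';
}

// Constructed sample DNs (not taken from a real directory).
foreach ([
    'CN=Mustermann\, Max (LAN),OU=Users,DC=example,DC=com',
    'CN=Doe\2C John*,OU=Users,DC=example,DC=com',
    'CN=back\\\\slash,OU=Users,DC=example,DC=com',
] as $dn) {
    echo rdnToSearchFilter($dn), PHP_EOL;
}
```

Unlike stripping every backslash, this keeps a literal backslash in the name (DN form `\\`) and re-escapes it as `\5c`, and a `*` in the value is matched literally instead of acting as a wildcard.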