Redmine - Defect #4483: LDAP authentication with Redmine doesn't return an error when credentials used to bind to LDAP are incorrect
https://www.redmine.org/issues/4483?journal_id=13338 2009-12-28T23:04:45Z Mischa The Evil
<ul><li><strong>Category</strong> set to <i>LDAP</i></li></ul>
https://www.redmine.org/issues/4483?journal_id=21642 2010-10-22T08:01:52Z Yuriy Taraday
<p>I've just run into the very same problem. I suggest changing the code of AuthSourceLdap.test_connection to something like this:<br /><pre>def test_connection
  ldap_con = initialize_ldap_con(self.account, self.account_password)
  # bind returns false when the server rejects the bind credentials
  if not ldap_con.bind
    raise "Failed to bind to LDAP server."
  end
rescue Net::LDAP::LdapError => text
  # an exception cannot be appended to a String directly; use its message
  raise "LdapError: " + text.message
end
</pre><br />This will make the Test button show an error when you provide bad bind credentials, not just write success.</p>
https://www.redmine.org/issues/4483?journal_id=58822 2014-09-24T11:53:29Z Alexander Ryabinovskiy
<p>I confirm, Redmine version 2.5.2.<br />Only after research in Wireshark I saw the error:<br /><code>LDAPMessage bindResponse(1) invalidCredentials (80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece)</code><br />which means "not permitted to logon at this workstation".<br />Redmine always reports "Success".</p>
https://www.redmine.org/issues/4483?journal_id=99812 2020-11-24T05:18:53Z Yuichi HARADA
<ul><li><strong>File</strong> <a href="/attachments/26289">SettingLDAP.png</a> added</li><li><strong>File</strong> <a href="/attachments/26290">fixed-4483.patch</a> added</li></ul><p>Joe Heck wrote:</p>
<blockquote>
<p>However, silent failure seems to be a bug, especially since the "test" link on the auth_sources page appeared to work correctly.</p>
</blockquote>
<p>I think the reason the test connection was successful is that you didn't enter your account or password.</p>
<p><img src="https://www.redmine.org/attachments/download/26289/SettingLDAP.png" style="width:600px;border:1px solid #ccc;" alt="" /></p>
<p>Alternatively, the test connection will succeed even when the Dynamic Bind Account is set for the account.<br /><a class="wiki-page" href="https://www.redmine.org/projects/redmine/wiki/RedmineLDAP#Dynamic-Bind-Account">RedmineLDAP</a></p>
<p>I think the following patch will solve it.</p>
<pre><code class="diff syntaxhl"><span class="gh">diff --git a/app/models/auth_source_ldap.rb b/app/models/auth_source_ldap.rb
index 7adbf45bc..3642b3b31 100644
</span><span class="gd">--- a/app/models/auth_source_ldap.rb
</span><span class="gi">+++ b/app/models/auth_source_ldap.rb
</span><span class="p">@@ -71,10 +71,9 @@</span> class AuthSourceLdap < AuthSource
with_timeout do
ldap_con = initialize_ldap_con(self.account, self.account_password)
ldap_con.open {}
<span class="gd">- if self.account.present? && !self.account.include?("$login") && self.account_password.present?
- ldap_auth = authenticate_dn(self.account, self.account_password)
- raise AuthSourceException.new(l(:error_ldap_bind_credentials)) if !ldap_auth
- end
</span><span class="gi">+ return if self.account.present? && self.account.include?("$login")
+ ldap_auth = authenticate_dn(self.account, self.account_password)
+ raise AuthSourceException.new(l(:error_ldap_bind_credentials)) if !ldap_auth
</span> end
rescue *NETWORK_EXCEPTIONS => e
raise AuthSourceException.new(e.message)
</code></pre>
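Review bot: the added guard `return if self.account.present? && self.account.include?("$login")` only exits early for a dynamic bind account, so `authenticate_dn` is now also reached when `account` or `account_password` is blank, a case the removed `self.account.present? && ... && self.account_password.present?` condition skipped. Whether an anonymous-bind source now fails the test with `error_ldap_bind_credentials`, and whether a named account with a blank password is sent to the server as a bind, depends on how `authenticate_dn` treats blank arguments, which this hunk does not show. Please state the intended result for both cases and add tests for blank account, blank password, `$login` account, and wrong static credentials. Also note that the `return` sits inside the `with_timeout do` block and exits the whole method; a comment saying that is intended would help the next reader.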
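An added example, not Redmine's code and not written by anyone in this thread: a model of the check under discussion, showing that a successful `open` says nothing about the bind credentials, and turning the Active Directory text quoted above ("data 531") into a readable reason. `StubLdap`, `OpResult`, `check_bind` and the DNs in the test are hypothetical; the stub only mimics the `open`, `bind` and `get_operation_result` methods of Net::LDAP, and rejecting an empty password for a named account is this example's own choice.

```ruby
# AD appends a hex sub-code ("data 531") to the bindResponse text.
AD_BIND_SUBCODES = {
  '525' => 'user not found',
  '52e' => 'invalid credentials',
  '530' => 'not permitted to logon at this time',
  '531' => 'not permitted to logon at this workstation',
  '532' => 'password expired',
  '533' => 'account disabled',
  '775' => 'account locked out'
}.freeze

# Diagnostic text quoted in the thread.
AD_531 = '80090308: LdapErr: DSID-0C090334, comment: ' \
         'AcceptSecurityContext error, data 531, vece'

OpResult = Struct.new(:code, :error_message)

# Hypothetical stand-in for a Net::LDAP connection: connecting always
# works, bind answers whatever the stubbed "server" was told to answer.
class StubLdap
  def initialize(bind_ok, error_message = nil)
    @bind_ok = bind_ok
    @error_message = error_message
  end

  def open
    yield self
  end

  def bind
    @bind_ok
  end

  def get_operation_result
    OpResult.new(@bind_ok ? 0 : 49, @error_message)
  end
end

# Hypothetical helper, returns [status, detail].
def check_bind(con, account, password)
  con.open {} # proves reachability only, not that the credentials work
  return [:skipped, 'anonymous bind'] if account.to_s.empty?
  return [:skipped, 'dynamic bind account'] if account.include?('$login')
  return [:failed, 'empty password for a named account'] if password.to_s.empty?
  return [:ok, nil] if con.bind

  result = con.get_operation_result
  sub = result.error_message.to_s[/data ([0-9a-f]+)/i, 1].to_s.downcase
  [:failed, AD_BIND_SUBCODES[sub] || "LDAP result code #{result.code}"]
end
```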