This bug broke LDAP-Auth for us too, but we are using OpenLDAP as a backend.
After applying the patches to our system things work nicely again.
put_simple_filter: "uid:caseExactMatch:=foobar"
...
[error] UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'Bad search filter',
'desc': 'Critical extension is unavailable'}
--
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 1574 |
http://urz.unibas.ch
From: Morten Brekkevold <morten.brekkevold@uninett.no>
Date: Thursday, 13 March 2014 14:37
To: Sjøholt Steinar Otto <ssj@hials.no>
Cc: "nav-users@uninett.no" <nav-users@uninett.no>
Subject: Re: NAV authentication with LDAP + MS AD
On Wed, 12 Mar 2014 16:06:50 +0100 Morten Brekkevold <morten.brekkevold@uninett.no> wrote:
>> Since the addition of ":caseExactMatch:" doesn't work with AD, a
>> better solution to Bug#1207722 would be to have NAV check the output
>> of the LDAP-query to get the actual username (with correct casing) and
>> use this to create the user in the database instead of the actual
>> userinput.
>
> You are probably right, but we will have to look into rewriting the way
> external authentication is invoked.
>
> NAV's login page doesn't concern itself with what any external
> authentication mechanism actually does, only that it returns a good or
> bad status. There is currently no mechanism to pass a revised username
> back to the login page, since it only cares about what the user actually
> typed into the login form.
I take that back. It's been a while since I hacked on this part of NAV,
and last time it was refactored, this was made easily possible. I filed
a report at [1], and have committed a fix.
The downside to this fix is that all NAV login names will now be case
insensitive. Hopefully, people using NAV aren't in the habit of creating
separate users with the same name using different casing.
The fallback to cached password when the user wasn't found was in
reality a different problem, but I fixed it as part of [1] anyway.
[1] https://bugs.launchpad.net/nav/+bug/1291956
--
Morten Brekkevold
UNINETT
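
The approach discussed in this thread, sketched as an added example (not NAV's actual fix and not code from any poster): search with a plain equality filter, take the username spelling from the directory entry, and match local accounts case-insensitively. The function names, the `uid` attribute default and the sample entries are assumptions; the entries are constructed in the shape python-ldap returns from a search.

```python
# Added illustration, not NAV code. All function names are hypothetical.
# Entries mimic python-ldap search results: [(dn, {attr: [bytes, ...]}), ...]

def escape_filter_value(value):
    """Escape RFC 4515 special characters in user input used in a filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)

def build_filter(typed, uid_attr='uid'):
    # Plain equality match, without the ":caseExactMatch:" matching rule
    # that the thread reports as failing.
    return '(%s=%s)' % (uid_attr, escape_filter_value(typed))

def canonical_username(entries, typed, uid_attr='uid'):
    """Return the directory's own spelling of the login name, or None."""
    # Referral results carry dn=None; they are not user entries.
    matches = [attrs for dn, attrs in entries if dn is not None]
    if len(matches) != 1:
        return None  # not found, or ambiguous: refuse rather than guess
    for raw in matches[0].get(uid_attr, []):
        name = raw.decode('utf-8')
        if name.casefold() == typed.casefold():
            return name
    return None

def find_or_create_account(accounts, typed, entries):
    """Map a typed login to one local account, whatever casing was typed."""
    name = canonical_username(entries, typed)
    if name is None:
        return None
    for existing in accounts:
        if existing.casefold() == name.casefold():
            return existing  # reuse it; never create a casing duplicate
    accounts.append(name)
    return name

# Constructed sample data: one user entry plus one referral.
SAMPLE_ENTRIES = [
    ('uid=FooBar,ou=people,dc=example,dc=org', {'uid': [b'FooBar']}),
    (None, ['ldap://example.org/cn=referral']),
]

if __name__ == '__main__':
    accounts = []
    print(build_filter('foobar'))
    print(find_or_create_account(accounts, 'foobar', SAMPLE_ENTRIES))
    print(find_or_create_account(accounts, 'FOOBAR', SAMPLE_ENTRIES))
    print(accounts)
```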