Hi,

I pulled the fix from:

https://nav.uninett.no/hg/stable/rev/23d774154094

This makes the login with wrong credentials work (before we had an error), but in case of good credentials the system still crashes. Debug output below:


read1msg:  mark request completed, ld 0x7fdfb4d38300 msgid 4

request done: ld 0x7fdfb4d38300 msgid 4

res_errno: 0, res_error: <>, res_matched: <>

ldap_free_request (origid 4, msgid 4)

ldap_parse_result

ldap_msgfree

[Wed Apr 02 17:23:22 2014] [error] [Wed Apr 02 17:23:22 2014] [ERROR] [pid=12954 django.request] Internal Server Error: /index/login/

[Wed Apr 02 17:23:22 2014] [error] Traceback (most recent call last):

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 111, in get_response

[Wed Apr 02 17:23:22 2014] [error]     response = callback(request, *callback_args, **callback_kwargs)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py", line 69, in sensitive_post_parameters_wrapper

[Wed Apr 02 17:23:22 2014] [error]     return view(request, *args, **kwargs)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 92, in login

[Wed Apr 02 17:23:22 2014] [error]     return do_login(request)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py", line 34, in sensitive_variables_wrapper

[Wed Apr 02 17:23:22 2014] [error]     return func(*args, **kwargs)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 127, in do_login

[Wed Apr 02 17:23:22 2014] [error]     account = auth.authenticate(username, password)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/pymodules/python2.7/nav/web/auth.py", line 79, in authenticate

[Wed Apr 02 17:23:22 2014] [error]     user = ldapauth.authenticate(username, password)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 151, in authenticate

[Wed Apr 02 17:23:22 2014] [error]     if user.is_group_member(group_dn):

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 280, in is_group_member

[Wed Apr 02 17:23:22 2014] [error]     result = self.ldap.search_s(group_dn, ldap.SCOPE_BASE, filterstr)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s

[Wed Apr 02 17:23:22 2014] [error]     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s

[Wed Apr 02 17:23:22 2014] [error]     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext

[Wed Apr 02 17:23:22 2014] [error]     timeout,sizelimit,

[Wed Apr 02 17:23:22 2014] [error]   File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call

[Wed Apr 02 17:23:22 2014] [error]     result = func(*args,**kwargs)

[Wed Apr 02 17:23:22 2014] [error] UnicodeEncodeError: 'ascii' codec can't encode character u'\\xfc' in position 26: ordinal not in range(128)

ldap_free_connection 1 1

ldap_send_unbind

ldap_free_connection: actually freed




==== mail received from system ===


Traceback (most recent call last):

  File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 111, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py", line 69, in sensitive_post_parameters_wrapper
    return view(request, *args, **kwargs)

  File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 92, in login
    return do_login(request)

  File "/usr/lib/python2.7/dist-packages/django/views/decorators/debug.py", line 34, in sensitive_variables_wrapper
    return func(*args, **kwargs)

  File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 127, in do_login
    account = auth.authenticate(username, password)

  File "/usr/lib/pymodules/python2.7/nav/web/auth.py", line 79, in authenticate
    user = ldapauth.authenticate(username, password)

  File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 151, in authenticate
    if user.is_group_member(group_dn):

  File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 280, in is_group_member
    result = self.ldap.search_s(group_dn, ldap.SCOPE_BASE, filterstr)

  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 552, in search_s
    return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)

  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 545, in search_ext_s
    msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)

  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 541, in search_ext
    timeout,sizelimit,

  File "/usr/lib/python2.7/dist-packages/ldap/ldapobject.py", line 99, in _ldap_call
    result = func(*args,**kwargs)

UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position 26: ordinal not in range(128)



-- 
Mischa Diehm | Network Operations Center (NOC)
UniBasel | UniRechenZentrum (URZ)
Klingebergstr. 70 | CH-4056 Basel
Tel. +41 61 267 1574 | http://urz.unibas.ch

From: Morten Brekkevold <morten.brekkevold@uninett.no>
Date: Wednesday, 2 April 2014 10:13
To: Sjøholt Steinar Otto <ssj@hials.no>
Cc: "nav-users@uninett.no" <nav-users@uninett.no>
Subject: Re: NAV authentication with LDAP + MS AD

On Tue, 1 Apr 2014 11:29:27 +0000 Sjøholt Steinar Otto <ssj@hials.no> wrote:

I'm happy to say the fix works for MOST of our users.

Unfortunately not for me...

I have traced it down to the fact that I have a "ø" in my last name.
Users with names not containing "æøå" can log in just fine.
[snip]
[Tue Apr 01 11:29:17 2014] [error]     self.ldap.simple_bind_s(user_dn.encode(encoding),
[Tue Apr 01 11:29:17 2014] [error] UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 18: ordinal not in range(128)

Oops. The code does not consider that the user search result from the
LDAP server is already encoded as UTF-8. Attempting to encode an already
encoded string will cause Python to attempt to decode it from ASCII to
unicode, before encoding that as UTF-8 again.

And I'm sorry to say, your name is not ASCII compatible ,)

It's a quick fix; I've taken the liberty of patching your server so you
can log in again, Steinar :)


--
Morten Brekkevold
UNINETT
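
Added example (not part of the original thread and not NAV's code): both errors reported above, the UnicodeDecodeError on `user_dn.encode(encoding)` and the UnicodeEncodeError inside `search_s`, come from Python 2's implicit ASCII coercion between byte strings and unicode strings. The sketch below emulates those coercions in Python 3 and shows a normalisation step that encodes exactly once; the helper names (`py2_encode`, `py2_byte_api`, `to_wire`, `failure`) and the DNs are constructed for illustration.

```python
# Python 3 emulation of the Python 2 coercions behind both tracebacks.
# Helper names and the DNs are constructed for illustration.

def py2_encode(value, encoding="utf-8"):
    """Python 2 `str.encode()`: a byte string is first decoded as ASCII."""
    if isinstance(value, bytes):
        value = value.decode("ascii")      # implicit step -> UnicodeDecodeError
    return value.encode(encoding)

def py2_byte_api(value):
    """A Python 2 C-level call that takes byte strings only:
    unicode arguments are implicitly encoded as ASCII."""
    if isinstance(value, str):
        value = value.encode("ascii")      # implicit step -> UnicodeEncodeError
    return value

def to_wire(value, encoding="utf-8"):
    """Normalise to encoded bytes exactly once, whatever type arrives."""
    if isinstance(value, bytes):
        value.decode(encoding)             # validate only; reject malformed input
        return value
    return value.encode(encoding)

def failure(func, *args):
    """Return (exception name, offset of offending character) or None."""
    try:
        func(*args)
    except UnicodeError as exc:
        return type(exc).__name__, exc.start
    return None

# Constructed samples: a DN as bytes (as a search result would return it)
# and a group filter held as text.
USER_DN = "CN=Jørgen Example,OU=staff,DC=example,DC=org".encode("utf-8")
GROUP_FILTER = "(member=CN=Jürgen Example,OU=staff,DC=example,DC=org)"

if __name__ == "__main__":
    print(failure(py2_encode, USER_DN))                  # double encode
    print(failure(py2_byte_api, GROUP_FILTER))           # unicode into byte API
    print(failure(py2_byte_api, to_wire(GROUP_FILTER)))  # normalised first
    print(to_wire(USER_DN) == to_wire(USER_DN.decode("utf-8")))
```

Normalising at the boundary matters on a login path because either coercion turns a valid credential into a server error for every account whose DN or group contains a non-ASCII character.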