LDAP auth not working correctly when LDAP alias is found first

[shartge]

In our DIT we employ LDAP aliases to put user object in different branches.

Login via LDAP using the UID works fine for 98% of the users but for those users where the LDAP alias is found before the full user object, authentication fails, because Sympa tries to bind to the LDAP alias and not the user object.

Version

6.2.72

Installation method

Installed from source

Expected behavior

Any user can login with their username.

Actual behavior

Users with a very specific order of LDAP objects and LDAP aliases can't login.

Steps to reproduce

Create an LDAP tree with an LDAP alias pointing to a user object and make sure the alias is found before the user object.

For example:

uid=foobar,ou=a,ou=base
objectClass: top
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: uid=foobar,ou=b,ou=base
uid: foobar

uid=foobar,ou=b,ou=base
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
userPassword: foobar
uid: foobar

In this case trying to login as "foobar" will fail, because Sympa finds the Alias first and then tries to bind to uid=foobar,ou=a,ou=base.

If dereferening is switched on (which you usally want in 99% of cases), then the LDAP server will always return the real user object and the login works correctly.

Additional information

auth.conf looks like this:

ldap
        regexp                          .+\.(xxx|yyy|zzz)\.de
        host                            ldap.xxx.de:636
        timeout                         20
        suffix                          dc=xxx-yyy,dc=de
        bind_dn                         uid=sympa,ou=its-sysuser,dc=xxx-yyy,dc=de
        bind_password                   VERYSECRET
        get_dn_by_uid_filter            (uid=[sender])
        get_dn_by_email_filter          (|(mail=[sender])(gifb-mailaddress=[sender]))
        email_attribute                 mail
        scope                           sub
        use_tls                         ldaps
        ssl_version                     tlsv1_2

I tried setting

DEREF ALWAYS

via /etc/ldap/ldap.conf, because that usually works, but not in this case.

As a quick'n'dirty workaround I changed the $db->do_operation() call ldap_authentication() in line 257 of WWW/Auth.pm to look like this:

    my $mesg = $db->do_operation(
        'search',
        base    => $ldap->{'suffix'},
        filter  => $filter,
        deref   => 'always',
        scope   => $ldap->{'scope'},
        timeout => $ldap->{'timeout'}
    );

and this made this work, in a very hackish way, obviously.

This should be made configurable via auth.conf, just like the other parameters are.

[ikedas]

Hi @shartge ,
Could you please apply this patch and check if the bug has been fixed?

[shartge]

Hi @ikedas ,

I will try the patch as soon as I return to the office in about a week.

[shartge]

Question before applying this to a 6.2.72 production system: will it work correctly, because of the not_before => '6.2.74', dependency in the code?

[ikedas]

There are no additional dependency.

The new parameters are intended to be included into the next release (maybe 6.2.74 or 6.2.73b.1). Just the possible release number is noted.

[shartge]

The patch did not apply cleanly to src/lib/Sympa/DataSource/LDAP.pm because control=> $self->{_page} ? [$self->{_page}] : [] in sub _open_operation is not present in 6.2.72, so I manually added the necessary parts referencing the new deref option.

[shartge]

And with the manual merge, I can confirm that this change fixes #1853.

[ikedas]

Thanks for confirming @shartge !