LDAP authentication crashes on non-ASCII usernames and/or passwords

Bug #1213818 reported by Morten Brekkevold
Affects                            Status        Importance  Assigned to        Milestone
Network Administration Visualized  Fix Released  Medium      Morten Brekkevold
3.15                               Fix Released  Medium      Morten Brekkevold

Bug Description

The LDAP authentication mechanism in NAV appears to encode the entered username and password unicode strings as ASCII when sending them to the LDAP server. This would fail miserably for any user with non-ASCII characters in their username or password.

Tags: ldap unicode
Morten Brekkevold (mbrekkevold) wrote :

Traceback looks like this on NAV 3.14:

Traceback (most recent call last):

  File "/usr/lib/pymodules/python2.6/django/core/handlers/base.py", line 100, in get_response
    response = callback(request, *callback_args, **callback_kwargs)

  File "/usr/lib/pymodules/python2.6/nav/web/webfront/views.py", line 91, in login
    return do_login(request)

  File "/usr/lib/pymodules/python2.6/nav/web/webfront/views.py", line 114, in do_login
    account = auth.authenticate(username, password)

  File "/usr/lib/pymodules/python2.6/nav/web/auth.py", line 144, in authenticate
    auth = ldapauth.authenticate(username, password)

  File "/usr/lib/pymodules/python2.6/nav/web/ldapauth.py", line 124, in authenticate
    user.bind(password)

  File "/usr/lib/pymodules/python2.6/nav/web/ldapauth.py", line 177, in bind
    self.ldap.simple_bind_s(user_dn, password)

  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 206, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)

  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 200, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))

  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)

UnicodeEncodeError: 'ascii' codec can't encode character u'\xf8' in position 0: ordinal not in range(128)

<ModPythonRequest
path:/index/login/,
GET:<QueryDict: {}>,
POST:<QueryDict: {u'origin': [u'/report/interfaces?netboxid=29'], u'username': [u'zaphod'], u'password': [u'\xf8l\xf8l\xf8l\xe6\xf8\xe6\xf8s\xe5\xf8f']}>,
COOKIES:{'nav_sessid': 'REDACTED'}
META:{'AUTH_TYPE': None,
 'CONTENT_LENGTH': '129',
 'CONTENT_TYPE': 'application/x-www-form-urlencoded',
 'GATEWAY_INTERFACE': 'CGI/1.1',
 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
 'HTTP_ACCEPT_ENCODING': 'gzip,deflate,sdch',
 'HTTP_ACCEPT_LANGUAGE': 'no,en-US;q=0.8,en;q=0.6',
 'HTTP_CACHE_CONTROL': 'max-age=0',
 'HTTP_CONNECTION': 'keep-alive',
 'HTTP_CONTENT_LENGTH': '129',
 'HTTP_CONTENT_TYPE': 'application/x-www-form-urlencoded',
 'HTTP_COOKIE': 'nav_sessid=REDACTED',
 'HTTP_DNT': '1',
 'HTTP_HOST': 'nav.example.org',
 'HTTP_ORIGIN': 'https://nav.example.org',
 'HTTP_REFERER': 'https://nav.example.org/index/login/?origin=/report/interfaces%3Fnetboxid%3D29',
 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36',
 'PATH_INFO': u'/index/login/',
 'PATH_TRANSLATED': None,
 'QUERY_STRING': None,
 'REMOTE_ADDR': 'REDACTED',
 'REMOTE_HOST': None,
 'REMOTE_IDENT': None,
 'REMOTE_USER': None,
 'REQUEST_METHOD': 'POST',
 'SCRIPT_NAME': '',
 'SERVER_NAME': 'nav.example.org',
 'SERVER_PORT': 443,
 'SERVER_PROTOCOL': 'HTTP/1.1',
 'SERVER_SOFTWARE': 'mod_python'}>

Changed in nav:
status: Confirmed → In Progress
Morten Brekkevold (mbrekkevold) wrote :
Changed in nav:
milestone: none → 3.14.15926535
status: In Progress → Fix Committed
Changed in nav:
status: Fix Committed → Fix Released
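
The failure in the traceback above, and one way to avoid it, as an added example that is not part of the original report and is not NAV's code. The function names and the sample DN are hypothetical, and it assumes the directory expects UTF-8 encoded credentials:

```python
# Added illustration; not NAV's code. Function names are hypothetical.

# Password exactly as it appears in the request dump above.
PASSWORD = "\xf8l\xf8l\xf8l\xe6\xf8\xe6\xf8s\xe5\xf8f"
# Constructed sample DN; the report does not show the real one.
USER_DN = "uid=zaphod,ou=people,dc=example,dc=org"


def ascii_failure_position(text):
    """Mimic Python 2's implicit unicode-to-str coercion (ASCII codec).

    Returns the index of the first character that cannot be encoded,
    or None when the text is pure ASCII and the coercion would succeed.
    """
    try:
        text.encode("ascii")
    except UnicodeEncodeError as err:
        return err.start
    return None


def to_bind_octets(value, field):
    """Return UTF-8 bytes for one simple bind argument."""
    if isinstance(value, bytes):
        value.decode("utf-8")  # raises UnicodeDecodeError on non-UTF-8 input
        data = value
    elif isinstance(value, str):
        data = value.encode("utf-8")
    else:
        raise TypeError("%s must be text or bytes" % field)
    if not data:
        # A simple bind with an empty password is an unauthenticated bind,
        # which a server may answer with success, so refuse it up front.
        raise ValueError("%s must not be empty" % field)
    return data


def prepare_simple_bind(user_dn, password):
    """Encode both arguments explicitly before they reach the LDAP library."""
    return to_bind_octets(user_dn, "user_dn"), to_bind_octets(password, "password")


if __name__ == "__main__":
    print(ascii_failure_position(PASSWORD))
    print(prepare_simple_bind(USER_DN, PASSWORD))
```

Encoding explicitly at the boundary means the LDAP library only ever receives byte strings, so no implicit ASCII coercion can occur inside the bind call.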