This question about Authentication or Authorisation: Asked

LdapContrib login failure for users with underscore followed by [a-f][a-f] (such as test_abcd)

I recently upgraded our instance of Foswiki from 1.1.9 to 2.0.1.
We currently use LDAP to authenticate using ActiveDirectory and everything was working just fine with the 1.1.9 instance.
All user names contain underscores and only some users have the issue. In testing, it seems that the only users that are unable to log in are the ones that have hex characters after the underscore.
The users that are unable to log in get "Wide character in subroutine entry at /path/to/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 1898.", with other errors in the logs such as "login: "\\x{00be}" does not map to utf8 at /path/to/foswiki/lib/Foswiki/Logger/PlainFile.pm line 138."
Other symptoms include user names instead of WikiNames in the breadcrumb and topic revision history such as "You are here: Foswiki>Main Web>WebHome (19 Aug 2015, test_5fuser)" and "Topic revision: r2 - 19 Aug 2015, test_5fuser".

My Ldap configuration is as follows:
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'DC=MY,DC=COMPANY,DC=COM';
$Foswiki::cfg{Ldap}{BindDN} = 'CN=User,OU=Accounts,DC=MY,DC=COMPANY,DC=COM';
$Foswiki::cfg{Ldap}{BindPassword} = '';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{DefaultCacheExpire} = '0';
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = ['OU=Groups,DC=MY,DC=COMPANY,DC=COM'];
$Foswiki::cfg{Ldap}{GroupFilter} = 'cn=Group-*';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'LDAP.MY.COMPANY.COM';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnoreViewRightsInSearch} = 0;
$Foswiki::cfg{Ldap}{IndexEmails} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/krb5.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=organizationalPerson';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{PersonAttribures} = {'c' => 'Country','company' => 'OrganisationName','department' => 'Department','division' => 'Division','facsimileTelephoneNumber' => 'Telefax','givenName' => 'FirstName','l' => 'Location','mail' => 'Email','manager' => 'Manager','mobile' => 'Mobile','physicalDeliveryOfficeName' => 'Address','postalAddress' => 'Address','sAMAccountName' => 'LoginName','sn' => 'LastName','streetAddress' => 'Address','telephoneNumber' => 'Telephone','title' => 'Title','uid' => 'LoginName'};
$Foswiki::cfg{Ldap}{PersonDataForm} = 'UserForm';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PreferLocalSettings} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'memberOf';
$Foswiki::cfg{Ldap}{RewriteGroups} = {'^GROUP(.*)$' => '$1Group','^Group(.*)$' => '$1Group'};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {'^(.*)@.*$' => '$1'};
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '/etc/ssl/certs/';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = ['OU=Users,DC=MY,DC=COMPANY,DC=COM'];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';

-- DouglasKnowles - 20 Aug 2015
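
The symptoms reported above (underscores displayed as _5f, and a "\x{00be}" character logged for an affected login) fit an identifier scheme that escapes characters as an underscore plus two hex digits. The following Perl example is added here and is not Foswiki or LdapContrib code: encode_id, decode_id and is_ambiguous are hypothetical helpers, and the escape scheme is an assumption inferred from the post, modelled for any two lowercase hex digits rather than only the [a-f][a-f] cases reported. It shows why decoding a raw login name corrupts it, and gives a check for listing which accounts are at risk.

```perl
#!/usr/bin/perl
# Added illustration, not Foswiki or LdapContrib code. encode_id/decode_id are
# hypothetical helpers modelling an "_hh" escape scheme, assumed from the
# "test_5fuser" strings quoted in the post.
use strict;
use warnings;

# Escape every character outside [A-Za-z0-9] as "_" plus two lowercase hex digits.
sub encode_id {
    my ($login) = @_;
    (my $id = $login) =~ s/([^A-Za-z0-9])/sprintf('_%02x', ord($1))/ge;
    return $id;
}

# Reverse the escape: "_hh" becomes the character with code point 0xhh.
sub decode_id {
    my ($id) = @_;
    (my $login = $id) =~ s/_([0-9a-f]{2})/chr(hex($1))/ge;
    return $login;
}

# A raw login is at risk when decoding changes it, i.e. it already contains
# something that looks like an "_hh" escape.
sub is_ambiguous {
    my ($login) = @_;
    return decode_id($login) ne $login;
}

# Constructed sample logins; test_abcd is the example from the post title.
for my $login (qw(test_user test_abcd test_bear jdoe)) {
    my $raw_decoded = decode_id($login);              # decoding without encoding first
    my $round_trip  = decode_id(encode_id($login));   # encode, then decode
    printf "%-10s encoded=%-14s ambiguous=%-3s raw-decoded bytes=[%s] round-trip ok=%s\n",
        $login, encode_id($login),
        (is_ambiguous($login) ? 'yes' : 'no'),
        join(' ', map { sprintf '%02x', ord } split //, $raw_decoded),
        ($round_trip eq $login ? 'yes' : 'no');
}
```

Feeding the directory's login names through is_ambiguous gives the set of accounts to test after an upgrade; names that pass through encode_id before decode_id always round-trip.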

We are observing similar problems. I'm considering this a bug, so I opened a task: Tasks.Item13630

-- Main.AndreLichtsteiner - 24 Aug 2015 - 10:16

QuestionForm

Subject: Authentication or Authorisation
Extension: LdapContrib
Version: Foswiki 2.0.0
Status: Asked
Related Topics:
Topic revision: r2 - 24 Aug 2015, AndreLichtsteiner - This page was cached on 22 Jun 2018 - 23:14.