Windows LDAP Auth issue


Postby DaveWut » Mon Jan 30, 2012 7:19 pm

Here's a recently discovered issue with the authentication on a Windows LDAP server. I don't know if it's a known issue, but here's what I found.

Code:
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'Nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   SecurityService   Created user Nahoy
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'Nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   PlayerDao   Created player 41.
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:20 PM EST]   INFO   SecurityService   Created user nahoy
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:21 PM EST]   INFO   PlayerDao   Created player 42.


Looks like Subsonic creates a user each time there's a different uppercase / lowercase letter in the entered username at the login screen. I hope it helps for the next development release!

Dave
DaveWut
 
Posts: 57
Joined: Fri Nov 11, 2011 12:29 am
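
Added example (not part of the original post and not Subsonic code): a log audit that finds local accounts created for the same LDAP DN under usernames that differ only by case, as in the log above. The sample input reuses the posted log lines plus one constructed 'alice' line; the function name and the choice to compare DNs case-insensitively are assumptions.

```python
import re
from collections import defaultdict

# Log lines from the post above, plus one constructed line ('alice') that
# must not be flagged.
SAMPLE_LOG = """\
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'Nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   SecurityService   Created user Nahoy
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'Nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:20 PM EST]   INFO   SecurityService   Created user nahoy
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 2:03:44 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'alice' for DN CN=Alice,cn=Users,dc=windows,dc=ldap
"""

# Matches only the "Created local user '<name>' for DN <dn>" lines.
CREATED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+INFO\s+SubsonicLdapBindAuthenticator\s+"
    r"Created local user '(?P<user>[^']*)' for DN (?P<dn>.+?)\s*$"
)


def find_case_duplicates(log_text):
    """Map (dn, username), both case-folded, to the [(timestamp, username)]
    creation events, keeping only groups with more than one distinct spelling."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            # Assumption: the directory treats DN and login name as
            # case-insensitive, so both are folded before grouping.
            key = (m["dn"].casefold(), m["user"].casefold())
            groups[key].append((m["ts"], m["user"]))
    return {key: events for key, events in groups.items()
            if len({user for _, user in events}) > 1}


if __name__ == "__main__":
    for (dn, _), events in find_case_duplicates(SAMPLE_LOG).items():
        names = ", ".join(f"{user} ({ts})" for ts, user in events)
        print(f"{dn}: duplicate local accounts: {names}")
```

Each flagged group is one directory identity holding several local accounts, so permissions and settings applied to one spelling do not carry over to the others.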

Re: Windows LDAP Auth issue

Postby bushman4 » Mon Jan 30, 2012 7:51 pm

Makes sense, since Subsonic Usernames are case sensitive...

Sounds like Sindre should choose to either upcase or downcase when LDAP auth is turned on.

Glenn
Glenn Sullivan
Subsonic 5.2.1 (Standalone on Apache/Tomcat 6)
WHS 2003, Dual Core Athlon, 4 Gb RAM, 12 TB
50 regular Subsonic Users

Library as of 2016-03-21:
4,034 artists
16,595 albums
182,904 songs
4582.16 GB
21,558 hours
bushman4
 
Posts: 867
Joined: Thu Dec 02, 2010 1:47 pm
Location: Massachusetts, USA

Re: Windows LDAP Auth issue

Postby fonsoy » Tue Jan 31, 2012 9:00 pm

Nice findings, Dave.

I've used LDAP too, but I've stepped off it, as it stopped working after a while. One of the causes was that I changed my administrator password, but after changing it in Subsonic, it still refused to work. I would be very very grateful if it would work seamlessly in the future :D
fonsoy
 
Posts: 38
Joined: Mon Jan 10, 2011 12:07 pm

Re: Windows LDAP Auth issue

Postby Citlali » Wed Feb 01, 2012 12:30 am

One of the causes was that I changed my administrator password, but after changing it in Subsonic, it still refused to work. I would be very very grateful if it would work seamlessly in the future


If this Administrator password is the same password you specified for the "LDAP manager DN", then that too would need to be changed. In fact, you may even need to disable and reenable LDAP authentication with the new account info.

In regards to the original question, I believe Subsonic is just using a built-in Tomcat/Jetty method for authentication to LDAP. Doubt there is anything in the Subsonic code that could address this. Perhaps there is a switch of some sort to encode the input into all lower-case though. I was off work 30 minutes ago though so I don't feel like looking into it.
Citlali
 
Posts: 12
Joined: Tue Aug 09, 2011 5:27 pm

Re: Windows LDAP Auth issue

Postby DaveWut » Wed Feb 01, 2012 8:33 pm

Well, I guess that a simple use of the trim function in Java can fix a lot. For the administrator password and existing users, well, additional verification must be done.

In the file SubsonicLdapBindAuthenticator.java, the function "authenticate" automatically creates Subsonic logins if they do not exist. At line 71, in a try/catch statement, the user is authenticated with a BindAuthenticator variable and I guess that through this function, lower case and upper case user names aren't checked. In the early lines of the same function, the user is first authenticated by Subsonic's SecurityService class and I guess it makes case sensitive verifications. Due to "wrong" logins by the SecurityService's class, the user will still be able to authenticate through LDAP and this will create another username.

Fixing this problem is really simple. The creator should fix this issue on his own, because he can apply an update without breaking anything else.
I hope it helps.

Dave
DaveWut
 
Posts: 57
Joined: Fri Nov 11, 2011 12:29 am

