Windows LDAP Auth issue

PostPosted: Mon Jan 30, 2012 7:19 pm
by DaveWut
Here's a recently discovered issue with the authentication on a Windows LDAP server. I don't know if it's a known issue, but here's what I found.

[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'Nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   SecurityService   Created user Nahoy
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'Nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   PlayerDao   Created player 41.
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:20 PM EST]   INFO   SecurityService   Created user nahoy
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:21 PM EST]   INFO   PlayerDao   Created player 42.


Looks like Subsonic creates a user each time there's a different uppercase / lowercase letter in the entered username at the login screen. I hope it helps for the next development release!

Dave

Re: Windows LDAP Auth issue

PostPosted: Mon Jan 30, 2012 7:51 pm
by bushman4
Makes sense, since Subsonic Usernames are case sensitive...

Sounds like Sindre should choose to either upcase or downcase when LDAP auth is turned on.

Glenn

Re: Windows LDAP Auth issue

PostPosted: Tue Jan 31, 2012 9:00 pm
by fonsoy
Nice findings, Dave.

I've used LDAP too, but I've stepped off it, as it stopped working after a while. One of the causes was that I changed my administrator password, but after changing it in Subsonic, it still refused to work. I would be very very grateful if it would work seamlessly in the future :D

Re: Windows LDAP Auth issue

PostPosted: Wed Feb 01, 2012 12:30 am
by Citlali
One of the causes was that I changed my administrator password, but after changing it in Subsonic, it still refused to work. I would be very very grateful if it would work seamlessly in the future

If this Administrator password is the same password you specified for the "LDAP manager DN", then that too would need to be changed. In fact, you may even need to disable and reenable LDAP authentication with the new account info.

In regards to the original question, I believe subsonic is just using a built-in tomcat/jetty method for authentication to LDAP. Doubt there is anything in the subsonic code that could address this. Perhaps there is a switch of some sort to encode the input into all lower-case though. I was off work 30 minutes ago though so I don't feel like looking into it.

Re: Windows LDAP Auth issue

PostPosted: Wed Feb 01, 2012 8:33 pm
by DaveWut
Well I guess that a simple use of the trim function in java can fix a lot. For the administrator password and existing users, well, additional verification must be done.

In the file SubsonicLdapBindAuthenticator.java, the function "authenticate" automatically creates subsonic logins if they do not exist. At line 71, in a try catch statement, the user is authenticated with a BindAuthenticator variable and I guess that through this function, lower case and upper case user names aren't checked. In the early lines of the same function, the user is first authenticated by subsonic's SecurityService class and I guess it makes case sensitive verifications. Due to "wrong" logins by the SecurityService class, the user will still be able to authenticate through LDAP and this will create another username.

Fixing this problem is really simple. The creator should fix this issue on his own, because he can apply an update without breaking anything else.
I hope it helps.

Dave
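The behaviour Dave reports in the first post and explains in the last one (LDAP binds match the name case-insensitively, the local user lookup does not, so every spelling of the same account gets its own local user) can be shown and checked in a few lines. The following is an added example, not Subsonic's code: the log lines are the ones Dave pasted above, while `LocalUserStore`, `find_duplicate_accounts` and `simulate` are hypothetical stand-ins for the real authenticator. It does two things: scans a log for DNs that received more than one local account, which is the check an administrator can run today, and shows the defective exact-match provisioning beside a version that keys local accounts on the lowercased name and reuses any account already bound to the same DN.

```python
import re
from collections import defaultdict

# Log lines copied from the first post in this thread (Subsonic log format).
SAMPLE_LOG = """\
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'Nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   SecurityService   Created user Nahoy
[1/30/12 1:52:17 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'Nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:52:17 PM EST]   INFO   PlayerDao   Created player 41.
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   User 'nahoy' successfully authenticated in LDAP. DN: CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:20 PM EST]   INFO   SecurityService   Created user nahoy
[1/30/12 1:56:20 PM EST]   INFO   SubsonicLdapBindAuthenticator   Created local user 'nahoy' for DN CN=Yohan,cn=Users,dc=windows,dc=ldap
[1/30/12 1:56:21 PM EST]   INFO   PlayerDao   Created player 42.
"""

# Matches only the "Created local user ... for DN ..." line, i.e. the moment a
# new local account is provisioned from an LDAP identity.
CREATED_RE = re.compile(r"Created local user '(?P<user>[^']+)' for DN (?P<dn>\S+)")


def normalize_dn(dn):
    # Attribute types in a DN are case-insensitive and the directory here (Active
    # Directory) also matches the CN value case-insensitively, so fold the whole
    # DN to lowercase before using it as a grouping key.
    return dn.lower()


def find_duplicate_accounts(log_text):
    """Return {normalized_dn: [local usernames]} for every DN that was given
    more than one local account. Run this over the Subsonic log to see how
    many duplicates the case issue has already produced."""
    by_dn = defaultdict(list)
    for line in log_text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            by_dn[normalize_dn(m.group("dn"))].append(m.group("user"))
    return {dn: users for dn, users in by_dn.items() if len(users) > 1}


class LocalUserStore:
    """Hypothetical stand-in for the local user table (username -> DN)."""

    def __init__(self):
        self.users = {}

    def get_or_create_case_sensitive(self, username, dn):
        # The behaviour described in the thread: exact-match lookup, so 'Nahoy'
        # and 'nahoy' are treated as different people and both get an account.
        if username not in self.users:
            self.users[username] = dn
        return username

    def get_or_create_canonical(self, username, dn):
        # Fix: the LDAP DN is the real identity. Reuse any account already
        # bound to the same DN, and otherwise create the account under the
        # lowercased name so later logins with other spellings map onto it.
        for existing, existing_dn in self.users.items():
            if normalize_dn(existing_dn) == normalize_dn(dn):
                return existing
        canonical = username.lower()
        self.users.setdefault(canonical, dn)
        return canonical


def simulate(method):
    """Log in three spellings of the same LDAP user through the given
    provisioning method and return the local usernames that result."""
    store = LocalUserStore()
    dn = "CN=Yohan,cn=Users,dc=windows,dc=ldap"  # DN from the posted log
    for typed in ("Nahoy", "nahoy", "NAHOY"):
        getattr(store, method)(typed, dn)
    return sorted(store.users)


if __name__ == "__main__":
    print(find_duplicate_accounts(SAMPLE_LOG))
    print(simulate("get_or_create_case_sensitive"))  # three accounts
    print(simulate("get_or_create_canonical"))       # one account
```

Keying the lookup on the DN rather than on the typed name is what makes the fix hold even for a rename: trimming whitespace, as suggested above, does not help here, because the two names differ in case, not in padding.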