8 Replies Latest reply: Feb 25, 2011 11:34 AM by stan25

    able to login with space in UID

    stan25
      Hello there,

      I have a user as 'uid=test,o=domain.com', but when I log in with a space as uid= test,o=domain.com, LDAP lets me in with no issues.

      [22/Feb/2011:12:20:09 -0500] conn=6489 op=0 msgId=1 - BIND dn="uid= test,o=domain.com" method=128 version=3
      [22/Feb/2011:12:20:09 -0500] conn=6489 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=test,o=domain.com"


      Of course the user in the LDAP db has no space, but when I log in with a space it simply lets me in. Is this a known behavior, or do I have to configure something to reject these kinds of logins? Please let me know.

      We are running DSEE 7.0

      Thanks!
        • 1. Re: able to login with space in UID
          Sylvain Duloutre-Oracle
          Hi,

          The behaviour is correct.

          The extra space occurs at the beginning of the string value, so it is stripped out by the directory server to conform with http://tools.ietf.org/html/rfc4514
          Leading or trailing spaces must be escaped if you want them to be taken into account by the directory server (more details at http://tools.ietf.org/html/rfc4514)

          Hope this helps

          Sylvain
          • 2. Re: able to login with space in UID
            stan25
            The reason I am asking is, if a user logs in with a space after domain.com, 'user1@domain.com ', then LDAP should not authenticate because the user has a leading space. How do I restrict such logins?
            • 3. Re: able to login with space in UID
              802907
              Is there a search that's being executed to find the user? If so, maybe there is something we can do with that. Can you paste access log snippets for a search that may precede the bind?
              • 4. Re: able to login with space in UID
                stan25
                Here is the access log:

                [23/Feb/2011:16:08:30 -0500] conn=72686 op=9486 msgId=9487 - SRCH base="o=domain.com" scope=2 filter="(uid=user1@domain.com)" attrs="userflag uid passwordblob objectClass"
                [23/Feb/2011:16:08:30 -0500] conn=72686 op=9486 msgId=9487 - RESULT err=0 tag=101 nentries=1 etime=0.000000


                [23/Feb/2011:16:08:30 -0500] conn=72687 op=45 msgId=46 - BIND dn="uid=user1@domain.com,ou=Users,o=domain.com" method=128 version=3
                [23/Feb/2011:16:08:30 -0500] conn=72687 op=45 msgId=46 - RESULT err=0 tag=97 nentries=0 etime=0.000000 dn="uid=user1@domain.com,ou=users,o=domain.com"


                I typed 'user1@domain.com ' in the login prompt with a space after .com but the above log does not even have any such space in the uid field.
                • 5. Re: able to login with space in UID
                  802907
                  I'm wondering if the LDAP client isn't removing the whitespace. Have you tried putting in the filter of an ldapsearch "(uid=user1@domain.com )" and seeing what gets returned and logged in the access log?
                  • 6. Re: able to login with space in UID
                    stan25
                    If I bind using the ldapsearch command then I can see the space in the access log, but I am still able to bind with no issues.

                    ldapsearch -D "uid= user1@domain.com,o=domain.com" -w password -b "uid= user1@domain.com,o=domain.com" -s base "objectclass=*"

                    Example 1:
                    The BIND below is without a space.

                    [22/Feb/2011:12:20:09 -0500] conn=6489 op=0 msgId=1 - BIND dn="uid=user1@domain.com,o=domain.com" method=128 version=3
                    [22/Feb/2011:12:20:09 -0500] conn=6489 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=user1@domain.com,o=domain.com"


                    Example 2:
                    I logged in with a space after uid=

                    [22/Feb/2011:12:20:17 -0500] conn=6491 op=0 msgId=1 - BIND dn="uid= user1@domain.com,o=domain.com" method=128 version=3
                    [22/Feb/2011:12:20:17 -0500] conn=6491 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.001000 dn="uid=user1@domain.com,o=domain.com"

                    Example 3:
                    I logged in with a space after the uid value but before the comma

                    [22/Feb/2011:12:20:28 -0500] conn=6493 op=0 msgId=1 - BIND dn="uid=user1@domain.com,o=domain.com" method=128 version=3
                    [22/Feb/2011:12:20:28 -0500] conn=6493 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000000 dn="uid=user1@domain.com,o=domain.com"

                    Example 4:
                    Logged in with a space after the uid value and a space before o=domain.com

                    [22/Feb/2011:12:20:52 -0500] conn=6497 op=0 msgId=1 - BIND dn="uid=user1@domain.com,o=domain.com" method=128 version=3
                    [22/Feb/2011:12:20:52 -0500] conn=6497 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.002000 dn="uid=user1@domain.com,o=domain.com"
                    • 7. Re: able to login with space in UID
                      802907
                      Yeah but as Sylvain said that's correct according to the RFC.

                      And anyway what you really want to fail is the search. The username the user entered isn't exactly what it's supposed to be, so the search should not be returning any entries. Once the search succeeds, the login application is just reusing the DN that's returned from the search, so unless something is very wrong the DN returned by the search should always exist on the server.

                      I suspect (but have not verified) that the exact match on the uid with the extra whitespace will probably fail. Can you verify that using ldapsearch?

                      Edit: I have verified that leading and trailing spaces in a filter are also ignored. This is probably per RFC as well. If you want to fail authentication in this case, you may need to do something in the login application itself.
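The following is an added example, not code from the thread or from DSEE: a small model of the RFC 4514 value handling that explains why the BIND dn with a space and the RESULT dn without one refer to the same entry, together with the kind of application-side username check Chris suggests. The username pattern is a constructed policy for this example.

```python
import re

def _tokens(value):
    """Split an RFC 4514 value into (escaped, text) pieces, keeping escapes."""
    toks, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            # keep the escape sequence verbatim so the output stays a valid DN
            toks.append((True, value[i:i + 2])); i += 2
        else:
            toks.append((False, value[i])); i += 1
    return toks

def _split_unescaped(s, sep):
    """Split s on sep, treating a backslash-escaped sep as part of the piece."""
    parts, cur = [], []
    for escaped, text in _tokens(s):
        if not escaped and text == sep:
            parts.append(''.join(cur)); cur = []
        else:
            cur.append(text)
    parts.append(''.join(cur))
    return parts

def normalize_dn(dn):
    """Model of the server-side view of a DN string (illustrative, not DSEE code).

    Unescaped spaces around '=' and at either end of a value are not part of
    the value (RFC 4514), so 'uid= test' names the same entry as 'uid=test'.
    An escaped space ('\\ ') is significant and is kept. Attribute types are
    lower-cased; value case is left alone.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ','):
        attr, _, value = rdn.partition('=')
        toks = _tokens(value)
        while toks and toks[0] == (False, ' '):   # drop insignificant leading spaces
            toks.pop(0)
        while toks and toks[-1] == (False, ' '):  # drop insignificant trailing spaces
            toks.pop()
        rdns.append(attr.strip().lower() + '=' + ''.join(t for _, t in toks))
    return ','.join(rdns)

# Constructed policy: the shape of username the login form is willing to accept.
_USERNAME_RE = re.compile(r'[A-Za-z0-9._@-]+')

def strict_username_ok(entered):
    """Application-side check: refuse input the directory would quietly trim."""
    return _USERNAME_RE.fullmatch(entered) is not None
```

With this check in front of the search, 'user1@domain.com ' is rejected before any filter or bind DN is built, which is the behaviour the directory itself will not provide.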
                      • 8. Re: able to login with space in UID
                        stan25
                        OK, thanks Chris. We are asking SiteMinder (CA) to handle this issue because LDAP just lets the user in even if they have a space.