Defect #5545

Active Directory user account with a password {space} failed LDAP authentication

Added by Hansen Ler over 11 years ago. Updated over 11 years ago.

Status: New
Start date: 2010-05-18
Priority: Normal
Due date: -
Assignee: -
% Done: 100%
Category: LDAP
Target version: -
Resolution: -
Affected version: 0.9.4

Description

Tested with Redmine v0.9.4.

Under Settings > Authentication
Minimum password length: 1

AD User: test
AD Password: {space}

LDAP Authentication failed.

I've tested with a manual user account by creating a new user with the password {space}, which works fine. There doesn't seem to be this issue if we are using {space} as the password there. LDAP authentication with {space} as a single character causes an issue.

However, if we change the following:

Under Settings > Authentication
Minimum password length: 2

AD User: test
AD Password: {space}1
LDAP Authentication success!

The password has to be accompanied by another character if a space is to be used. Curious, I tried a special character as the password for the AD user, using '@'. It passes.

I usually use a space as the password for test users, so it's easy for them to log in.

Conclusion: an issue with parsing a {space} password with AD?

History

#1 Updated by Hansen Ler over 11 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

D:\redmine\app\models\auth_source_ldap.rb
Under the function authenticate, change password.blank? to password.nil?, i.e.:

    def authenticate(login, password)
      return nil if login.blank? || password.nil?
      # ... rest of the method unchanged
    end

More Information
================
From http://api.rubyonrails.org/classes/Object.html:
blank?() - An object is blank if it's false, empty, or a whitespace string. For example, "", " ", nil, [], and {} are blank.

I wonder if it is all right to patch the Redmine server or add this as a new function. Anyway, that's the fix for now! Cheers!

#2 Updated by Felix Schäfer over 11 years ago

  • Status changed from Resolved to New

Thanks for the report and the possible fix, please don't set the status on "resolved" on redmine.org though, as this status is used for "committed to trunk but not in a release yet" issues.

The change seems sensible to me. Eric, I don't think you will want a patch for that, do you? ;-)

#3 Updated by Eric Davis over 11 years ago

I'm not sure what you're asking for here. Do you want Redmine and its LDAP to support users with an empty password?

#4 Updated by Felix Schäfer over 11 years ago

A space is not empty, though String#blank? will treat it as empty. The better thing to test for would be emptiness rather than blankness.

#5 Updated by Hansen Ler over 11 years ago

For the latest Redmine v1.0.0, there is more than one password validation. That is in

redmine\app\models\auth_source_ldap.rb

line 34:

    def authenticate(login, password)
      return nil if login.blank? || password.blank?

line 95:

    # Check if a DN (user record) authenticates with the password
    def authenticate_dn(dn, password)
      if dn.present? && password.present?

As the .blank? method will remove whitespace and .present? = !blank?, changing them to password.nil? at line 35 and !password.nil? at line 97 will allow a single-character {space} as the password.

Personally, I do think removing whitespace for passwords is a good idea. This is because, for Microsoft LDAP, there is no enforcement preventing leading or trailing spaces from being used. This may be rare, but if a user did change their password to this type, it's super hard to troubleshoot! Hence, the .blank? method may not be the best check.

That's the fix for now!
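The three checks discussed in this thread (the original `blank?`, the proposed `nil?`, and the emptiness test suggested in comment #4) behave differently on the inputs from the report, and the difference matters for more than usability. An LDAP simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), which Active Directory accepts by default; an application that forwards an empty password to the bind and treats a successful bind as a successful login can therefore be bypassed for any known username. The following Ruby script is an added example, not Redmine's code, and makes no use of ActiveSupport: `rails_blank?` re-implements the documented `blank?` semantics, the directory contents are constructed, and `ldap_bind` is a stand-in that models the AD empty-password behaviour rather than talking to a real server.

```ruby
# Added example (not part of the Redmine issue or code base).
# Compares three ways of guarding the LDAP bind against the inputs from the
# report: {space}, {space}1, "@", "" and nil.

# Re-implementation of Rails' Object#blank? for a dependency-free script:
# false, nil, empty collections and whitespace-only strings are blank.
def rails_blank?(value)
  return true if value.nil? || value == false
  return value.strip.empty? if value.is_a?(String)
  value.respond_to?(:empty?) && value.empty?
end

# Guard as shipped in auth_source_ldap.rb#authenticate (per the report):
# a single space is blank, so the bind is never attempted.
def rejected_by_blank_check?(login, password)
  rails_blank?(login) || rails_blank?(password)
end

# Guard proposed in comment #1/#5: only nil is refused.
# Lets " " through, but also lets "" through to the bind.
def rejected_by_nil_check?(login, password)
  rails_blank?(login) || password.nil?
end

# Guard suggested in comment #4: refuse nil and empty, keep whitespace.
def rejected_by_empty_check?(login, password)
  rails_blank?(login) || password.nil? || password.empty?
end

# Constructed directory: AD user "test" whose password is a single space.
DIRECTORY = { "test" => " " }.freeze

# Stand-in for the LDAP bind. Models Active Directory's default behaviour:
# a simple bind with a DN and an EMPTY password succeeds as an
# unauthenticated bind (RFC 4513 5.1.2), so it must never be treated as
# proof of the user's credential.
def ldap_bind(login, password)
  return false unless DIRECTORY.key?(login)
  return true if password == ""            # unauthenticated bind "succeeds"
  DIRECTORY[login] == password
end

# Mirrors the shape of AuthSourceLdap#authenticate: returns the login on
# success, nil otherwise. `check` selects which guard to apply.
def authenticate(login, password, check:)
  return nil if send(check, login, password)
  ldap_bind(login, password) ? login : nil
end

# Summary table over the report's inputs for each guard.
def comparison
  inputs = [" ", " 1", "@", "", nil]
  %i[rejected_by_blank_check? rejected_by_nil_check? rejected_by_empty_check?]
    .to_h { |c| [c, inputs.map { |pw| [pw, authenticate("test", pw, check: c)] }.to_h] }
end

if __FILE__ == $PROGRAM_NAME
  comparison.each do |check, results|
    puts check
    results.each { |pw, r| puts "  #{pw.inspect.ljust(6)} -> #{r.inspect}" }
  end
end
```

Running it shows the trade-off the thread is circling: the `blank?` guard rejects the legitimate {space} password, the `nil?` guard accepts it but also turns an empty password into a successful login, and the emptiness guard accepts {space} while still refusing `""` and `nil`. Whatever guard is chosen, the bind layer should also refuse empty passwords outright, since the guard in the model is the only thing standing between an attacker and the unauthenticated bind.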

#6 Updated by Hansen Ler over 11 years ago

This fix applies to version 1.0.1 as well.

Note: I cannot change the Affected version property. Can anyone advise?
