Defect #6925

open

ldap authentication can fail when multiple entries are returned

Added by Bart Vanbrabant about 14 years ago. Updated over 13 years ago.

Status: New
Priority: Normal
Assignee: -
Category: LDAP
Target version: -
Start date: 2010-11-17
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

I've set up Redmine against an LDAP directory that returns multiple entries for the "uid=<login>" query. The authentication code uses the dn of the latest entry to perform the LDAP bind.

For some users the entry with the shadowAccount class is returned last, for others first, and for them the authentication fails.

I have worked around this by changing the filter on line 106 of app/models/auth_source_ldap.rb to

object_filter = Net::LDAP::Filter.eq( "objectClass", "shadowAccount" )

For OpenLDAP this is valid because you cannot bind against a directory that does not have this entry. Normally we would not hit this because they are specified under two different ou's under root. In this case we need to specify the rootdn as basedn because we need entries from a third ou.

The cleanest solution would be to add an extra filter that can be used in the ldap source configuration.
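The ordering problem described above, as an added example (Ruby, not Redmine's own code): the entries, login and DNs are constructed sample data shaped like net-ldap results, and the objectClass filter and the "refuse when ambiguous" rule are the illustration's own choices.

```ruby
# Constructed sample data: two entries match uid=bart, only one of them is a
# bindable account (carries shadowAccount). The directory may return them in
# either order.
SAMPLE_ENTRIES = [
  { dn: "uid=bart,ou=addressbook,dc=example,dc=org", objectclass: %w[inetOrgPerson] },
  { dn: "uid=bart,ou=people,dc=example,dc=org",      objectclass: %w[posixAccount shadowAccount] },
].freeze

# Stand-in for the "uid=<login>" search against the whole tree (rootdn as basedn).
def search(entries, login)
  entries.select { |e| e[:dn].start_with?("uid=#{login},") }
end

# Behaviour the report describes: the last entry returned wins, so whether the
# bind succeeds depends on the order the server happens to return entries in.
def bind_dn_last_entry(entries, login)
  results = search(entries, login)
  results.empty? ? nil : results.last[:dn]
end

# Filtered selection: keep only entries carrying an objectClass that bindable
# accounts have, and refuse to guess if more than one entry is still left.
def bind_dn_filtered(entries, login, required_class: "shadowAccount")
  results = search(entries, login).select do |e|
    e[:objectclass].any? { |c| c.casecmp?(required_class) }
  end
  return nil if results.empty?
  if results.size > 1
    raise ArgumentError, "ambiguous LDAP entries for #{login}: #{results.map { |e| e[:dn] }}"
  end
  results.first[:dn]
end

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_ENTRIES, SAMPLE_ENTRIES.reverse].each do |order|
    puts "last-entry: #{bind_dn_last_entry(order, 'bart')}"
    puts "filtered:   #{bind_dn_filtered(order, 'bart')}"
  end
end
```

Running it shows the unfiltered choice flipping between the two DNs as the order changes, while the filtered choice is stable.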
