0002212: Users in LDAP with user+Password exceeding 41chars can't log into Web interface - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0002212	SOGo	Web General	public	2013-01-30 21:54	2013-02-04 19:04

Reporter	hrichter	Assigned To	~~jraby~~
Priority	normal	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	2.0.4a

Summary	0002212: Users in LDAP with user+Password exceeding 41chars can't log into Web interface
Description	When users in my LDAP directory with passwords longer than 11 bytes try to log in via web interface, they do not get any message regarding password failure, a redirect is happening and then they end up on the logon page again, except the url has changed to https://sogo.host.de/SOGo/so/user%40domain.de After several serial logon attempts the login works, but this is definitely annoying. Jan 29 23:06:46 sogod [15880]: <0x0x2ab99fd09948[NGLdapConnection]> Using ldap_init (deprecated) for LDAP host:port 127.0.0.1:389 Jan 29 23:06:46 sogod [15880]: <0x0x2ab99f141168[NGLdapConnection]> Using ldap_init (deprecated) for LDAP host:port 127.0.0.1:389 2013-01-29 23:06:46.740 sogod[15880] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search with at base filter for attrs `h an 29 23:06:46 sogod [15880]: <0x0x2ab99fd09948[NGLdapConnection]> Using ldap_init (deprecated) for LDAP host:port 127.0.0.1:389 Jan 29 23:06:46 sogod [15880]: SOGoRootPage successful login for user 'some@where.de' - expire = -1 grace = -1 First Phase of Auth attempt works,then with long password: Jan 29 23:06:46 sogod [15880]: <0x0x2ab99fc420c8[NGLdapConnection]> Using ldap_init (deprecated) for LDAP host:port 127.0.0.1:389 2013-01-29 23:06:46.753 sogod[15880] -[NGLdapConnection _searchAtBaseDN:qualifier:attributes:scope:]: search with at base filter for attrs `h 1.19.158.172 - - [29/Jan/2013:23:06:46 GMT] "POST /SOGo/connect HTTP/1.1" 200 27/74 0.023 - - 0 Jan 29 23:06:47 sogod [15880]: <0x0x2ab99f1b13d8[NGLdapConnection]> Using ldap_init (deprecated) for LDAP host:port 127.0.0.1:389 Jan 29 23:06:47 sogod [15880]: <0x0x2ab99f13acd8[LDAPSource]> <NSException: 0x2ab99fb50df8> NAME:LDAPException REASON:operation bind failed: Invalid credentials (0x31) INFO:{login = "uid=some,dc=where,dc=de"; } Jan 29 23:06:47 sogod [15880]: <0x0x2ab99f1b4e38[SOGoWebAuthenticator]> tried wrong password for user 'zjWxFWqXYqq73sXtuvpkJXtSWLejQwwWH9PnUe4Ahb9SwY61eb/Fn/h1IxwISRHjEm6eEfZUPZexRhL2WnQ5oQ=='! Then something goes wrong. I dont even know where this strange string comes from. The Part directly above is not showing on user logins with short passwords 31.19.158.172 - - [29/Jan/2013:23:06:47 GMT] "GET /SOGo/some@where.de HTTP/1.1" 200 4358/0 0.019 12340 64% 0 Also if i track LDAP in absulute verbose, this buffer read happens (the password was 'testpassword1234') 0040: 65 80 0b 74 65 73 74 70 61 73 73 77 6f 72 a0 1d e..testpasswor.. 0050: 30 1b 04 19 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 0...1.3.6.1.4.1. 0060: 34 32 2e 32 2e 32 37 2e 38 2e 35 2e 31 42.2.27.8.5.1 somehow the rest of the password gets eaten somewhere within sogo so somewhere within the login phase the long password gets cut
Additional Information	Also my Settings are bindAsCurrentUser = NO, so i don't know why sogo should try to bind as the current user Centos VServer from hosteurope.de no selinux Current SOGo repo version 2.0.4a but error exists since i installed, which was version 2.0.3a Linux version 2.6.18-028stab098.1 (root@rhel5-build-x64) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) 0000001 SMP Sat Feb 11 14:56:17 MSK 2012
Tags	ldap

hrichter 2013-02-01 12:03 reporter ~0005306 Last edited: 2013-02-01 12:12	I could trace the error deeper: I use bindFields = mail, because i haven't found a way to make multi-domain-config logins work with username@domain.com login names if there are equal usernames and passwords within different domains, only the first match gets logged in i created a test user within a different config with a very long username longusername_test-domain-long.com password testtest works password testtest1 shows the same strange behavior every password exceeding 8 chars is creating the strange behavior my conclusion: every combination of user+Password exceeding 41chars will produce this strange behavior with the web interface login screen. could someone confirm this on another machine?

hrichter 2013-02-01 12:17 reporter ~0005307	Is there a way to change the bug title? my new findings made the old obsolete, its more like any combination of "user+Password exceeding 41chars" thanks

Christian Mack 2013-02-04 10:44 developer ~0005321	Changed title as requested by bug reporter.

hrichter 2013-02-04 18:24 reporter ~0005326	Jean Raby answered my Mailing List Request. The answer: Confirmed. The problem occurs when the username:password exceeds 64 chars. The following patch should fix it, but it is a friday night patch, so YMMV. --- a/SoObjects/SOGo/SOGoWebAuthenticator.m +++ b/SoObjects/SOGo/SOGoWebAuthenticator.m @@ -388,7 +388,7 @@ // which will be XOR'ed with the user key. // sessionKey = [SOGoSession generateKeyForLength: 16]; userKey = [SOGoSession generateKeyForLength: 64]; userKey = [SOGoSession generateKeyForLength: 768]; NSString *value = [NSString stringWithFormat: @"%@:%@", username, password]; securedPassword = [SOGoSession securedValue: value usingKey: userKey];

~~jraby~~ 2013-02-04 19:04 viewer ~0005327	Different fix commited : https://github.com/inverse-inc/sogo/commit/3d90e3a5393ff45b4915a1c915edd4c24b21763c Will be part of 2.0.4b

Date Modified	Username	Field	Change
2013-01-30 21:54	hrichter	New Issue
2013-02-01 11:57	hrichter	Tag Attached: ldap
2013-02-01 12:03	hrichter	Note Added: 0005306
2013-02-01 12:12	hrichter	Note Edited: 0005306
2013-02-01 12:17	hrichter	Note Added: 0005307
2013-02-04 10:44	Christian Mack	Note Added: 0005321
2013-02-04 10:44	Christian Mack	Summary	Users in LDAP with Passwords longer than 11 chars can't log into Web interface => Users in LDAP with user+Password exceeding 41chars can't log into Web interface
2013-02-04 18:24	hrichter	Note Added: 0005326
2013-02-04 19:04	~~jraby~~	Note Added: 0005327
2013-02-04 19:04	~~jraby~~	Assigned To	=> jraby
2013-02-04 19:04	~~jraby~~	Status	new => resolved
2013-02-04 19:04	~~jraby~~	Resolution	open => fixed