
This queue is for tickets about the Catalyst-Authentication-Store-LDAP CPAN distribution.

Report information
The Basics
Id: 127335
Status: new
Priority: 0/
Queue: Catalyst-Authentication-Store-LDAP

People
Owner: Nobody in particular
Requestors: marco.schumann [...] pyur.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: lookup_user croaks on multiple "user_fields"
Date: Wed, 10 Oct 2018 22:45:11 +0200
To: <bug-Catalyst-Authentication-Store-LDAP [...] rt.cpan.org>
From: Marco Schumann <marco.schumann [...] pyur.com>
Hi,

we attempt to use a complex filter (like "(|(uid=%s)(mail=%s))") to allow customers to log in with either their UID or their email address. We use a Catalyst config like this:

    Plugin::Authentication:
      default_realm: realm
      realms:
        realm:
          credential:
            class: Password
            password_field: password
            password_type: self_check
          store:
            binddn: ...
            bindpw: ...
            class: LDAP
            ldap_server: ...
            start_tls: 0
            user_field:
              - 'uid'
              - 'mail'
            user_basedn: ...
            user_filter: '(!(uid=%s)(mail=%s))'

According to https://metacpan.org/source/ILMARI/Catalyst-Authentication-Store-LDAP-1.016/lib/Catalyst/Authentication/Store/LDAP.pm#L219 the "user_field" may be an array. Unfortunately this is not true:

    Use of uninitialized value in lc at lib/Catalyst/Authentication/Store/LDAP/Backend.pm line 344.
    LDAP claims 'ARRAY(0x55839c32b820)' equals 'somebody' but results entry does not match.
    # Tests were run but no plan was declared and done_testing() was not seen.

In lib/Catalyst/Authentication/Store/LDAP/Backend.pm (https://metacpan.org/source/ILMARI/Catalyst-Authentication-Store-LDAP-1.016/lib/Catalyst/Authentication/Store/LDAP/Backend.pm#L323) it is assumed that "user_field" is a string, resulting in a wrong interpolation of a given array.

Please review the appended proof of the issue and my proposal to make the package work as expected. Hints are very welcome as we plan to backport the Debian stretch version 0.1005 locally.

Thank you

--
Marco Schumann
Platform Architect

Tele Columbus Betriebs GmbH
Kaiserin-Augusta-Allee 108
10553 Berlin

E-mail: marco.schumann@pyur.com
Phone: +49 30 3388 1233
Mobile: +49 176 19061115
Fax: +49 30 3388 913333
http://www.pyur.com/

Managing Directors: Timm Degenhardt, Eike Walters, Ludwig Modra
Registered office: Kaiserin-Augusta-Allee 108, 10553 Berlin
Amtsgericht Berlin-Charlottenburg HRB 176365 B


Subject: [rt.cpan.org #127335] Re: lookup_user croaks on multiple "user_fields"
Date: Thu, 11 Oct 2018 07:59:09 +0200
To: <bug-Catalyst-Authentication-Store-LDAP [...] rt.cpan.org>
From: Marco Schumann <marco.schumann [...] pyur.com>
Hello,

On 10.10.18 at 22:45, Marco Schumann wrote:
> Hi,
>
> we attempt to use a complex filter (like "(|(uid=%s)(mail=%s))") to allow
> customers to log in with either their UID or their email address. We use
> a Catalyst config like this:...
>
> According to
> https://metacpan.org/source/ILMARI/Catalyst-Authentication-Store-LDAP-1.016/lib/Catalyst/Authentication/Store/LDAP.pm#L219
> the "user_field" may be an array. Unfortunately this is not true:
>
> Use of uninitialized value in lc at
> lib/Catalyst/Authentication/Store/LDAP/Backend.pm line 344.
> LDAP claims 'ARRAY(0x55839c32b820)' equals 'somebody' but results entry
> does not match.# Tests were run but no plan was declared and
> done_testing() was not seen.
>
> In lib/Catalyst/Authentication/Store/LDAP/Backend.pm
> (https://metacpan.org/source/ILMARI/Catalyst-Authentication-Store-LDAP-1.016/lib/Catalyst/Authentication/Store/LDAP/Backend.pm#L323)
> it is assumed that "user_field" is a string, resulting in a wrong interpolation of
> a given array.
>
> Please review the appended proof of the issue and my proposal to make
> the package work as expected. Hints are very welcome as we plan to
> backport the Debian stretch version 0.1005 locally.

if I read the solved issues correctly, a similar discussion already took place a long time ago [https://rt.cpan.org/Public/Bug/Display.html?id=33200]. It was stated that the "user_field" documentation was wrong, and looking at commit 1647b33a this is correct.

Nevertheless I tend to disagree with parts of that commit. Measures were already taken to avoid ambiguous LDAP entries. If there is a more complex filter, any of the filtering values should be considered. Thus the removed loop introduces a bug by not checking all of the filtering values.

I would go one step further: if the "user_field" is not given at all, it could be created automatically by extracting any attribute from the "user_filter" setting, similar to

    my @user_fields = $self->user_filter =~ /([a-z0-9_]+)=%s/ig;

Do you have any opinions on that?

Cheers

--
Marco Schumann
Platform Architect
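
Added example, not part of the ticket or of the distribution's code: a standalone Perl sketch of the two ideas discussed above, accepting "user_field" as a string or an array (or deriving it from "user_filter") and then comparing the returned entry against every listed field. All sub names, the entry hash layout and the sample data are assumptions made for illustration; the attribute-name pattern follows RFC 4512 short names rather than the character class in the message.

```perl
use strict;
use warnings;

# Hypothetical helper: attribute names the filter template compares to the id.
sub fields_from_filter {
    my ($filter) = @_;
    my %seen;
    return grep { !$seen{ lc $_ }++ } $filter =~ /([A-Za-z][A-Za-z0-9-]*)=%s/g;
}

# Accept user_field as a string or an array reference; fall back to the filter.
sub normalize_fields {
    my ($user_field, $filter) = @_;
    return fields_from_filter($filter) unless defined $user_field;
    return ref($user_field) eq 'ARRAY' ? @$user_field : ($user_field);
}

# RFC 4515 escaping so the id cannot change the structure of the filter.
sub escape_filter_value {
    my ($value) = @_;
    $value =~ s/([\\*()\0])/sprintf('\\%02x', ord($1))/ge;
    return $value;
}

sub build_filter {
    my ($template, $id) = @_;
    my $escaped = escape_filter_value($id);
    (my $filter = $template) =~ s/%s/$escaped/g;
    return $filter;
}

# True if any configured field of the returned entry equals the id.
sub entry_matches_id {
    my ($entry, $id, @fields) = @_;    # $entry: { attribute => [values] }
    for my $field (@fields) {
        for my $value (@{ $entry->{ lc $field } // [] }) {
            return 1 if lc($value) eq lc($id);
        }
    }
    return 0;
}

# Constructed sample data: one directory entry and three login ids.
my $template = '(|(uid=%s)(mail=%s))';
my %entry    = (uid => ['somebody'], mail => ['somebody@example.org']);
my @fields   = normalize_fields(undef, $template);
for my $id ('somebody', 'Somebody@Example.org', 'some*') {
    printf "%-21s %-46s match=%d\n", $id, build_filter($template, $id),
        entry_matches_id(\%entry, $id, @fields);
}
```

The wildcard id is escaped before it reaches the filter, and the per-field comparison rejects it even if a search were to return the entry.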