ldap login limitation + bug + fix

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

6/8/2017 9:26:57 AM
Total Posts 1

ldap login limitation + bug + fix

Hi.

I've just installed MOJO for the first time.

I found a potential bug.

The ldap configuration does not allow a User Attribute key other than CN and UID (there is a drop-down for the choice); that is, if the username is stored in an attribute other than uid or cn, you cannot "plug in" ldap authentication.

For example, in my company the AD maps the full name to the CN attribute and the username to the "samaccountname" attribute instead, so without the possibility to choose "samaccountname" from the drop-down in the administration panel (in the ldap configuration), it is not possible to configure the ldap auth correctly.


I've found a solution:

Going to the DB with a shell (Microsoft SQL Server Management Studio), I found that the key parameter is a text string stored in the field "ldapuserDNkey" of the table "mp_sites".

I tried to update the value to "samaccountname" (overriding in this way the limits of the drop-down menu), but the field is an nvarchar(10), so it cannot contain the string "samaccountname".

So I modified the schema with the SQL command "alter table mp_sites alter column ldapuserDNkey nvarchar(100)"; then I was able to insert the value "samaccountname".


Now the ldap module is working correctly.


I ask you please to fix this bug and allow users to enter manually (in a text field) the attribute or the LDAP filter that matches their domain setup.


Regards.


6/8/2017 3:00:42 PM
Total Posts 1188
Proud member of the mojoPortal team


Re: ldap login limitation + bug + fix

We're using Active Directory with mojoPortal in production, and I've actually worked on this core code before (adding the option to do database authentication, with fallback to LDAP authentication).

Before making your changes, did you try using the stock setting that was shown (CN)? I contend that it would have worked for you as delivered.

First off, the setting text is a little bit misleading. In reality, the code only uses the UserDNKey value to determine whether to do an LDAP login, or an Active Directory login, like this:

if (ldapSettings.UserDNKey == "uid") // OpenLDAP
{
    return LdapStandardLogin(ldapSettings, uid, password);
}
else // Active Directory
{
    return ActiveDirectoryLogin(ldapSettings, uid, password);
}

Second, the ActiveDirectoryLogin() code uses a hard-coded value of sAMAccountName for the search, like this:

ds.Filter = "(&(sAMAccountName=" + uid + "))";

So, long story short, I don't believe your database changes could have had any effect on the outcome. Joe, if you think it's worthwhile, in the next release you could change the User Attribute Key setting description to "Directory Type" and the drop-down text to "LDAP" and "Active Directory" to avoid confusion.

Jamie
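The two pieces of behaviour Jamie describes (the "uid" check that selects the LDAP path versus the Active Directory path, and the sAMAccountName search filter) put together as an added example; this is not mojoPortal's code, and the class and method names `LdapFilterBuilder`, `EscapeValue`, `BuildAccountFilter` and `SelectLoginPath` are assumptions of this example. It also takes the attribute name from a setting rather than hard-coding it, which is what the original poster asked for, and validates that setting as an LDAP attribute name. The snippet on the page concatenates uid into the filter as-is; the example escapes the five characters RFC 4515 reserves in filter values so that a value such as "O'Brien (Sales)*" is searched literally instead of changing the meaning of the filter.

```csharp
// Added example (not mojoPortal code). Builds the account-lookup filter with
// a configurable attribute name and an RFC 4515-escaped value, and mirrors
// the UserDNKey dispatch between the LDAP and Active Directory login paths.
using System;
using System.Text;
using System.Text.RegularExpressions;

public static class LdapFilterBuilder
{
    // An LDAP attribute description starts with a letter and continues with
    // letters, digits or hyphens. Validating the configured name means a
    // free-text "User Attribute Key" setting can only ever name an attribute,
    // never add filter syntax.
    private static readonly Regex AttributeName =
        new Regex(@"^[A-Za-z][A-Za-z0-9-]*$", RegexOptions.Compiled);

    // RFC 4515 escaping for a value placed inside a search filter.
    public static string EscapeValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Same shape as the page's "(&(sAMAccountName=" + uid + "))", but the
    // attribute comes from configuration and the value is escaped.
    public static string BuildAccountFilter(string attribute, string uid)
    {
        if (attribute == null || !AttributeName.IsMatch(attribute))
            throw new ArgumentException("not a valid LDAP attribute name", nameof(attribute));
        return "(&(" + attribute + "=" + EscapeValue(uid) + "))";
    }

    // The dispatch Jamie describes: "uid" selects the standard LDAP path,
    // any other value selects the Active Directory path.
    public static string SelectLoginPath(string userDnKey)
    {
        return userDnKey == "uid" ? "LdapStandardLogin" : "ActiveDirectoryLogin";
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(BuildAccountFilter("sAMAccountName", "jsmith"));
        // (&(sAMAccountName=jsmith))
        Console.WriteLine(BuildAccountFilter("sAMAccountName", "O'Brien (Sales)*"));
        // (&(sAMAccountName=O'Brien \28Sales\29\2a))
        Console.WriteLine(SelectLoginPath("cn"));   // ActiveDirectoryLogin
        Console.WriteLine(SelectLoginPath("uid"));  // LdapStandardLogin

        try
        {
            BuildAccountFilter("sAMAccountName)(objectClass", "jsmith");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("rejected attribute setting: " + ex.Message);
        }
    }
}
```

The filter string returned by BuildAccountFilter is what would be assigned to DirectorySearcher.Filter in place of the concatenation shown above; the attribute-name check is the part that makes a free-text setting, as the original poster requested, safe to expose in the administration panel.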