LDAP authentication fails when special characters are contained within the user's `uid`
Zendesk Ticket: https://gitlab.zendesk.com/agent/tickets/13350
## Description of issue

When special characters like Å, Ä, Ö, å, ä, ö are used in the common names of LDAP users that authenticate for HTTP cloning, it seems that GitLab is not parsing them properly, causing a 401 Unauthorized error for the end user. Web UI authentication works as normal with these characters, and it used to work for Git over HTTP prior to the 8.x upgrade.
## Replication

I was able to replicate this using our test AD server, an account I created with special characters, and a GitLab EE test server. The request returns 401 when it should succeed.
## Steps to reproduce

Given that there is a user with the name John Åström in LDAP with the following details:

- Username: `jastrom`
- Password: `p@assw0rd123456` (it's irrelevant)
- LDAP uid: `CN=John Åström,CN=Users,DC=xxx,DC=com`
- Email: `jastrom@example.com`
The user is able to sign in, create projects, etc.
Running `wget https://X:Y@gitlab.example.com/foo/bar.git/info/refs?service=upload-pack` fails with:

```
--2015-12-09 10:25:13-- http://jastrom:*password*@patricio-ee.gitlap.com/open-source/gitlab-test.git/info/refs?service=upload-pack
Resolving patricio-ee.gitlap.com... 104.131.18.33
Connecting to patricio-ee.gitlap.com|104.131.18.33|:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm=""
Reusing existing connection to patricio-ee.gitlap.com:80.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
```
Running the same command against `http://localhost:8080` fails with:

```
--2015-12-09 10:27:02-- http://jastrom:*password*@localhost:8080/open-source/gitlab-test.git/info/refs?service=upload-pack
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
```
Trying the LDAP authentication method `Gitlab::LDAP::Authentication.login(login, password)` via the Rails console returns `nil` for this user's credentials, but it works for the `git` user that has no special characters anywhere.

Running `auth.login` from here returns the following:

```
irb(main):008:0> auth.login('jastrom', 'xxxxxxxxxx')
=> #<Net::LDAP::Entry:0x000000077f3008 @myhash={:dn=>["CN=John \xC3\x85str\xC3\xB6m,CN=Users,DC=Vosmaer,DC=com"], :objectclass=>["top", "person", "organizationalPerson", "user"], :cn=>["John \xC3\x85str\xC3\xB6m"], :sn=>["\xC3\x85str\xC3\xB6m"], :givenname=>["John"], :distinguishedname=>["CN=John \xC3\x85str\xC3\xB6m,CN=Users,DC=Vosmaer,DC=com"], :instancetype=>["4"], :whencreated=>["20150129221028.0Z"], :whenchanged=>["20151207201526.0Z"], :displayname=>["John \xC3\x85str\xC3\xB6m"], :usncreated=>["70672"], :memberof=>["CN=SecurityGroup,OU=Groups,DC=Vosmaer,DC=com", "CN=DistributionGroup,OU=Groups,DC=Vosmaer,DC=com"], :usnchanged=>["195279"], :name=>["John \xC3\x85str\xC3\xB6m"], :objectguid=>["\xB3=X\x95\xCD\x8A\x11C\x96\xD8\xB2\xED\e?\xAAj"], :useraccountcontrol=>["66048"], :badpwdcount=>["0"], :codepage=>["0"], :countrycode=>["0"], :badpasswordtime=>["130943398549870843"], :lastlogoff=>["0"], :lastlogon=>["130943398660475603"], :pwdlastset=>["130939929148142676"], :primarygroupid=>["513"], :objectsid=>["\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00\xEB\xD8\xF3!]\xF3\x93\xD0!\xFF\b\xD2t\x04\x00\x00"], :accountexpires=>["9223372036854775807"], :logoncount=>["0"], :samaccountname=>["jastrom"], :samaccounttype=>["805306368"], :userprincipalname=>["jastrom@Vosmaer.com"], :objectcategory=>["CN=Person,CN=Schema,CN=Configuration,DC=Vosmaer,DC=com"], :dscorepropagationdata=>["16010101000000.0Z"], :lastlogontimestamp=>["130939929267951436"], :"msds-supportedencryptiontypes"=>["0"]}>
```
But `auth.user` is `nil`.

`auth.ldap_user` is valid, but the `ldap_user.dn` needed for `auth.user` to return a valid user is not properly encoded: `CN=John \xC3\x85str\xC3\xB6m,CN=Users,DC=Vosmaer,DC=com` when it should be `CN=John Åström,CN=Users,DC=Vosmaer,DC=com`.

This leads `Gitlab::LDAP::User.find_by_uid_and_provider(auth.ldap_user.dn, provider)` to return `nil`.
## Next questions

This is where my expertise with LDAP ends. I know where the error is coming from, but have no idea why it is happening or how to fix it.
@jacobvosmaer any insights?
cc @rdavila
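Added example, not code from the issue or from GitLab, reproducing the DN mismatch described above in plain Ruby. The `\xC3\x85` and `\xC3\xB6` in the irb dump are the UTF-8 bytes for Å and ö; that `inspect` shows them as escapes implies the string is tagged ASCII-8BIT (binary) rather than UTF-8. Ruby's `String#==` treats two non-ASCII strings with different encodings as unequal even when their bytes are identical, while ASCII-only strings compare equal across encodings, which is consistent with the lookup missing for this user and succeeding for `git`. The identity table and the `find_user_*` helpers are hypothetical stand-ins for `find_by_uid_and_provider`, not GitLab's implementation; the sample DNs are constructed from the dump.

```ruby
# Added example, not code from GitLab or the issue. Reproduces the DN
# encoding mismatch in plain Ruby and shows a normalisation that fixes it.

# Constructed sample: the DN as it appears in the irb dump, the UTF-8 bytes
# for "Åström" tagged ASCII-8BIT (BINARY), the encoding the dump implies
# the LDAP client handed back.
LDAP_DN_BINARY = "CN=John \xC3\x85str\xC3\xB6m,CN=Users,DC=Vosmaer,DC=com".b

# Constructed sample: the same DN as a properly tagged UTF-8 string, the form
# one would expect to be stored as the identity's extern_uid after a web sign-in.
STORED_EXTERN_UID = "CN=John Åström,CN=Users,DC=Vosmaer,DC=com"

# Constructed sample: an all-ASCII DN (the "git" user that still works),
# also tagged binary.
ASCII_DN_BINARY = "CN=git,CN=Users,DC=Vosmaer,DC=com".b

# Hypothetical identity table standing in for the identities rows.
IDENTITIES = [
  [STORED_EXTERN_UID, "jastrom"],
  [ASCII_DN_BINARY.dup.force_encoding(Encoding::UTF_8), "git"],
]

# Stand-in for find_by_uid_and_provider: compares the DN with String#==,
# which returns false for two non-ASCII strings whose encodings differ,
# even when the underlying bytes are identical. ASCII-only strings are
# comparable across encodings, so the "git" lookup succeeds either way.
def find_user_naive(dn)
  row = IDENTITIES.find { |stored_dn, _| stored_dn == dn }
  row && row[1]
end

# Retag a binary-tagged value as UTF-8 when its bytes are valid UTF-8.
# force_encoding changes only the tag, never the bytes; values that are not
# valid UTF-8 (objectGUID, objectSid in the dump) are returned untouched.
def normalize_ldap_value(value)
  return value unless value.encoding == Encoding::ASCII_8BIT
  utf8 = value.dup.force_encoding(Encoding::UTF_8)
  utf8.valid_encoding? ? utf8 : value
end

def find_user_normalized(dn)
  find_user_naive(normalize_ldap_value(dn))
end

# Why force_encoding rather than encode: transcoding ASCII-8BIT to UTF-8 has
# no mapping for bytes above 0x7F and raises UndefinedConversionError.
def transcode_raises?(value)
  value.encode(Encoding::UTF_8)
  false
rescue Encoding::UndefinedConversionError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "naive lookup:      #{find_user_naive(LDAP_DN_BINARY).inspect}"
  puts "normalized lookup: #{find_user_normalized(LDAP_DN_BINARY).inspect}"
  puts "ascii user:        #{find_user_naive(ASCII_DN_BINARY).inspect}"
  puts "encode raises:     #{transcode_raises?(LDAP_DN_BINARY)}"
end
```

The check `utf8.valid_encoding?` matters in the general case: binary attributes such as `objectguid` and `objectsid` in the dump are not UTF-8 and must keep their bytes unchanged, so only values that decode cleanly are retagged.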