Error auth encoding in LDAP
IdentySergey opened this issue · comments
Expected Behavior
It is expected that it will be possible to use Cyrillic characters in DN.
Current Behavior
Unable to login via LDAP with account following DN
sAMAccountName: i.ivanov
CN=Иванов Иван,OU=Users,DC=home,DC=local (Cyrillic symbols)
Upon request to
http://minio.local:9000/?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=i.ivanov&LDAPPassword=*****&Version=2011-06-15
We receive the following error:
<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<Error>
<Type></Type>
<Code>InvalidParameterValue</Code>
<Message>LDAP server error: LDAP auth failed for DN cn=**\d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd**,ou=Users,dc=home,dc=local: LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 </Message>
</Error>
<RequestId>17D0040BD4CB1718</RequestId>
</ErrorResponse>
where \d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd - wrong encoding.
When using CN=test,OU=Users,DC=home,DC=local
<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleWithLDAPIdentityResult>
<Credentials>
<AccessKeyId>...</AccessKeyId>
<SecretAccessKey>...</SecretAccessKey>
<SessionToken>...</SessionToken>
<Expiration>...</Expiration>
</Credentials>
</AssumeRoleWithLDAPIdentityResult>
<ResponseMetadata>
<RequestId>..</RequestId>
</ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>
Your Environment
running in docker signle node.
minio version RELEASE.2024-05-10T01-41-38Z (commit-id=b5984027386ec1e55c504d27f42ef40a189cdb55)
Runtime: go1.22.3 linux/amd64
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.
Linux 6207cee3b5da 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
upd 17.05.24: running as service ubuntu, behavior is the same.
@IdentySergey any MinIO server log ?
trace:
sts.AssumeRoleWithLDAPIdentity 400 Bad Request
service stdout:
no errors.
logs
No logs to display
upd:
I installed on ubuntu with locales the problem remains the same.
https://ldapwiki.com/wiki/Wiki.jsp?page=Common%20Active%20Directory%20Bind%20Errors
are you using Active Directory ? your error simply means you password is incorrect
your error simply means you password is incorrect
Thanks for the link, we looked at it in detail and checked the important assumption.
The password is correct and has been verified.
For testing, we set the password to 12345678Qq, so as not to make a mistake.
The error only occurs when Cyrillic characters are used in CN