Error auth encoding in LDAP

Question

Error auth encoding in LDAP

IdentySergey opened this issue 22 days ago · comments

Expected Behavior

It is expected that it will be possible to use Cyrillic characters in DN.

Current Behavior

Unable to login via LDAP with account following DN
sAMAccountName: i.ivanov
CN=Иванов Иван,OU=Users,DC=home,DC=local (Cyrillic symbols)

Upon request to
http://minio.local:9000/?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=i.ivanov&LDAPPassword=*****&Version=2011-06-15

We receive the following error:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <Error>
        <Type></Type>
        <Code>InvalidParameterValue</Code>
        <Message>LDAP server error: LDAP auth failed for DN cn=**\d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd**,ou=Users,dc=home,dc=local: LDAP Result Code 49 &#34;Invalid Credentials&#34;: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 </Message>
    </Error>
    <RequestId>17D0040BD4CB1718</RequestId>
</ErrorResponse>

where \d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd - wrong encoding.

When using CN=test,OU=Users,DC=home,DC=local

<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <AssumeRoleWithLDAPIdentityResult>
        <Credentials>
            <AccessKeyId>...</AccessKeyId>
            <SecretAccessKey>...</SecretAccessKey>
            <SessionToken>...</SessionToken>
            <Expiration>...</Expiration>
        </Credentials>
    </AssumeRoleWithLDAPIdentityResult>
    <ResponseMetadata>
        <RequestId>..</RequestId>
    </ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>

Your Environment

running in docker signle node.

minio version RELEASE.2024-05-10T01-41-38Z (commit-id=b5984027386ec1e55c504d27f42ef40a189cdb55)
Runtime: go1.22.3 linux/amd64
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.

Linux 6207cee3b5da 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

upd 17.05.24: running as service ubuntu, behavior is the same.

Anis Eleuch · Answer 1 · Fri May 17 2024 17:34:50 GMT+0800 (China Standard Time)

@IdentySergey any MinIO server log ?

Sergey Zhiganov · Answer 2 · Fri May 17 2024 18:08:19 GMT+0800 (China Standard Time)

@vadmeste

trace:
sts.AssumeRoleWithLDAPIdentity 400 Bad Request

service stdout:
no errors.

logs
No logs to display

upd:
I installed on ubuntu with locales the problem remains the same.

Anis Eleuch · Answer 3 · Fri May 17 2024 18:21:27 GMT+0800 (China Standard Time)

https://ldapwiki.com/wiki/Wiki.jsp?page=Common%20Active%20Directory%20Bind%20Errors

are you using Active Directory ? your error simply means you password is incorrect

Sergey Zhiganov · Answer 4 · Fri May 17 2024 18:44:15 GMT+0800 (China Standard Time)

your error simply means you password is incorrect

Thanks for the link, we looked at it in detail and checked the important assumption.

The password is correct and has been verified.

For testing, we set the password to 12345678Qq, so as not to make a mistake.

The error only occurs when Cyrillic characters are used in CN