Bug 65373 - LDAP authentication failing for some characters in 8.5.66 but works in 8.5.65
Summary: LDAP authentication failing for some characters in 8.5.66 but works in 8.5.65
Status: NEEDINFO
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.66
Hardware: All Linux
Importance: P2 critical
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-11 13:05 UTC by Satya
Modified: 2021-06-13 10:09 UTC
Attachments
attachment for LDAP users (45.06 KB, image/png), 2021-06-12 14:24 UTC, Satya

Description Satya 2021-06-11 13:05:09 UTC
LDAP authentication fails for the below credentials in Tomcat 8.5.66, but this works in Tomcat 8.5.65:
User: Testing\+Username , Password: Testing+Password

LDAP authentication works for the below credentials in Tomcat 8.5.66 and also in Tomcat 8.5.65:
User: ldapuser1 , Password: ldapuser1

The configuration used in our environment is below:

1.Realm Configuration in server.xml
-----------------------------------
<Realm className="package.DefaultLockOutRealm">
		&realm;
</Realm>

2.Realm.XML
-----------
<Realm className="org.apache.catalina.realm.CombinedRealm">
	<Realm className="org.apache.catalina.realm.JNDIRealm" connectionURL="ldap://XX:XX:XX:XX:389" useStartTls="true" userPattern="uid={0},ou=people,ou=accounts,dc=netact,dc=net"/>
	<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
Comment 1 Felix Schumacher 2021-06-12 07:38:55 UTC
Newer Tomcat versions will escape the attribute values (that is the user name). A backslash '\' and a plus '+' will be encoded as '\22' and '\2B' respectively.

Is the user name really 'Testing\+username' or is this already hand escaped and the users name in LDAP would be 'Testing+username'?
Comment 2 Satya 2021-06-12 14:22:50 UTC
The username in LDAP is Testing+Username.

'Testing\+username' authenticates successfully in 8.5.65 but fails in 8.5.66.

Please find the attached screenshot.
Comment 3 Satya 2021-06-12 14:24:45 UTC
Created attachment 37895 [details]
attachment for LDAP users
Comment 4 Felix Schumacher 2021-06-12 15:15:48 UTC
If the username is 'Testing+Username', try to use it in the authentication process. Tomcat will add the backslash for you. Currently there is no switch to bring back the old behaviour.

Are there any reasons (except informing your users) to not use the variant without the backslash?
Comment 5 Satya 2021-06-12 15:24:19 UTC
I will test and post the results soon.

This new change has broken backward compatibility.

As per the above description, 8.5.65 has the faulty code, which was fixed in 8.5.66. Is my understanding correct?
Comment 6 Mark Thomas 2021-06-12 18:33:23 UTC
See bug 65224 for details.
Comment 7 Satya 2021-06-13 03:58:26 UTC
One more case I have tested, and below are the results.

The below user exists in LDAP:
UserName:    <>+="#;,rrr
Password:    <>+="#;,rrr


8.5.65 : our application sends the below credentials and authentication is successful
UserName:   \<\>\+\=\"\#\;\,rrr  and   Password:  <>+="#;,rrr

8.5.66 : After discussions with you, I modified the username as below and authentication failed
UserName:   <>+="#;,rrr  and    Password:    <>+="#;,rrr
Comment 8 Felix Schumacher 2021-06-13 06:40:06 UTC
You may try to escape the hash sign '#' and the equals sign '='.

Tomcat will only escape it if it is the first character of a value. We tried to model our escaping after RFC 4514. There the '#' and '=' signs are part of the group of 'may be escaped' characters only.

Out of curiosity, are these test cases of your own?
Comment 9 Felix Schumacher 2021-06-13 07:07:22 UTC
To be more precise: Tomcat will not escape the '#' sign if it is not the first character of a value, i.e. '#abc' => it will be escaped, 'a#bc' => it will not be escaped.
Comment 10 Mark Thomas 2021-06-13 08:54:34 UTC
I've just added this exact example to the Tomcat test cases and it passes.
https://github.com/apache/tomcat/commit/356c8ecc

I'll note that you need to be VERY careful setting up these tests to ensure that values are correctly escaped and that escapes are applied in the correct order.

I'll also note that not all LDAP servers seem to follow all of the requirements of RFC 2254 and RFC 4514.

To summarise the escaping requirements:

Original String:                <>+="#;,rrr
Original + Java escapes:        <>+=\"#;,rrr
Original + LDAP escapes:        \3C\3E\2B=\22#\3B\2Crrr
Original + LDAP + Java escapes: \\3C\\3E\\2B=\\22#\\3B\\2Crrr

I haven't yet seen anything to confirm that there is a Tomcat bug here.
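The escaping rules discussed in comments 8 through 10 are easy to get wrong when a test string passes through both a Java string literal and an LDAP DN. The following is an added example, written for this page and not taken from Tomcat or from anyone in this thread: an independent implementation of the RFC 4514 section 2.4 attribute-value escaping (using the two-digit hex form so the output matches the summary table above, with backslash itself becoming `\5C`), the Java string-literal escaping layer, and a minimal `{0}` substitution into a `userPattern` like the one in the reporter's Realm.XML. The `build_user_dn` helper and its single-placeholder substitution are assumptions for illustration, not Tomcat's own DN formatter. Running it reproduces the four rows of the summary, the first-character rule for `#` from comment 9, and shows why a username that the caller has already hand-escaped no longer matches once the realm escapes it a second time.

```python
# Added example (not Tomcat's code): RFC 4514 escaping of an RDN attribute
# value, plus the Java string-literal escaping layer, reproducing the
# summary table in comment 10 and the first-character rule in comment 9.

from typing import Dict

# RFC 4514 section 2.4: these characters must be escaped wherever they occur.
ALWAYS_ESCAPE = frozenset('"+,;<>\\\x00')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 4514, section 2.4).

    Every escape uses the \\XX hex form, matching the output format in the
    thread. A leading '#' or space and a trailing space are escaped only at
    those positions; '=' and '#' elsewhere are left alone (RFC 4514 lists them
    as 'may be escaped'). Non-ASCII characters pass through unchanged, which
    RFC 4514 permits for UTF-8 values.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        positional = (i == 0 and ch in ' #') or (i == last and ch == ' ')
        if ch in ALWAYS_ESCAPE or positional:
            out.append('\\%02X' % ord(ch))   # e.g. '+' -> '\2B', '\' -> '\5C'
        else:
            out.append(ch)
    return ''.join(out)


def java_string_escape(value: str) -> str:
    """Escape for a Java string literal: backslash first, then double quote."""
    return value.replace('\\', '\\\\').replace('"', '\\"')


def build_user_dn(pattern: str, username: str) -> str:
    """Substitute the escaped username into a userPattern such as
    'uid={0},ou=people,...'.

    Assumption for this example: only the '{0}' placeholder is supported.
    This is not Tomcat's own pattern formatter.
    """
    return pattern.replace('{0}', escape_rdn_value(username))


def escaping_table(original: str) -> Dict[str, str]:
    """Reproduce the four rows of the summary in comment 10."""
    ldap = escape_rdn_value(original)
    return {
        'original': original,
        'original + java': java_string_escape(original),
        'original + ldap': ldap,
        'original + ldap + java': java_string_escape(ldap),
    }


if __name__ == '__main__':
    # The test string from comment 7 / comment 10.
    for label, text in escaping_table('<>+="#;,rrr').items():
        print(f'{label:24} {text}')

    # Comment 9: '#' is escaped only as the first character of a value.
    print(escape_rdn_value('#abc'), escape_rdn_value('a#bc'))

    # Why a hand-escaped username stops matching once the realm escapes for
    # you: the backslash is itself escaped to \5C, so the RDN value sent to
    # the server is no longer 'Testing+Username'.
    pattern = 'uid={0},ou=people,ou=accounts,dc=netact,dc=net'
    print(build_user_dn(pattern, 'Testing+Username'))
    print(build_user_dn(pattern, 'Testing\\+Username'))
```

A practical use of this when reproducing a report like the one above is to compute the expected RDN value with `escape_rdn_value` from the raw directory entry, then compare it against what the application actually hands to the realm: if the application's value already contains backslashes, the realm's own escaping will double them, which is exactly the difference between the 8.5.65 and 8.5.66 results the reporter describes.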
Comment 11 Satya 2021-06-13 10:09:01 UTC
Hi Thomas,

The below user exists in LDAP:
UserName:    <>+="#;,rrr
Password:    <>+="#;,rrr


8.5.65 : our application sends the below credentials and LDAP authentication is successful
UserName:   \<\>\+\=\"\#\;\,rrr  and   Password:  <>+="#;,rrr

8.5.66 : As per the above mail, I modified the username as below and LDAP authentication failed
UserName:   <>+=\"#;,rrr  and    Password:    <>+=\"#;,rrr

Could you please suggest any issues?

What was the modification from 8.5.65 to 8.5.66? We are planning to upgrade to 8.5.66.