LDAP authentication fails for the credentials below in Tomcat 8.5.66, but works in Tomcat 8.5.65:
User: Testing\+Username, Password: Testing+Password

LDAP authentication works for the credentials below in Tomcat 8.5.66 and also in Tomcat 8.5.65:
User: ldapuser1, password: ldapuser1

Configuration used in our environment:

1. Realm configuration in server.xml
-----------------------------------
<Realm className="package.DefaultLockOutRealm">
  &realm;
</Realm>

2. Realm.XML
-----------
<Realm className="org.apache.catalina.realm.CombinedRealm">
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldap://XX:XX:XX:XX:389"
         useStartTls="true"
         userPattern="uid={0},ou=people,ou=accounts,dc=netact,dc=net"/>
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
</Realm>
Newer Tomcat versions will escape the attribute values (that is the user name). A backslash '\' and a plus '+' will be encoded as '\22' and '\2B' respectively. Is the user name really 'Testing\+username' or is this already hand escaped and the users name in LDAP would be 'Testing+username'?
The username in LDAP is Testing+Username. 'Testing\+username' is authenticated successfully in 8.5.65 but fails in 8.5.66. Please find the attached screenshot.
Created attachment 37895: attachment for LDAP users
If the username is 'Testing+Username', try to use it in the authentication process. Tomcat will add the backslash for you. Currently there is no switch to bring back the old behaviour. Are there any reasons (except informing your users) to not use the variant without the backslash?
I will test and post the results soon. This new change has broken backward compatibility. As per the above description, 8.5.65 has the faulty code and it is fixed in 8.5.66. Is my understanding correct?
See bug 65224 for details
One more case I have tested; below are the results.

The following user exists in LDAP:
UserName: <>+="#;,rrr
Password: <>+="#;,rrr

8.5.65: our application sends the credentials below and authentication is successful
UserName: \<\>\+\=\"\#\;\,rrr and Password: <>+="#;,rrr

8.5.66: after discussions with you, the username was modified as below and authentication failed
UserName: <>+="#;,rrr and Password: <>+="#;,rrr
You may try to escape the hash sign '#' and the equals sign '='. Tomcat will only escape them if they are the first char of a value. We tried to model our escaping after RFC 4514. There the '#' and '=' signs are part of a group of 'may be escaped' characters only. Out of curiosity, are these test cases of your own?
To be more precise: Tomcat will not escape the '#' sign if it is not the first character of a value, i.e. '#abc' => it will be escaped, 'a#bc' => it will not be escaped.
I've just added this exact example to the Tomcat test cases and it passes.

https://github.com/apache/tomcat/commit/356c8ecc

I'll note that you need to be VERY careful setting up these tests to ensure that values are correctly escaped and that escapes are applied in the correct order. I'll also note that not all LDAP servers seem to follow all of the requirements of RFC 2254 and RFC 4514.

To summarise the escaping requirements:

Original String:                <>+="#;,rrr
Original + Java escapes:        <>+=\"#;,rrr
Original + LDAP escapes:        \3C\3E\2B=\22#\3B\2Crrr
Original + LDAP + Java escapes: \\3C\\3E\\2B=\\22#\\3B\\2Crrr

I haven't yet seen anything to confirm that there is a Tomcat bug here.
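An added example (not Tomcat's code, nor the reporter's) modelling the escaping rules described above: the `\XX` hex form for the characters that must always be escaped, '#' only as the first character, leading/trailing space, and '=' left alone. It also shows why a name the application has already hand-escaped (`Testing\+Username`) no longer matches once the realm escapes on its own, and the extra Java string-literal layer a test source needs; the userPattern is the one from the reporter's Realm.XML.

```python
# Constructed example: RFC 4514-style escaping of one RDN attribute value.
# Characters that must always be escaped inside an attribute value.
_ALWAYS = set('\\"+,;<>')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an LDAP DN, hex form only.

    '#' is escaped only as the first character, a space only at the start
    or end of the value, and '=' is never escaped. Input is assumed ASCII;
    non-ASCII would need UTF-8 byte-wise escaping, which is omitted here.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (ch in _ALWAYS
                        or (ch == '#' and i == 0)
                        or (ch == ' ' and i in (0, last)))
        out.append('\\%02X' % ord(ch) if needs_escape else ch)
    return ''.join(out)


def build_user_dn(username: str,
                  pattern: str = "uid={0},ou=people,ou=accounts,"
                                 "dc=netact,dc=net") -> str:
    """Fill the realm's userPattern with an escaped user name.

    This is the step a realm that escapes for you performs: whatever the
    application passes in is escaped once more, so pre-escaped input
    yields a DN for a different (non-existent) entry.
    """
    return pattern.replace("{0}", escape_rdn_value(username))


def as_java_literal(s: str) -> str:
    """Render a string as the body of a Java string literal.

    Apply this after escape_rdn_value() when writing expected values into
    a Java test source; the order matters, as noted in the thread.
    """
    return s.replace('\\', '\\\\').replace('"', '\\"')


if __name__ == "__main__":
    raw = 'Testing+Username'
    pre_escaped = 'Testing\\+Username'
    print("stored name     ->", build_user_dn(raw))
    print("pre-escaped name->", build_user_dn(pre_escaped))  # \5C\2B: no match
    sample = '<>+="#;,rrr'
    print("LDAP escaped    ->", escape_rdn_value(sample))
    print("LDAP+Java       ->", as_java_literal(escape_rdn_value(sample)))
```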
Hi Thomas,

The following user exists in LDAP:
UserName: <>+="#;,rrr
Password: <>+="#;,rrr

8.5.65: our application sends the credentials below and LDAP authentication is successful
UserName: \<\>\+\=\"\#\;\,rrr and Password: <>+="#;,rrr

8.5.66: as per the above mail, the username was modified as below and LDAP authentication failed
UserName: <>+=\"#;,rrr and Password: <>+=\"#;,rrr

Could you please suggest any issues? What was the modification from 8.5.65 to 8.5.66? We are planning to upgrade to 8.5.66.
I'm afraid there is insufficient information here to help you. You show strings that appear to be using Java escaping but the context in which you use those strings is not clear.

The user should enter their username and password exactly as they are stored in LDAP, i.e. in this case: <>+="#;,rrr

The user should not be responsible for any escaping. If the username and/or password are used in code, a configuration file or similar then you may need to escape them according to the conventions for the code/configuration file you are using.

Without a test case that demonstrates an issue, this issue will be resolved as invalid. See the link to the commit in comment #10 for an example of how to construct a test case.
LDAP:
-----
I have created the new user below, DN(uid=\<\>\+=\"#\;\,rrrr,ou=people,ou=accounts,dc=netact,dc=net), in LDAP:
cn : <>+="#;,rrrr
sn : <>+="#;,rrrr
uid : <>+="#;,rrrr
userpassword : <>+="#;,rrrr
entryDN : uid=\3c\3e\2b=\22#\3b\2crrrr,ou=people,ou=accounts,dc=netact,dc=net

Application using Tomcat 8.5.66:
--------------------------------------
Provided the user authentication details (username / passwd) below:
<>+="#;,rrrr / <>+="#;,rrrr
LDAP authentication successful.

Could you please explain the modification details between Tomcat 8.5.65 and 8.5.66?
https://github.com/apache/tomcat/commits/8.5.x/java/org/apache/catalina/realm/JNDIRealm.java

The relevant changes are those from 2021-04-09 to 2021-05-16 inclusive.