CDash icon indicating copy to clipboard operation
CDash copied to clipboard
verified publisher icon Kitware

non ldap but already registered user can't login when ldap authentication is activated.

Open vlebourl opened this issue 1 year ago • 1 comments

Bug report

Expected Behavior

being able to login with both ldap and local user

Actual Behavior

ldap user is logging in correctly but existing local user can't login.

CDash Version

v3.2.3

Additional Information

in the .env file, using this:

[email protected]
CDASH_ROOT_ADMIN_PASS=<password>
# USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true

# CDASH_AUTHENTICATION_PROVIDER=ldap
# LDAP_HOSTS=sub.host.com
# LDAP_BASE_DN="cn=users,dc=host,dc=com"
# LDAP_USERNAME="cn=cdash,cn=users,dc=host,dc=com"
# LDAP_PASSWORD=${DB_PASSWORD}
# LDAP_BIND_USERS_BY=userPrincipalName
# LDAP_PROVIDER=activedirectory

can login correctly,

Using

[email protected]
CDASH_ROOT_ADMIN_PASS=<password>
USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true

CDASH_AUTHENTICATION_PROVIDER=ldap
LDAP_HOSTS=sub.host.com
LDAP_BASE_DN="cn=users,dc=host,dc=com"
LDAP_USERNAME="cn=cdash,cn=users,dc=host,dc=com"
LDAP_PASSWORD=${DB_PASSWORD}
LDAP_BIND_USERS_BY=userPrincipalName
LDAP_PROVIDER=activedirectory

An ldap user can correctly login, but user [email protected] can't login anymore. The testing.INFO logs shows

cdash           | [Fri Feb 16 14:38:53.058313 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Binding - Username: cn=cdash,cn=users,dc=host,dc=com  \n, referer: https://cdash.host.com/index.php?project=Project
cdash           | [Fri Feb 16 14:38:53.093743 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Bound - Username: cn=cdash,cn=users,dc=host,dc=com  \n, referer: https://cdash.host.com/index.php?project=Project
cdash           | [Fri Feb 16 14:38:53.097430 2024] [php:notice] [pid 477] [client 10.10.10.51:63205] [2024-02-16 15:38:53] testing.INFO: LDAP (ldap://sub.host.com.com:389) - Connection: default - Operation: Search - Base DN: cn=users,dc=host,dc=com - Filter: (&(objectclass=user)(objectcategory=person)(!(objectclass=contact))([email protected])) - Selected: (*,objectguid) - Time Elapsed: 2  \n, referer: https://cdash.host.com/index.php?project=Project

My understanding was that USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true would allow to log in with the non ldap user even though ldap authentication is activated. But I guess I'm wrong. How could I circumvent that? Thanks very much for the help.

vlebourl avatar Feb 16 '24 14:02 vlebourl

My understanding was that USERNAME_PASSWORD_AUTHENTICATION_ENABLED=true would allow to log in with the non ldap user even though ldap authentication is activated. But I guess I'm wrong. How could I circumvent that? Thanks very much for the help.

Unfortunately as you discovered, CDash's LDAP authentication currently blocks "regular" (database) authentication when it is enabled. We'll keep your use case in mind as we work to improve and expand our authentication support in CDash.

zackgalbreath avatar Mar 01 '24 14:03 zackgalbreath