Mailing List Archive: Wikipedia: Mediawiki

LDAP Lookup Behavior

Index | Next | Previous | View Threaded

jeff at cotse

Sep 14, 2005, 11:46 AM

Post #1 of 3 (532 views)
Permalink

LDAP Lookup Behavior

Hello,
I'm using the 1.0 LdapAuthentication plugin with version 1.5rc4.
I'm seeing some strange behavior binding for a certain name.
Authentication works fine for most users, except the user Nicolae.
I used tcpdump to watch the bind request and see none for Nicolae.
No problem seeing bind request for Nicola, icolae, Micolae, Ricolae,
Nicolaebean.
No bind attempted for Nicolae. All users are in the same part of the tree.
$wgLDAPUseLocal = false;
This looks like some sort of input validation.
Any suggestions where I can start tracking this down?

Thanks,

Jeff
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

jeff at cotse

Sep 14, 2005, 3:17 PM

Post #2 of 3 (514 views)
Permalink

Re: LDAP Lookup Behavior [In reply to]

Dear List,
(Replying to my own post)
This seems simply related to the password min length limit.
It is interesting to note, however, if you create a user in LDAP and
have a 7 character password, a bind will still be tried, and if
successful, an new user is added to the wiki users table. It still won't
log the user in, but a new record is created. After the record is
created, no more attempts will be made to bind to the directory.

It looks like the User.php code is trying to avoid even submitting the
form if the password is too short. I'm not sure this is being done when
the LdapAuthentication plugin is used.

I'm not really sure what this means, or even if it is a problem, though
it certainly confused me in tracking down why a particular login didn't
work.
This is how I reproduced it.
Set $wgMinimalPasswordLength = 8;
Create a user in LDAP that has a 7 character user name and a 7 char
password.
Try to login with the 7 char passwd.
Check the wiki users table.

I'm thinking that an ldap bind, and new record addtion should not be
made if the password is less than the minimum specified.

Jeff

Jeff Mandel wrote:

> Hello,
> I'm using the 1.0 LdapAuthentication plugin with version 1.5rc4.
> I'm seeing some strange behavior binding for a certain name.
> Authentication works fine for most users, except the user Nicolae.
> I used tcpdump to watch the bind request and see none for Nicolae.
> No problem seeing bind request for Nicola, icolae, Micolae, Ricolae,
> Nicolaebean.
> No bind attempted for Nicolae. All users are in the same part of the
> tree.
> $wgLDAPUseLocal = false;
> This looks like some sort of input validation.
> Any suggestions where I can start tracking this down?
>
> Thanks,
>
> Jeff
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l[at]Wikimedia.org
> http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

sy1234 at gmail

Sep 15, 2005, 5:30 AM

Post #3 of 3 (517 views)
Permalink

Re: LDAP Lookup Behavior [In reply to]

The LdapAuthentication plugin author might be interested to know your
findings. I've dropped a note on the talk page for that plugin:

http://meta.wikimedia.org/wiki/Talk:LDAP_Authentication#password_min_length_limit_curiosity

It has references to this thread, for their reference.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]Wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/mediawiki-l

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com