
Thread: LDAP Authentication Failure

  1. #11

    Hey Max! Here are the log excerpts: (tested with r5419@tp (orig r5291))

    deki-api.log:
    Code:
    2007-08-24 08:46:03,971 [-1235104848] WARN  MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
    LdapException: (49) Invalid Credentials
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
    LdapException: Matched DN:

    info.log:
    Code:
    2007-08-24 08:46:03,971 [-1235104848] WARN  MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
    LdapException: (49) Invalid Credentials
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
    LdapException: Matched DN:

    trace.log:
    Code:
    2007-08-24 08:46:03,971 [-1235104848] WARN  MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
    LdapException: (49) Invalid Credentials
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
    LdapException: Matched DN:

    warning.log:
    Code:
    2007-08-24 08:46:03,971 [-1235104848] WARN  MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
    LdapException: (49) Invalid Credentials
    LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
    LdapException: Matched DN:

    This was tested with the account "Administrator" with a password containing a $ in a Windows 2000 Advanced Server Active Directory Domain.

    In the meantime I changed my passwords in our AD anyway to get rid of the $-problem, so that bug is of minor importance for me now (thank god there are enough other signs on the keyboard one can choose from *g*).
    But I changed the Administrator password temporarily back to supply the logs for you. So the bug is not touching us anymore, but whenever you'd like me to test something, just shoot, that's no problem. I'm sure other users (like e.g. jspohrer) still might profit from a fix and I'm happy to contribute some feedback to this open source project.

  2. #12

    Just to make double-sure: I even tried your test with "Administrator/pa$$word" now - same result, Deki complains about bad credentials as reported above.

    One more note: I doubt that it's important to mention, but who knows. It's a German W2K Advanced Server.

  3. #13

    Ah, it's a _German_ Win2K server!!! Did you try € (euro) instead of $? Maybe it's biased...
    Steve G. Bjorg - Chief Architect

  4. #14

    Quote Originally Posted by SteveB View Post
    Ah, it's a _German_ Win2K server!!! Did you try € (euro) instead of $? Maybe it's biased...
    LOL! Nope, Deki doesn't like € either. Now come on, admit it, you coded it to behave like that cause it's open source.

  5. #15

    Can you take a look at your trace.log for statements starting with "Performing LDAP lookup"? This should contain your username/password handed off to the LDAP library for binding. Can you make sure this is the correct value as you've typed it in?

    You may need to modify your log4net settings at mindtouch.host.exe.config. At the bottom of this file change <level value="INFO"/> to <level value="TRACE"/>.

  6. #16

    I just checked trace.log as suggested. Guess what - the $ becomes a %24, that's why it fails.
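
Added example (not part of the thread and not MindTouch code): a Python check for the failure found in post #16, run over trace lines in the "Authenticating ... pw:" format of the logging patch posted in #20. The timestamps, verb signature, users and passwords in the sample are constructed; the check reports which percent-escapes survive in the password field and the Active Directory sub-code of the bind error that follows, without echoing the password.

```python
import re
from urllib.parse import unquote

# "Authenticating" format is from the logging patch in post #20; the server
# message is the one posted in #11. Timestamps, verb signature, users and
# passwords are constructed sample data.
SAMPLE_TRACE = """\
2007-08-24 08:46:03,950 TRACE Authenticating (POST:users/authenticate) Username: 'Administrator' pw: 'pa%24%24word'
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
2007-08-24 08:47:10,120 TRACE Authenticating (POST:users/authenticate) Username: 'jdoe' pw: 'Summer2007!'
2007-08-24 08:48:31,007 TRACE Authenticating (POST:users/authenticate) Username: 'msmith' pw: '100%25sure'
"""

AUTH_RE = re.compile(r"Authenticating \(.*?\) Username: '(?P<user>.*)' pw: '(?P<pw>.*)'$")
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+),")
# Active Directory sub-codes for LDAP result 49 (hex Win32 error codes).
AD_SUBCODES = {"525": "user not found", "52e": "invalid credentials",
               "532": "password expired", "533": "account disabled",
               "775": "account locked out"}


def find_encoded_credentials(trace_text):
    """Flag attempts whose password still carries percent-escapes and attach
    the AD sub-code of the bind failure logged after them, if any.
    The password itself is never returned or printed."""
    findings, current = [], None
    for line in trace_text.splitlines():
        auth = AUTH_RE.search(line)
        if auth:
            escapes = sorted({e.upper() for e in ESCAPE_RE.findall(auth.group("pw"))})
            current = None
            if escapes:  # a lead, not proof: a password may contain a literal "%24"
                current = {"user": auth.group("user"), "escapes": escapes,
                           "decoded": [unquote(e) for e in escapes], "bind_error": None}
                findings.append(current)
            continue
        sub = SUBCODE_RE.search(line)
        if sub and current is not None:
            code = sub.group(1).lower()
            current["bind_error"] = AD_SUBCODES.get(code, "sub-code " + code)
    return findings


if __name__ == "__main__":
    for f in find_encoded_credentials(SAMPLE_TRACE):
        print(f)
```

A hit paired with sub-code 52e rather than 525 says the directory found the account and rejected the password, which is what an undecoded `%24` in place of `$` produces.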

  7. #17

    Quote Originally Posted by merktnichts View Post
    I just checked trace.log as suggested. Guess what - the $ becomes a %24, that's why it fails.
    OK, at last a solid lead for this! For some reason on my system (Windows and Linux) it comes in just fine. Can you tell me which Mono and Apache versions you're using? Windows or Linux?

    I checked in more logging code at an earlier stage of authentication. Please update to the deki-1.8.2 branch to get this. Look for trace logging statements like "Authenticating" and let me know if the password is encoded here as well.

    Max

  8. #18

    Code:
    Mono JIT compiler version 1.2.2.1, (C) 2002-2006 Novell, Inc and Contributors. www.mono-project.com
            TLS:           normal
            GC:            Included Boehm (with typed GC)
            SIGSEGV:       normal
            Disabled:      none

    Code:
    Server version: Apache/2.2.3
    Server built:   Jun 17 2007 20:24:06

    That's all on a fully patched Debian Etch. I wouldn't wanna update to Debian Lenny yet as it's still marked as "testing", and the Debian that Deki is running on is our "production Unix".

    I can't find a deki-1.8.2 branch. I saw someone of the crew mentioning it in another post already and checked it some days ago. I checked again now and can't find it on https://dekiwiki.svn.sourceforge.net/svnroot/dekiwiki/. Could it be that you don't mirror it to SF? Only the trunk seems to be public.
    The Mindtouch SVN server isn't accessible from the outside anymore either, as it seems. (svn://dev.opengarden.org/svn only contains a ReadMe.) So there's no chance to get 1.8.2 sources for "the outside".

    ...Or you know a public URL I don't know yet. ;-)

  9. #19

    Quote Originally Posted by merktnichts View Post
    Code:
    Mono JIT compiler version 1.2.2.1, (C) 2002-2006 Novell, Inc and Contributors. www.mono-project.com
            TLS:           normal
            GC:            Included Boehm (with typed GC)
            SIGSEGV:       normal
            Disabled:      none

    Code:
    Server version: Apache/2.2.3
    Server built:   Jun 17 2007 20:24:06

    That's all on a fully patched Debian Etch. I wouldn't wanna update to Debian Lenny yet as it's still marked as "testing", and the Debian that Deki is running on is our "production Unix".

    I can't find a deki-1.8.2 branch. I saw someone of the crew mentioning it in another post already and checked it some days ago. I checked again now and can't find it on https://dekiwiki.svn.sourceforge.net/svnroot/dekiwiki/. Could it be that you don't mirror it to SF? Only the trunk seems to be public.
    The Mindtouch SVN server isn't accessible from the outside anymore either, as it seems. (svn://dev.opengarden.org/svn only contains a ReadMe.) So there's no chance to get 1.8.2 sources for "the outside".

    ...Or you know a public URL I don't know yet. ;-)
    merktnichts - We just created the 1.8.2 branch to do our development on and we haven't set up the sync to SF.net quite yet. Hopefully we'll have that branch mirrored to SF.net within the next 2 days.

    Thanks,
    pete
    PeteE - MindTouch lackey

  10. #20

    Meanwhile, if you have the ability to rebuild deki using build.sh, you can apply this small patch and give it a shot.

    Code:
    Index: D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs
    ===================================================================
    --- D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs	(revision 5336)
    +++ D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs	(revision 5337)
    @@ -94,6 +94,8 @@
                 // check if a username was provided
                 if (!string.IsNullOrEmpty(userName)) {
     
    +                LogUtils.LogTrace(DekiContext.Current.Log, context.Feature.VerbSignature, string.Format("Authenticating ({0}) Username: '{1}' pw: '{2}'", context.Feature.VerbSignature, userName, password));
    +
                     //Case 2: Given username + password
                     if (authService == null) {
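
    Review bot: the added LogUtils.LogTrace call writes the cleartext password (the {2} argument, logged as pw: '...') to the trace log for every request that supplies a username, so anyone who can read trace.log, or a copy of it attached to a forum post, gets directory credentials. For this diagnosis it would be enough to log the password length and whether it contains a '%' escape; if the raw value has to be logged, keep the line out of any build that ships and delete the trace file once the test is done. context.Feature.VerbSignature is also passed twice, once as the second LogTrace argument and once as {0}; check whether both are needed.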
