View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
14108 | Feature requests | Plugins | public | 2018-09-28 10:06 | 2023-04-24 16:33 |
Reporter | halliballi123 | Assigned To | DenisChenu | ||
Priority | none | Severity | feature | ||
Status | closed | Resolution | fixed | ||
Summary | 14108: No error proper error message when LDAP<>LimeSurvey login fails due to case-sensitivity | ||||
Description | I use the LDAP plugin for authentication in LimeSurvey. When there is a user that has a username like HeyYou123 and the user wants to log in and uses heyyou123, the user has to pay attention to upper and lower case. But LDAP does not care about upper and lower case. It seems as if the username has to be exactly the same as it is in the LimeSurvey database. Moreover, there is no error about invalid credentials if the password is correct but the username is written completely in lowercase. | ||||
Additional Information | It looks like LimeSurvey uses LDAP, gets the OK from the LDAP server and then cannot find the user? | ||||
Tags | No tags attached. | ||||
Bug heat | 16 | ||||
Story point estimate | |||||
Users affected % | |||||
I think the severity of the bug should be higher |
|
So, if the user has the user name Foo in LimeSurvey and he logs in using 'foo' with LDAP Auth, what happens exactly? |
|
It takes quite long and the login screen is reloaded and no error is shown. (If the password is incorrect, an error is shown) |
|
I have the same problem in 3.17.1 (build 190408). |
|
The issue is more the lack of an error? No? |
|
Yeah, I think that the problem is the missing error message. I am a bit skeptical about forcing uppercase/lowercase because it will certainly affect existing users. |
|
No, in my opinion the problem is that LimeSurvey considers the username case-sensitive when using LDAP. If you use internal database login that is not the case, you can write the username uppercase or lowercase or whatever. By the way, I hardly know any system that cares about case sensitivity considering the username. Why should you force uppercase or lowercase? Isn't this a database query where you can ignore the case? |
|
And if you have : … you have a security issue … |
|
@halliballi123: That is not true. The internal DB admin login is also case-sensitive. |
|
Username in database: "user" and "USER" are the same user (not case-sensitive), but the password will be case-sensitive. |
|
@c_schmitz: Sorry, you are right. Was this always like that? Nonetheless, I don't think that usernames that are case-sensitive are a good idea. I know that this is standard in the Linux/Unix world. Windows and macOS users who are using the LimeSurvey backend are just not used to that. |
|
@dplazade: I am not sure what version you are using but the latest LimeSurvey version is case-sensitive regarding username. |
|
@c_schmitz
Please, tell me what line I should change in my code. I will register the users always in uppercase for LDAP. I need that any login user (LDAP) always validates it in upper case. In file: \application\core\plugins\AuthLDAP\AuthLDAP.php Thanks! |
|
You must do the search with SQL UCASE too :). Good to know that we cannot have 2 users with the same login :) :+1: |
|
Thanks @DenisChenu. How? SQL UCASE? Where? In conditions? |
|
In my database the table definition looks like users_name must be unique and the collation is utf8mb4_unicode_ci. Therefore a call of touppercase or tolowercase before comparing usernames would not be a security issue, in my opinion. |
|
Thanks @halliballi123 I will revise that :) |
|
Any news on this bug? |
|
A PR is being discussed here: https://github.com/LimeSurvey/LimeSurvey/pull/1363 |
|
So no solution? |
|
The PR is obviously dead so unless someone invests time to code it (or money so that someone else codes it) this issue will stay open. |
|
I'd like this feature too. When verifying LDAP usernames, the comparison is preferred to be case-insensitive. |
|
My solution :
|
|
In fact: we cannot set a username with uppercase or lowercase.
I didn't check other ways to create a user on MS SQL |
|
Tested on MSSQL + MARIADB + PGSQL, cannot create 2 users with the same login name and different case. |
|
@halliballi123 Can you test the following change, please? https://github.com/LimeSurvey/LimeSurvey/pull/2692/files |
|
@ollehar, this is just great. Tested in LimeSurvey 3.28.37+221108 and in LimeSurvey 5.6.0+230116 |
|
Thanks Denis :) |
|
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=34498 |
|
Fixed in Release 6.0.3+230424 |
|
LimeSurvey: master f8cb2b20 2023-04-18 15:55:19 Committer: GitHub Details Diff |
Fixed issue 14108: No error proper error message when LDAP login fails due to case-sensitivity (#2692) Dev: fix it by get the real username found |
Affected Issues 14108 |
|
mod - application/core/plugins/AuthLDAP/AuthLDAP.php | Diff File |
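
The mismatch discussed in this issue (the directory accepts `heyyou123`, the application's exact-match lookup does not, and no error is shown) and the approach named in the commit message ("get the real username found") can be modelled as follows. This is an added Python example, not code from LimeSurvey or the AuthLDAP plugin; the directory model, the sample accounts, the error text and all function names are assumptions made for illustration.

```python
import hmac
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample data, not taken from the issue.
DIRECTORY = {"heyyou123": {"uid": "HeyYou123", "password": "correct horse"}}
LOCAL_USERS = {"HeyYou123"}  # application accounts, matched character for character
GENERIC_ERROR = "Invalid credentials"  # hypothetical message text


class Result(NamedTuple):
    ok: bool
    user: Optional[str]
    error: Optional[str]


def directory_auth(typed: str, password: str) -> Optional[str]:
    """Model of a directory that matches the uid ignoring case.
    Returns the uid as stored in the directory, or None on failure."""
    entry = DIRECTORY.get(typed.casefold())
    if entry and hmac.compare_digest(entry["password"].encode(), password.encode()):
        return entry["uid"]
    return None


def login_typed_name(typed: str, password: str) -> Result:
    """Reported behaviour: the local lookup uses what the user typed."""
    if directory_auth(typed, password) is None:
        return Result(False, None, GENERIC_ERROR)
    if typed not in LOCAL_USERS:
        return Result(False, None, None)  # login page reloads, no message
    return Result(True, typed, None)


def login_directory_name(typed: str, password: str) -> Result:
    """Local lookup uses the uid the directory returned; every failure is reported."""
    uid = directory_auth(typed, password)
    if uid is None or uid not in LOCAL_USERS:
        return Result(False, None, GENERIC_ERROR)
    return Result(True, uid, None)


def case_collisions(names):
    """Local names differing only by case: they would map to one directory
    identity and must be resolved before relying on case-insensitive login."""
    groups = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

Running `case_collisions` over the existing account names before changing the matching rule covers the concern raised in the thread about two accounts that differ only in case.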
Date Modified | Username | Field | Change |
---|---|---|---|
2018-09-28 10:06 | halliballi123 | New Issue | |
2018-10-18 07:14 | halliballi123 | Note Added: 49357 | |
2018-10-19 16:23 | c_schmitz | Assigned To | => c_schmitz |
2018-10-19 16:23 | c_schmitz | Status | new => feedback |
2018-10-19 16:23 | c_schmitz | Note Added: 49377 | |
2018-10-22 09:02 | halliballi123 | Note Added: 49396 | |
2018-10-22 09:02 | halliballi123 | Status | feedback => assigned |
2019-04-25 14:01 | dplazade | Issue Monitored: dplazade | |
2019-04-25 14:05 | dplazade | Note Added: 51580 | |
2019-04-26 10:27 | DenisChenu | Note Added: 51585 | |
2019-04-26 10:42 | c_schmitz | Note Added: 51587 | |
2019-04-26 10:47 | halliballi123 | Note Added: 51588 | |
2019-04-26 10:50 | DenisChenu | Note Added: 51589 | |
2019-04-26 10:54 | c_schmitz | Note Added: 51590 | |
2019-04-26 11:08 | dplazade | Note Added: 51591 | |
2019-04-26 11:12 | halliballi123 | Note Added: 51592 | |
2019-04-26 11:13 | c_schmitz | Note Added: 51593 | |
2019-04-26 11:52 | dplazade | Note Added: 51596 | |
2019-04-26 12:58 | DenisChenu | Note Added: 51597 | |
2019-04-26 13:18 | dplazade | Note Added: 51599 | |
2019-04-26 13:27 | halliballi123 | Note Added: 51600 | |
2019-04-26 13:30 | dplazade | Note Added: 51601 | |
2019-04-26 13:52 | c_schmitz | Summary | username for login via LDAP plugin should not be case sensitive. => No error proper error message when LDAP<>LimeSurvey login fails due to case-sensitivity |
2019-11-19 16:11 | halliballi123 | Note Added: 54694 | |
2020-01-10 15:51 | ollehar | Note Added: 55201 | |
2021-03-26 07:28 | halliballi123 | Note Added: 63635 | |
2021-03-26 09:03 | c_schmitz | Assigned To | c_schmitz => |
2021-03-26 09:03 | c_schmitz | Status | assigned => confirmed |
2021-03-26 09:05 | c_schmitz | Note Added: 63641 | |
2021-09-06 09:42 | c_schmitz | Project | Bug reports => Feature requests |
2022-02-15 19:45 | mhladun | Note Added: 68315 | |
2022-02-15 19:45 | mhladun | Bug heat | 12 => 14 |
2022-10-29 11:57 | DenisChenu | Assigned To | => DenisChenu |
2022-10-29 11:57 | DenisChenu | Status | confirmed => assigned |
2022-10-29 11:57 | DenisChenu | Severity | @50@ => feature |
2022-10-29 12:05 | DenisChenu | Note Added: 72476 | |
2022-10-31 15:52 | DenisChenu | Note Added: 72494 | |
2022-11-03 16:45 | DenisChenu | Assigned To | DenisChenu => |
2022-11-03 16:45 | DenisChenu | Status | assigned => ready for code review |
2022-11-03 16:46 | DenisChenu | Note Added: 72533 | |
2023-04-18 14:14 | ollehar | Note Added: 74519 | |
2023-04-18 14:16 | ollehar | Assigned To | => ollehar |
2023-04-18 14:16 | ollehar | Status | ready for code review => feedback |
2023-04-18 15:42 | halliballi123 | Note Added: 74524 | |
2023-04-18 15:42 | halliballi123 | Status | feedback => assigned |
2023-04-18 15:54 | ollehar | Note Added: 74525 | |
2023-04-18 15:55 | DenisChenu | Changeset attached | => LimeSurvey master f8cb2b20 |
2023-04-18 15:55 | DenisChenu | Note Added: 74526 | |
2023-04-18 15:55 | DenisChenu | Assigned To | ollehar => DenisChenu |
2023-04-18 15:55 | DenisChenu | Resolution | open => fixed |
2023-04-18 15:55 | ollehar | Status | assigned => resolved |
2023-04-24 16:33 | LimeBot | Note Added: 74613 | |
2023-04-24 16:33 | LimeBot | Status | resolved => closed |
2023-04-24 16:33 | LimeBot | Bug heat | 14 => 16 |