View Issue Details

ID: 14108
Project: Feature requests
Category: Plugins
View Status: public
Last Update: 2022-11-03 16:46
Reporter: halliballi123
Assigned To: (none)
Priority: none
Severity: feature
Status: ready for code review
Resolution: open
Summary: 14108: No proper error message when LDAP<>LimeSurvey login fails due to case-sensitivity
Description

I use the LDAP plugin for authentication in LimeSurvey. When there is a user with a username like HeyYou123 and the user wants to log in and uses heyyou123, the user has to pay attention to upper and lower case. But LDAP does not care about upper and lower case. It seems as if the username has to be exactly the same as it is in the LimeSurvey database.

Moreover, there is no error about invalid credentials if the password is correct but the username is written completely in lowercase.

Additional Information

It looks like LimeSurvey uses LDAP, gets the OK from the LDAP server and then cannot find the user?

Tags: No tags attached.
Bug heat: 14
Users monitoring this issue: dplazade

Activities

halliballi123 (reporter), 2018-10-18 07:14, note ~49357

I think the severity of the bug should be higher

c_schmitz (administrator), 2018-10-19 16:23, note ~49377

So, if the user has the user name Foo in LimeSurvey and he logs in using 'foo' with LDAP Auth, what happens exactly?

halliballi123 (reporter), 2018-10-22 09:02, note ~49396

It takes quite long and the login screen is reloaded and no error is shown.

(If the password is incorrect, an error is shown)

dplazade (reporter), 2019-04-25 14:05, note ~51580

I have same problem in 3.17.1 (build 190408) .

DenisChenu (developer), 2019-04-26 10:27, note ~51585

The issue is more the missing error, no?

c_schmitz (administrator), 2019-04-26 10:42, note ~51587

Yeah, I think that the problem is the missing error message. I am a bit skeptical about forcing uppercase/lowercase because it will certainly affect existing users.

halliballi123 (reporter), 2019-04-26 10:47, note ~51588

No, in my opinion the problem is that LimeSurvey considers the username case-sensitive when using LDAP. If you use the internal database login that is not the case; you can write the username in uppercase or lowercase or whatever.

By the way, I hardly know any system that cares about case sensitivity regarding the username.

Why should you force uppercase or lowercase? Isn't this a database query where you can ignore the case?

DenisChenu (developer), 2019-04-26 10:50, note ~51589

And if you have:

  • one DB user "UserName" with his password in the DB and AuthDB true,
  • one LDAP user "username" with another password and AuthDB+AuthLDAP true,

... you have a security issue ...

c_schmitz (administrator), 2019-04-26 10:54, note ~51590

@halliballi123: That is not true. The internal DB admin login is also case-sensitive.

dplazade (reporter), 2019-04-26 11:08, note ~51591

Username in the database: "user" and "USER" are the same user (not case-sensitive), but the password is case-sensitive.
I only tested it with LDAP login.

halliballi123 (reporter), 2019-04-26 11:12, note ~51592

@c_schmitz: sorry, you are right. Was this always like that?

Nonetheless, I don't think that case-sensitive usernames are a good idea.

I know that this is standard in the Linux/Unix world. Windows and macOS users who are using the LimeSurvey backend are just not used to that.
I think you can configure that in your LDAP server as well and .... .... ... of course it's your system, and if nobody else has a problem with that ... ... then Denis is right, there should be at least a message.

c_schmitz (administrator), 2019-04-26 11:13, note ~51593

@dplazade: I am not sure which version you are using, but the latest LimeSurvey version is case-sensitive regarding the username.
For example, if you have a user 'admin' you will not be able to log in with 'Admin' (and the same password).

dplazade (reporter), 2019-04-26 11:52, note ~51596

@c_schmitz
Sorry, I meant me. I think it would be a good performance:

  • login with internal DB: case-sensitive
  • login with LDAP: not case-sensitive

Please tell me what line I should change in my code. I will always register the users in uppercase for LDAP. I need any login user (LDAP) to always be validated in upper case.

In file: \application\core\plugins\AuthLDAP\AuthLDAP.php
I changed line 429:
$username = strtoupper($this->getUsername());
But I have the same issue :)

Thanks!

DenisChenu (developer), 2019-04-26 12:58, note ~51597

You must do the search with SQL UCASE too :).

Good to know that we cannot have two users with the same login :) :+1:

dplazade (reporter), 2019-04-26 13:18, note ~51599

Thanks @DenisChenu.

How? SQL UCASE? Where? In the conditions?

halliballi123 (reporter), 2019-04-26 13:27, note ~51600

In my database the table definition says users_name must be unique and the collation is utf8mb4_unicode_ci,
so there can't be two users that have the same username in different upper/lower case versions.

Therefore a call of toUpperCase or toLowerCase before comparing usernames would not be a security issue, in my opinion.

dplazade (reporter), 2019-04-26 13:30, note ~51601

Thanks @halliballi123, I will revise that :)

halliballi123 (reporter), 2019-11-19 16:11, note ~54694

Any news on this bug?

ollehar (administrator), 2020-01-10 15:51, note ~55201

A PR is being discussed here: https://github.com/LimeSurvey/LimeSurvey/pull/1363

halliballi123 (reporter), 2021-03-26 07:28, note ~63635

So no solution?

c_schmitz (administrator), 2021-03-26 09:05, note ~63641

The PR is obviously dead, so unless someone invests time to code it (or money so that someone else codes it) this issue will stay open.

mhladun (reporter), 2022-02-15 19:45, note ~68315

I'd like this feature too. When verifying LDAP usernames, the comparison is preferred to be case-insensitive.

DenisChenu (developer), 2022-10-29 12:05, note ~72476

My solution:

  1. Add an option "Search case-sensitive", unchecked by default (avoids the security issue about a user with AuthDB and LDAP): some instances have only LDAP accounts and one DB account (the initial superadmin).
  2. Compare case-sensitively if it is checked.

DenisChenu (developer), 2022-10-31 15:52, note ~72494

"Yeah, I think that the problem is the missing error message. I am a bit skeptical about forcing uppercase/lowercase because it will certainly affect existing users." (c_schmitz, ~51587)

In fact: we cannot set a username that differs only in uppercase or lowercase.

  1. If you already have MyLogin, you cannot create mylogin (manually via the admin GUI) (tested on MariaDB + MS SQL Server).
  2. We manually check for AuthDB, see https://github.com/LimeSurvey/LimeSurvey/blob/73ef7087b344ea55b44629ba596708e540d15838/application/core/plugins/Authdb/Authdb.php#L163

I didn't check other ways to create a user on MS SQL.
Maybe it's better to force https://www.yiiframework.com/doc/api/1.1/CUniqueValidator#caseSensitive-detail to true?

DenisChenu (developer), 2022-11-03 16:46, note ~72533

Tested on MSSQL + MariaDB + PgSQL: cannot create two users with the same login name and different case.
Maybe it must be set clearly?
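
The thread above turns on two points: LDAP accepts the credentials whatever the letter case, after which the LimeSurvey user lookup fails with no message at all (the reporter's description and ~49396), and a case-insensitive lookup is only safe because the unique index on users_name already refuses two logins that differ only in case (~51589, ~51600, ~72533). The following Python model is an added example, not code from LimeSurvey's AuthLDAP plugin (which is PHP). Its assumptions: an in-memory SQLite table stands in for the LimeSurvey users table, with COLLATE NOCASE in place of the utf8mb4_unicode_ci collation the reporter mentions; ldap_bind() is a constructed stub for the directory; the case_sensitive switch models the option proposed in ~72476; and the auth_ldap column, the account names and the passwords are invented for the example.

```python
# Added example, not LimeSurvey code. Models the "LDAP says OK, then the
# LimeSurvey user lookup fails silently" path from this issue, with the lookup
# made case-insensitive and a proper message returned on every failure path.
import sqlite3

# Constructed stand-in directory: LDAP matches the name in any case, as the
# reporter describes. Names and passwords are invented for the example.
LDAP_ACCOUNTS = {"heyyou123": "s3cret-pw", "admin": "ldap-admin-pw"}


def ldap_bind(username, password):
    """Stub for the LDAP bind; the directory compares usernames case-insensitively."""
    return LDAP_ACCOUNTS.get(username.lower()) == password


def build_db():
    """users_name is UNIQUE under a case-insensitive collation (NOCASE stands in
    for utf8mb4_unicode_ci). auth_ldap is an assumed per-user flag modelling the
    AuthDB/AuthLDAP distinction made in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " uid INTEGER PRIMARY KEY,"
        " users_name TEXT NOT NULL COLLATE NOCASE UNIQUE,"
        " auth_ldap INTEGER NOT NULL DEFAULT 0)"
    )
    # The reporter's LDAP user and a DB-only initial superadmin (~72476).
    conn.execute("INSERT INTO users (users_name, auth_ldap) VALUES (?, ?)", ("HeyYou123", 1))
    conn.execute("INSERT INTO users (users_name, auth_ldap) VALUES (?, ?)", ("admin", 0))
    return conn


def create_user(conn, name, auth_ldap=1):
    """Return True if created, False if a case-variant of the name already exists.
    This is the check DenisChenu verified on MariaDB, MSSQL and PgSQL: the unique
    index rejects a second account differing only in case."""
    try:
        conn.execute("INSERT INTO users (users_name, auth_ldap) VALUES (?, ?)", (name, auth_ldap))
        return True
    except sqlite3.IntegrityError:
        return False


def ldap_login(conn, username, password, case_sensitive=False):
    """Return (ok, message). Every failure yields text the login form can show
    instead of silently reloading (the behaviour reported in ~49396)."""
    if not ldap_bind(username, password):
        return False, "Incorrect username or password."
    # Explicit COLLATE on the bound value overrides the column's collation, so
    # the same query serves both settings of the proposed case-sensitive option.
    collation = "BINARY" if case_sensitive else "NOCASE"
    rows = conn.execute(
        "SELECT uid, users_name, auth_ldap FROM users WHERE users_name = ? COLLATE %s" % collation,
        (username,),
    ).fetchall()
    if not rows:
        # The case this issue is about: LDAP accepted the credentials, but no
        # matching LimeSurvey user exists. Say so rather than reload the form.
        return False, "LDAP authentication succeeded, but no LimeSurvey user matches '%s'." % username
    if len(rows) > 1:
        # Unreachable with the unique index; refuse rather than pick one if the
        # schema ever differs (the collision DenisChenu warned about in ~51589).
        return False, "Ambiguous username; contact an administrator."
    uid, stored_name, auth_ldap = rows[0]
    if not auth_ldap:
        # A DB-only account cannot be entered through the directory, even when
        # the directory knows the same name in a different case.
        return False, "User '%s' exists but is not enabled for LDAP login." % stored_name
    return True, stored_name


if __name__ == "__main__":
    db = build_db()
    print(create_user(db, "heyyou123"))                 # case-variant rejected by the index
    print(ldap_login(db, "heyyou123", "s3cret-pw"))     # case-insensitive: logs in as HeyYou123
    print(ldap_login(db, "heyyou123", "s3cret-pw", case_sensitive=True))  # explicit message
    print(ldap_login(db, "ADMIN", "ldap-admin-pw"))     # DB-only account refused with a message
```

With the default (case-insensitive) setting a lowercase login maps onto the stored HeyYou123 row; with case_sensitive=True the same call reproduces the reporter's "LDAP says OK, user not found" path, but now with a message that names the problem. create_user() shows why the relaxed lookup cannot land on a second, case-variant account: the index refuses to create one in the first place.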

Issue History

Date Modified Username Field Change
2018-09-28 10:06 halliballi123 New Issue
2018-10-18 07:14 halliballi123 Note Added: 49357
2018-10-19 16:23 c_schmitz Assigned To => c_schmitz
2018-10-19 16:23 c_schmitz Status new => feedback
2018-10-19 16:23 c_schmitz Note Added: 49377
2018-10-22 09:02 halliballi123 Note Added: 49396
2018-10-22 09:02 halliballi123 Status feedback => assigned
2019-04-25 14:01 dplazade Issue Monitored: dplazade
2019-04-25 14:05 dplazade Note Added: 51580
2019-04-26 10:27 DenisChenu Note Added: 51585
2019-04-26 10:42 c_schmitz Note Added: 51587
2019-04-26 10:47 halliballi123 Note Added: 51588
2019-04-26 10:50 DenisChenu Note Added: 51589
2019-04-26 10:54 c_schmitz Note Added: 51590
2019-04-26 11:08 dplazade Note Added: 51591
2019-04-26 11:12 halliballi123 Note Added: 51592
2019-04-26 11:13 c_schmitz Note Added: 51593
2019-04-26 11:52 dplazade Note Added: 51596
2019-04-26 12:58 DenisChenu Note Added: 51597
2019-04-26 13:18 dplazade Note Added: 51599
2019-04-26 13:27 halliballi123 Note Added: 51600
2019-04-26 13:30 dplazade Note Added: 51601
2019-04-26 13:52 c_schmitz Summary username for login via LDAP plugin should not be case sensitive. => No error proper error message when LDAP<>LimeSurvey login fails due to case-sensitivity
2019-11-19 16:11 halliballi123 Note Added: 54694
2020-01-10 15:51 ollehar Note Added: 55201
2021-03-26 07:28 halliballi123 Note Added: 63635
2021-03-26 09:03 c_schmitz Assigned To c_schmitz =>
2021-03-26 09:03 c_schmitz Status assigned => confirmed
2021-03-26 09:05 c_schmitz Note Added: 63641
2021-09-06 09:42 c_schmitz Project Bug reports => Feature requests
2022-02-15 19:45 mhladun Note Added: 68315
2022-02-15 19:45 mhladun Bug heat 12 => 14
2022-10-29 11:57 DenisChenu Assigned To => DenisChenu
2022-10-29 11:57 DenisChenu Status confirmed => assigned
2022-10-29 11:57 DenisChenu Severity @50@ => feature
2022-10-29 12:05 DenisChenu Note Added: 72476
2022-10-31 15:52 DenisChenu Note Added: 72494
2022-11-03 16:45 DenisChenu Assigned To DenisChenu =>
2022-11-03 16:45 DenisChenu Status assigned => ready for code review
2022-11-03 16:46 DenisChenu Note Added: 72533