Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap-bind with AD fails when username contains character 'ß' (LATIN SMALL LETTER SHARP S) #393

Open
gupta-kanika-dev opened this issue Apr 29, 2021 · 0 comments
Open

ldap-bind with AD fails when username contains character 'ß' (LATIN SMALL LETTER SHARP S) #393

gupta-kanika-dev opened this issue Apr 29, 2021 · 0 comments

Comments

@gupta-kanika-dev
Copy link

Issue:

ldap-bind with AD fails when username contains character 'ß' (LATIN SMALL LETTER SHARP S)
For e.g.:
username: "Üßàùªñ1"
password: "something"
domain: ABC
ldap binding fails.

LDAP bind result comes like this:
#<OpenStruct extended_response=nil, code=0, error_message="", matched_dn="", message="Success">.
Failed with result code: 49 and error message: 8009030C: LdapErr: DSID-0C090597, comment: AcceptSecurityContext error, data 52e, v4563

Platform and gems:

Rails: 6.0.3.6
Ruby: 2.7.2
rubyntlm: 0.6.3
net-ldap: 0.16.3 (also tested with latest version 0.17.0)

More about scenario:

According to LDAP bind result:
#<OpenStruct extended_response=nil, code=0, error_message="", matched_dn="", message="Success">.
Failed with result code: 49 and error message: 8009030C: LdapErr: DSID-0C090597, comment: AcceptSecurityContext error, data 52e, v4563

  • result code: 49 means "Invalid credentials", and data code: 52e means ERROR_LOGON_FAILURE
  • While I am sure that username named "Üßàùªñ1" exists in AD. Hence, username and password being passed are correct.
  • Via debugging I have confirmed that domain, netbios, username, password inside Net::LDAP is correct but binding with AD fails inside Net::LDAP::AuthAdapter::Sasl#bind .
  • The :mechanism => "GSS-SPNEGO" and :method => :sasl is being used for ldap bind here.

Note: It should be noted that binding works well in our setup with normal unicode characters.
However it fails when username contains 'ß' (LATIN SMALL LETTER SHARP S- a unicode character only)

Debugging results:

I could figure out following difference between Rails 5.2 and Rails 6.0(as in Rails 5.2 binding works but not in Rails 6.0):
Till Rails 5.2, ActiveSupport::Multibyte::Chars#upcase was being maintained by Rails community and it provides casemapping for character 'ß' like this:

  • "Üßàùªñ1".mb_chars.upcase.to_s => "ÜßÀÙªÑ1"
    notice upper case-mapping for char 'ß' is 'ß' only.

Since Rails 6.0, ActiveSupport::Multibyte::Chars#upcase is deprecated and started calling String#upcase (https://rubydoc.info/stdlib/core/String#upcase-instance_method) internally instead of maintaining its own implementation. It provides case-mapping for character 'ß' like this in Rails 6.0:

  • "Üßàùªñ1".mb_chars.upcase.to_s => "ÜSSÀÙªÑ1"
    notice upper case-mapping for char 'ß' is 'SS' only.

Once again we should note here that String#upcase is following case-mapping according to Unicode standards(https://unicode.org/) only. So ideally NTLM authentication should work with it(use of String#upcase) in the authentication process. But its not the case here with ruby net-ldap.

It would be great to have any other thoughts or views about this issue and what can be the ways to fix it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@gupta-kanika-dev