Weird authentication issue - username + password not working with RBT


Eric Johnson

Jul 23, 2019, 1:53:30 AM
to revie...@googlegroups.com
I'm not even sure where / how to troubleshoot this issue.

I've got clients of the server that I'm managing that have no problem accessing the ReviewBoard website with a standard username and password login.

(Note, as it may be relevant to understanding / diagnosing the issue:
  • I serve multiple instances of ReviewBoard from the same server - each gets a separate database - but they are all sharing the same memcached instance.
  • I've got a custom authentication handler, as I need to be able to authenticate against two possible LDAP servers.
)

Weirdly, for some users, for some ReviewBoard instances (but not all of them), the "rbt" tool now no longer works with username + password for authentication.

So far, users have been able to get back to work using API tokens for authentication instead. The question remains, though:

Why is it that only some users can no longer use "rbt" with username + password authentication, but the same username + password works when logging into the website directly?

Any suggestions for how to troubleshoot this / reproduce the problem?

Eric.

Paul Mansfield

Jul 23, 2019, 6:03:45 AM
to Review Board Community
just a thought, but do your users have complex passwords with interesting punctuation? are they using single or double quotes when providing usernames/passwords and require complex escaping of punctuation?



Christian Hammond

Jul 23, 2019, 6:36:40 AM
to revie...@googlegroups.com
Generally speaking, the contents of a password should never be a problem. We don't store passwords, just hashes (we use Django's implementation of the PBKDF2 algorithm), and compare against those. This is assuming that the auth backend isn't doing anything special with the password, but I know there's a custom backend in play here.

Two possibilities spring to mind:

1) If the server is internal to the network, but the users are using HTTP proxies, they should try passing --disable-proxy when running `rbt post`, see if that solves anything. We've seen cases in the past where some proxy servers have interfered with authentication or have messed with headers.

2) Given that you have a custom auth backend, it's always possible that it's not quite doing what you expect for some of these users.

My suspicions are that #2 is the issue. The reason is that auth tokens do not go through the auth backend, but do use the Authorization HTTP header, so it's *probably* not the proxy server. Auth tokens are handled at a different layer, which compares them against the user's list of generated tokens. If they're working, but a username/password for the same user is failing, it means that the auth backend is rejecting the credentials at some level, so perhaps either the auth backend itself is doing something wrong (maybe handling the string types incorrectly and breaking with special characters, or the credentials are being passed to the wrong LDAP server, or something), or there's a configuration issue somewhere involving the LDAP server or your Review Board server's config for it.

We do offer assistance with debugging in-house extensions and customizations in a Premium Support contract, if you're interested in hearing more about that. I'm not sure about your operation, but if you're managing a number of servers for different clients and maintaining customizations, and part of your business depends on all this working without interruption, you might find it to be valuable. Support is confidential and generally is going to be much faster than on here. We can find something that works for you, if you'd like me to reach out with more details and put together a quote.

Christian

On Tue, Jul 23, 2019 at 3:03 AM Paul Mansfield <paul.ma...@agileanalog.com> wrote:
just a thought, but do your users have complex passwords with interesting punctuation? are they using single or double quotes when providing usernames/passwords and require complex escaping of punctuation?





--
Christian Hammond
President/CEO of Beanbag
Makers of Review Board
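
Added example (not part of the thread, and not Review Board or RBTools code): one way to test the string-handling possibility raised above, assuming rbt sends the username and password in an HTTP Basic `Authorization` header while the website login submits a form. It checks whether a given credential pair survives when the client and the server disagree on the header's character encoding; the function names and sample credentials are constructed for illustration.

```python
import base64
import binascii

def basic_header(username, password, charset):
    """Client side: build the Authorization value for HTTP Basic auth."""
    raw = f"{username}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(value, charset):
    """Server side: recover (username, password), or None if undecodable."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode(charset)
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: a password may itself contain ':'.
    username, sep, password = text.partition(":")
    return (username, password) if sep else None

def charset_matrix(username, password, charsets=("utf-8", "latin-1")):
    """Map (client charset, server charset) -> True if credentials survive."""
    results = {}
    for client in charsets:
        try:
            header = basic_header(username, password, client)
        except UnicodeEncodeError:
            continue  # this client charset cannot represent the password
        for server in charsets:
            decoded = parse_basic_header(header, server)
            results[(client, server)] = decoded == (username, password)
    return results

def at_risk(username, password):
    """True if any client/server charset combination alters the credentials."""
    return not all(charset_matrix(username, password).values())

if __name__ == "__main__":
    # Constructed sample credentials, not taken from the thread.
    samples = [("alice", "p@ss:w'ord\"!"), ("bob", "pässwörd")]
    for user, pw in samples:
        print(user, "at risk:", at_risk(user, pw), charset_matrix(user, pw))
```

Punctuation-only ASCII passwords pass every combination, so a failure limited to users with non-ASCII characters points at encoding handling in the header path or the custom backend rather than at quoting.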