LDAP authentication filter does not support non-English characters?


jet lam

19.04.2020, 22:22:58
to gitblit
ENVIRONMENT
centos 7.5 x86_64
gitblit-1.9.1.tar.gz
JDK1.8 
OpenLDAP 2.4.47



I configured the gitblit realm.ldap.accountPattern and it is not working well.

With English characters, gitblit LDAP authentication is OK:
realm.ldap.accountPattern = (&(uid=${username})(issystemuser=no))

With non-English characters, gitblit LDAP authentication gives an error:
realm.ldap.accountPattern = (&(uid=${username})(issystemuser=管理员))



Looking forward to your reply.

Florian Zschocke

29.05.2020, 16:48:06
to gitblit
A unit test using the embedded in-memory LDAP server shows this is working. So it seems not to be an inherent problem in the code but rather in the connection to the OpenLDAP server.

Is this working for you when you use a command line client to query the OpenLDAP server? Did you have to provide special client connection parameters for it to work?

I haven't tried this with an OpenLDAP server, yet. I actually would expect it to work, since LDAPv3 is UTF-8 by default, and LDAPv3 is nothing new.

jet lam

02.06.2020, 21:48:08
to gitblit
Thank you so much for your help.

I only use gitblit to connect to OpenLDAP server, not a command line client to query.

It is normal to connect to openldap on other platforms, such as zabbix, jenkins, etc.


On Saturday, 30 May 2020 at 04:48:06 UTC+8, Florian Zschocke wrote:

Florian Zschocke

21.06.2020, 10:52:13
to gitblit
It turns out, this is not a LDAP problem. Gitblit is reading the properties file from an InputStream, which means that the character set is assumed to be ISO-8859-1.
That means that you have to write characters that are not in Latin-1 as Unicode escape sequences. In your case that would for example be:

realm.ldap.accountPattern = (&(uid=${username})(issystemuser=\u7ba1\u7406\u5458))


Which Java version are you using? This is supposedly changed in Java 9 onwards when the default for properties changed to UTF-8. But I didn't check that.
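The following is an added example, not code from the thread or from the Gitblit project, that reproduces the failure mode described in this reply and the escape workaround. It emulates only the part of java.util.Properties.load(InputStream) behaviour that matters here (assumption: bytes are decoded as ISO-8859-1 and \uXXXX escapes are then resolved; line continuations and other .properties syntax are ignored), and the sample lines are constructed from the filter quoted in the thread:

```python
# Added example: why a UTF-8 encoded gitblit.properties loses non-Latin-1
# characters when read via Properties.load(InputStream), and how \uXXXX
# escapes avoid that. The loader below is a simplified emulation of the
# Java behaviour (assumption), not Gitblit's real property loading code.
import re

INTENDED = "管理员"  # the issystemuser value the poster wanted in the filter

# Constructed sample lines: the same property as an editor would save it
# in UTF-8, and in the escaped form suggested in the thread.
RAW_UTF8_LINE = (
    "realm.ldap.accountPattern = (&(uid=${username})(issystemuser=管理员))"
).encode("utf-8")
ESCAPED_LINE = (
    "realm.ldap.accountPattern = "
    "(&(uid=${username})(issystemuser=\\u7ba1\\u7406\\u5458))"
).encode("ascii")

_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
_ISSYSTEMUSER = re.compile(r"issystemuser=([^)]*)")


def load_property_value(line: bytes) -> str:
    """Emulate Properties.load(InputStream) for one 'key = value' line:
    decode the bytes as ISO-8859-1 (one char per byte, never fails),
    then resolve \\uXXXX escapes. UTF-8 multibyte sequences therefore
    come out as several Latin-1 characters (mojibake)."""
    text = line.decode("iso-8859-1")
    _, _, value = text.partition("=")
    value = value.strip()
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def issystemuser_value(ldap_filter: str) -> str:
    """Pull the issystemuser assertion value out of the loaded filter."""
    m = _ISSYSTEMUSER.search(ldap_filter)
    return m.group(1) if m else ""


def to_java_escapes(s: str) -> str:
    """Escape every character outside Latin-1 as \\uXXXX (what native2ascii
    does), so the value survives an ISO-8859-1 read. Characters outside
    the BMP are written as a UTF-16 surrogate pair, as Java expects."""
    out = []
    for ch in s:
        cp = ord(ch)
        if cp < 0x100:
            out.append(ch)
        elif cp < 0x10000:
            out.append(f"\\u{cp:04x}")
        else:
            cp -= 0x10000
            out.append(f"\\u{0xD800 + (cp >> 10):04x}"
                       f"\\u{0xDC00 + (cp & 0x3FF):04x}")
    return "".join(out)


def filter_bytes_on_wire(ldap_filter: str) -> bytes:
    """LDAPv3 sends filter values as UTF-8. A value that was already
    mangled at load time is re-encoded as-is, so the directory server
    never receives the bytes of the intended string and the search
    simply matches nothing (seen in Gitblit as 'invalid credentials')."""
    return ldap_filter.encode("utf-8", errors="surrogatepass")


if __name__ == "__main__":
    for label, line in (("UTF-8 file", RAW_UTF8_LINE), ("escaped", ESCAPED_LINE)):
        value = issystemuser_value(load_property_value(line))
        print(f"{label:10s} -> {value!r} "
              f"({'OK' if value == INTENDED else 'garbled'})")
    print("escaped form:", to_java_escapes(INTENDED))
```

Running it shows the UTF-8 file yielding a nine-character Latin-1 string instead of the three intended characters, while the escaped line yields the intended filter; `to_java_escapes` produces the exact replacement value to paste into gitblit.properties.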



islan...@gmail.com

22.06.2020, 03:38:01
to gitblit
I tried your method before and it does not work.
My JDK version is Oracle jdk1.8.0_152; I also tried OpenJDK 14.

gitblit log shows:
[WARN ] Failed login attempt for xxx, invalid credentials from y.y.y.y  

Florian Zschocke

22.06.2020, 16:51:04
to gitblit
Hmm, this is weird. I tested this and that is how I made it work.

You can turn on debug output for the LDAP client by setting the following JVM properties when starting Gitblit to investigate.

-Dcom.unboundid.ldap.sdk.debug.enabled=true -Dcom.unboundid.ldap.sdk.debug.level=FINE

islan...@gmail.com

22.06.2020, 22:37:53
to gitblit
In fact, I had also tried turning on debug mode before, and nothing was found.

My gitblit.service configuration:
Environment="ARGS=-server -Xmx2048M -Djava.awt.headless=true -Dcom.unboundid.ldap.sdk.debug.enabled=true -Dcom.unboundid.ldap.sdk.debug.level=FINE -cp"

gitblit log shows:
2020-06-23 10:13:05 [WARN ] could not authenticate aaaa (/x.x.x.x:53349) for SSH using the supplied password
2020-06-23 10:13:05 [INFO ] closed ssh session from /x.x.x.x:53349
2020-06-23 10:13:32 [WARN ] Failed login attempt for bbbb, invalid credentials from y.y.y.y
2020-06-23 10:16:51 [INFO ] Starting user and group sync with ldap service
2020-06-23 10:16:51 [INFO ] Synchronizing with LDAP @ ldap://z.z.z.z:1389
2020-06-23 10:16:51 [INFO ] Finished user and group sync with ldap service

BTW:
gitblit configuration
realm.ldap.synchronize = true
realm.ldap.syncPeriod = 5 MINUTES

but users.conf does not show the LDAP-synced account information.

Why does gitblit want to cache LDAP user data? I think this is not a good approach, or maybe it is to avoid interference from authentication connection failures, right?

Florian Zschocke

23.06.2020, 14:59:43
to gitblit
That is certainly not enough debug output. Where are you checking the output? Since the LDAP library has its own logging, it might not end up in the log file but on the console.

As long as no one can log in, Gitblit is probably not able to find users in LDAP and hence no users get synchronised. There is a little bit of debug logging regarding LDAP in Gitblit, but not much.

The benefit of caching can be if you want to assign rights to a user or a team, before that user has logged in. Otherwise Gitblit doesn't know about that user until she logs in the first time.

islan...@gmail.com

23.06.2020, 23:48:42
to gitblit
Just now I manually ran gitblit:
java -server -Xmx2048M -Djava.awt.headless=true -Dcom.unboundid.ldap.sdk.debug.enabled=true -Dcom.unboundid.ldap.sdk.debug.level=FINE -cp gitblit.jar:ext/* com.gitblit.GitBlitServer --httpsPort $GITBLIT_HTTPS_PORT --httpPort $GITBLIT_HTTP_PORT --baseFolder $GITBLIT_BASE_FOLDER

and the debug information did show that the non-English characters in the LDAP connection were garbled.
Just like you said last time:
realm.ldap.accountPattern = (&(uid=${username})(issystemuser=\u7ba1\u7406\u5458))

This way works.