
mahara-contributors team mailing list archive

[Bug 1044168] [NEW] Users can not log in via LDAP using a different remote username

 

*** This bug is a security vulnerability ***

Private security bug reported:

Version: master
Platform: ubuntu, postgres, apache2, php5, and OpenLDAP server
Browsers: Chrome, FF

Assumptions:
 - an internal mahara account: u01 using Internal auth
 - an institution: A, which allows LDAP auth with User Attribute = uid (named A: My LDAP)
 - an LDAP account: uid='john'

Actions:
 1. Site admin opened "Account settings" of account: u01
 2. Admin changed 'Authentication method' to A: My LDAP
 3. Admin updated 'Username for external authentication' to 'john', clicked "Save changes", finally logged out
 4. In Login box, entered username=u01, password=<LDAP password for account john>, then clicked "Login"

Expected results:
 - Logged in as user: u01

Actual results:
 - Failed to log in. Error message: "You have not provided the correct credentials to log in. Please check your username and password are correct."

** Affects: mahara
     Importance: Undecided
         Status: New


** Tags: authentication

** Visibility changed to: Private

** This bug has been flagged as a security vulnerability

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
https://bugs.launchpad.net/bugs/1044168
