provectus/kafka-ui

LDAP Auth + OTP (Yubi key) doesn't work: Password length?

Open

#2512 opened on Sep 1, 2022

Labels: area/auth, good first issue, scope/backend, status/accepted, type/bug

Description

Hello,

Describe the bug

If we enable OTP for LDAP auth on our user management (webadm), then login fails with LDAP OK, but OTP failed.

Set up

  • Version: v0.4.0
  • Puppet / Yaml config:
...
    env:
    ... 
      - SPRING_LDAP_URLS=ldap://%{hiera('yubiauth_host')}:389
      - SPRING_LDAP_USERFILTER_SEARCHBASE=ou=People,dc=example,dc=com
      - SPRING_LDAP_USERFILTER_SEARCHFILTER=(&(uid={0})(objectClass=inetOrgPerson))
      - SPRING_LDAP_ADMINUSER=cn=webadmin,ou=Accounts,dc=example,dc=com
      - SPRING_LDAP_ADMINPASSWORD=%{hiera('global_ldap_webadmin')}

Enable OTP for the user account on LDAP, so it looks like: userpasswordLooooooonnnnnnggggggYubiOTP string

So the string is based on the LDAP userpassword + OTP, which is 45 chars long. The password can then be up to 80 chars long or longer. I can see in the LDAP logs that the user is found, so the admin password and the search work. I will try later to disable OTP for my account to see if it helps, but it could be possible that there is a char limit for the password field.

cu denny
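To tell a directory-side limit apart from an application-side one, the following added diagnostic (not part of this report or of the kafka-ui code base) performs the same two-step search-then-bind that the SPRING_LDAP_* settings above describe, using the report's search base, filter and admin DN. LDAP_HOST, the LDAP_ADMIN_PW and LDAP_USER_CRED environment variables and the test account's uid are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class LdapLongCredentialCheck {
    // Assumed placeholders mirroring the report's config; substitute your own values.
    static final String URL = "ldap://LDAP_HOST:389";
    static final String ADMIN_DN = "cn=webadmin,ou=Accounts,dc=example,dc=com";
    static final String SEARCH_BASE = "ou=People,dc=example,dc=com";
    static final String FILTER = "(&(uid={0})(objectClass=inetOrgPerson))";
    static Hashtable<String, String> env(String principal, String credential) {
        // An empty credential makes JNDI bind anonymously and report success, so refuse it.
        if (credential == null || credential.isEmpty()) throw new IllegalArgumentException("empty credential");
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        return env;
    }
    // Step 1: bind as the admin account and resolve the user's DN with the report's search
    // base and filter ({0} becomes the uid); one-level scope, widen it if users sit deeper.
    static String findUserDn(String uid) throws NamingException {
        LdapContext ctx = new InitialLdapContext(env(ADMIN_DN, System.getenv("LDAP_ADMIN_PW")), null);
        try {
            NamingEnumeration<SearchResult> r = ctx.search(SEARCH_BASE, FILTER, new Object[]{uid}, null);
            if (!r.hasMore()) throw new NamingException("no entry for uid=" + uid);
            return r.next().getNameInNamespace();
        } finally {
            ctx.close();
        }
    }

    // Step 2: bind as that DN with the full password+OTP string; the directory's own answer
    // shows whether it accepts a credential of that length, independently of the application.
    static boolean bindAs(String dn, String credential) {
        try {
            new InitialLdapContext(env(dn, credential), null).close();
            return true;
        } catch (NamingException e) {
            System.err.println("bind failed for " + credential.length() + "-char credential: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws NamingException { // args[0] = uid of the test account
        System.out.println(bindAs(findUserDn(args[0]), System.getenv("LDAP_USER_CRED")));
    }
}
```

Run it once with the plain password and once with password+OTP: if the second bind succeeds here but fails in the UI, the limit is in the application path rather than in the directory.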
