provectus/kafka-ui

LDAP Auth + OTP (Yubi key) doesn't work: Password length?

Open

#2,512 opened on Sep 1, 2022


Description

Hello,

Describe the bug

If we enable OTP for LDAP auth on our user management (webadm), then login fails with "LDAP OK, but OTP failed".

Set up

  • Version: v0.4.0
  • Puppet / Yaml config:
...
    env:
    ... 
      - SPRING_LDAP_URLS=ldap://%{hiera('yubiauth_host')}:389
      - SPRING_LDAP_USERFILTER_SEARCHBASE=ou=People,dc=example,dc=com
      - SPRING_LDAP_USERFILTER_SEARCHFILTER=(&(uid={0})(objectClass=inetOrgPerson))
      - SPRING_LDAP_ADMINUSER=cn=webadmin,ou=Accounts,dc=example,dc=com
      - SPRING_LDAP_ADMINPASSWORD=%{hiera('global_ldap_webadmin')}

Enable OTP for the user account on LDAP, so it looks like: userpasswordLooooooonnnnnnggggggYubiOTP string

So the string is based on the LDAP userpassword + OTP, which is 45 chars long. The password can then be up to 80 chars long or longer. I can see in the LDAP logs that the user is found, so the admin password and search work. I will try later to disable OTP for my account to see if it helps, but it could be possible that there is a char limit for the password field.

cu denny
