By: David Kananen named 09 Oct 2024 at 12:37 p.m. CDT

24 Responses
David Kananen gravatar
We are standing up a new Gluu server with Postgres as the backing storage and have noticed that uid's are being treated as case sensitive during login whereas LDAP was treating them as case insensitive. In researching I discovered this ticket where it was discussed that uid's should not be case sensitive: https://support.gluu.org/authentication/9138/case-sensitive-uid/ Is there a way to change the Postgres-backed configuration so that uid's are not case sensitive during login?

By Mohib Zico Account Admin 09 Oct 2024 at 1:17 p.m. CDT

Mohib Zico gravatar
Interesting, I'll check it.

By David Kananen named 15 Oct 2024 at 10:10 a.m. CDT

David Kananen gravatar
Any word on this?

By Mohib Zico Account Admin 15 Oct 2024 at 10:16 p.m. CDT

Mohib Zico gravatar
Hello David, Sorry, i was side tracked. Going to start work on this again today...

By Mohib Zico Account Admin 16 Oct 2024 at 7:52 a.m. CDT

Mohib Zico gravatar
Hello again David, I just tried with latest 4.5.3 but couldn't reproduce the issue. I have created a test user for you to test... here it is: - https://mzico-wondrous-marlin.gluu.info/ - tester / tester@gluu.org

By David Kananen named 16 Oct 2024 at 8 a.m. CDT

David Kananen gravatar
I think you meant 4.5.5 as that's what your test server shows, and also what I'm running. This is interesting, because it's clearly different than the behavior we're seeing. I will try to stand up a new 4.5.5 server with a local Postgres install from the installation script to see if maybe it's a difference in the Postgres configuration of our pre-existing server. I'll let you know what I find.

By Mohib Zico Account Admin 16 Oct 2024 at 8:04 a.m. CDT

Mohib Zico gravatar
>> I think you meant 4.5.5 as that's what your test server shows, and also what I'm running. This is interesting, because it's clearly different than the behavior we're seeing. Sorry, yes: `gluu-server_4.5.5-3~ubuntu22.04` >> I will try to stand up a new 4.5.5 server with a local Postgres install from the installation script to see if maybe it's a difference in the Postgres configuration of our pre-existing server. I'll let you know what I find. Yes, let Gluu Server install postgres piece as well with setup script.

By David Kananen named 17 Oct 2024 at 12:37 p.m. CDT

David Kananen gravatar
When I install a new Gluu server with the local Postgres option, the admin user is then able to login with a case-insensitive user name as expected. I was also able to manually add a 2nd user and verify the same. However I discovered that the problem starts after this point, when I turn on cache refresh and configure it to load users from our company's LDAP and set the default authentication method to use that. Once I do that, I'm unable to log in with the original admin account at all, and all the users that are created from our company's LDAP must log in with a case sensitive match on their username. This is different from the behavior I see when using LDAP as the Gluu server's backing storage. In that case I am still able to log in with the original admin user and company users loaded from LDAP can log in with case-insensitive usernames.

By Mohib Zico Account Admin 17 Oct 2024 at 12:50 p.m. CDT

Mohib Zico gravatar
Hello David, >> Once I do that, I'm unable to log in with the original admin account at all,... That's normal because, your authentication mode is searching for user 'admin' in your company's LDAP and it don't see anything like that. >> .... and all the users that are created from our company's LDAP must log in with a case sensitive match on their username. That's not usual. I will check to load some users with Cache Refresh. >> This is different from the behavior I see when using LDAP as the Gluu server's backing storage. In that case I am still able to log in with the original admin user... May be your "Manage Authentication" section has some configuration than default one? Some script or some configuration which is reading both 'localhost' and 'remote company ldap'?

By David Kananen named 17 Oct 2024 at 1:25 p.m. CDT

David Kananen gravatar
When using LDAP as backing storage, we leave the original auth_ldap_server active as well as adding/activating a 2nd LDAP server for our company. In this way we are still able to log in with the original admin user. When using Postgres, it seems that deactivating the auth_ldap_server is required as we get errors on startup otherwise. So I'm assuming that's why we lose the ability to login with the admin user. In any case I'm not too worried about this part. The primary concern is the users created from our company's LDAP requiring case sensitive usernames.

By Mohib Zico Account Admin 21 Oct 2024 at 3:50 a.m. CDT

Mohib Zico gravatar
Hi David, >> When using Postgres, it seems that deactivating the auth_ldap_server is required as we get errors on startup otherwise. So I'm assuming that's why we lose the ability to login with the admin user. In any case I'm not too worried about this part. The primary concern is the users created from our company's LDAP requiring case sensitive usernames. I'll check the use case in my local setup.

By David Kananen named 24 Oct 2024 at 9:54 a.m. CDT

David Kananen gravatar
In my /opt/shibboleth-idp/logs/idp-process.log I noticed errors like this: ``` 2024-10-24 14:42:53,599 - 127.0.0.1 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:233] - Service 'shibboleth.AttributeRegistryService': Reload for shibboleth.AttributeRegistryService failed net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'siteDataConnector' defined in null: Could not resolve placeholder 'idp.attribute.resolver.sql.searchFilter' in value " %{idp.attribute.resolver.sql.searchFilter} "; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.attribute.resolver.sql.searchFilter' in value " %{idp.attribute.resolver.sql.searchFilter} " at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377) Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'siteDataConnector' defined in null: Could not resolve placeholder 'idp.attribute.resolver.sql.searchFilter' in value " %{idp.attribute.resolver.sql.searchFilter} "; nested exception is java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.attribute.resolver.sql.searchFilter' in value " %{idp.attribute.resolver.sql.searchFilter} " at org.springframework.beans.factory.config.PlaceholderConfigurerSupport.doProcessProperties(PlaceholderConfigurerSupport.java:230) Caused by: java.lang.IllegalArgumentException: Could not resolve placeholder 'idp.attribute.resolver.sql.searchFilter' in value " %{idp.attribute.resolver.sql.searchFilter} " ``` I'm not sure how to resolve this error but I found in the community-edition-setup repo here https://github.com/GluuFederation/community-edition-setup/blob/master/setup_app/installers/saml.py#L236 a line that looks relevant: Config.non_setup_properties['sql_search_filter'] = '''select * from "gluuPerson" where ((LOWER("uid") = '$requestContext.principalName') OR (LOWER("mail") = '$requestContext.principalName')) AND ("objectClass" = 'gluuPerson')''' So if my server does not have this sql_search_filter configured it won't know how to run this case-insensitive query.

By Mohib Zico Account Admin 24 Oct 2024 at 11:46 a.m. CDT

Mohib Zico gravatar
Hello David, I prepared my testbed last night and I definitely faced issue during login there with `auth_ldap_server`. `auth_ldap_server` connected to my backend LDAP. Checking further now...

By David Kananen named 24 Oct 2024 at 4:10 p.m. CDT

David Kananen gravatar
I resolved the idp.attribute.resolver.sql.searchFilter error by going to /opt/shibboleth-idp/conf and adding gluu-rdbm-bean.xml and datasource.properties. I think this was an artifact of using the LDAP to Postgres migration script provided in a different support ticket. This didn't help my original issue though, logging in still requires case sensitive usernames.

By Mohib Zico Account Admin 24 Oct 2024 at 10:33 p.m. CDT

Mohib Zico gravatar
Hi David, That's correct. I have created a github issue: https://github.com/GluuFederation/oxAuth/issues/1927

By Mohib Zico Account Admin 25 Oct 2024 at 11:33 a.m. CDT

Mohib Zico gravatar
OK, issue patched. We are going to release new war file on Monday. I'll let you know.

By Mohib Zico Account Admin 30 Oct 2024 at 2:16 p.m. CDT

Mohib Zico gravatar
Hi David, New version released in maven repo. We are doing final testing atm.

By Mohib Zico Account Admin 30 Oct 2024 at 10:10 p.m. CDT

Mohib Zico gravatar
**Update** Confirmed, this is the patched version: https://jenkins.gluu.org/maven/org/gluu/oxauth-server/4.5.6-SNAPSHOT/oxauth-server-4.5.6-SNAPSHOT.war If you need help to deploy this war, please let me know. Thanks!

By David Kananen named 31 Oct 2024 at 8:39 a.m. CDT

David Kananen gravatar
Thanks, confirmed my username login is now case insensitive. It seems to only address the login though. If I go to Users->Manage People and try searching for users, this is case sensitive where LDAP searching is case insensitive. Makes me wonder what other scenarios will also have unexpected username case sensitivity. I will try running this patch and see if we run into any other issues with it.

By Md Mostafejur Rahman staff 11 Nov 2024 at 8:25 a.m. CST

Md Mostafejur Rahman gravatar
Thanks David, We have created a Github Issue https://github.com/GluuFederation/oxTrust/issues/2444

By Mohib Zico Account Admin 27 Nov 2024 at 4:27 a.m. CST

Mohib Zico gravatar
**Status** Patched released, final QA going on.

By Mohib Zico Account Admin 29 Nov 2024 at 6:52 a.m. CST

Mohib Zico gravatar
Hi David, A quick question... Seems like this patch was issued for Gluu CE 4.5.6 ( which is going to be released on Dec first week ). Do you think you have liberty to use 4.5.6 or do you need us to backport this patch in 4.5.5 ( existing version )?

By David Kananen named 02 Dec 2024 at 12:30 p.m. CST

David Kananen gravatar
4.5.6 is fine for us

By Mohib Zico Account Admin 02 Dec 2024 at 12:40 p.m. CST

Mohib Zico gravatar
Thanks for confirmation, David.

By Mohib Zico Account Admin 13 Dec 2024 at 7:15 a.m. CST

Mohib Zico gravatar
Hi David, 4.5.6 stable released but unfortunately this fix wasn't included there in 4.5.6 so we had to release [4.5.7.Snapshot](https://maven.gluu.org/maven4/org/gluu/oxtrust-server/4.5.7-SNAPSHOT/oxtrust-server-4.5.7-SNAPSHOT.war) for oxTrust. Here is what you need to do: - Upgrade / install 4.5.6 - Get 4.5.7.Snapshot for oxTrust and use that.