Author Topic: [SOLVED] User corner shows a 500 error at login  (Read 1892 times)

Marcus

  • Forum Moderator
  • Zen Samurai
  • *****
  • Posts: 395
  • Karma: +12/-0
    • Professional IT Service
[SOLVED] User corner shows a 500 error at login
« on: April 22, 2012, 08:40:55 pm »
Hello,

I was having some unknown problem with one of the servers I installed.

Most users were having a 500 error when they "successfully" logged in to their user corner and that was about it.

Logs didn't return any obvious problem...

Anyway,
I noticed that users, including mine, that were experiencing this issue had a file tagged with their username in the /var/lib/zentyal-usercorner/sids

Solution:
Flush this directory using this command:
Code:
sudo rm -rf /var/lib/zentyal-usercorner/sids/*

Et voilà!  My users were happy campers once again.


Best,

Marcus

Marcus

Re: [SOLVED] User corner shows a 500 error at login
« Reply #1 on: April 22, 2012, 09:48:54 pm »
Hello,

Just for your information => This is a bug

HowTo reproduce it (and get the usercorner's 500 error):
1) Head up to the usercorner
2) Enter your username with a trailing blank space (e.g. "marcus ")
3) Enter your password

Enjoy!

Ok, now that we just blew up the usercorner authentication, simply run this command in a terminal and everything will get back to normal:
Code:
sudo rm -rf /var/lib/zentyal-usercorner/sids/*
The solution seems pretty obvious.  Username should get trimmed.

In PHP it would be the "trim" function.

Best,

Marcus

christian

  • Guest
Re: [SOLVED] User corner shows a 500 error at login
« Reply #2 on: April 22, 2012, 10:00:10 pm »
Although I can understand your frustration, in principle, performing any changes on what the user types as login looks very strange and dangerous to me.
However, error code should not be "HTTP 500", you are correct here.

jsalamero

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1419
  • Karma: +45/-1
Re: [SOLVED] User corner shows a 500 error at login
« Reply #3 on: April 22, 2012, 10:46:53 pm »
Can you report this in the trac?

Marcus

Re: [SOLVED] User corner shows a 500 error at login
« Reply #4 on: April 22, 2012, 10:55:50 pm »
Hello christian and jsalamero,

There is no frustration here...  It is a simple report regarding a problem that could prevent your users from logging in.

The 500 error is a normal behavior according to the username. The problem is deeper...

Username should never have blank in it and should always be lowercase.
Otherwise accepting that kind of input in a username is risky.  I really don't know how to describe it better.  Maybe with a Denial Of Service example?

Just kidding :)

It is quite easy and fast to resolve the problem by flushing the session files, but until then, you can say "Tango DOWN!".

On my way to the trac!

Best,

Marcus
« Last Edit: April 22, 2012, 10:57:41 pm by Marcus »

christian

Re: [SOLVED] User corner shows a 500 error at login
« Reply #5 on: April 23, 2012, 05:10:04 am »
Marcus,

I didn't check yet (I will later) for what concerns Zentyal implementation but as far as LDAP is concerned and as long as what you call "user name" is based on [UID] ldap attribute:
- this attribute is defined as CIS, standing for Case Insensitive String
- this attribute may contain blank in the middle

As a result, and again from LDAP standpoint only, "My Login", "my login" "MY LOGIN" are all (w/o quotes) valid and equivalent logins.

A long time ago  ;) a blank in the middle was not supported by Unix systems like HP-UX and Solaris, and this prevented the NIS-LDAP gateway from working properly, which is why LDAP administrators were pushing to avoid such kinds of UID, but there is no LDAP limitation here (at least as long as a standard LDAP server with a standard schema is used).
This is slightly different with AD  ;D

The reason why I was stating that "HTTP error 500" is, from my standpoint, a bug is that the "user corner" application handles the authentication process. Even if something goes wrong on the LDAP side, this should not be reported as "Err 500".
This being said, problem is maybe not with LDAP but then even if workaround is not to use blank in the middle and upper case, this is not the right technical solution, at least to me  ;)

christian

Re: [SOLVED] User corner shows a 500 error at login
« Reply #6 on: April 23, 2012, 07:54:49 am »
Marcus,

I looked further at what you described. Indeed, this has nothing to do with LDAP and authentication stuff but "sids".
What you rightly highlight here is that access to this "user-corner" interface implements wrong (somewhat) process because, at least, it creates first file in /var/lib/zentyal-usercorner/sids/ matching what user typed as "login", even if such name doesn't exist in LDAP  :o :o
Don't you think that expectation here is to start with authentication and then proceed with next steps (could be error message if authentication fails)?
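
The ordering question raised in this thread, as an added example that is not part of any post and is not Zentyal's code: a toy login handler that writes a per-user session file before authenticating, beside one that authenticates first and names the file from the directory's own uid. The directory dict, the function names and the temporary sids directory are all assumptions made for the illustration.

```python
import hashlib, hmac, os, tempfile

# Constructed toy directory: canonical uid -> password hash (stands in for an LDAP bind).
DIRECTORY = {"marcus": hashlib.sha256(b"s3cret").hexdigest()}

def authenticate(typed_login, password):
    """Return the canonical uid on success, None otherwise (case-insensitive match)."""
    for uid, stored in DIRECTORY.items():
        if uid.casefold() == typed_login.casefold():
            given = hashlib.sha256(password.encode()).hexdigest()
            return uid if hmac.compare_digest(given, stored) else None
    return None

def write_sid(sid_dir, name):
    # One session file per user, named after the user (hypothetical layout).
    with open(os.path.join(sid_dir, name), "w") as fh:
        fh.write(os.urandom(16).hex())

def login_file_first(sid_dir, typed_login, password):
    """Ordering described in reply #6: file created from raw input, then auth."""
    write_sid(sid_dir, typed_login)
    return authenticate(typed_login, password) is not None

def login_auth_first(sid_dir, typed_login, password):
    """Authenticate first; name the file from the directory's uid, never raw input."""
    uid = authenticate(typed_login, password)
    if uid is None:
        return False
    write_sid(sid_dir, uid)
    return True

def demo():
    """Run the same three constructed logins through both handlers."""
    results = {}
    for handler in (login_file_first, login_auth_first):
        with tempfile.TemporaryDirectory() as sid_dir:
            handler(sid_dir, "marcus ", "s3cret")  # trailing blank, as in reply #1
            handler(sid_dir, "nobody", "x")        # login that does not exist
            handler(sid_dir, "MARCUS", "s3cret")   # valid, different case
            results[handler.__name__] = sorted(os.listdir(sid_dir))
    return results

if __name__ == "__main__":
    print(demo())
```

With the file-first ordering, every typed string leaves a file behind, including the one with the trailing blank and the nonexistent login; with the auth-first ordering only the canonical uid does, and the typed input is never altered.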