Jira Data Center / JRASERVER-13005

LDAP authentication against Active Directory fails if there are escaped double quotes in the user's CN


    • Type: Bug
    • Resolution: Fixed
    • Priority: Low
    • 6.0
    • None
    • Customer: JIRA Standalone 3.7.1 on Java 1.5.0_09-b03 on Linux.
      Me: JIRA Standalone on Java 1.6.0_01-b06 on Windows 2003.

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      A customer has a problem with authentication against Active Directory. If a user's CN contains escaped double quote characters, then authentication fails with "Sorry, your username and password are incorrect - please try again", and the following in the log file (if you have log4j.category.com.opensymphony.user.provider.ldap = DEBUG):

      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,734 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] 'fred' could be handled by LDAP
      2007-07-03 12:10:56,750 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] Doing initial search (connected as CN=Administrator,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com):base='CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com', filter='sAMAccountName=fred'
      2007-07-03 12:10:56,750 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] Doing initial search (connected as CN=Administrator,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com): base='CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com', filter='sAMAccountName=fred'
      2007-07-03 12:10:56,750 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] Found user(s)
      2007-07-03 12:10:56,750 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] Found user(s)
      2007-07-03 12:10:56,765 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Fred \\"The Legend\\" Smith,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
      2007-07-03 12:10:56,765 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Fred \\"The Legend\\" Smith,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
      

      Note the escaped double quotes in the CN:

      CN=Fred \\"The Legend\\" Smith
      

      You can set this up in Active Directory by inserting something in double quotes in the full name when you create a user. You can remove it or modify it by right-clicking on the user and choosing Rename.

      I am able to reproduce the behaviour on my PC against Active Directory. (I have not tried against a different LDAP server.)

      If I remove the double quotes from the full name then restart JIRA, the user can log in successfully.

      The customer states that use of double quotes in the full name is "typical for our organization" and would like to know a timeframe for when it can be fixed, by a patch if necessary. It is a Critical support issue.

      Kind regards,
      Ian
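
A triage helper for the symptom described above, added here as an example; it is not part of the original report or of Atlassian's code. It scans DEBUG output in the format quoted in the report for failed-bind lines, collapses the duplicated lines, and flags DNs whose leading RDN contains a backslash-escaped double quote. The sample log is constructed (only the "fred" DN comes from the report) and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the DEBUG lines quoted in the report.
# Only the first DN comes from the report; the other two users are made up.
SAMPLE_LOG = r'''
2007-07-03 12:10:56,750 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] Found user(s)
2007-07-03 12:10:56,765 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Fred \\"The Legend\\" Smith,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
2007-07-03 12:10:56,765 http-8080-Processor23 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Fred \\"The Legend\\" Smith,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
2007-07-03 12:11:02,101 http-8080-Processor24 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Jane Doe,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
2007-07-03 12:11:09,412 http-8080-Processor25 DEBUG [user.provider.ldap.LDAPCredentialsProvider] User with dn 'CN=Smith\, Bob,CN=Users,DC=bamboo,DC=sydney,DC=atlassian,DC=com' found, but authentication failed.
'''

FAILED_BIND = re.compile(r"User with dn '(?P<dn>.*)' found, but authentication failed")
ESCAPED_QUOTE = re.compile(r'\\+"')  # one or more backslashes, then a double quote


def split_rdns(dn):
    """Split a DN at unescaped commas; a backslash escapes the next character."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
        elif dn[i] == ",":
            rdns.append("".join(current))
            current = []
            i += 1
        else:
            current.append(dn[i])
            i += 1
    rdns.append("".join(current))
    return rdns


def failed_binds(log_text):
    """Map each distinct failed-bind DN to True if its leading RDN has an escaped quote."""
    result = {}
    for line in log_text.splitlines():
        match = FAILED_BIND.search(line)
        if match:
            dn = match.group("dn")
            result[dn] = bool(ESCAPED_QUOTE.search(split_rdns(dn)[0]))
    return result


if __name__ == "__main__":
    for dn, flagged in failed_binds(SAMPLE_LOG).items():
        print("QUOTED-CN" if flagged else "other    ", split_rdns(dn)[0])
```

Accounts reported as `QUOTED-CN` match the condition in this report; the rest failed for some other reason and need separate investigation.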

        1. LDAPCredentialsProvider.java
          19 kB
          Ian Daniel [Atlassian]

            Assignee: Unassigned
            Reporter: Ian Daniel [Atlassian] (idaniel)