LDAP login problem with mixed case mail addresses

@Jonathan @daniel.pan
We had a hard time debugging a problem related to an LDAP login problem. Very time consuming.
In the end we found out that apparently Seafile doesn’t recognize a user mail address from LDAP if it has either mixed case or uppercase letters.
We are not sure if this is related to the fact that the user was (maybe) logged in before with a lower case mail address. The user changed the mail address to mixed case “because of cosmetics” without telling anybody.

Suggestion to avoid any of these problems in future:

  • Always convert LDAP attributes, especially mail addresses to lower case
  • During login check with the username/mail address case type (as is) that the user entered as well as with converted lower case username/mail address

It may make sense to convert mail addresses for Seafile db/local users as well to lower case to avoid possible trouble there as well.

Please provide a quick fix for this soon. Thanks!

Currently all emails are stored in lower case in the user database. Can you provide more details about your problem?

  1. Which version of Seafile?
  2. What operations does the user do?
  3. What errors do you have from the interface and the relevant logs?
  4. Do you enable ldap syncing?

Thanks for the quick reply.

Which version of Seafile?

CE 8.0.x and 9.0.4

Do you enable ldap syncing?

Not available in CE. We didn’t test this problem with PRO.

What operations does the user do?
What errors do you have from the interface and the relevant logs?

User tries to login, which fails with invalid credentials error.
As far as we could recreate the problem:

  1. User login worked fine with a lower case mail address in the LDAP ‘mail’ field
  2. User login is saved as lower case in the user database (as you confirmed)
  3. User changed the mail address now containing uppercase letters in the LDAP ‘mail’ field
  4. Login now fails
  5. Admin removes user from LDAP Seafile Group (user by LDAP filter)
  6. Admin removes user from imported LDAP list (we checked in the db, the user in the ldap (import) list was removed)
  7. User tries to login, which fails, log showing invalid credentials. In the imported LDAP list the previous user is listed in lower case with last login info from before the mail address change (where login worked fine)
  8. Changing the mail address in the LDAP ‘mail’ field back to lower case allows login again

We think that there might be a reference in the user db somewhere which links the same address to previous accounts even if removed before.
The login might fail because the user's mail address is stored in mixed case in the LDAP ‘mail’ field while Seafile tries to authenticate with a lower case mail address.
This might be an LDAP problem after all (open LDAP in this case) but shouldn’t this be resolvable on the Seafile Auth side?

I guess that it might, yet again, come back to the problem that Seafile uses mail addresses as identifier for users instead of a username with changeable mail address.
Wouldn’t it be possible to allow adding multiple mail addresses for a user, adding a username or other unique identifier per user account in the backend?
This might allow logging in with username instead of mail address while mail addresses can be changed, even in the LDAP ‘mail’ field at will of the user or admin without causing any trouble.

Or is this an LDAP problem not accepting lower case mail addresses while the LDAP ‘mail’ field contains a mixed case mail address?

Thanks for checking, appreciated!

We tested locally with AD as the LDAP server but cannot reproduce the issue. Which LDAP server do you use? Would it be possible that the LDAP server is case sensitive to email attributes?

Thanks for testing. That might be possible. We’re investigating further.

Do you in general also test OpenLDAP and e.g. solutions like FreeIPA and UCS?

@Jonathan We have done more testing. It seems that even if the LDAP server always provides lower case attributes (be it mail or username) the Seafile login fails.

Can you please check if Seafile always converts the (via the webui/client) entered username/e-mail to lower case when checking with LDAP and the internal DB?
Meaning that the value that Seafile sends to the LDAP server should also always be lower case.
This could also be an LDAP setting being optional to not change the behavior in other Seafile instances.

Thanks!

I may add that my Win2019 AD server has a tendency to save the mail value Base64 encoded,
which is not the case with "userPrincipalName", at least that’s what ldapsearch shows:

userPrincipalName: nuser@.de
lockoutTime: 0
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=,DC=de
uid: n
user
mail:: bm92YXJ0aXN1c2VyQGFnZW5****GVubmlnLmRlCg==

mail-values like these don’t work in Seafile as login-attribute. So sad.
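An added example (not Seafile's code) tying together the two points raised above: the question of whether the login name is normalized to lower case before it is compared with the LDAP attribute, and the `mail::` line in the ldapsearch output, where `::` is LDIF's marker for a base64-encoded value, used when the value contains bytes that cannot be printed directly (the `Cg==` ending in the post decodes to a trailing newline). The LDIF below is constructed; the parser and the two lookup functions are hypothetical and only illustrate why an exact-match lookup fails for such values while a normalized one succeeds.

```python
import base64

# Constructed sample ldapsearch (LDIF) output: one entry with a mixed-case
# mail, one whose mail is base64-encoded ("mail::") because the stored
# value carries a trailing newline, as in the thread.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
userPrincipalName: Alice.Example@example.com
mail: Alice.Example@Example.com

dn: CN=Bob Example,OU=Users,DC=example,DC=com
userPrincipalName: bob@example.com
mail:: Ym9iQGV4YW1wbGUuY29tCg==
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts; '::' values are base64-decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):            # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        current.setdefault(name, []).append(value)
    return entries

def normalize_identity(value):
    """Canonical form for matching: drop surrounding whitespace (including a
    stray trailing newline) and fold case, as the thread asks Seafile to do."""
    return value.strip().casefold()

def naive_find_user(entries, login, attr="mail"):
    """Exact-match lookup: the failure mode described in the thread."""
    return next((e["dn"][0] for e in entries if login in e.get(attr, [])), None)

def find_user(entries, login, attr="mail"):
    """Lookup with normalization applied to both the login and the attribute."""
    want = normalize_identity(login)
    for e in entries:
        if any(normalize_identity(v) == want for v in e.get(attr, [])):
            return e["dn"][0]
    return None
```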