[LDAP] Login error (with specific characters in password)

[grazzianos]

Code of Conduct

• I agree to follow this project's Code of Conduct

Is there an existing issue for this?

• I have searched the existing issues

Version

10.0.17

Bug description

I have an Active Directory user with a password that has a specific number of three @'s. Recently, the user's password expired and was changed to one with four @'s (as suggested in the repro steps).

After changing the password, GLPI kept returning an invalid username/password when trying to log in. I was unable to capture logs for this event. Didn't find anything, after hour of searching.

As an attempt to perform tests, after suspecting that there was some error in the synchronization of the registry, I deleted the user and synchronized it again. Same error. The login with other users in the domain occurred perfectly.

As a last attempt, I changed the user's password to one with fewer @ characters (only one). The result was positive, there were no more login errors. I then interpreted that there was some kind of error in GLPI when handling this login data in communication with Active Directory.

Relevant log output

Page URL

No response

Steps To reproduce

1. Configure a new Active Directory authentication source with appropried filters
2. Add a new user to use for GLPI login
3. Set this user password: Abc@@@@1234
4. Try using this user to login

Your GLPI setup information

Information about system installation and configuration

GLPI 10.0.17 ( => /_dados/www/glpi-www)
Installation mode: TARBALL
Current language:en_GB

Server

 

Operating system: Linux svmacsd01 5.15.0-130-generic #​140-Ubuntu SMP Wed Dec 18 17:59:53 UTC 2024 x86_64

PHP 8.1.2-1ubuntu2.20 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bz2,

calendar, ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring,

mysqli, mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, soap, sockets, sodium, standard, sysvmsg, sysvsem,

sysvshm, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, zlib)

Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"

upload_max_filesize="2M" disable_functions=""

Software: Apache ()

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36 Edg/132.0.0.0

Server Software: Ubuntu 22.04

Server Version: 10.6.18-MariaDB-0ubuntu0.22.04.1

Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Parameters: glpi_siga@localhost/glpi_siga

Host info: Localhost via UNIX socket

PHP version (8.1.2-1ubuntu2.20) is supported.

Sessions configuration is OK.

Allocated memory is sufficient.

mysqli extension is installed.

Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.

curl extension is installed.

gd extension is installed.

intl extension is installed.

zlib extension is installed.

The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.

Database engine version (10.6.18) is supported.

No files from previous GLPI version detected.

The log file has been created successfully.

Write access to /_dados/www/glpi-data/files/_cache has been validated.

Write access to /_dados/www/glpi-data/files/_cron has been validated.

Write access to /_dados/www/glpi-data/files has been validated.

Write access to /_dados/www/glpi-data/files/_dumps has been validated.

Write access to /_dados/www/glpi-data/files/_graphs has been validated.

Write access to /_dados/www/glpi-data/files/_lock has been validated.

Write access to /_dados/www/glpi-data/files/_pictures has been validated.

Write access to /_dados/www/glpi-data/files/_plugins has been validated.

Write access to /_dados/www/glpi-data/files/_rss has been validated.

Write access to /_dados/www/glpi-data/files/_sessions has been validated.

Write access to /_dados/www/glpi-data/files/_tmp has been validated.

Write access to /_dados/www/glpi-data/files/_uploads has been validated.
Web server root directory configuration seems safe.

Sessions configuration is secured.

OS and PHP are relying on 64 bits integers.

exif extension is installed.

ldap extension is installed.

openssl extension is installed.

Following extensions are installed: bz2, Phar, zip.

Zend OPcache extension is installed.

Following extensions are installed: ctype, iconv, mbstring, sodium.

Write access to /_dados/www/glpi-www/marketplace has been validated.

Access to timezone database (mysql) is not allowed.

GLPI constants

 

GLPI_ROOT: "/_dados/www/glpi-www"

GLPI_CONFIG_DIR: "/_dados/www/glpi-data/config/"

GLPI_VAR_DIR: "/_dados/www/glpi-data/files"

GLPI_LOG_DIR: "/_dados/www/glpi-data/log"

GLPI_MARKETPLACE_DIR: "/_dados/www/glpi-www/marketplace"

GLPI_USE_CSRF_CHECK: "1"

GLPI_CSRF_EXPIRES: "7200"

GLPI_CSRF_MAX_TOKENS: "100"

GLPI_USE_IDOR_CHECK: "1"

GLPI_IDOR_EXPIRES: "7200"

GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false

GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\/\/[^@:]+(\/.*)?$/"]

GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"

GLPI_INSTALL_MODE: "TARBALL"

GLPI_NETWORK_MAIL: "[email protected]"

GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"

GLPI_MARKETPLACE_ALLOW_OVERRIDE: true

GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true

GLPI_USER_AGENT_EXTRA_COMMENTS: ""

GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"

GLPI_AJAX_DASHBOARD: "1"

GLPI_CALDAV_IMPORT_STATE: 0

GLPI_DEMO_MODE: "0"

GLPI_CENTRAL_WARNINGS: "1"

GLPI_TEXT_MAXSIZE: "4000"

GLPI_DOC_DIR: "/_dados/www/glpi-data/files"

GLPI_CACHE_DIR: "/_dados/www/glpi-data/files/_cache"

GLPI_CRON_DIR: "/_dados/www/glpi-data/files/_cron"

GLPI_DUMP_DIR: "/_dados/www/glpi-data/files/_dumps"

GLPI_GRAPH_DIR: "/_dados/www/glpi-data/files/_graphs"

GLPI_LOCAL_I18N_DIR: "/_dados/www/glpi-data/files/_locales"

GLPI_LOCK_DIR: "/_dados/www/glpi-data/files/_lock"

GLPI_PICTURE_DIR: "/_dados/www/glpi-data/files/_pictures"

GLPI_PLUGIN_DOC_DIR: "/_dados/www/glpi-data/files/_plugins"

GLPI_RSS_DIR: "/_dados/www/glpi-data/files/_rss"

GLPI_SESSION_DIR: "/_dados/www/glpi-data/files/_sessions"

GLPI_TMP_DIR: "/_dados/www/glpi-data/files/_tmp"

GLPI_UPLOAD_DIR: "/_dados/www/glpi-data/files/_uploads"

GLPI_INVENTORY_DIR: "/_dados/www/glpi-data/files/_inventories"

GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"

GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"

GLPI_I18N_DIR: "/_dados/www/glpi-www/locales"

GLPI_VERSION: "10.0.17"

GLPI_SCHEMA_VERSION: "10.0.17"

GLPI_MARKETPLACE_PRERELEASES: false

GLPI_MIN_PHP: "7.4.0"

GLPI_MAX_PHP: "8.4.0"

GLPI_YEAR: "2024"

Libraries

 

htmlawed/htmlawed version 1.2.14 in (/_dados/www/glpi-www/vendor/htmlawed/htmlawed)

phpmailer/phpmailer version 6.8.0 in (/_dados/www/glpi-www/vendor/phpmailer/phpmailer/src)

simplepie/simplepie version 1.5.8 in (/_dados/www/glpi-www/vendor/simplepie/simplepie/library)

tecnickcom/tcpdf version 6.7.5 in (/_dados/www/glpi-www/vendor/tecnickcom/tcpdf)

michelf/php-markdown in (/_dados/www/glpi-www/vendor/michelf/php-markdown/Michelf)

true/punycode in (/_dados/www/glpi-www/vendor/true/punycode/src)

iamcal/lib_autolink in (/_dados/www/glpi-www/vendor/iamcal/lib_autolink)

sabre/dav in (/_dados/www/glpi-www/vendor/sabre/dav/lib/DAV)

sabre/http in (/_dados/www/glpi-www/vendor/sabre/http/lib)

sabre/uri in (/_dados/www/glpi-www/vendor/sabre/uri/lib)

sabre/vobject in (/_dados/www/glpi-www/vendor/sabre/vobject/lib)

laminas/laminas-i18n in (/_dados/www/glpi-www/vendor/laminas/laminas-i18n/src)

laminas/laminas-servicemanager in (/_dados/www/glpi-www/vendor/laminas/laminas-servicemanager/src)

monolog/monolog in (/_dados/www/glpi-www/vendor/monolog/monolog/src/Monolog)

sebastian/diff in (/_dados/www/glpi-www/vendor/sebastian/diff/src)

donatj/phpuseragentparser in (/_dados/www/glpi-www/vendor/donatj/phpuseragentparser/src/UserAgent)

elvanto/litemoji in (/_dados/www/glpi-www/vendor/elvanto/litemoji/src)

symfony/console in (/_dados/www/glpi-www/vendor/symfony/console)

scssphp/scssphp in (/_dados/www/glpi-www/plugins/trademark/vendor/scssphp/scssphp/src)

laminas/laminas-mail in (/_dados/www/glpi-www/vendor/laminas/laminas-mail/src/Protocol)

laminas/laminas-mime in (/_dados/www/glpi-www/vendor/laminas/laminas-mime/src)

rlanvin/php-rrule in (/_dados/www/glpi-www/vendor/rlanvin/php-rrule/src)

ramsey/uuid in (/_dados/www/glpi-www/vendor/ramsey/uuid/src)

psr/log in (/_dados/www/glpi-www/vendor/psr/log/Psr/Log)

psr/simple-cache in (/_dados/www/glpi-www/vendor/psr/simple-cache/src)

psr/cache in (/_dados/www/glpi-www/vendor/psr/cache/src)

league/csv in (/_dados/www/glpi-www/vendor/league/csv/src)

mexitek/phpcolors in (/_dados/www/glpi-www/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)

guzzlehttp/guzzle in (/_dados/www/glpi-www/vendor/guzzlehttp/guzzle/src)

guzzlehttp/psr7 in (/_dados/www/glpi-www/vendor/guzzlehttp/psr7/src)

glpi-project/inventory_format in (/_dados/www/glpi-www/vendor/glpi-project/inventory_format/lib/php)

wapmorgan/unified-archive in (/_dados/www/glpi-www/vendor/wapmorgan/unified-archive/src)

paragonie/sodium_compat in (/_dados/www/glpi-www/vendor/paragonie/sodium_compat/src)

symfony/cache in (/_dados/www/glpi-www/vendor/symfony/cache)

html2text/html2text in (/_dados/www/glpi-www/vendor/html2text/html2text/src)

symfony/css-selector in (/_dados/www/glpi-www/vendor/symfony/css-selector)

symfony/dom-crawler in (/_dados/www/glpi-www/vendor/symfony/dom-crawler)

twig/twig in (/_dados/www/glpi-www/vendor/twig/twig/src)

twig/string-extra in (/_dados/www/glpi-www/vendor/twig/string-extra)

symfony/polyfill-ctype not found

symfony/polyfill-iconv not found

symfony/polyfill-mbstring not found

symfony/polyfill-php80 not found

symfony/polyfill-php81 not found

symfony/polyfill-php82 in (/_dados/www/glpi-www/vendor/symfony/polyfill-php82)

league/oauth2-client in (/_dados/www/glpi-www/vendor/league/oauth2-client/src/Provider)

league/oauth2-google in (/_dados/www/glpi-www/vendor/league/oauth2-google/src/Provider)

thenetworg/oauth2-azure in (/_dados/www/glpi-www/vendor/thenetworg/oauth2-azure/src/Provider)

LDAP directories

 

Server: 'ldap.sococoint.net', Port: '389', BaseDN: 'DC=sococoint,DC=net', Connection filter:

'(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(samaccountname=$))(!(memberof=CN=GLPI-No_Sync,OU=Grupos,OU=GLPI,OU=_Grupos,OU=_Administracao,DC=sococoint,DC=net)))',

RootDN: 'sococoint\svc_ldap', Use TLS: none

Server: 'ldap.sococo.ind.br', Port: '389', BaseDN: 'OU=AD_Geral,DC=sococo,DC=ind,DC=br', Connection filter:

'(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(samaccountname=$))(!(memberof=CN=GLPI-No_Sync,OU=Grupos,OU=GLPI,OU=_Grupos,OU=_Administracao,DC=sococo,DC=ind,DC=br)))',

RootDN: 'sococo\svc_ldap', Use TLS: none

SQL replicas

 

Not active

Notifications

 

Way of sending emails: SMTP+OAUTH (siga@[email protected])

Plugins list

 

news                 Name: Alertas                        Version: 1.12.4     State: Enabled

Install Method: Marketplace

fields               Name: Campos adicionais              Version: 1.21.18    State: Enabled

Install Method: Marketplace

behaviors            Name: Comportamentos                 Version: 2.7.3      State: Enabled

Install Method: Marketplace

accounts             Name: Contas                         Version: 3.0.4      State: Enabled

Install Method: Marketplace

databaseinventory    Name: Database Inventory             Version: 1.0.2      State: Enabled

Install Method: Marketplace

formcreator          Name: Form Creator                   Version: 2.13.9     State: Enabled

Install Method: Marketplace

gantt                Name: gantt                          Version: 1.1.0      State: Enabled

Install Method: Marketplace

gappessentials       Name: Gapp Essentials                Version: 2.3.0      State: Enabled

Install Method: Marketplace

tag                  Name: Gerenciamento de Etiquetas     Version: 2.12.1     State: Enabled

Install Method: Marketplace

genericobject        Name: Gerenciamento de objetos       Version: 2.14.11    State: Enabled

Install Method: Marketplace

glpiinventory        Name: GLPI Inventory                 Version: 1.4.0      State: Enabled

Install Method: Marketplace

datainjection        Name: Importação de dados            Version: 2.14.1     State: Enabled

Install Method: Marketplace

releases             Name: Liberações                     Version: 2.0.4      State: Enabled

Install Method: Marketplace

timelineticket       Name: Linha do tempo dos chamados    Version: 10.0+1.2   State: Enabled

Install Method: Marketplace

trademark            Name: Marca Comercial                Version: 1.3.0      State: Enabled

Install Method: Manual

metabase             Name: Metabase                       Version: 1.3.3      State: Enabled

Install Method: Marketplace

Anything else?

No response

[cconard96]

I cannot recreate the issue.
Tested with Active Directory on Windows Server 2016 with the exact password given and also tried doing a password reset with the provided password. In all cases, the user was able to log in to GLPI. I also tested on PHP 8.2 and PHP 8.1.

[grazzianos]

Well... curious. Here I have the WS 2008 R2 server (I don't think this can influence anything).

The password I provided was similar to the one I used. The exact one was Gra@@@@0044. Can you test with this one?