Yubico Forum

LDAP Validation Error in ROPIII (ver 3.0.1)
Page 1 of 1

Author:  Andrew_Aust [ Tue Sep 20, 2011 1:05 pm ]
Post subject:  LDAP Validation Error in ROPIII (ver 3.0.1)

I was having lots of trouble getting ROPIII to successfully validate to my LDAP. It was successfully validating my OTP, but then returning an 'access reject' message.
Checking the logs, it became clear that the validation of the OTP was succeeding, but the Username/Password combination was returning "Unable to bind to LDAP server".
After checking MANY times that the username password combination was indeed correct, I changed the logging to log the password being used. This revealed that the password being sent to LDAP had been converted to lower case somewhere in the bowels of the verification process, which, of course, was failing, as the true password contained a combination of upper and lower case - and LDAP was, quite correctly, refusing to accept "password" when the correct entry was "PaSSworD".
I was able to track the problem down to an erroneous setting in the "/usr/share/ykropval/ykropval-verify.php" file.
The error appears at line 23
$otp = strtolower(getHttpVal('otp', ''));

The fix is simple - remove the instruction to convert the string to lower case, by replacing the line as follows:
$otp = getHttpVal('otp', '');

the LDAP validation will now pass.

I hope this will save someone else some time!

I downloaded the file via the VMWare image, and it was numbered version 3.0.1. I note that the present file for download is numbered version 3.0.2, so it is possible this issue has been fixed - I have not re-tested to see if the newer version has the same issue

Author:  Andrew_Aust [ Tue Sep 20, 2011 1:12 pm ]
Post subject:  Re: LDAP Validation Error in ROPIII (ver 3.0.1)

Bye the way, the rest of the ROPIII image is MUCH better than ROPII, and the LDAP implementation works so much better - multi level LDAP and everything! I also really like the inclusion of the RADTest tab, and the new VMWare images work without having to be converted first - all great stuff.

Thanks guys for the updated version.

Now, if you could just fix the bug where you select a user, then click "Assign a new Yubikey" and it then completely forgets what user you just selected and you have to type it in again... ;)

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group