NULLs in idp.process.log with LDAP authn against ActiveDirectory
Problem: grep doesn't like the idp-process.log.
$ zgrep PATTERN /var/log/shibboleth/idp-process-20180406-1100.log.gz
Binary file (standard input) matches
This confused me because the file should not be binary. After some investigation, I found NULLs in the file and grep flags the file binary; it can find matches, but won't report them because the matches might include binary data (... won't report unless you supply --binary-files=text.) The message is presented if (1) the pattern matches somewhere and (2) the file includes NULLs; it does NOT require that the matches contain NULLs. If no line matches, grep does not complain; it exits silently without any output (though $? == 1).

We see frequent authn exceptions in our idp-process.log that include a NULL character. It's part of an authn exception report from org.ldaptive.auth when authenticating against an Active Directory service. The error, 52e, is "invalid credentials" [1], so it's no surprise that the report is common. The NULL is in the following serialization:
AcceptSecurityContext error, data 52e, v2580^@]
The caret-@ is a NULL in the log file.
I think it's appropriate to remove this NULL from the logging. Is that reasonable to the devs?
[I suppose grep should also be able to report matches if no match includes binary data. But that's S.E.P.]
Thanks for your time,
Paul
–
Paul Fardy
Shib Admin, Info Security, University of Toronto
Sample log text:
javax.security.auth.login.LoginException: Authentication failed: [org.ldaptive.auth.AuthenticationResponse@1530565030::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, ldapEntry=[dn=CN=USERNAME,OU=USERS,DC=yada,DC=yada,DC=yada,DC=ca[]], accountState=null, result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@], controls=null]
[1] https://www-01.ibm.com/support/docview.wss?uid=swg21290631
"52e - invalid credentials"
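The following shell session is an added example, not code from Paul's post or from the Shibboleth IdP or ldaptive projects. It reproduces the grep behaviour described above on a constructed two-line log (the second line is modelled on the quoted ldaptive INVALID_CREDENTIALS report and ends in "v2580<NUL>]"), counts the NUL bytes, and shows the two ways of getting the matching line back out: --binary-files=text, or stripping the NULs with tr before grepping. It also confirms the point that a non-matching search says nothing and exits 1. The logger names and message text in the sample log are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or the Shibboleth IdP:
# reproduces grep's "binary file matches" behaviour on a log that
# contains a NUL byte and shows how to get the matching line back out.
# The log lines below are constructed for this example, modelled on the
# ldaptive INVALID_CREDENTIALS report quoted in the post.

# Write a two-line sample log; the second line ends in "v2580<NUL>]".
make_sample_log() {
    printf 'INFO  example.Action - profile action completed\n' > "$1"
    printf 'WARN  example.Authn - AcceptSecurityContext error, data 52e, v2580\000]\n' >> "$1"
}

# Count NUL bytes in a file (portable: keep only NULs, count them).
count_nuls() {
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Default grep: the pattern matches, but the line is not printed;
# GNU grep reports "Binary file ... matches" instead (on stdout in
# older releases, on stderr in grep >= 3.5). Exit status is still 0.
grep_default() {
    grep 'data 52e' "$1" 2>/dev/null
}

# Same search with --binary-files=text (alias -a): the line is printed,
# NUL included, so downstream tools must cope with it.
grep_as_text() {
    grep --binary-files=text 'data 52e' "$1"
}

# Strip NULs first when you want clean text out of a pipeline.
grep_stripped() {
    tr -d '\000' < "$1" | grep 'data 52e'
}

# No match: grep says nothing about the binary content and exits 1.
grep_no_match_status() {
    if grep 'no such pattern' "$1" >/dev/null 2>&1; then echo 0; else echo "$?"; fi
}

# Stand-alone demo.
log=$(mktemp)
make_sample_log "$log"
echo "NUL bytes in log: $(count_nuls "$log")"
echo "default grep output:"; grep_default "$log" || true
echo "with --binary-files=text:"; grep_as_text "$log" | tr -d '\000'
echo "exit status when nothing matches: $(grep_no_match_status "$log")"
rm -f "$log"
```

For the zgrep case in the post, the same flag applies (zgrep passes options through to grep), so `zgrep -a PATTERN file.gz` or `zcat file.gz | tr -d '\000' | grep PATTERN` both give the matching lines.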