Couchbase Server / MB-57312

LDAP error {asn1_enum,87} from nested group search involving brackets


Details

    • Bug
    • Resolution: User Error
    • Major
    • None
    • 7.1.4
    • ns_server
    • Okta LDAP Server.
    • Untriaged
    • 0
    • Unknown

    Description

      When we do a group search with 'traverse nested groups' enabled and one of the group names returned contains brackets, we get an error {asn1_enum,87}. It seems like this may be an issue with escaping the bracket characters.


      This can be reproduced with a trial Okta LDAP server as follows:

      On the LDAP server, create an LDAP interface configured to use Okta groups.
      Then create a group whose name contains brackets and a user who is a member of that group.


      On a clean 1-node Couchbase cluster, first run the following diag/eval (required for a TLS connection to Okta specifically):

      curl -X POST -u <username>:<password> 127.0.0.1:8091/diag/eval -d "ns_config:set_sub(ldap_settings, [{extra_tls_opts, [{middlebox_comp_mode, false}]}])."

      Then enter LDAP menu and populate settings to point to the LDAP server and bind with the details you used when creating the Okta trial account, as well as to use LDAP search for both authentication and authorization.


      Now we can test group search for the user in these groups. With nested group traversal disabled this succeeds.

      With nested group traversal enabled, we instead get the error {asn1_enum,87}.

      What is seen in the debug logs with the option disabled is,

      [ns_server:debug,2023-06-08T09:57:41.621Z,ns_1@127.0.0.1:<0.1719.1>:ldap_util:with_connection:143]Connected to LDAP server: "dev-74860138.ldap.okta.com" (port: 636, SSL: true)
      [ns_server:debug,2023-06-08T09:57:42.255Z,ns_1@127.0.0.1:<0.1719.1>:ldap_util:with_simple_bind:199]Simple bind for DN "<ud>uid=deacon.linkhorn@couchbase.com,ou=users,dc=dev-74860138,dc=okta,dc=com</ud>": ok
      [ns_server:debug,2023-06-08T09:57:42.255Z,ns_1@127.0.0.1:<0.1719.1>:ldap_auth:get_groups:181]Search groups for user "<ud>test.user@testdomain.com</ud>" using query "ou=groups,dc=dev-74860138,dc=okta,dc=com??one?(uniqueMember=%D)"
      [ns_server:debug,2023-06-08T09:57:42.256Z,ns_1@127.0.0.1:<0.1719.1>:ldap_auth:map_user_to_DN:124]Username->DN: using rule {<<"(.+)">>,
                                {query,<<"ou=users,dc=dev-74860138,dc=okta,dc=com??one?(uid={0})">>}} for "<ud>test.user@testdomain.com</ud>"
      [ns_server:debug,2023-06-08T09:57:42.552Z,ns_1@127.0.0.1:<0.1719.1>:ldap_util:eldap_search:275]LDAP search returned 1 entries
      [ns_server:debug,2023-06-08T09:57:42.552Z,ns_1@127.0.0.1:<0.1719.1>:ldap_auth:get_user_DN:103]Username->DN: Constructed DN: "<ud>uid=test.user@testdomain.com,ou=users,dc=dev-74860138,dc=okta,dc=com</ud>" for "<ud>test.user@testdomain.com</ud>" using query
      [ns_server:debug,2023-06-08T09:57:42.864Z,ns_1@127.0.0.1:<0.1719.1>:ldap_util:eldap_search:275]LDAP search returned 3 entries
      [ns_server:debug,2023-06-08T09:57:42.864Z,ns_1@127.0.0.1:<0.1719.1>:ldap_auth:get_groups:219]Groups search for "<ud>test.user@testdomain.com</ud>" returned 3 groups 

      When the option is enabled we see,

      [ns_server:debug,2023-06-08T09:58:34.661Z,ns_1@127.0.0.1:<0.3336.1>:ldap_util:with_connection:143]Connected to LDAP server: "dev-74860138.ldap.okta.com" (port: 636, SSL: true)
      [ns_server:debug,2023-06-08T09:58:35.345Z,ns_1@127.0.0.1:<0.3336.1>:ldap_util:with_simple_bind:199]Simple bind for DN "<ud>uid=deacon.linkhorn@couchbase.com,ou=users,dc=dev-74860138,dc=okta,dc=com</ud>": ok
      [ns_server:debug,2023-06-08T09:58:35.346Z,ns_1@127.0.0.1:<0.3336.1>:ldap_auth:get_groups:181]Search groups for user "<ud>test.user@testdomain.com</ud>" using query "ou=groups,dc=dev-74860138,dc=okta,dc=com??one?(uniqueMember=%D)"
      [ns_server:debug,2023-06-08T09:58:35.347Z,ns_1@127.0.0.1:<0.3336.1>:ldap_auth:map_user_to_DN:124]Username->DN: using rule {<<"(.+)">>,
                                {query,<<"ou=users,dc=dev-74860138,dc=okta,dc=com??one?(uid={0})">>}} for "<ud>test.user@testdomain.com</ud>"
      [ns_server:debug,2023-06-08T09:58:35.640Z,ns_1@127.0.0.1:<0.3336.1>:ldap_util:eldap_search:275]LDAP search returned 1 entries
      [ns_server:debug,2023-06-08T09:58:35.640Z,ns_1@127.0.0.1:<0.3336.1>:ldap_auth:get_user_DN:103]Username->DN: Constructed DN: "<ud>uid=test.user@testdomain.com,ou=users,dc=dev-74860138,dc=okta,dc=com</ud>" for "<ud>test.user@testdomain.com</ud>" using query
      [ns_server:debug,2023-06-08T09:58:35.948Z,ns_1@127.0.0.1:<0.3336.1>:ldap_util:eldap_search:275]LDAP search returned 3 entries
      [ns_server:error,2023-06-08T09:58:36.111Z,ns_1@127.0.0.1:<0.3336.1>:ldap_util:eldap_search:282]LDAP search failed: {asn1_enum,87}
      [ns_server:error,2023-06-08T09:58:36.111Z,ns_1@127.0.0.1:<0.3336.1>:ldap_auth:get_groups:226]Groups search for "<ud>test.user@testdomain.com</ud>" returned error: {error,
                                                                             {ldap_search_failed,
                                                                              {asn1_enum,
                                                                               87}}} 
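      If, as the description suspects, the brackets are not escaped when the group DN is substituted into the `(uniqueMember=%D)` filter, the resulting filter is syntactically invalid, which an LDAP server reports as resultCode 87 (filterError in RFC 4511). The following added example (not Couchbase's own ldap_util/ldap_auth code) shows RFC 4515 escaping of a constructed group DN `cn=Admins (EMEA),...` under the page's Okta base DN, and a small filter syntax checker that flags the unescaped form; the checker handles and/or/not and simple filters generally, beyond the single case on the page.

```python
import re

# Added example (not Couchbase's ldap code): RFC 4515 escaping for a DN put into the
# page's "(uniqueMember=%D)" template, and a checker for filters that a server would
# reject with resultCode 87 (filterError, RFC 4511).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 does not allow raw in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(template: str, dn: str, escape: bool = True) -> str:
    """Substitute a DN for %D; escape=False reproduces the broken filter."""
    return template.replace("%D", escape_filter_value(dn) if escape else dn)

def filter_is_valid(filt: str) -> bool:
    """True if filt parses as an RFC 4515 filter (and/or/not, simple, present, substring)."""
    try:
        return _parse(filt, 0) == len(filt)
    except ValueError:
        return False

def _parse(s: str, i: int) -> int:  # parse one '(...)' at s[i], return index after ')'
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '('")
    i += 1
    if i < len(s) and s[i] in "&|":          # (&(..)(..)) / (|(..)(..))
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":         # (!(..))
        i = _parse(s, i + 1)
    else:                                    # (attr op value)
        m = re.match(r"[A-Za-z0-9.;-]+(~=|>=|<=|=)", s[i:])
        if not m:
            raise ValueError("bad attribute or operator")
        i += m.end()
        while i < len(s) and s[i] != ")":
            if s[i] == "\\":                 # only \HH escapes are legal
                if not re.match(r"\\[0-9A-Fa-f]{2}", s[i:]):
                    raise ValueError("bad escape")
                i += 3
                continue
            if s[i] in "(\x00":
                raise ValueError("unescaped special character in value")
            i += 1
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')'")
    return i + 1
```

Running `filter_is_valid` on the unescaped and escaped substitutions of the constructed DN returns False and True respectively; the same check applied before sending a search request lets a client report a malformed filter itself instead of surfacing a bare {asn1_enum,87}.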

      Attachments


        Activity

          People

            Abhijeeth Nuthan
            Deacon Linkhorn

