Bug 46806 - [4.3] ucs-school-ntlm-auth is case sensitive for wlan access for hostnames
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Radius
Version: UCS@school 4.3
Hardware: All All
Importance: P5 normal
Target Milestone: UCS@school 4.3 v3
Assigned To: Sönke Schwardt-Krummrich
QA Contact: Jürn Brodersen
Depends on: 45684
Blocks: 46924
Reported: 2018-04-11 13:04 CEST by Sönke Schwardt-Krummrich
Modified: 2018-06-04 15:27 CEST (History)

What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.411
School Customer affected?: Yes


Description Sönke Schwardt-Krummrich univentionstaff 2018-04-11 13:04:20 CEST
Bug for UCS@school 4.3

+++ This bug was initially created as a clone of Bug #45684 +++

UCS@school 4.1 R2 v13 / paedML 7

Unfortunately the ucs-school-ntlm-auth is case sensitive for wlan access for hostnames.

The customer reported the issue and we reproduced the bug for the following use cases:
Case 1: 
1. Create machine account "C06laptpo"
2. Joined the Windows client 

Case 2: 
1. Joined the Windows client "c06laptpo"
2. Machine account "C06LAPTPO" will be automatically created

For both machine accounts the WLAN access failed because the Windows clients send "host/c06laptpo.paedml-linux.lokal" and ucs-school-ntlm-auth-script failed with "user not found in any relevant group - access denied". Log attached.
But both machine accounts had all necessary WLAN-Requirements according to https://www.univention.de/2017/10/wlan-fuer-schultraeger-byod-gyod/
3.1 Internet rule with wlan=true
3.2 Created class
3.3 Added machine account to class
3.4 Assigned internet rule to class

Using c06laptpo worked like a charm!
Case 1: 
1. Create machine account "c06laptpo"
2. Joined the Windows client 

The problem seems to be in loadInfo() during parsing of group membership.
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2018-04-11 14:27:55 CEST
An internal comparison when assigning user/host names to WLAN groups was case-sensitive, which meant that access to the WLAN was not granted if the user/host name was spelled incorrectly.

The existing test cases 72_radius_authentication and 72_radius_machine_authentication have been extended and now check with the given username, lowercase username, uppercase username and random-case username.

0e08c72a Bug #46806: Merge branch 'sschwardt/46806/43/radius_hostnames' into 4.3
a5b721d6 Bug #46806: add changelog entry
60697637 Bug #46806: check if radius authentication also works with camel case usernames/hostnames
9d7c35fd Bug #46806: add advisory
f6548867 Bug #46806: add changelog entry
c8c28384 Bug #46806: remove case-sensitivity of hostnames/usernames in ucs-school-ntlm-auth

Package: ucs-school-radius-802.1x
Version: 7.0.0-8A~4.3.0.201804111426
Branch: ucs_4.3-0
Scope: ucs-school-4.3

Package: ucs-test-ucsschool
Version: 4.0.4-83A~4.2.0.201804111425
Branch: ucs_4.2-0
Scope: ucs-school-4.2
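
The case-sensitive group lookup described in this report, next to a case-folded one, as an added example that is not code from ucs-school-ntlm-auth. The function names, the group layout, the sample data and the rule that one WLAN-enabled group grants access are assumptions made for illustration; only the `host/<fqdn>` identity format and the hostnames come from the report.

```python
# Added illustration; group layout and names are constructed, not the project's.
GROUPS = {
    "class-6a": {"wlan": True, "members": ["C06LAPTPO", "Anna.Schmidt"]},
    "class-7b": {"wlan": False, "members": ["c07desk01"]},
}


def account_name(identity):
    """Reduce a RADIUS identity to a bare account name.

    Machines send "host/<fqdn>" (as in the report); users send a plain name.
    """
    if identity.lower().startswith("host/"):
        identity = identity[len("host/"):].split(".", 1)[0]
    return identity


def allowed_exact(identity, groups):
    """Case-sensitive lookup: reproduces the behaviour the report describes."""
    name = account_name(identity)
    return any(g["wlan"] and name in g["members"] for g in groups.values())


def allowed_folded(identity, groups):
    """Fold both sides before comparing; unknown names are still denied."""
    name = account_name(identity).casefold()
    return any(
        g["wlan"] and name in {m.casefold() for m in g["members"]}
        for g in groups.values()
    )


def case_variants(identity):
    """Given, lowercase, uppercase and mixed-case spellings of an identity."""
    mixed = "".join(
        c.upper() if i % 2 else c.lower() for i, c in enumerate(identity)
    )
    return [identity, identity.lower(), identity.upper(), mixed]


if __name__ == "__main__":
    sent = "host/c06laptpo.paedml-linux.lokal"  # identity from the report
    print("exact :", allowed_exact(sent, GROUPS))
    print("folded:", [allowed_folded(v, GROUPS) for v in case_variants(sent)])
```

Folding only widens which spelling of a known account matches: a host in a group without WLAN access and a host in no group are denied by both functions.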
Comment 2 Jürn Brodersen univentionstaff 2018-04-18 18:14:11 CEST
The radius identity is not case sensitive anymore -> OK

YAML change:
[4.3 98d9f4e8] Bug #46806: YAML

-> Verified
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-05-02 17:59:05 CEST
UCS@school 4.3 v3 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v3-de.html

If this error occurs again, please clone this bug.