Bug 47676 - SAML doesn't work with the ldap referral handling in uldap (_handle_referral)
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2018-08-27 12:51 CEST by Jürn Brodersen
Modified: 2022-12-21 14:37 CET (History)
CC List: 3 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018120421000308
Bug group (optional): SAML
Max CVSS v3 score:
Description Jürn Brodersen univentionstaff 2018-08-27 12:51:08 CEST
SAML doesn't work with the ldap referral handling in uldap (_handle_referral)

The ldap referral handler in uldap.py only does a simple bind, which doesn't work with saml.

As a result, the frontend is stuck in a login loop because the actual SAML login is successful but the simple bind is not.

The referral handling is used, for example, when setting UMC favorites on a slave.

See also bug 46516.

Note: changing your own password on slaves works with saml, because the old password is given and is used for the simple bind.
Comment 1 Jürn Brodersen univentionstaff 2018-12-05 13:36:03 CET
This prevents teachers from resetting student passwords in multischool environments.
Comment 2 Jürn Brodersen univentionstaff 2018-12-05 21:11:09 CET
(In reply to Jürn Brodersen from comment #1)
> This prevents teachers to reset student passwords in multischool
> environments.

As long as ldap/master is set right, this is probably something else.
There might be something wrong with /etc/ldap/sasl2/slapd.conf on the master.
Comment 3 Erik Damrose univentionstaff 2019-01-15 16:19:49 CET
The actual issue on the initially referenced ticket 2018120421000308 was different (outdated registration of UMC services, fixed by re-downloading IdP metadata).
Removing school customer flags, TicketNr, lowering user pain.