incorrectly transmitted password with ldap (AD) resolver on 3.10.2 with Debian 12

sfoutrel · January 29, 2025, 1:57pm

Hello

I installed privacyidea 3.10.2 on a Debian 12 in a venv.

Setup went fine and tests with TOTP and SQL Table are ok.

I configured a LDAP resolver (Active Directory) associated with another realm and got my userlist.
Created a new token linked to my AD User. Setup of policies are done.
When trying connexions I always received a wrong otp pin (which mean my AD password is wrong.

I changed my AD password to a simpler one and it worked.

Is there a known problem with some symbols or letters in password ?

The problematic password was only made of 16 letters in A-Za-z0-9 and ending with !

I see that ldap3 lib version is pretty old. Do you plan on update the requirement libs ?

Thank you.

plettich · January 29, 2025, 4:40pm

We have had some problems with passwords coming in through FreeRADIUS in weird encodings. How did You test the authentication? When using curl on the command line the shell might try to interpret the !.
Unfortunately there is an open issue with current ldap3 releases which prevents us from updating: objectGUID contains "5c" makes the filter parser fails to parse · Issue #1000 · cannatag/ldap3 · GitHub