LDAP incorrectly authenticates user IDs that do not match letter case

Some LDAP implementations are case-insensitive, most notably Microsoft Active Directory. When using one of these LDAP distributions as a Pentaho Server authentication back end, you might run into an issue where a valid user name with invalid letter cases will improperly validate. For instance, if Bill is the valid user ID, and someone types in bILL at the User Console login screen, that name will authenticate, but it might have improper access to parts of the Pentaho Server.

Perform the following steps to force case-sensitivity for user names and fix this potential security risk:

Stop the Pentaho Server.
Edit the /pentaho/server/pentaho-server/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file.
Find <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.DefaultLdapAuthenticationProvider">, and below the last </constructor-arg> element therein, and add the <property> definition shown in the following example:
```
<property name="userDetailsContextMapper">
    <ref bean="ldapContextMapper" />
</property>
```

After the </bean> tag for daoAuthenticationProvider, add the following bean definition, changing the ldapUsernameAttribute from samAccountName to the value that matches your environment:

<bean id="ldapContextMapper" class="org.pentaho.platform.engine.security.UseridAttributeLdapContextMapper">
    <property name="ldapUsernameAttribute" value="samAccountName" />
</bean>

Start the Pentaho Server.

The Pentaho Server will now force case sensitivity in LDAP user names.

PreviousWith LDAP authentication, the PDI Repository Explorer is empty NextConnection timeout issues when using CAS

Last updated 8 months ago

Was this helpful?