Error auth encoding in LDAP

[IdentySergey]

Expected Behavior

It is expected that it will be possible to use Cyrillic characters in DN.

Current Behavior

Unable to login via LDAP with account following DN
sAMAccountName: i.ivanov
CN=Иванов Иван,OU=Users,DC=home,DC=local (Cyrillic symbols)

Upon request to
http://minio.local:9000/?Action=AssumeRoleWithLDAPIdentity&LDAPUsername=i.ivanov&LDAPPassword=*****&Version=2011-06-15

We receive the following error:

<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <Error>
        <Type></Type>
        <Code>InvalidParameterValue</Code>
        <Message>LDAP server error: LDAP auth failed for DN cn=**\d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd**,ou=Users,dc=home,dc=local: LDAP Result Code 49 &#34;Invalid Credentials&#34;: 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 52e, v4563 </Message>
    </Error>
    <RequestId>17D0040BD4CB1718</RequestId>
</ErrorResponse>

where \d0\98\d0\b2\d0\b0\d0\bd\d0\be\d0\b2 \d0\98\d0\b2\d0\b0\d0\bd - wrong encoding.

When using CN=test,OU=Users,DC=home,DC=local

<AssumeRoleWithLDAPIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
    <AssumeRoleWithLDAPIdentityResult>
        <Credentials>
            <AccessKeyId>...</AccessKeyId>
            <SecretAccessKey>...</SecretAccessKey>
            <SessionToken>...</SessionToken>
            <Expiration>...</Expiration>
        </Credentials>
    </AssumeRoleWithLDAPIdentityResult>
    <ResponseMetadata>
        <RequestId>..</RequestId>
    </ResponseMetadata>
</AssumeRoleWithLDAPIdentityResponse>

Your Environment

running in docker signle node.

minio version RELEASE.2024-05-10T01-41-38Z (commit-id=b5984027386ec1e55c504d27f42ef40a189cdb55)
Runtime: go1.22.3 linux/amd64
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.

Linux 6207cee3b5da 5.15.0-107-generic #117-Ubuntu SMP Fri Apr 26 12:26:49 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

upd 17.05.24: running as service ubuntu, behavior is the same.

[vadmeste]

@IdentySergey any MinIO server log ?

[IdentySergey]

@vadmeste

trace:
sts.AssumeRoleWithLDAPIdentity 400 Bad Request

service stdout:
no errors.

logs
No logs to display

upd:
I installed on ubuntu with locales the problem remains the same.

[vadmeste]

https://ldapwiki.com/wiki/Wiki.jsp?page=Common%20Active%20Directory%20Bind%20Errors

are you using Active Directory ? your error simply means you password is incorrect

[IdentySergey]

your error simply means you password is incorrect

Thanks for the link, we looked at it in detail and checked the important assumption.

The password is correct and has been verified.

For testing, we set the password to 12345678Qq, so as not to make a mistake.

The error only occurs when Cyrillic characters are used in CN

[fryshorts]

I can confirm the issue with a german Umlaut in the dn, where ä gets transformed to \c3\a4.

[harshavardhana]

@IdentySergey what is your user_dn_search_filter?

[IdentySergey]

@harshavardhana
MINIO_IDENTITY_LDAP_USER_DN_SEARCH_FILTER: (sAMAccountName=%s)

[harshavardhana]

Okay found the mistake, we need to communicate with LDAP via the actual DN instead of the normalized DN that we need for internal representation.

[harshavardhana]

Please try #19805 this PR in your environment.