Allow ldap auth via rest api #260
Comments
Comment by EugeneKay I'm confused; I am using LDAP authentication just fine?
Comment by muff1nman Via an Android app? That would be surprising.
Verified this is an issue today with the dsub app
For some reason the DSub Variant from F-Droid works for me with LDAP auth. None of the other apps though.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Strangely, I can confirm @thallian statement: D-Sub from F-Droid works fine with airsonic 10.1.2 and LDAP, but D-Sub from play market doesn't
Dsub from fdroid is stalled at version 5.0.3. Current version is 5.4.2 on his github releases page and should be the same on the play store.
Yep, that's the reason. I've compiled 5.4.2 floss version from sources and it's not working. If I have enough spare time I'll try to pinpoint the exact version of D-Sub when this stopped working and peek at the diff involved, maybe I'll get some insights regarding the issue.
I've narrowed the cause down to a change between v5.2.2 and v5.3 of DSub. Hope that helps...
cc @daneren2005
This issue has been automatically marked as stale because it has not had recent activity. Thank you for your contributions.
Same problem here, can't connect with Dsub from Play Store and LDAP auth configured... Just sent a mail to @daneren2005 about this. Hope it will be patched soon!
@PoGo606 The problem can be found here: popeen/Booksonic-App#68 (comment) I'm not sure how to fix it however I used nginx subfilter to change the response and got it working.
Thank you @hjone72 for your answer. Actually, I think I have a different issue here. Here is the request made by DSUB App: Response: Same with official Subsonic app: Response: Both Apps are working well with official Subsonic server.
There is a GET request that the app does to find out what capabilities the server has. If the server returns 'subsonic' the app thinks the server supports (GET + Encrypted + Salted). When the server responds with 'madsonic' it uses the old method. It was a while ago that I found these bits and pieces so I'm just working from memory here. I believe it could be fixed either at the app end or the server end. I didn't have time to figure it out so just put a dirty hack in place. :)
The challenge-response mechanism of sending This isn't so tragic. Sending plain-text passwords over HTTPS is arguably much more secure than storing them in a database, and everyone should be using HTTPS by now, so I'd recommend deprecating this authentication mechanism. Hopefully it will make at least some clients switch to the other, ironically more modern, method. EDIT: By the way, the MD5-based auth isn't even a passable challenge-response scheme. The main purpose of such a scheme is to make it harder to get the password by packet sniffing. You may, however, notice that there's no "challenge" phase in Subsonic's auth mechanism. Since the nonce is chosen by the client, there's nothing preventing a replay attack by simply sending both
What are you suggesting to deprecate? LDAP auth or md5(password + nonce)?
Sorry I wasn't clear, the
Does the trick, just add
This issue has been automatically marked as stale because it has not had recent activity. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. Thank you for your contributions.
An old issue, I know. I've just got everything up and running with LDAPS authentication but can't get DSub authenticating. Can you or anyone else clarify where I put this into the Nginx configuration? I guess that in reality this is an issue that needs looking at within the DSub code itself?
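Added example, not code from this thread or from Airsonic/DSub: the Subsonic token scheme the comments above describe, shown from the server's side to make two points concrete: the server can only check `t = md5(password + s)` if it holds the cleartext password (so an LDAP-backed user has nothing to compare against), and because the client picks `s`, a sniffed `(s, t)` pair validates again unchanged. `SaltTrackingVerifier` is a hypothetical server-side mitigation assumed here, not an Airsonic feature.

```python
import hashlib
import hmac


def make_token(password: str, salt: str) -> str:
    """Client side of Subsonic token auth: t = hex(md5(password + s))."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()


def verify_token(cleartext_password, salt: str, token: str) -> bool:
    """Server side: recompute the token from the stored cleartext password.

    For an LDAP-backed user the server never sees a reusable cleartext
    password (it only binds against the directory), so cleartext_password
    is None and the check cannot succeed. This is the failure the thread
    observes with newer DSub builds.
    """
    if cleartext_password is None:
        return False
    expected = make_token(cleartext_password, salt)
    return hmac.compare_digest(expected, token)


class SaltTrackingVerifier:
    """Hypothetical mitigation (assumption, not an Airsonic feature):
    remember every (user, salt) that already authenticated and refuse
    reuse, so an (s, t) pair captured from the wire cannot be replayed.
    `users` maps username -> cleartext password, or None for LDAP users.
    """

    def __init__(self, users: dict):
        self.users = users
        self.seen = set()

    def verify(self, user: str, salt: str, token: str) -> bool:
        if (user, salt) in self.seen:
            return False  # replayed salt: the scheme alone would accept it
        ok = verify_token(self.users.get(user), salt, token)
        if ok:
            self.seen.add((user, salt))
        return ok


if __name__ == "__main__":
    # Constructed sample data: one local user, one LDAP-backed user.
    server = SaltTrackingVerifier({"joe": "sesame", "ldapuser": None})
    s, t = "c19b2d", make_token("sesame", "c19b2d")
    print("first use accepted :", server.verify("joe", s, t))
    print("replay rejected    :", not server.verify("joe", s, t))
    print("ldap user rejected :", not verify_token(None, s, make_token("x", s)))
```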
DSub v. 5.5.2 has been recently pushed to F-Droid instead of v 5.0.3 with a lot of changes, but it's now not able to connect to the Airsonic server when LDAP is used as set here in the yunohost package. See airsonic/airsonic#260 for details. The changes use the sub_filter directive to make the server think it's madsonic and use the old auth method. The SSOWAT user panel has been disabled since it also contains a sub_filter_once directive.
Issue by muff1nman
Saturday Feb 25, 2017 at 23:47 GMT
Originally opened as https://github.com/Libresonic/libresonic/issues/258
When I was fixing up the ldap auth a week or so back I noticed that the REST api stuff uses a different authentication mechanism which makes it so that ldap authentication does not work via the REST api and by extension android apps. We should really change the auth mechanism on the REST endpoints to use the same auth as the rest of the app. This might be work that should be done along with #69.