Bug #56734 User Search Pattern in MEM/LDAP overrides User Search Attribute Pattern method
Submitted: 12 Sep 2010 2:55
Modified: 28 Jan 2011 22:39
Reporter: Jonathon Coombes
Status: Closed
Category: MySQL Enterprise Monitor: Server
Severity: S2 (Serious)
Version: 2.2.3.1745
OS: Any
Assigned to: Mark Matthews
CPU Architecture: Any
Tags: active directory, authorisation, LDAP, mem

[12 Sep 2010 2:55] Jonathon Coombes
Description:
The User Search Pattern when defined in MEM/LDAP Bind as User method of authentication overrides the User Search Attribute Pattern method, even though it shows as greyed out.

This is testing MEM against an Active Directory server.

How to repeat:
The included log shows the steps taken:

1. Define the User Search Pattern. In this test case I added something nonsensical to avoid any confusion of subtrees etc. In this case I used the string 'This is the User Search Pattern string' as my pattern.

2. I change the method to use User Search Attribute Pattern and enter a valid search string (proven to work previously), and the User Search Pattern is greyed out, but still showing the string I defined. Save.

3. Log out of admin account and attempt to log in again using the LDAP account details and the log shows the remaining name in the bind attempt as 'This is the User Search Pattern string'.

Suggested fix:
Disable appropriately when greyed out.
[12 Sep 2010 2:57] MySQL Verification Team
Snippet of MEM error log showing the mis-matched string

Attachment: ldap_error_report.txt (text/plain), 9.74 KiB.

[13 Sep 2010 0:58] MySQL Verification Team
There appears to be something more to this issue in that the User Search Attribute Pattern is not being recognised after restart of MEM. Here is how to reproduce having verified that User Search Attribute Pattern method had been working:

1. Restart MEM

2. Attempt to log in with the same LDAP credentials that worked previously - it fails.

3. Log in as admin and you must change the User Search Pattern field and save, then revert to empty and save.

4. Change to User Search Attribute Pattern again and save.

5. Log out and try again to log in - login now works.

Note: Simply changing the User Search Attribute Pattern and then back again and saving did not work.
[4 Oct 2010 20:03] Enterprise Tools JIRA Robot


Attachment: 10460_EM-4786setup.JPG (image/jpeg, text), 41.29 KiB.

[4 Oct 2010 21:30] Enterprise Tools JIRA Robot


Attachment: 10464_mysql-monitor.log (text/plain), 125.05 KiB.

[5 Oct 2010 21:19] Enterprise Tools JIRA Robot
Mark Matthews writes: 
Pushed to 2.2, 2.3 and 3.0.
[7 Oct 2010 19:22] Enterprise Tools JIRA Robot
Andy Bang writes: 
In build 2.3.0.2030.
[8 Oct 2010 15:47] Enterprise Tools JIRA Robot
Marcos Palacios writes: 
Verified fixed in Monitor build 2.3.0.2030.

Tests:
1. Use valid pattern in DN method (this method selected) => auth success
2. Use invalid pattern in DN method (this method selected) => auth failure
3. Use valid pattern in DN method (this method not selected)
     & use valid patterns in Attribute method (this method selected) => auth success
4. Use invalid pattern in DN method (this method not selected)
     & use valid patterns in Attribute method (this method selected) => auth success
5. Use valid pattern in DN method (this method not selected)
     & use invalid patterns in Attribute method (this method selected) => auth failure
6. Use invalid pattern in DN method (this method not selected)
     & use invalid patterns in Attribute method (this method selected) => auth failure
[28 Jan 2011 22:39] John Russell
Added to 2.2.4 and 2.3.0 change log:

The User Search Pattern when defined in MEM/LDAP Bind as User method
of authentication overrode the User Search Attribute Pattern method,
even though it shows as greyed out.
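
The six verification tests listed above can be expressed as a regression matrix over bind-DN resolution. The following is an added example, not MEM's code and not part of the original thread: the config field names, the toy directory and the "any stored DN pattern wins" shape of the defect are assumptions chosen to match the behaviour the report describes.

```python
from dataclasses import dataclass

# Constructed directory (DN -> attributes); a bind succeeds if the DN exists.
DIRECTORY = {"cn=alice,ou=staff,dc=example,dc=com": {"sAMAccountName": "alice"}}

GOOD_DN, BAD_DN = "cn={0},ou=staff,dc=example,dc=com", "This is the User Search Pattern string"
GOOD_ATTR, BAD_ATTR = "(sAMAccountName={0})", "(noSuchAttribute={0})"

@dataclass
class LdapConfig:              # hypothetical field names, not MEM's own
    method: str                # "dn_pattern" or "attribute_search"
    dn_pattern: str            # stays stored even when greyed out in the UI
    attr_filter: str

def search_dn(attr_filter, user):
    """Toy attribute search: return the DN whose attribute equals user."""
    attr, _, value = attr_filter.strip("()").partition("=")
    wanted = value.format(user)
    for dn, attrs in DIRECTORY.items():
        if attrs.get(attr) == wanted:
            return dn
    return None

def resolve_buggy(cfg, user):
    # Assumed shape of the defect: any stored DN pattern wins.
    if cfg.dn_pattern:
        return cfg.dn_pattern.format(user)
    return search_dn(cfg.attr_filter, user)

def resolve_fixed(cfg, user):
    # Dispatch only on the selected method; the other field is ignored.
    if cfg.method == "dn_pattern":
        return cfg.dn_pattern.format(user)
    if cfg.method == "attribute_search":
        return search_dn(cfg.attr_filter, user)
    raise ValueError(f"unknown method: {cfg.method!r}")

# The six cases from the verification comment: (method, DN pattern, filter).
MATRIX = [
    ("dn_pattern", GOOD_DN, GOOD_ATTR), ("dn_pattern", BAD_DN, GOOD_ATTR),
    ("attribute_search", GOOD_DN, GOOD_ATTR), ("attribute_search", BAD_DN, GOOD_ATTR),
    ("attribute_search", GOOD_DN, BAD_ATTR), ("attribute_search", BAD_DN, BAD_ATTR),
]

def run_matrix(resolver, user="alice"):
    return [resolver(LdapConfig(*row), user) in DIRECTORY for row in MATRIX]

if __name__ == "__main__":
    print("buggy:", run_matrix(resolve_buggy))
    print("fixed:", run_matrix(resolve_fixed))
```

Under this model the buggy resolver diverges from the expected results on cases 4 and 5: a stale DN pattern causes a failure where the selected Attribute method is valid, and a success where the selected Attribute method is invalid.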