LDAP authentication via Workhorse fails when special characters are used.
Zendesk Ticket: https://gitlab.zendesk.com/agent/tickets/13350
Description of issue
When special characters like Å, Ä, Ö, å, ä, ö are used in the common names of LDAP users that authenticate via Workhorse for HTTP cloning, it seems that Workhorse is not parsing them properly, causing a 401 Unauthorized error for the end user. WebUI authentication works as normal with these characters, and it used to work for Git via HTTP prior to the 8.x upgrade.
Replication
I was able to replicate this using our test AD server, an account I created with special characters and a GitLab EE test server. The request returns 401, when it should succeed.
Steps to reproduce
Given that there is a user with the name John Åström in LDAP with the following details:
- Username: jastrom
- Password: p@assw0rd123456 (it's irrelevant)
- LDAP uid: CN=John Åström,CN=Users,DC=xxx,DC=com
- Email: jastrom@example.com
The user is able to sign in, create projects, etc.
Running wget https://X:Y@gitlab.example.com/foo/bar.git/info/refs?service=upload-pack fails with:
--2015-12-09 10:25:13-- http://jastrom:*password*@patricio-ee.gitlap.com/open-source/gitlab-test.git/info/refs?service=upload-pack
Resolving patricio-ee.gitlap.com... 104.131.18.33
Connecting to patricio-ee.gitlap.com|104.131.18.33|:80... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm=""
Reusing existing connection to patricio-ee.gitlap.com:80.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
Running the same command against http://localhost:8080 fails with:
--2015-12-09 10:27:02-- http://jastrom:*password*@localhost:8080/open-source/gitlab-test.git/info/refs?service=upload-pack
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Connecting to localhost (localhost)|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
Next questions
@jacobvosmaer do you have any idea where this request might be going wrong? I am not familiar with the Workhorse codebase at all.