AD integration not working when password has special char &

[WillemDH]

Hello,

The new ad integration component is really nice. But I'm getting reports from users for who it does not seem to work. After some debugging it seems when a password contains a special character like ampersant '&' they are not able to log in. ("The URL submitted has disallowed characters")

I made a bug report for this issue => http://tracker.nagios.com/view.php?id=739

Willem

[jolson]

You might try accessing the following file: /var/www/html/nagioslogserver/application/config/config.php

Change:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-*,';

To:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-*,&';

Note that I'm not aware of the security complications of making this change, but it will likely resolve the issue regarding your users using ampersands in their passwords. You may also add any other character that is necessary.

[WillemDH]

Jesse,

Just got the confirmation it is still not working after editing /var/www/html/nagioslogserver/application/config/config.php

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-*,&';

Anything I'm missing?

Grtz

[jolson]

As far as I can tell, there isn't anything missing. Did you test a password with only an ampersand - 12345password& for instance?

For any other special character, it will likely need to be added to the config.php file mentioned as well. I'm currently double-checking my logic with a developer to ensure that this is the proper solution - expect me to get back to you about that soon.

[WillemDH]

Ok, Jesse. And I will change my password as soon as I have some time to confirm this user's issue.

[jolson]

After speaking with one of our NLS developers and doing some testing of my own, I could not find a single special character that did not work. I am on NLS version 2015R2.1, using a Windows Server 2008R2 as an Active Directory server.

I tested the following characters:

Code: Select all

!@#
success

$%^
success

&*(
success

)_+
success

=-`
success

~[]
success

{}\
success

|;'
success

:",
success

<.>
success

/?
success

abc123!@#$%^&*()-=_+[]{}\|;:'",<.>/?`~
success

Did you find anything out on your end? Maybe a few examples of non-working passwords would be good so that I might reproduce this on my end.

[WillemDH]

Jesse,

Ok, I changed my own password to Jip&Janneke1? and tried logging into NLS.
First attempt after 10 sec => Invalid credentials
Second attempt after 30 sec => Invalid credentials
Third attempt with my old password after 40 sec => Successful login
So it seem like ad account replication is quite slow, so I waited another 2 minutes and tried loggign in in againw ith my old password => Invalid credentials
Tried again with the new password Jip&Janneke1? => Invalid credentials
So I tried a few more times after a full yum update and reboot, still doesn't work with the Jip&Janneke1? password.
Our AD domain controllers are 2008 R2, but our domain functional level is still 2003.

Grtz

Willem

[lmiltchev]

Willem,

I believe the issue is with treating "&" as a html character. It needs to be escaped somehow. Try this "workaround" - log in:

username: <your username>
password: Jip&Janneke1?

I will talk to our devs to see if they can fix the issue.

[jolson]

From our development team:

in the config.php in his application/config folder there is a setting called "global_xss_filtering" he needs to turn to FALSE

Code: Select all

vi /var/www/html/nagioslogserver/application/config/config.php

Change:
$config['global_xss_filtering'] = TRUE;

To:
$config['global_xss_filtering'] = FALSE;

This worked for me - I suggest giving it a shot! Make that change on all of your NLS nodes - this config file is not overwritten by our upgrade script, so you won't have to be concerned about that.

Thanks!

[WillemDH]

I can confirm setting

Code: Select all

$config['global_xss_filtering'] = FALSE;

enables us to use '&' in passwords.

Thanks all for the help and feedback. this thread can be closed.

Grtz

Willem