Bug #13749

Getting avatar from openldap seems to be broken

Added by Dirk Götz over 2 years ago. Updated 24 days ago.

Status: New
Priority: Normal
Assigned To: -
Category: Authentication
Target version: -
Difficulty: -
Bugzilla link: 1573243
Found in release: 1.15.0
Pull request: -
Story points: -
Velocity based estimate: -

Description

I created a user with the following ldif:

dn: cn=dgoetz,ou=users,dc=localdomain
objectClass: inetOrgPerson
cn: dgoetz
sn: Goetz
description: Dirk Goetz
userPassword: {SSHA}SmI4N/QECJfMFprv9sMnTD7KZUq46Yw8
givenName: Dirk
mail: dgoetz@localdomain
uid: dgoetz
jpegPhoto:< file:///root/dgoetz.jpg

When I login with the user the avatar is downloaded and the file is created but is not a valid picture.

# file /var/lib/foreman/public/assets/avatars/6e15a0e85405ddd9f25abc3aee0b212ea2ca6bfb.jpg 
/var/lib/foreman/public/assets/avatars/6e15a0e85405ddd9f25abc3aee0b212ea2ca6bfb.jpg: data

If I search the ldap I get:

# dgoetz, users, localdomain
dn: cn=dgoetz,ou=users,dc=localdomain
objectClass: inetOrgPerson
cn: dgoetz
sn: Goetz
description: Dirk Goetz
userPassword:: e1NTSEF9U21JNE4vUUVDSmZNRnBydjlzTW5URDdLWlVxNDZZdzg=
givenName: Dirk
mail: dgoetz@localdomain
uid: dgoetz
jpegPhoto:: /9j/4AAQSkZJRgABAQEBZwFnAAD/4gxYSUNDX1BST0ZJTEUAAQEAAAxITGlubwIQAA
 BtbnRyUkdCIFhZWiAHzgACAAkABgAxAABhY3NwTVNGVAAAAABJRUMgc1JHQgAAAAAAAAAAAAAAAQA
 A9tYAAQAAAADTLUhQICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAABFjcHJ0AAABUAAAADNkZXNjAAABhAAAAGx3dHB0AAAB8AAAABRia3B0AAACBAAAABRyWFlaA
 AACGAAAABRnWFlaAAACLAAAABRiWFlaAAACQAAAABRkbW5kAAACVAAAAHBkbWRkAAACxAAAAIh2dW
 VkAAADTAAAAIZ2aWV3AAAD1AAAACRsdW1pAAAD+AAAABRtZWFzAAAEDAAAACR0ZWNoAAAEMAAAAAx
 yVFJDAAAEPAAACAxnVFJDAAAEPAAACAxiVFJDAAAEPAAACAx0ZXh0AAAAAENvcHlyaWdodCAoYykg
 MTk5OCBIZXdsZXR0LVBhY2thcmQgQ29tcGFueQAAZGVzYwAAAAAAAAASc1JHQiBJRUM2MTk2Ni0yL
 jEAAAAAAAAAAAAAABJzUkdCIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWFlaIAAAAAAAAPNRAAEAAAABFsxYWVogAAAAAAAAAAAAAAA
 AAAAAAFhZWiAAAAAAAABvogAAOPUAAAOQWFlaIAAAAAAAAGKZAAC3hQAAGNpYWVogAAAAAAAAJKAA
 AA+EAAC2z2Rlc2MAAAAAAAAAFklFQyBodHRwOi8vd3d3LmllYy5jaAAAAAAAAAAAAAAAFklFQyBod
 HRwOi8vd3d3LmllYy5jaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 AAAABkZXNjAAAAAAAAAC5JRUMgNjE5NjYtMi4xIERlZmF1bHQgUkdCIGNvbG91ciBzcGFjZSAtIHN
 SR0IAAAAAAAAAAAAAAC5JRUMgNjE5NjYtMi4xIERlZmF1bHQgUkdCIGNvbG91ciBzcGFjZSAtIHNS
 R0IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGVzYwAAAAAAAAAsUmVmZXJlbmNlIFZpZXdpbmcgQ29uZ
 Gl0aW9uIGluIElFQzYxOTY2LTIuMQAAAAAAAAAAAAAALFJlZmVyZW5jZSBWaWV3aW5nIENvbmRpdG
 lvbiBpbiBJRUM2MTk2Ni0yLjEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHZpZXcAAAAAABOk/gA
 UXy4AEM8UAAPtzAAEEwsAA1yeAAAAAVhZWiAAAAAAAEwJVgBQAAAAVx/nbWVhcwAAAAAAAAABAAAA
 AAAAAAAAAAAAAAAAAAAAAo8AAAACc2lnIAAAAABDUlQgY3VydgAAAAAAAAQAAAAABQAKAA8AFAAZA
 B4AIwAoAC0AMgA3ADsAQABFAEoATwBUAFkAXgBjAGgAbQByAHcAfACBAIYAiwCQAJUAmgCfAKQAqQ
 CuALIAtwC8AMEAxgDLANAA1QDbAOAA5QDrAPAA9gD7AQEBBwENARMBGQEfASUBKwEyATgBPgFFAUw
 BUgFZAWABZwFuAXUBfAGDAYsBkgGaAaEBqQGxAbkBwQHJAdEB2QHhAekB8gH6AgMCDAIUAh0CJgIv
 AjgCQQJLAlQCXQJnAnECegKEAo4CmAKiAqwCtgLBAssC1QLgAusC9QMAAwsDFgMhAy0DOANDA08DW
 gNmA3IDfgOKA5YDogOuA7oDxwPTA+AD7AP5BAYEEwQgBC0EOwRIBFUEYwRxBH4EjASaBKgEtgTEBN
 ME4QTwBP4FDQUcBSsFOgVJBVgFZwV3BYYFlgWmBbUFxQXVBeUF9gYGBhYGJwY3BkgGWQZqBnsGjAa
 dBq8GwAbRBuMG9QcHBxkHKwc9B08HYQd0B4YHmQesB78H0gflB/gICwgfCDIIRghaCG4IggiWCKoI
 vgjSCOcI+wkQCSUJOglPCWQJeQmPCaQJugnPCeUJ+woRCicKPQpUCmoKgQqYCq4KxQrcCvMLCwsiC
 zkLUQtpC4ALmAuwC8gL4Qv5DBIMKgxDDFwMdQyODKcMwAzZDPMNDQ0mDUANWg10DY4NqQ3DDd4N+A
 4TDi4OSQ5kDn8Omw62DtIO7g8JDyUPQQ9eD3oPlg+zD88P7BAJECYQQxBhEH4QmxC5ENcQ9RETETE
 RTxFtEYwRqhHJEegSBxImEkUSZBKEEqMSwxLjEwMTIxNDE2MTgxOkE8UT5RQGFCcUSRRqFIsUrRTO
 FPAVEhU0FVYVeBWbFb0V4BYDFiYWSRZsFo8WshbWFvoXHRdBF2UXiReuF9IX9xgbGEAYZRiKGK8Y1
 Rj6GSAZRRlrGZEZtxndGgQaKhpRGncanhrFGuwbFBs7G2MbihuyG9ocAhwqHFIcexyjHMwc9R0eHU
 cdcB2ZHcMd7B4WHkAeah6UHr4e6R8THz4faR+UH78f6iAVIEEgbCCYIMQg8CEcIUghdSGhIc4h+yI
 nIlUigiKvIt0jCiM4I2YjlCPCI/AkHyRNJHwkqyTaJQklOCVoJZclxyX3JicmVyaHJrcm6CcYJ0kn
 eierJ9woDSg/KHEooijUKQYpOClrKZ0p0CoCKjUqaCqbKs8rAis2K2krnSvRLAUsOSxuLKIs1y0ML
 UEtdi2rLeEuFi5MLoIuty7uLyQvWi+RL8cv/jA1MGwwpDDbMRIxSjGCMbox8jIqMmMymzLUMw0zRj
 N/M7gz8TQrNGU0njTYNRM1TTWHNcI1/TY3NnI2rjbpNyQ3YDecN9c4FDhQOIw4yDkFOUI5fzm8Ofk
 6Njp0OrI67zstO2s7qjvoPCc8ZTykPOM9Ij1hPaE94D4gPmA+oD7gPyE/YT+iP+JAI0BkQKZA50Ep
 QWpBrEHuQjBCckK1QvdDOkN9Q8BEA0RHRIpEzkUSRVVFmkXeRiJGZ0arRvBHNUd7R8BIBUhLSJFI1
 0kdSWNJqUnwSjdKfUrESwxLU0uaS+JMKkxyTLpNAk1KTZNN3E4lTm5Ot08AT0lPk0/dUCdQcVC7UQ
 ZRUFGbUeZSMVJ8UsdTE1NfU6pT9lRCVI9U21UoVXVVwlYPVlxWqVb3V0RXklfgWC9YfVjLWRpZaVm
 4WgdaVlqmWvVbRVuVW+VcNVyGXNZdJ114XcleGl5sXr1fD19hX7NgBWBXYKpg/GFPYaJh9WJJYpxi
 8GNDY5dj62RAZJRk6WU9ZZJl52Y9ZpJm6Gc9Z5Nn6Wg/aJZo7GlDaZpp8WpIap9q92tPa6dr/2xXb
 K9tCG1gbbluEm5rbsRvHm94b9FwK3CGcOBxOnGVcfByS3KmcwFzXXO4dBR0cHTMdSh1hXXhdj52m3
 b4d1Z3s3gReG54zHkqeYl553pGeqV7BHtje8J8IXyBfOF9QX2hfgF+Yn7CfyN/hH/lgEeAqIEKgWu
 BzYIwgpKC9INXg7qEHYSAhOOFR4Wrhg6GcobXhzuHn4gEiGmIzokziZmJ/opkisqLMIuWi/yMY4zK
 jTGNmI3/jmaOzo82j56QBpBukNaRP5GokhGSepLjk02TtpQglIqU9JVflcmWNJaflwqXdZfgmEyYu
 JkkmZCZ/JpomtWbQpuvnByciZz3nWSd0p5Anq6fHZ+Ln/qgaaDYoUehtqImopajBqN2o+akVqTHpT
 ilqaYapoum/adup+CoUqjEqTepqaocqo+rAqt1q+msXKzQrUStuK4trqGvFq+LsACwdbDqsWCx1rJ
 LssKzOLOutCW0nLUTtYq2AbZ5tvC3aLfguFm40blKucK6O7q1uy67p7whvJu9Fb2Pvgq+hL7/v3q/
 9cBwwOzBZ8Hjwl/C28NYw9TEUcTOxUvFyMZGxsPHQce/yD3IvMk6ybnKOMq3yzbLtsw1zLXNNc21z
 jbOts83z7jQOdC60TzRvtI/0sHTRNPG1EnUy9VO1dHWVdbY11zX4Nhk2OjZbNnx2nba+9uA3AXcit
 0Q3ZbeHN6i3ynfr+A24L3hROHM4lPi2+Nj4+vkc+T85YTmDeaW5x/nqegy6LzpRunQ6lvq5etw6/v
 shu0R7ZzuKO6070DvzPBY8OXxcvH/8ozzGfOn9DT0wvVQ9d72bfb794r4Gfio+Tj5x/pX+uf7d/wH
 /Jj9Kf26/kv+3P9t////2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQD
 Q4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFB
 QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT/wgARCAAeAB4DAREAAhEBAxEB/8Q
 AGwAAAQQDAAAAAAAAAAAAAAAACAMFBgcAAgT/xAAUAQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIQ
 AxAAAAEqTjFxUwq8mg+Feg1CwTYAYxGpIT//xAAfEAABBAICAwAAAAAAAAAAAAAFAQMEBgACBxIQE
 RT/2gAIAQEAAQUCz6O0jTfsvgsm7RsSyujGWm8Dao21d4djKD+XZQ4hWbeOtbB+a6TNonrOuBDEkF
 J//8QAFBEBAAAAAAAAAAAAAAAAAAAAQP/aAAgBAwEBPwEH/8QAFBEBAAAAAAAAAAAAAAAAAAAAQP/
 aAAgBAgEBPwEH/8QAKRAAAgEDAgQFBQAAAAAAAAAAAQIDAAQRITEFEBITIiMyUWFDUnGBof/aAAgB
 AQAGPwKjCmrKMt8URsw59yLvPcHGFjbHh+aEjPI7OPq7jli4fu3RGVto/Ufz7CpZuNPNYhdYGtCcg
 fb+6lxbCXhhPlwE+JF23pns3IkT1wyaMtX11KcvJMx/ugrUZ5PNbP0OydBx7V//xAAhEAEAAQMDBQ
 EAAAAAAAAAAAABEQAhMRBBUWFxgZHBsf/aAAgBAQABPyGohA6ZiDipTNyfdYU2KYscHN6G0G0N5h9
 ukyGTQNn9D4mhWchwy7TPVzxRCeSPMAi+7EsmVoAdEbu43OpTM7wOCzsAB4q8gs5xUqeskijIflf/
 2gAMAwEAAgADAAAAEIBJBJJIBP/EABQRAQAAAAAAAAAAAAAAAAAAAED/2gAIAQMBAT8QB//EABQRA
 QAAAAAAAAAAAAAAAAAAAED/2gAIAQIBAT8QB//EAB0QAQEAAgIDAQAAAAAAAAAAAAERACExYRBBUZ
 H/2gAIAQEAAT8QzhIjdTppqx61zgv7AdtHgPsd/j88mGSFiSuhFBbtwLMaiEaB34tg7tFqKdMj7GM
 QmJH+EYqhXKyfriMZJ8dnIbYLCVxzogN3CCivsTgY6xhJuzNA6ZPgw1uKCor7nYY7QAKVPrs5/9k=

And if I copy the base64 string to a file, join the lines and decode it, I get a valid jpeg back.

# cat /tmp/base64 | base64 -d > /tmp/dgoetz.jpg
# file /tmp/dgoetz.jpg 
/tmp/dgoetz.jpg: JPEG image data, JFIF standard 1.01

So something seems to be broken, but looking at the code I have no idea what. When I tried to remove the decoding and output the file in binary, I already got some content not matching the base64 string, and if the output was not written in binary I got an empty file. Also removing the to_utf8 for testing showed the same result.


Related issues

Duplicated by Foreman - Bug #15127: Photo attribute configured for LDAP source, image not displayed (Duplicate, 05/22/2016)

History

#1 Updated by John Beranek about 1 year ago

I'm seeing this issue too, the avatars obtained from our Active Directory are not being saved correctly:

$ od -c /var/lib/foreman/public/assets/avatars/54cf8135e2114eb915bcbfaf162f324eeab26293.jpg [18:14:38]
0000000 $ R 005 034 p 276 \b 257 ( 270 %
0000013

There is also another issue, as when the Foreman pages try to download the avatar image they get a 404:

foreman-ssl_access_ssl.log:10.4.4.48 - - [22/Apr/2017:18:12:44 +0100] "GET /images/avatars/54cf8135e2114eb915bcbfaf162f324eeab26293.jpg HTTP/1.1" 404 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"

This is with Foreman 1.14.3/Katello 3.3.1

#2 Updated by Thomas Steudten 12 months ago

  • Priority changed from Low to Normal
  • Found in release changed from 1.10.1 to 1.15.0

Hi,
foreman-1.15.0 contains the same bug. I tried a little bit to find out what happens.
My fix is this:
Edit this file: /usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb like this:

  def store_avatar(avatar)
    # avatar = avatar.to_utf8
    avatar_hash = Digest::SHA1.hexdigest(avatar)
    avatar_file = "#{avatar_path}/#{avatar_hash}.jpg"
    unless FileTest.exist? avatar_file
      FileUtils.mkdir_p(avatar_path)
      # File.open(avatar_file, 'wb') { |f| f.write(Base64.decode64(avatar)) }
      File.open(avatar_file, 'wb') { |f| f.write(avatar) }
    end
    avatar_hash
  end

Maybe you have to add one more symbolic link here: /var/lib/foreman/public/images -> assets.
Make sure to set the owner and group to foreman:foreman.

Restart foreman and httpd and it will give you the avatar picture back.

file 4043ebc4b8943415326ff6d78f887c7a040ebb62.jpg
4043ebc4b8943415326ff6d78f887c7a040ebb62.jpg: JPEG image data, JFIF standard 1.01

Thomas

#3 Updated by Tomer Brisker 6 months ago

  • Duplicated by Bug #15127: Photo attribute configured for LDAP source, image not displayed added

#4 Updated by Dirk Götz 3 months ago

I can confirm the mentioned fix works.

For the code change I could create a pull request, but I have no idea where the symlink has to be created or whether it would be better to change the URL instead (whose origin I could not find).

#5 Updated by Derek Wright about 1 month ago

Did some testing on this and the issue appears to be that net/ldap will automatically convert the base64 data to binary representation (Net::BER::BerIdentifiedString). We can check the type by doing the following in app/models/auth_sources/auth_source_ldap.rb(line 218):

avatar = avatar.instance_of?(Net::BER::BerIdentifiedString) ? avatar : avatar.to_utf8

Now, where I'm getting hung up is how we want to handle writing the data. I don't want to move the base64 decode up sooner in the logic, as it will increase overhead on every login. There is also the possibility of using MimeMagic to detect the current filetype and, if it's not image/jpeg, overwrite the file (this will also have a small performance penalty). Looking for some thoughts from the devs on how best to implement that part.

app/models/auth_sources/auth_source_ldap.rb(line 224):

      File.open(avatar_file, 'wb') { |f| f.write(Base64.decode64(avatar)) } # This base64 will only need to be done if its NOT instance_of Net::BER::BerIdentifiedString
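
The following is an added example, not Foreman's code and not code posted by anyone in this thread. It reproduces the problem described in the report and in comment #5 (the attribute comes back from net/ldap as raw JPEG bytes, ldapsearch merely displays it base64-encoded, and base64-decoding the raw bytes a second time yields garbage) and shows one way to write the avatar that accepts both forms. Instead of testing the object's class as comment #5 suggests, it keys off the JPEG start-of-image marker, which has a second benefit: the directory being written to is the public web root and the value comes from the directory server, so only bytes that actually look like a JPEG get a `.jpg` filename there. It assumes `Net::BER::BerIdentifiedString` behaves as a `String` subclass (so `.b` applies to it), uses a plain binary `String` in its place, and the `store_avatar(avatar, avatar_path)` signature and the sample JFIF header are constructed for the example.

```ruby
require 'base64'
require 'digest'
require 'fileutils'
require 'tmpdir'

# Added example, not Foreman's code. net/ldap hands jpegPhoto back as raw
# bytes (a Net::BER::BerIdentifiedString in the real library, assumed here to
# be a String subclass; a plain binary String stands in for it). ldapsearch
# prints the same value base64-encoded (the "jpegPhoto::" form), which is why
# the original store_avatar base64-decoded bytes that were already binary.

JPEG_SOI = "\xFF\xD8\xFF".b.freeze # JPEG start-of-image marker

# Return the avatar as raw JPEG bytes, accepting either raw binary or base64
# text (e.g. a value copied out of an LDIF dump). Returns nil for anything
# that is not a JPEG in either form, so no non-image bytes get a .jpg name.
def normalize_avatar(avatar)
  raw = avatar.to_s.b
  return raw if raw.start_with?(JPEG_SOI)
  decoded = Base64.strict_decode64(raw.delete("\n\r ")) rescue nil
  return decoded.b if decoded && decoded.b.start_with?(JPEG_SOI)
  nil
end

# Hypothetical replacement for AuthSourceLdap#store_avatar (signature changed
# to take the directory explicitly). Returns the SHA1 hash used as the file
# name, or nil when the payload was rejected. The hash-derived name means the
# LDAP value never influences the path, only the content.
def store_avatar(avatar, avatar_path)
  data = normalize_avatar(avatar)
  return nil unless data
  avatar_hash = Digest::SHA1.hexdigest(data)
  avatar_file = File.join(avatar_path, "#{avatar_hash}.jpg")
  unless File.exist?(avatar_file)
    FileUtils.mkdir_p(avatar_path)
    File.binwrite(avatar_file, data)
  end
  avatar_hash
end

# The bug from the report: base64-decoding bytes that are already binary.
def buggy_decode(raw_jpeg)
  Base64.decode64(raw_jpeg)
end

# Constructed sample: a minimal JFIF header plus end-of-image marker.
SAMPLE_JPEG = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00\xFF\xD9".b.freeze

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts store_avatar(SAMPLE_JPEG, dir)                  # raw bytes, as net/ldap returns them
    puts store_avatar(Base64.encode64(SAMPLE_JPEG), dir) # same hash from the base64 form
    p store_avatar("not an image", dir)                  # nil: rejected
    p buggy_decode(SAMPLE_JPEG).start_with?(JPEG_SOI)    # false: what the original code wrote
  end
end
```

Running it against a real directory entry is a matter of passing the value from `entry[:jpegPhoto].first` (or whatever attribute the auth source is configured with) as `avatar`; the magic-byte check costs a three-byte comparison per login, so it sidesteps the overhead concern raised above without needing a second MIME-detection pass on the written file.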

#6 Updated by Suraj Patil 24 days ago

  • Bugzilla link set to 1573243
