Bug #13749

Getting avatar from openldap seems to be broken

Added by Dirk Götz about 2 years ago. Updated 13 days ago.

Status: New
Priority: Normal
Assigned To: -
Category: Authentication
Target version: -
Difficulty:
Bugzilla link:
Found in release: 1.15.0
Pull request:
Story points: -
Velocity based estimate: -

Description

I created a user with the following ldif:

dn: cn=dgoetz,ou=users,dc=localdomain
objectClass: inetOrgPerson
cn: dgoetz
sn: Goetz
description: Dirk Goetz
userPassword: {SSHA}SmI4N/QECJfMFprv9sMnTD7KZUq46Yw8
givenName: Dirk
mail: dgoetz@localdomain
uid: dgoetz
jpegPhoto:< file:///root/dgoetz.jpg

When I log in with the user, the avatar is downloaded and the file is created, but it is not a valid picture.

# file /var/lib/foreman/public/assets/avatars/6e15a0e85405ddd9f25abc3aee0b212ea2ca6bfb.jpg 
/var/lib/foreman/public/assets/avatars/6e15a0e85405ddd9f25abc3aee0b212ea2ca6bfb.jpg: data

If I search the ldap I get:

# dgoetz, users, localdomain
dn: cn=dgoetz,ou=users,dc=localdomain
objectClass: inetOrgPerson
cn: dgoetz
sn: Goetz
description: Dirk Goetz
userPassword:: e1NTSEF9U21JNE4vUUVDSmZNRnBydjlzTW5URDdLWlVxNDZZdzg=
givenName: Dirk
mail: dgoetz@localdomain
uid: dgoetz
jpegPhoto:: [base64-encoded JPEG data omitted]

And if I copy the base64 string to a file, join the lines and decode it, I get a valid jpeg back.

# cat /tmp/base64 | base64 -d > /tmp/dgoetz.jpg
# file /tmp/dgoetz.jpg 
/tmp/dgoetz.jpg: JPEG image data, JFIF standard 1.01

So something seems to be broken, but looking in the code I have no idea what. When I tried to remove the decoding and output the file in binary, I already got some content not matching the base64 string, and if the output was not written in binary I got an empty file. Also, removing the to_utf8 for testing showed the same result.


Related issues

Duplicated by Foreman - Bug #15127: Photo attribute configured for LDAP source, image not dis... Duplicate 05/22/2016

History

#1 Updated by John Beranek 10 months ago

I'm seeing this issue too, the avatars obtained from our Active Directory are not being saved correctly:

$ od -c /var/lib/foreman/public/assets/avatars/54cf8135e2114eb915bcbfaf162f324eeab26293.jpg [18:14:38]
0000000 $ R 005 034 p 276 \b 257 ( 270 %
0000013

There is also another issue, as when the Foreman pages try to download the avatar image they get a 404:

foreman-ssl_access_ssl.log:10.4.4.48 - - [22/Apr/2017:18:12:44 +0100] "GET /images/avatars/54cf8135e2114eb915bcbfaf162f324eeab26293.jpg HTTP/1.1" 404 1564 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"

This is with Foreman 1.14.3/Katello 3.3.1

#2 Updated by Thomas Steudten 9 months ago

  • Priority changed from Low to Normal
  • Found in release changed from 1.10.1 to 1.15.0

Hi,
foreman-1.15.0 contains the same bug. I tried a little bit to find out what happens.
My fix is this:
Edit this file: /usr/share/foreman/app/models/auth_sources/auth_source_ldap.rb like this:
    def store_avatar(avatar)
      #avatar = avatar.to_utf8
      avatar_hash = Digest::SHA1.hexdigest(avatar)
      avatar_file = "#{avatar_path}/#{avatar_hash}.jpg"
      unless FileTest.exist? avatar_file
        FileUtils.mkdir_p(avatar_path)
        #File.open(avatar_file, 'wb') { |f| f.write(Base64.decode64(avatar)) }
        File.open(avatar_file, 'wb') { |f| f.write(avatar) }
      end
      avatar_hash
    end

Maybe you have to add one more symbolic link here: /var/lib/foreman/public/images -> assets.
Make sure to set the owner and group to foreman:foreman.

Restart foreman and httpd and it will give you the avatar picture back.

file 4043ebc4b8943415326ff6d78f887c7a040ebb62.jpg
4043ebc4b8943415326ff6d78f887c7a040ebb62.jpg: JPEG image data, JFIF standard 1.01

Thomas
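
Added example (not part of the ticket or of Foreman's code): LDIF prints a binary attribute value Base64-encoded after "::", while an LDAP client library hands the application the raw octets, so a second Base64 decode corrupts the image. The sketch uses a constructed JFIF header and hypothetical helper names (ldif_value, double_decoded, store_avatar_checked), and adds a magic-byte check before anything is written under the public assets directory.

```ruby
require 'digest/sha1'
require 'fileutils'

# Constructed sample: JPEG SOI marker, a JFIF APP0 header and EOI, standing in
# for the raw jpegPhoto octets an LDAP client library returns.
RAW_PHOTO = ("\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00".b +
             "\xFF\xD9".b).freeze
JPEG_MAGIC = "\xFF\xD8\xFF".b

# What ldapsearch prints after "jpegPhoto::" is the LDIF text encoding of the
# same octets, not the stored value itself.
def ldif_value(raw)
  [raw].pack('m0')
end

def jpeg?(bytes)
  bytes.b.start_with?(JPEG_MAGIC)
end

# The behaviour reported in the ticket: decoding octets that are already raw.
# unpack1('m') is the lenient decoder that Base64.decode64 wraps; it skips every
# byte outside the Base64 alphabet and decodes the few that remain.
def double_decoded(raw)
  raw.unpack1('m')
end

# Hypothetical variant of the store_avatar fix from comment #2 that also
# refuses to write anything that does not start with the JPEG magic bytes.
def store_avatar_checked(raw, avatar_path)
  raw = raw.b
  return nil unless jpeg?(raw)

  avatar_hash = Digest::SHA1.hexdigest(raw)
  avatar_file = File.join(avatar_path, "#{avatar_hash}.jpg")
  unless File.exist?(avatar_file)
    FileUtils.mkdir_p(avatar_path)
    File.binwrite(avatar_file, raw)
  end
  avatar_hash
end
```

On the constructed sample the double decode leaves only a few bytes beginning "$R\005", the same leading bytes as the od dump in comment #1.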

#3 Updated by Tomer Brisker 3 months ago

  • Duplicated by Bug #15127: Photo attribute configured for LDAP source, image not displayed added

#4 Updated by Dirk Götz 13 days ago

I can confirm the mentioned fix works.

For the code change I could create a pull request, but I have no idea where the symlink has to be created or if it would be better to change the URL instead (whose origin I could not find).
