9 Replies Latest reply on Oct 20, 2014 8:48 AM by wimdecorte

    FileMaker Server External Authentication problem

    SBerger

      Hi all,

      I'm wondering if anyone experienced the same problem we just noticed today:

      - logging into a file (using FMP Advanced 12.0V5 on OS X 10.9.5), hosted on FMS Advanced (12V04), authenticated using external authentication (Mac OS X 10.9.5 Server).
      - by mistake, put a space character in front of the username.
      - LDAP server authenticated the user successfully!!!
      - Get(AccountName) shows the space in front of the name!?
      - user cannot see any related records where the relationship is based on Account name.

      Problem:

      System fields (created_by, modified_by) are showing the incorrect name - with leading and trailing spaces.
      User is confused by not being able to see his stats, DB is being populated with incorrect data.

      Question #1: Is it by design, or is something wrong with LDAP authentication, when it allows authentication of a user name with leading and trailing spaces?

      Question #2: If LDAP ignores spaces before and after the username, why is FileMaker accepting the username as it's typed in, instead of taking the correct name from LDAP?

      Appreciate your answers.

        • 1. Re: FileMaker Server External Authentication problem
          wimdecorte

          SBerger wrote:

          Question #2: If LDAP ignores spaces before and after the username, why is FileMaker accepting the username as it's typed in, instead of taking the correct name from LDAP?

          AFAIK it is by design. When you authenticate to a domain (OD or AD) you can use one of many syntaxes to authenticate:

          username (which sort of assumes that the OS will send the domain part to the authenticating authority)
          DOMAIN\username
          username@domain

          Any of these 3 will work, and FM's Get(AccountName) will return whatever the user types in. This is documented going back to when External Authentication was introduced back in 2007:

          http://help.filemaker.com/app/answers/detail/a_id/6822

          It is up to you to Trim() and parse the relevant bits out and to use that in your records...

          • 2. Re: FileMaker Server External Authentication problem
            SBerger

            Wim, thank you for your answer.

            I understand I can create an auto-enter calculated field, and trim extra spaces from the Account name using the calculation engine.

            But, if I use the other available option, to auto-populate the field with Creation Account Name / Modification Account Name, I would still get the account name with all leading & trailing spaces.

            There is a solution, I agree, but there is also a potential risk, to populate fields with unwanted values, using available options.

             

            • 3. Re: FileMaker Server External Authentication problem
              wimdecorte

              SBerger wrote:

              But, if I use the other available option, to auto-populate the field with Creation Account Name / Modification Account Name, I would still get the account name with all leading & trailing spaces.

              There is a solution, I agree, but there is also a potential risk, to populate fields with unwanted values, using available options.

              Not quite sure what you mean by "there is a risk".
              There would be no risk obviously because you would not use things like "Creation Account Name" in an EA scenario...
              Once you understand how a feature works, you use it accordingly.

              • 4. Re: FileMaker Server External Authentication problem
                SBerger

                Since there is not a single word in the documentation (at least I couldn't find it) about spaces being allowed when entering Account names, there is a risk that a person who is not aware of this "feature" sets the "created_by" field using "Creation Account Name" instead of using the calculation engine to trim unwanted blank characters.

                I would like to hear from someone at FileMaker why they don't trim those blanks when the file is being opened.

                • 5. Re: FileMaker Server External Authentication problem
                  taylorsharpe

                  If I were answering for FM, and I'm not, my answer would be because FileMaker is submitting exactly what was typed to the AD and how AD handles it is a matter outside of FM control.  What if AD trims and say OD doesn't or something else like that?  Or different versions of them handle it differently.  I think FM is playing it safe to send only exactly what the user has put in. 

                  • 6. Re: FileMaker Server External Authentication problem
                    SBerger

                    Taylor,

                    I agree with you that FileMaker is playing safe and sends whatever is typed in. And that's fine with me.
                    What I'm having a problem with is:

                    - user types in account name with leading or trailing spaces
                    - FileMaker sends that user name to AD/OD for authentication
                    - AD/OD trims spaces out and validates the account's authenticity. This is important to notice - it trims spaces out and, if the rest of the user name is ok, OD/AD says "OK, user exists".
                    - AD/OD sends that info back to FileMaker.
                    - Since OD/AD approved that account (without spaces), FileMaker accepts that account as a valid account, BUT WITH SPACES.

                    And that is when the real problem occurs. If a developer uses the "Creation Account Name" or "Modification Account Name" options in the field definition for "created_by" or "modified_by" fields in his/her solution, it will automatically accept the account name with leading/trailing spaces.

                    From that moment on, Get(AccountName) will always return the account name WITH spaces, and all relationships you might have built in your solution that are based on the current active user will fail.

                    Wim has suggested avoiding those two options when defining "created_by" and "modified_by" fields, and using the calculation engine instead to trim spaces out. Which is fine.

                    My concern is, nowhere in the documentation does it say that you have to do that when you authenticate users against LDAP, and because of that, it can cause problems for developers who were unaware of it.

                    Of course, that problem wouldn't exist if FileMaker just trimmed out all leading/trailing spaces, the same way AD/OD does.
                    FileMaker doesn't allow creation of local FileMaker accounts with leading/trailing spaces anyway, so why would it allow it for EA accounts?

                    • 7. Re: FileMaker Server External Authentication problem
                      Mike_Mitchell

                      FileMaker doesn't allow creation of local FileMaker accounts with leading/trailing spaces anyway

                      Slight correction: It will, if you script the account creation. So you have to be mindful of this little trap in that environment, too.

                      Carry on.

                      • 8. Re: FileMaker Server External Authentication problem
                        SBerger

                        Thank you Mike,

                        I was so focused on the UI aspect of it.

                        Good catch.

                        • 9. Re: FileMaker Server External Authentication problem
                          wimdecorte

                          SBerger wrote:

                          My concern is, nowhere in the documentation does it say that you have to do that when you authenticate users against LDAP, and because of that, it can cause problems for developers who were unaware of it.

                          Of course, that problem wouldn't exist if FileMaker just trimmed out all leading/trailing spaces, the same way AD/OD does.
                          FileMaker doesn't allow creation of local FileMaker accounts with leading/trailing spaces anyway, so why would it allow it for EA accounts?

                          I think you are focusing a little too much on the whitespace. As I mentioned earlier in this thread, any approach that uses the bulk (trimmed or not) of Get(AccountName) is going to fall flat in an EA environment because the same user can log in with

                          DOMAIN\username
                          or
                          username@domain

                          And Get(AccountName) is going to use whatever the user entered, not just the username part. No spaces involved here.

                          And these things have been documented going back 10+ years so it is not new. Those white papers and tech briefs are there for just that purpose: they supplement what you can find in the help file because they touch on things that are outside of the FM product.
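The normalisation Wim recommends in replies 1 and 9 (Trim() the account name and parse the username out, because Get(AccountName) returns exactly what was typed: " jdoe ", DOMAIN\jdoe or jdoe@domain), written out as an added Python model; it is not code from the thread or from FileMaker. It assumes the directory matches user names case-insensitively and that the three syntaxes denote one person; the sample logins and audit rows are constructed, and naive_related_records shows the relationship failure SBerger describes.

```python
import re

# Constructed sample logins, as Get(AccountName) hands them back under external
# authentication: exactly what the user typed, including the space the directory
# server silently trimmed and any DOMAIN\ or @domain decoration.
SAMPLE_LOGINS = [" jdoe ", "CORP\\jdoe", "jdoe@corp.example", "JDoe"]

# Constructed audit rows; row 2 was filled by an auto-enter "Creation Account
# Name" after a login typed with a leading space.
SAMPLE_RECORDS = [
    {"id": 1, "created_by": "jdoe"},
    {"id": 2, "created_by": " jdoe "},
    {"id": 3, "created_by": "CORP\\jdoe"},
    {"id": 4, "created_by": "asmith"},
]

_ACCOUNT_RE = re.compile(r"(?:(?P<dom1>[^\\@]+)\\)?(?P<user>[^\\@]+)(?:@(?P<dom2>[^\\@]+))?")

def split_account(raw):
    """Return (username, domain) for 'user', 'DOMAIN\\user' or 'user@domain'.
    Whitespace is trimmed first, as AD/OD do before validating; domain is ""
    when none was typed."""
    m = _ACCOUNT_RE.fullmatch(raw.strip())
    if m is None:  # empty string or stray separators: refuse rather than guess
        raise ValueError(f"unrecognised account syntax: {raw!r}")
    return m.group("user"), (m.group("dom1") or m.group("dom2") or "").lower()

def canonical_account(raw):
    """Key to store in created_by/modified_by and to join relationships on.
    Assumption, not from the thread: the directory matches names
    case-insensitively, so the key is lower-cased. The domain is dropped
    because the thread treats the three syntaxes as one person; keep it if one
    file serves several domains."""
    return split_account(raw)[0].lower()

def naive_related_records(account, records):
    """Relationship keyed on the raw account string: the failing behaviour."""
    return [r["id"] for r in records if r["created_by"] == account]

def related_records(account, records):
    """Same relationship with both sides canonicalised: the fix."""
    key = canonical_account(account)
    return [r["id"] for r in records if canonical_account(r["created_by"]) == key]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(f"{login!r:20} -> {split_account(login)}  naive={naive_related_records(login, SAMPLE_RECORDS)}  fixed={related_records(login, SAMPLE_RECORDS)}")
```

Storing canonical_account() in the audit fields, as Wim suggests, means a later login typed as CORP\jdoe or " jdoe " still matches the rows the same person created.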