CF administrator ldap authentication

Report · Dec 04, 2023

We recently installed CF 2023 and want to authenticate users via LDAP for access to the CFIDE administrator console. However, verifying the LDAP connection always results in an error:

The CONFIG parameter to the verifyConnection function is required but was not passed in. The specific sequence of files included or processed is: C:\ColdFusion2023\cfusion\wwwroot\CFIDE\administrator\security\ldapServices.cfc

This runs as a AJAX request so it appears that the Verify Connection button does nothing. But when you open the developer console, you can see that the request has failed. Opening in another browser window shows this.

Any ideas?

Report · Dec 04, 2023

well - I found the problem. Our config has the "Preserve case for Struct keys for Serialization" option checked. Because of this, the JSON coming back from the first AJAX request (to adminpasswordCFCPath + '?method=getAdminLdapConfiguration') had its keys in lowercase. However, the Javascript in the page was checking for keys in uppercase. This caused the resulting next AJAX request (to adminpasswordCFCPath + '?method=verifyConnection') to basically throw an error which was caught with an empty catch block, resulting in nothing happening.

Report · Dec 04, 2023

Good sleuthing there. If it may help, there should be a workaround to changing the Admin setting (which of course affects all code on the server). Note that you can also control this at the application level, such as in an application.cfc in cfscript as:

this.serialization={preserveCaseForStructKey: true};

Or in application.cfm as:

<cfapplication preserveCaseForStructKey="true">

Of course, you can instead set the admin value to true and use code like this to set app-level settings to false, if more apps need it set to true than to false. Just know you have options. 🙂

This issue you've found does seem to be a bug worth your reporting (at tracker.adobe.com). If you do file one, feel free to mention both workarounds, if you confirm my other works well for you. And then please share the bug id here so that I and others might know of it and add a vote for it.

/Charlie (troubleshooter, carehart.org)

Report · Dec 04, 2023

Thanks, but this is a problem in the CFIDE/administrator console. I cannot make any change (other than turning off the "Preserve case for Struct keys for Serialization" setting) that will fix this. Definitely no code change will fix this.

Report · Dec 04, 2023

Ah, right. In my zeal to point out the app-level option, I forgot that you were using the CF Admin itself when you got the error. That said, what I share may still be valuable.

First, some folks may well make the change like you propose (to solve this) and then they may have existing apps break because the code expected to use the admin setting. If that's changed there (such as from True to false, as you are proposing), they can at least use this code I share to fix it for apps that need it "true".

Second--and while I agree Adobe should fix this problem--I don't know if it's true that "no code change will fix this" problem in the CF Admin. I'm pretty sure you could slip an Application.cfc of your own into the folder of that page you found was run, and have that extend the original one that the CF Admin uses, and thus override the settings in this page/folder only. I've not tried it, but logically it should be possible.

Still, I understand you may not care to go to that length, if the change in the admin suits you (and no other apps of yours). Again, I only press this point as some readers may come to realize they would have trouble in changing that admin-level preservecase setting because of its impact on existing apps.

Finally, thanks for sharing the bug report.

/Charlie (troubleshooter, carehart.org)

Report · Dec 04, 2023

I think this issue only affects setting up the external LDAP connection (and verifying it) so turning off that "preserve struct key case" setting while I made those changes and turning it back on suits me just fine.

The \cfusion\wwwroot\CFIDE\administrator\security folder (which contains the problematic cfadminpassword.cfm file) already contains an Application.cfm file so I dont think introducing my own Application.cfc file would be a smart idea - even though I might potentially be able to cfinclude the contents of Application.cfm before or after my own code. To be honest, I'm quite surprised that you would even mention that as an option. Even if it is theorically possible, its probably not a very smart smart idea to be making changes to the internals of the CF administrator console code.

Report · Dec 04, 2023

Good point on the admin workaround being only needing to be temprary for you, to verify. If that remains so, that's a relief.

If it continues beyond that in some unexpected way, that's indeed why I proposed the other workaround. And while it may be "surprising" to hear me suggest it, I am a problem solver. If I can give someone an idea to get around a problem, I'm willing to share it. It's CERTAINLY true that monkeying with such things should be done with care. I thought this one suggestion was simple enough to not likely have long-term ramifications. Really, I brought it up more because most folks would never DREAM of it as a possibility. 🙂 And if it did solve it, that was my goal. (Can someone shoot themselves in the foot by taking that too far? Sure. But that would be on them.)

Let's see how things go for you with that one solution, and what others may have to say in reply to that tracker ticket (or here). I just wanted to chime in with the additional thoughts if they may help, but I understand this is really a problem for Adobe to resolve.

/Charlie (troubleshooter, carehart.org)

Report · Dec 04, 2023

I also did create a issue/bug report for this:
https://tracker.adobe.com/#/view/CF-4220003