After LDAP authentication, MUser will check whether the MUser password field is empty or not
Attachments
- 12 Jan 2019, 07:08 AM
Activity
Carlos Ruiz March 25, 2019 at 6:46 PM
Carlos Ruiz March 19, 2019 at 11:55 AM
Hi @Nicolas Micoud, better to open a new ticket - I feel that if somebody configures LDAP authentication, the AD_User auth must be disabled for the users with an LDAP configuration.
Allowing an LDAP user to log in with the AD_User password sounds like a security hole - a big one - are you sure that's the behavior? I don't have an LDAP environment to test.
Nicolas Micoud March 18, 2019 at 3:14 PM
Hi,
I also faced this issue on a new instance.
I did not remember that when using LDAP for storing passwords, AD_User.Password must be filled.
Once that was done, access was possible (I also needed to change the "principal" (LDAP.java, line 58); that will be another ticket ^^).
But now, users can log in with either the "domain" password or the "table" password.
So yes, adding a SysConfig to force using the LDAP password seems necessary.
Something like LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD (System Level, default Y to preserve the current behaviour)?
Then, in Login.java, I would add this check:
    // LDAP is configured, the bind failed, but the AD_User password matched:
    // only keep that match when the SysConfig explicitly allows the fallback (default Y).
    if (MSystem.IsLdap() && !authenticated && valid
            && !MSysConfig.getBooleanValue(LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD, true))
        valid = false;
between
    } else {
        // password not hashed
        valid = user.getPassword() != null && user.getPassword().equals(app_pwd);
    }
and
    if (valid) {
Haven't tested, but that's the idea.
WDYT ?
Thanks,
Nicolas
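To make the policy under discussion concrete, here is an added example written for this page (it is not iDempiere's own code and does not touch Login.java): the directory bind is tried first; a fallback to the AD_User password column is taken only when a hypothetical SysConfig LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD permits it; and an empty or null column is never accepted as a credential. The DirectoryAuthenticator interface, the UserRecord type, the account data and the unsalted SHA-256 hashing are all stand-ins assumed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/**
 * Added example, not iDempiere code: LDAP-first login with a configurable
 * fallback to the AD_User password column.
 */
public class LdapFallbackLogin {

    /** Hypothetical stand-in for the directory bind done by the LDAP module. */
    interface DirectoryAuthenticator {
        boolean bind(String user, String password);
    }

    /** Hypothetical stand-in for an AD_User row; passwordHash is null for LDAP-only users. */
    record UserRecord(String name, String passwordHash) {}

    enum Outcome { LDAP, AD_USER_PASSWORD, REJECTED }

    private final boolean ldapConfigured;              // "LDAP authentication is configured"
    private final boolean allowAdUserPasswordFallback; // hypothetical SysConfig LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD
    private final DirectoryAuthenticator directory;

    LdapFallbackLogin(boolean ldapConfigured, boolean allowAdUserPasswordFallback,
                      DirectoryAuthenticator directory) {
        this.ldapConfigured = ldapConfigured;
        this.allowAdUserPasswordFallback = allowAdUserPasswordFallback;
        this.directory = directory;
    }

    Outcome authenticate(UserRecord user, String password) {
        if (password == null || password.isEmpty()) {
            return Outcome.REJECTED;          // an empty password never matches anything
        }
        if (ldapConfigured) {
            if (directory.bind(user.name(), password)) {
                return Outcome.LDAP;
            }
            if (!allowAdUserPasswordFallback) {
                return Outcome.REJECTED;      // the gate: an LDAP user gets no second password
            }
        }
        // Database check (the default method). A null or empty column is not a
        // credential, whether or not LDAP is in use.
        if (user.passwordHash() == null || user.passwordHash().isEmpty()) {
            return Outcome.REJECTED;
        }
        byte[] supplied = sha256(password);
        byte[] stored = hexToBytes(user.passwordHash());
        // constant-time comparison, so a mismatch leaks nothing about the stored hash
        return MessageDigest.isEqual(supplied, stored) ? Outcome.AD_USER_PASSWORD : Outcome.REJECTED;
    }

    // Unsalted SHA-256 keeps the example short; a real table password needs a salted, slow hash.
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] hexToBytes(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed directory with one account the LDAP server knows about.
        Map<String, String> directoryAccounts = Map.of("alice", "Directory-Secret-1");
        DirectoryAuthenticator ldap = (u, p) -> p.equals(directoryAccounts.get(u));

        // The same user also carries a "table" password in AD_User.
        UserRecord alice = new UserRecord("alice", toHex(sha256("Table-Secret-2")));

        LdapFallbackLogin lenient = new LdapFallbackLogin(true, true, ldap);  // fallback allowed
        LdapFallbackLogin strict  = new LdapFallbackLogin(true, false, ldap); // fallback denied

        System.out.println("directory password, lenient: " + lenient.authenticate(alice, "Directory-Secret-1"));
        System.out.println("table password, lenient:     " + lenient.authenticate(alice, "Table-Secret-2"));
        System.out.println("table password, strict:      " + strict.authenticate(alice, "Table-Secret-2"));
        System.out.println("empty column, strict:        "
                + strict.authenticate(new UserRecord("alice", null), "Table-Secret-2"));
    }
}
```

With the fallback allowed, both the directory password and the table password open the session, which is exactly the two-password situation described in the thread; with it denied, only the directory password does, and an account whose password column is empty is rejected on both settings instead of being treated as a match.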
Carlos Ruiz January 14, 2019 at 3:09 PM
Thanks @Ray Lee, I think it is better not to integrate this one because of the potential collateral issues with other plugins/reports, etc.
In some way, since Compiere times, the definition of a user vs. a contact in AD_User is that a user has a password, and many people must have developed things with that definition in mind.
I think the LDAP module requires a better reorganization, but I would be more inclined to a fix in the LDAP module that saves a "default" password in the field (so it doesn't break the definition of a user) while the database authentication module (the default) just ignores that password, or to make that configurable for the different authentication methods. I think at this moment the database method (AD_User.Password) behaves like a fallback for LDAP, but maybe that must be configurable.
Regards,
Carlos Ruiz
Ray Lee January 12, 2019 at 7:14 AM
Changed Login.java, LoginPanel.java and MUser.java.
For LDAP authentication there is no need to set a password in MUser's password field.
1) IDEMPIERE-3866.patch
Ray Lee January 12, 2019 at 6:44 AM
I am testing and debugging. I will upload the patch later.
After LDAP authentication, MUser will check whether the MUser password field is empty or not.
In fact, the password is stored in the LDAP directory server; we don't need to set a password in the MUser password field.