LDAP Users must no be able to login with AD_User password
Description
Using LDAP is allowing users to authenticate also with AD_User.Password, this can be considered a security issue, I think most companies would like to stop login if LDAP fails.
Environment
Activity
Thanks !
This is how is working after the patch:
System | AD_User.LDAPUser | USE_EMAIL_FOR_LOGIN | Authentication |
|---|---|---|---|
LDAP | Filled | N | Enforced LDAP authentication using LDAPUser – AD_User not allowed |
LDAP | Empty | N | Try LDAP auth first using Name – fallback to AD_User using Name auth if LDAP failed |
Non-LDAP | Filled | N | AD_User authentication using LDAPUser |
Non-LDAP | Empty | N | AD_User authentication using Name |
LDAP | Filled | Y | Enforced LDAP authentication using Email – AD_User not allowed |
LDAP | Empty | Y | Try LDAP auth first using Email – fallback to AD_User auth using Email if LDAP failed |
Non-LDAP | Filled | Y | AD_User authentication using Email |
Non-LDAP | Empty | Y | AD_User authentication using Email |
Thanks for the answer, I agree that is a very big security hole, but it was useful
I don't understand what you mean with _"On LDAP environments is the same but the LDAPUser is forced authentication against the LDAP server.
You can still create a parallel user without LDAP if needed."._
Could you say more about that please ?
Thanks,
Nicolas
Hi
> In fact, that's the actual behaviour
Right, I think that's very dangerous and unwanted - that's since compiere times - so, I guess many people is "used" to such security hole - but from a security point of view it sounds crazy to me - if you have an LDAP configuration, and an LDAP configured user, why would you allow to bypass the LDAP security and allow the probably more-lazy security of AD_User.Password?
And people not aware of such behavior was probably assigning very lazy passwords in AD_User - or probably not even encrypted/hashed.
Because people can be "used" to such security hole - I think the option I just pushed is trying to "respect" that - if somebody needs a user to be validated with AD_User.Password in an LDAP environment, then it can create a user without the LDAPUser field filled - so, we are allowing some kind of exceptions configured by the implementor. I think is also up to the implementor if LDAPUser must be mandatory for certain tenants or not - that can be easily configured in custom window or plugin.
I saw your proposal about LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD, but as you say is not safe, and your proposal to make it an ID list in the end is the same as allowing a parallel user authenticated by AD_User.Password.
> Another scenario that could happen - don't know if your patch allow it or not -
> if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.
Yes, is possible, is just leaving empty the LDAPUser field - as said above - I think is a decision on every implementation if that's allowed or not and under which conditions (that is: customization).
> it's easier to use the LDAPUser field to store the login (I prefer to log using 'nmd' (lLDAPUser)
> instead of 'Nicolas Micoud' (AD_User.Name)).
Yes, I'm aware of that "hack" That's still possible in non-LDAP environments - to use the LDAPUser as the login key.
On LDAP environments is the same but the LDAPUser is forced authentication against the LDAP server.
You can still create a parallel user without LDAP if needed.
Regards,
Carlos Ruiz
Hello ,
Haven't tested yet, but just a thought :
"Allowing to login with ad_user password to an LDAP user sounds like a security hole - a big one - are you sure that's the behavior?" (from https://idempiere.atlassian.net/browse/IDEMPIERE-3866)
In fact, that's the actual behaviour
ATM, I can log into the system using my LDAPUsername (Tginm) and password from LDAP or AD_User.
The SysConfig LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD was here to preserve this behaviour (I agree, is not safe, but it has been working for years).
But perhaps, this SysConfig should refers UserIDs.
Another scenario that could happen - don't know if your patch allow it or not - if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.
However, it's easier to use the LDAPUser field to store the login (I prefer to log using 'nmd' (lLDAPUser) instead of 'Nicolas Micoud' (AD_User.Name)).
Regards,
Nicolas
