LDAP users must not be able to log in with the AD_User password

Description

As reported at
https://idempiere.atlassian.net/browse/IDEMPIERE-3866?focusedCommentId=43076&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-43076

Using LDAP also allows users to authenticate with AD_User.Password; this can be considered a security issue. I think most companies would like to stop the login if LDAP fails.

Environment

None

Activity

Nicolas Micoud
March 26, 2019, 6:00 PM

Thanks !

Carlos Ruiz
March 26, 2019, 5:58 PM
Edited

This is how it works after the patch:

System   | AD_User.LDAPUser | USE_EMAIL_FOR_LOGIN | Authentication
---------|------------------|---------------------|----------------------------------------------------------------------------------
LDAP     | Filled           | N                   | Enforced LDAP authentication using LDAPUser – AD_User not allowed
LDAP     | Empty            | N                   | Try LDAP auth first using Name – fallback to AD_User using Name auth if LDAP failed
Non-LDAP | Filled           | N                   | AD_User authentication using LDAPUser
Non-LDAP | Empty            | N                   | AD_User authentication using Name
LDAP     | Filled           | Y                   | Enforced LDAP authentication using Email – AD_User not allowed
LDAP     | Empty            | Y                   | Try LDAP auth first using Email – fallback to AD_User auth using Email if LDAP failed
Non-LDAP | Filled           | Y                   | AD_User authentication using Email
Non-LDAP | Empty            | Y                   | AD_User authentication using Email
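The decision table above, as an added, runnable model. This is not iDempiere's own code and it is not Carlos Ruiz's patch: the users, the in-memory "directory" that stands in for an LDAP bind, and the SHA-256 stand-in for the AD_User.Password hash are all constructed for the example, and the choice to bind with LDAPUser when it is filled and with the login key otherwise is an assumption. The point it makes concrete is the one the fix is about: on an LDAP system a user whose LDAPUser is filled is denied even when the correct AD_User.Password is supplied, while a user with LDAPUser empty still gets the fallback.

```python
"""Added example (not iDempiere code): a runnable model of the post-patch
login decision table, with constructed users and a fake LDAP directory."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str                 # AD_User.Name
    email: str                # AD_User.EMail
    ldap_user: Optional[str]  # AD_User.LDAPUser; None means "Empty"
    password_hash: str        # AD_User.Password, stored hashed


def _h(secret: str) -> str:
    # Stand-in for the real password hashing; constructed for the example.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample data: one user bound to LDAP, one local-only user.
USERS = [
    User("Nicolas Micoud", "nmd@example.invalid", "nmd", _h("ad-pass-1")),
    User("Local Admin", "admin@example.invalid", None, _h("ad-pass-2")),
]

# Constructed stand-in for the directory: uid -> password accepted by bind.
LDAP_DIRECTORY = {"nmd": "ldap-pass-1"}


def ldap_bind(uid: str, password: str) -> bool:
    """Fake LDAP simple bind; a real deployment would call the server."""
    return LDAP_DIRECTORY.get(uid) == password


def ad_user_password_ok(user: User, password: str) -> bool:
    return hmac.compare_digest(user.password_hash, _h(password))


def find_user(login: str, use_email_for_login: bool) -> Optional[User]:
    """Resolve the login key as the table does: Email when
    USE_EMAIL_FOR_LOGIN=Y, otherwise LDAPUser if filled, else Name."""
    for u in USERS:
        if use_email_for_login:
            if u.email.lower() == login.lower():
                return u
        elif u.ldap_user:
            if u.ldap_user == login:
                return u
        elif u.name == login:
            return u
    return None


def authenticate(login: str, password: str, *, ldap_enabled: bool,
                 use_email_for_login: bool) -> Tuple[Optional[User], str]:
    """Return (user or None, path taken). Covers the eight table rows."""
    user = find_user(login, use_email_for_login)
    if user is None:
        return None, "unknown user"
    if not ldap_enabled:
        # Non-LDAP system: only AD_User.Password is checked.
        ok = ad_user_password_ok(user, password)
        return (user if ok else None), "AD_User"
    # Assumption: the bind uid is LDAPUser when filled, else the login key.
    bind_uid = user.ldap_user or login
    if ldap_bind(bind_uid, password):
        return user, "LDAP"
    if user.ldap_user:
        # LDAPUser filled on an LDAP system: enforced, no AD_User fallback.
        return None, "LDAP enforced; AD_User.Password not accepted"
    if ad_user_password_ok(user, password):
        return user, "AD_User fallback after LDAP failure"
    return None, "LDAP and AD_User both failed"


if __name__ == "__main__":
    attempts = [("nmd", "ad-pass-1"), ("nmd", "ldap-pass-1"),
                ("Local Admin", "ad-pass-2")]
    for login, pw in attempts:
        user, path = authenticate(login, pw, ldap_enabled=True,
                                  use_email_for_login=False)
        print(login, "->", "OK" if user else "DENIED", "|", path)
```

Running the block prints one line per attempt on an LDAP system: "nmd" with the AD_User password is denied (enforced), "nmd" with the directory password is accepted, and "Local Admin" (LDAPUser empty) is accepted via the AD_User fallback after the bind fails.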

Nicolas Micoud
March 26, 2019, 4:36 PM

Thanks for the answer. I agree that it is a very big security hole, but it was useful.

I don't understand what you mean with "On LDAP environments it is the same but the LDAPUser is forced authentication against the LDAP server.
You can still create a parallel user without LDAP if needed."
Could you say more about that, please?

Thanks,

Nicolas

Carlos Ruiz
March 26, 2019, 4:20 PM

Hi

> In fact, that's the actual behaviour

Right, I think that's very dangerous and unwanted - that's since Compiere times - so I guess many people are "used" to such a security hole - but from a security point of view it sounds crazy to me - if you have an LDAP configuration and an LDAP-configured user, why would you allow bypassing the LDAP security and allow the probably more-lazy security of AD_User.Password?
And people not aware of such behavior were probably assigning very lazy passwords in AD_User - or probably not even encrypted/hashed.

Because people can be "used" to such a security hole - I think the option I just pushed is trying to "respect" that - if somebody needs a user to be validated with AD_User.Password in an LDAP environment, then they can create a user without the LDAPUser field filled - so we are allowing some kind of exceptions configured by the implementor. I think it is also up to the implementor whether LDAPUser must be mandatory for certain tenants or not - that can be easily configured in a custom window or plugin.

I saw your proposal about LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD, but as you say it is not safe, and your proposal to make it an ID list is in the end the same as allowing a parallel user authenticated by AD_User.Password.

> Another scenario that could happen - don't know if your patch allows it or not -
> if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.

Yes, it is possible; it is just a matter of leaving the LDAPUser field empty - as said above - I think it is a decision on every implementation whether that's allowed or not and under which conditions (that is: customization).

> it's easier to use the LDAPUser field to store the login (I prefer to log in using 'nmd' (LDAPUser)
> instead of 'Nicolas Micoud' (AD_User.Name)).

Yes, I'm aware of that "hack". That's still possible in non-LDAP environments - to use the LDAPUser as the login key.
On LDAP environments it is the same, but the LDAPUser is forced to authenticate against the LDAP server.
You can still create a parallel user without LDAP if needed.

Regards,

Carlos Ruiz

Nicolas Micoud
March 26, 2019, 3:29 PM

Hello,

Haven't tested yet, but just a thought:
"Allowing to login with ad_user password to an LDAP user sounds like a security hole - a big one - are you sure that's the behavior?" (from https://idempiere.atlassian.net/browse/IDEMPIERE-3866)
In fact, that's the actual behaviour.

ATM, I can log into the system using my LDAPUsername (Tginm) and the password from LDAP or AD_User.
The SysConfig LDAP_ALLOW_LOGIN_WITH_AD_USER_PASSWORD was here to preserve this behaviour (I agree, it is not safe, but it has been working for years).
But perhaps this SysConfig should refer to UserIDs.

Another scenario that could happen - don't know if your patch allows it or not - if you implement iDempiere into a company which uses LDAP, you may not have a user in LDAP.
However, it's easier to use the LDAPUser field to store the login (I prefer to log in using 'nmd' (LDAPUser) instead of 'Nicolas Micoud' (AD_User.Name)).

Regards,

Nicolas

Fixed

Assignee

Carlos Ruiz

Reporter

Carlos Ruiz

Labels

None

Tested By

None

Priority

Major