Support applications that verify the password themselves #53

Closed
jcgruenhage opened this issue Jul 31, 2018 · 8 comments

@jcgruenhage

Some applications don't try to connect to the ldap server as the user they're trying to authenticate, but look for the password in the result they get and calculate/compare the hash themselves. As far as I can tell, glauth does not give those applications enough data to finish authentication.

Right now I only know of nextcloud that is acting this way, but I'm sure there are more things out there doing the same.

Possibly related to #3, because I don't think any other ldap implementation out there uses plain sha256.

@benyanke
Member

benyanke commented Aug 1, 2018

I have plans to connect my nextcloud install to my glauth instance, so I'll look into this! One way or another, I'll do what I need to for it to work with NextCloud.

@benyanke
Member

benyanke commented Aug 5, 2018

Confirmed that NextCloud is stalling out on authentication. Will be hopefully digging into this more soon.

edit: This was due to a minor misconfiguration on my end - NC is now working with GLAuth as-is.

@jcgruenhage could you provide more info on ldap queries returning hashed passwords? In the LDAP experience I have (which I will admit is not as deep as I'd like but growing), I have not seen this, and auth is typically accomplished on the server via bind.

@jcgruenhage
Author

Huh? Maybe I've completely misinterpreted what I've read (docs/logs).. I need to check my config then

@benyanke
Member

Closing this - feel free to reopen if you have issues or you find another good example which could make the case for this feature. I'd really rather not expose the password hashes.

@jcgruenhage
Author

It's pretty likely that I misunderstood something somewhere. Sadly I haven't had the time to investigate more why my Nextcloud isn't working, I'll update this once I've gotten further..

@benyanke
Member

No worries! Thanks for using glauth!

@jcgruenhage
Author

Well thanks for writing it!

@href

href commented Nov 18, 2019

Not sure if this is related, but it seems like GLAuth does not support password checks using LDAP's COMPARE operation.

I'm using GLAuth for integration tests because it's really simple to get up and running. I thought I'd add my 50 cents, since:

> Closing this - feel free to reopen if you have issues or you find another good example which could make the case for this feature. I'd really rather not expose the password hashes.

Checking with COMPARE seems to fit this description. Checking a password using compare doesn't expose the password hash to the outside. It simply allows clients to check if an attribute is set to a certain value.

Anyway, just thought I'd add this comment to the discussion. I can easily mock this out on my side, so it's not a feature I need.
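
The three ways of checking a password that this thread touches on (bind, COMPARE, and fetching the hash to verify it client-side), as an added example that is not part of the thread or of GLAuth's code. It is a toy in-memory model, not a real LDAP implementation: the class and function names, the sample entry and the `expose_hashes` switch are hypothetical, and it assumes the server evaluates a `userPassword` compare against the stored SHA-256 digest.

```python
import hashlib
import hmac

# Constructed sample entry; the password is stored as an unsalted SHA-256
# hex digest, the "plain sha256" format mentioned earlier in the thread.
DIRECTORY = {
    "cn=alice,dc=example,dc=com": {
        "uid": "alice",
        "userPassword": hashlib.sha256(b"correct horse").hexdigest(),
    }
}


def _matches(stored_hex, candidate):
    """Hash the candidate and compare digests in constant time."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    return hmac.compare_digest(stored_hex, digest)


class ToyServer:
    """Hypothetical in-memory stand-in for an LDAP server."""

    def __init__(self, directory, expose_hashes=False):
        self.directory = directory
        self.expose_hashes = expose_hashes  # assumption: off by default

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        return entry is not None and _matches(entry["userPassword"], password)

    def compare(self, dn, attr, value):
        # Assumption: userPassword is compared against the stored digest.
        entry = self.directory.get(dn)
        if entry is None or attr not in entry:
            return False
        if attr == "userPassword":
            return _matches(entry[attr], value)
        return entry[attr] == value

    def search(self, dn):
        entry = self.directory.get(dn, {})
        return {k: v for k, v in entry.items()
                if k != "userPassword" or self.expose_hashes}


def client_side_verify(server, dn, password):
    """Fetch the hash via search and verify locally; None if it is withheld."""
    stored = server.search(dn).get("userPassword")
    return None if stored is None else _matches(stored, password)
```

With the default settings the client-side path returns `None`, the "not enough data" situation from the opening comment, while bind and compare still answer with a plain yes or no and the digest never leaves the server.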
