enable user backends to show a different page when login failed (e.g. password wrong or needs to change) #12215

Closed
finius opened this Issue Nov 17, 2014 · 37 comments

@finius
finius commented Nov 17, 2014

ownCloud seems not to support password changes for AD users!
If a user is forced by AD to change his password (e.g. after a reset caused by the IT helpdesk), he has to find an alternative way to change his password before he will be able to log in to ownCloud again.

Further, ownCloud tries to send a password reset mail in the case above - even to Active Directory-imported users, which makes no sense.

@karlitschek
Member
@blizzz
Contributor
blizzz commented Nov 17, 2014

I don't see anything we can do about this. Since we do not write to LDAP, we also cannot set or change passwords.

About password reset mail: since the user was not able to login, we do not know whether the attempt was done by a local user, an LDAP user, or someone else.

@finius
finius commented Nov 17, 2014

Hi,
thanks for this quick response.
I understand that no password changes are possible when no information is written into AD.
But just to know: if a user tries to log in, one can try to find out whether the user is part of an LDAP directory (configured within ownCloud) without writing anything. If this is the case, one could at least show a more appropriate error page (without password emailing).
AD users are, as far as I know, often confused about the current error dialog.

@blizzz
Contributor
blizzz commented Nov 18, 2014

Well, ok, it is certainly possible to implement this. OTOH this will also leak valid login names. How much of an issue is this @LukasReschke ?

@LukasReschke
Member

Well, ok, it is certainly possible to implement this. OTOH this will also leak valid login names. How much of an issue is this @LukasReschke ?

Not too much of a deal for me as long as it is not about "showing a list of all user names". - Though, I'd like to discuss with @karlitschek what we consider as issue and what not.

@karlitschek
Member

@LukasReschke I agree with you

@blizzz blizzz changed the title from no login possible i.e. if an Active Directory user is forced to change password on next login to enable user backends to show a different page when login failed (e.g. password wrong or needs to change) Nov 19, 2014
@blizzz
Contributor
blizzz commented Nov 19, 2014

thanks guys, titles and tags adjusted

@DeepDiver1975 DeepDiver1975 modified the milestone: backlog Mar 21, 2015
@MorrisJobke
Member

I migrated the blue ticket from #16816


Architecture

ownCloud version: 7.0.3.4
PHP version: 5.4.34
Apache 2.2.15 (SLES Expanded Support)
LDAP activated

Expected behavior:

LDAP User writes a wrong password and gets a message to contact the administrator.

Actual behavior:

LDAP User writes a wrong password and gets a link by email, and the token is invalid.

How to turn off this option?

Steps to reproduce it:

1. Enter a valid user and a wrong password.
2. Ask to reset the password.
3. The oC server sends an email with a link, but the password can't be reset (token is not valid).

Logs

Apache and ownCloud Logs and LDAP configuration in
S3-ownCloud\Shared\owncloud\support\github-issues\core\16816

@MorrisJobke

00002757

@ghost
ghost commented Jun 15, 2015

Hi,

instead of showing just a message to contact the admin, a possibility could be to allow an admin to specify an external URL. This could point to a phpLDAPadmin installation, for example, where a user can reset their password.

@bboule
bboule commented Jun 23, 2015

Might work for OpenLDAP but not a good option for AD shops... IMHO

@bboule
bboule commented Jun 23, 2015

@MTRichards This seems like something to be considered for future release??

@MTRichards
Contributor

Need some clarity on the blue part here.
When a user enters a bad password, they are offered the reset password link by default, even if using LDAP/AD?
Clearly a "forgotten password" configuration option would be nice so that the "forgotten password" link is either configurable, or can be disabled.

Is that the ask?

@blizzz
Contributor
blizzz commented Jun 23, 2015

The basic question here is (because of how the user management is designed): if the user was not able to authenticate against the backend, how do you know whether he actually belongs to the LDAP backend? Maybe it's an IMAP user. Or a local one. Or from somewhere else.

@finius
finius commented Jun 23, 2015

Sure, if the user's origin cannot be determined there is no need for any password reset dialogs.
But if the username can be verified in some way by any one source (LDAP, AD, IMAP, local - and regardless of the password given), the "password reset" dialog can be handled the right way.

@cdamken
Contributor
cdamken commented Jun 25, 2015

@MTRichards @blizzz @MorrisJobke @DeepDiver1975 Would it be possible to add an option just to disable the mail option and just display a note like:

Password wrong, contact your administrator
@MTRichards MTRichards modified the milestone: 8.2-next, backlog Jun 29, 2015
@MTRichards
Contributor

Yes. It is currently tagged for 8.2. The feature is something like this:

As an administrator, I want to be able to disable the "forgot password link" and display a simple message to my end users.

Acceptance Criteria:

  • Config file option enables and disables the "forgot password link"
  • Three options exist for the forgotten password link configuration - 1) default as is; 2) disable the link altogether with no password reset available, and 3) a custom URL and message in place of the forgot password link
  • Config file option allows the admin to set these options
    example setting for option 3)
    lost_password_link => custom, 'internal.company.com/ssopasswordreset', 'If you have forgotten your password, please reset it through our corporate sso password reset gateway';
  • The URL would make the entire custom message into a clickable link, unless the URL is empty, in which case just the text is displayed.

@cdamken does that work?

@LukasReschke any security issue here with setting a URL in the config file?
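Added illustration of the three-way "forgot password" setting proposed above; this is not ownCloud's own code. The key name `lost_password_link`, the array shape and the mode names (`default`, `disabled`, `custom`) are assumptions based on the example setting in the comment, and the sample config is constructed.

```php
<?php
// Added illustration of the three-way "forgot password" setting proposed
// above; not ownCloud's own code. Key name, array shape and mode names
// ('default', 'disabled', 'custom') are assumptions based on the example
// setting in the comment.

// Constructed sample config.php fragment for option 3 (custom URL and text).
$config = [
    'lost_password_link' => ['custom',
        'https://internal.company.com/ssopasswordreset',
        'If you have forgotten your password, please reset it through our corporate SSO password reset gateway'],
];

function lostPasswordMode(array $config): array
{
    // Normalise to [mode, url, text]; anything unset becomes ''.
    $setting = (array)($config['lost_password_link'] ?? ['default']);
    return array_pad(array_values($setting), 3, '');
}

// Markup for the login page: '' when disabled, the built-in link by default,
// and for 'custom' the message, wrapped in <a> only when a URL is set.
// Config values are admin-controlled, not code: escape them and only accept
// http(s) URLs so a stray quote or a javascript: URL cannot reach the page.
function renderLostPasswordLink(array $config, string $defaultHref = '/lostpassword'): string
{
    [$mode, $url, $text] = lostPasswordMode($config);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    if ($mode === 'disabled') {
        return '';
    }
    if ($mode !== 'custom') {
        return '<a href="' . $esc($defaultHref) . '">Lost your password?</a>';
    }
    if ($url === '' || !preg_match('~^https?://~i', $url)) {
        return '<p>' . $esc($text) . '</p>';   // text only, no link
    }
    return '<a href="' . $esc($url) . '">' . $esc($text) . '</a>';
}

// Guard for the reset controllers themselves: hiding the link is not enough,
// the token endpoints must refuse to work whenever the built-in reset is off.
function assertResetAllowed(array $config): void
{
    if (lostPasswordMode($config)[0] !== 'default') {
        http_response_code(403);
        throw new RuntimeException('Built-in password reset is disabled on this instance');
    }
}
echo renderLostPasswordLink($config), PHP_EOL;
```

Calling `assertResetAllowed()` at the start of the reset-request and token-validation handlers keeps a user-guessed URL from reaching the built-in reset flow once the admin has switched it off.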

@MTRichards
Contributor

Also adding

00003545

@cmonteroluque
Contributor

@bboule @MorrisJobke @cdamken I consider this at risk of moving to 9.0. Need a strong push to avoid.
@LukasReschke #12215 (comment) from Matt?

@cdamken
Contributor
cdamken commented Sep 11, 2015

@MTRichards @gig13 @cmonteroluque I'm not pretty sure, but the patch from @schiesbn could be part of this fix:

#18747 (comment)

We tested with LDAP, and it worked even in 8.1.1

@blizzz
Contributor
blizzz commented Sep 21, 2015

@schiesbn's fix has nothing to do with this. His use case is that LDAP passwords have changed and encryption needs a way to convert keys. In that case the user is already logged in. The changed code belongs entirely to encryption.

Since Feature Freeze is here I assume we move it to 9.0?

@LukasReschke
Member

@LukasReschke any security issue here with setting a URL in the config file?

No objections from my side but we need to ensure that not only the URL changes but also the controllers are not accessible anymore :-)

@cmonteroluque cmonteroluque modified the milestone: 9.0-next, 8.2-current Sep 21, 2015
@cmonteroluque
Contributor

A question: are we expected to provide different behavior when the user is known to exist but has the wrong password vs. when the user is not determined to even exist? My understanding is that this is a security vulnerability because it can be used to expose the names of valid users, who can then potentially be targeted for a password attack or phishing.

@blizzz
Contributor
blizzz commented Sep 25, 2015
@cmonteroluque
Contributor

@blizzz Nod. I saw that before. My concern is still there (and one I've seen before in dealing with the response to failed username/password combinations). Happy to get @LukasReschke's response

@PVince81
Collaborator
PVince81 commented Dec 1, 2015

No objections from my side but we need to ensure that not only the URL changes but also the controllers are not accessible anymore :-)

@LukasReschke can you clarify the thing with the controllers? I don't see how it's related if redirecting to a separate custom page.

@PVince81
Collaborator
PVince81 commented Dec 1, 2015

@cdamken does that work?

Do we agree on the config option approach from #12215 (comment)?

@cmonteroluque
Contributor

@nickvergessen hoping you can tackle it during the 9.0 phase

@PVince81
Collaborator
PVince81 commented Jan 8, 2016

@carlaschroder do we need explicit documentation for this or is the fact that it's in config.sample.php enough?

@MorrisJobke
Member

@carlaschroder do we need explicit documentation for this or is the fact that it's in config.sample.php enough?

config.sample.php is used to generate a documentation page ;)

@MorrisJobke
Member

config.sample.php is used to generate a documentation page ;)

owncloud/documentation@d56c57c

@PVince81
Collaborator
PVince81 commented Jan 8, 2016

Yeah I know, but in some cases we might want to "advertise" a feature a bit better like having TOC entries, etc.

@MorrisJobke
Member

Yeah I know, but in some cases we might want to "advertise" a feature a bit better like having TOC entries, etc.

Sure. This then needs additional documentation ;)

@carlaschroder
Contributor

@PVince81 @MorrisJobke It would be fabulous if someone could send me some screenshots.

@PVince81
Collaborator

@carlaschroder there are no screenshots to be shown. It's just a new config option in config.php that lets you specify a custom URL that opens whenever a user clicks the "Lost password" link. owncloud/documentation@d56c57c#diff-cc42d41e3199bfcefb0487b5b9e8872aR294

@carlaschroder
Contributor

Thanks @PVince81

@carlaschroder
Contributor

config.sample.php is used to generate a documentation page ;)

My favorite thing!
