LDAP over-authenticating after upgrade UPDATED/Simplified #26065
Comments
I've checked the previous working configuration, Owncloud 9.0.0.19; this appears to be a major bug in LDAP in the new version.
@owncloud/ldap
Since 9.1 there is some new logic that will try and detect whether a LDAP user still exists by doing a bind with the user password. Maybe that check is running too early and causes additional needless calls.
Thanks for your response - happy to assist with any test to nail this issue.
Maybe we need a config switch, also on the LDAP wizard, to disable such checks... @jvillafanez what do you think?
You could try to increase the value from Then see if it helps reduce the over-authentication. We should make that value configurable and if the value is "0" or "-1", disable the check altogether.
The only code piece that could be over-authenticating in the LDAP code should be https://github.com/owncloud/core/blob/stable9.1/apps/user_ldap/lib/User_LDAP.php#L137 . Probably core is checking the password too many times.
Any progress here? @butonic
@PaulHughes99 did you try with my advice from #26065 (comment)?
Please also make sure you have memcache enabled to reduce the number of queries to LDAP.
cc @cdamken
Hi - sorry I was distracted by other projects but will look at this again in the next few days.
On 19 Jan 2017, at 16:58, Vincent Petry wrote:
> Please also make sure you have memcache enabled to reduce the number of queries to LDAP.
@PVince81 I will devote some time to this now but please forgive a couple of newbie questions:
@PaulHughes99 in this specific case, yes. Directly modify Session.php.
@PVince81 Thanks. I've made those changes and it does appear to reduce the over-authentication. I'll test it over a couple of days and report back.
So, once logged in, the authentication ceases, so adjusting this variable certainly helps. However, it is still over-authenticating (2-3 times) during the log-in process, both from web log-in and from the desktop app. I'm wondering if there is a timeout parameter somewhere which is performing multiple retries because the response from the LDAP server is too slow. I'll hunt through the code, but if you know where to look please tell me.
@PVince81 @jvillafanez OK I've narrowed things a little. There are two things that could be wrong here.
Hi there! As @cornelinux already mentioned, we see three bind requests per user login in owncloud 10.0.2 with the user_ldap app 0.9.1. If it helps, here are the backtraces for the three invocations of

First backtrace:
#0 /var/www/owncloud/apps/user_ldap/lib/Connection.php(608): OCA\User_LDAP\LDAP->bind(Resource id #86, 'uid=user777,cn=...', 'password777')
#1 /var/www/owncloud/apps/user_ldap/lib/Access.php(1411): OCA\User_LDAP\Connection->bind()
#2 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(134): OCA\User_LDAP\Access->areCredentialsValid('uid=user777,cn=...', 'password777')
#3 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword('user777', 'password777')
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(79): call_user_func_array(Array, Array)
#5 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(140): OCA\User_LDAP\User_Proxy->walkBackends('user777', 'checkPassword', Array)
#6 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(194): OCA\User_LDAP\Proxy->handleRequest('user777', 'checkPassword', Array)
#7 /var/www/owncloud/lib/private/User/Manager.php(215): OCA\User_LDAP\User_Proxy->checkPassword('user777', 'password777')
#8 /var/www/owncloud/core/Controller/LoginController.php(186): OC\User\Manager->checkPassword('user777', 'password777')
#9 [internal function]: OC\Core\Controller\LoginController->tryLogin('user777', 'password777', NULL)
#10 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#11 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#12 /var/www/owncloud/lib/private/AppFramework/App.php(98): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#13 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#14 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#15 /var/www/owncloud/lib/private/Route/Router.php(299): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#16 /var/www/owncloud/lib/base.php(918): OC\Route\Router->match('/login')
#17 /var/www/owncloud/index.php(49): OC::handleRequest()
#18 {main}

Second backtrace:
#0 /var/www/owncloud/apps/user_ldap/lib/Connection.php(608): OCA\User_LDAP\LDAP->bind(Resource id #89, 'uid=user777,cn=...', 'password777')
#1 /var/www/owncloud/apps/user_ldap/lib/Access.php(1411): OCA\User_LDAP\Connection->bind()
#2 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(134): OCA\User_LDAP\Access->areCredentialsValid('uid=user777,cn=...', 'password777')
#3 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword('user777', 'password777')
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(106): call_user_func_array(Array, Array)
#5 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(138): OCA\User_LDAP\User_Proxy->callOnLastSeenOn('user777', 'checkPassword', Array, false)
#6 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(194): OCA\User_LDAP\Proxy->handleRequest('user777', 'checkPassword', Array)
#7 /var/www/owncloud/lib/private/User/Manager.php(215): OCA\User_LDAP\User_Proxy->checkPassword('user777', 'password777')
#8 /var/www/owncloud/lib/private/User/Session.php(465): OC\User\Manager->checkPassword('user777', 'password777')
#9 /var/www/owncloud/lib/private/User/Session.php(299): OC\User\Session->loginWithPassword('user777', 'password777')
#10 /var/www/owncloud/core/Controller/LoginController.php(205): OC\User\Session->login('user777', 'password777')
#11 [internal function]: OC\Core\Controller\LoginController->tryLogin('user777', 'password777', NULL)
#12 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(159): call_user_func_array(Array, Array)
#13 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(89): OC\AppFramework\Http\Dispatcher->executeController(Object(OC\Core\Controller\LoginController), 'tryLogin')
#14 /var/www/owncloud/lib/private/AppFramework/App.php(98): OC\AppFramework\Http\Dispatcher->dispatch(Object(OC\Core\Controller\LoginController), 'tryLogin')
#15 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('LoginController', 'tryLogin', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#16 [internal function]: OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#17 /var/www/owncloud/lib/private/Route/Router.php(299): call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
#18 /var/www/owncloud/lib/base.php(918): OC\Route\Router->match('/login')
#19 /var/www/owncloud/index.php(49): OC::handleRequest()
#20 {main}

Third backtrace:
#0 /var/www/owncloud/apps/user_ldap/lib/Connection.php(608): OCA\User_LDAP\LDAP->bind(Resource id #68, 'uid=user777,cn=...', 'password777')
#1 /var/www/owncloud/apps/user_ldap/lib/Access.php(1411): OCA\User_LDAP\Connection->bind()
#2 /var/www/owncloud/apps/user_ldap/lib/User_LDAP.php(134): OCA\User_LDAP\Access->areCredentialsValid('uid=user777,cn=...', 'password777')
#3 [internal function]: OCA\User_LDAP\User_LDAP->checkPassword('user777', 'password777')
#4 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(106): call_user_func_array(Array, Array)
#5 /var/www/owncloud/apps/user_ldap/lib/Proxy.php(138): OCA\User_LDAP\User_Proxy->callOnLastSeenOn('user777', 'checkPassword', Array, false)
#6 /var/www/owncloud/apps/user_ldap/lib/User_Proxy.php(194): OCA\User_LDAP\Proxy->handleRequest('user777', 'checkPassword', Array)
#7 /var/www/owncloud/lib/private/User/Manager.php(215): OCA\User_LDAP\User_Proxy->checkPassword('user777', 'password777')
#8 /var/www/owncloud/lib/private/User/Session.php(632): OC\User\Manager->checkPassword('user777', 'password777')
#9 /var/www/owncloud/lib/private/User/Session.php(667): OC\User\Session->checkTokenCredentials(Object(OC\Authentication\Token\DefaultToken), 'b5pijede0v5d9jf...')
#10 /var/www/owncloud/lib/private/User/Session.php(233): OC\User\Session->validateToken('b5pijede0v5d9jf...')
#11 /var/www/owncloud/lib/private/legacy/app.php(131): OC\User\Session->validateSession()
#12 /var/www/owncloud/lib/base.php(888): OC_App::loadApps(Array)
#13 /var/www/owncloud/index.php(49): OC::handleRequest()
#14 {main}

So it seems like
From my point of view, and based on @fredreichbier's traces, it seems that core is the one over-authenticating. LDAP just forwards the request to LDAP, and I think it's a request that LDAP shouldn't cache, so if core keeps checking the password over and over, that is something core should handle, not LDAP.
Thank you for looking into this @jvillafanez! I thought a bit about how to fix this:
The issue that request 3 is repeated every five minutes was fixed by #28252 :)
"get rid of request 2", yes, in 9.1 core password is
In 10.0 this was reworked and looks good to me. Anyone tested with 10.0? "get rid of request 3", I agree on the suggested solution, to initially set the token's lastCheckTime to the login time. Makes sense.
@felixboehm already fixed in #28252 by @cornelinux. But looking at the code it seems to be missing a way to turn the check off completely: https://github.com/owncloud/core/pull/28269/files#diff-9c47cee6ac987e5256aeee509f91ddb1R611.
@PVince81 @felixboehm
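The following is an added example, not ownCloud's PHP code: a small Python model of the behaviour this thread is about, so the effect of the two proposals (start the token's last-check time at login time; let an interval of 0 or -1 switch the periodic re-check off) can be counted in binds. Every name in it (LdapBackend, Token, Session, recheck_interval, init_check_time_at_login) is this example's own, the 300 s default is assumed from "repeated every five minutes" above, and the request timings are constructed.

```python
"""Model of the session-token re-validation discussed in this thread.

Added example, not ownCloud code. One check_password() at login equals one
LDAP bind; afterwards a request re-binds with the credentials stored in the
token once `recheck_interval` seconds have passed since the last check.
"""
from dataclasses import dataclass


class LdapBackend:
    """Stand-in for user_ldap: every check_password() call is one LDAP bind."""

    def __init__(self, users):
        self.users = dict(users)  # uid -> password the directory currently accepts
        self.bind_count = 0

    def check_password(self, uid, password):
        self.bind_count += 1
        return self.users.get(uid) == password


@dataclass
class Token:
    uid: str
    password: str          # kept so the session can re-bind later
    last_check_time: float


class Session:
    def __init__(self, backend, recheck_interval=300, init_check_time_at_login=True):
        self.backend = backend
        self.recheck_interval = recheck_interval          # assumed default: 300 s
        self.init_check_time_at_login = init_check_time_at_login
        self.token = None

    def login(self, uid, password, now):
        if not self.backend.check_password(uid, password):   # bind at login
            return False
        # Without the fix the token starts out "never checked", so the very
        # next request re-binds immediately: a second bind during login.
        first_check = now if self.init_check_time_at_login else 0.0
        self.token = Token(uid, password, first_check)
        return True

    def request(self, now):
        """Handle a request carrying the token; True if the user is still logged in."""
        token = self.token
        if token is None:
            return False
        if self.recheck_interval <= 0:        # 0 / -1: periodic re-check disabled
            return True
        if now - token.last_check_time >= self.recheck_interval:
            if not self.backend.check_password(token.uid, token.password):
                self.token = None             # credentials no longer valid in LDAP
                return False
            token.last_check_time = now
        return True


def binds_for(request_times, recheck_interval=300, init_check_time_at_login=True,
              login_time=1000.0):
    """LDAP binds caused by one login followed by requests at `request_times`."""
    backend = LdapBackend({"ttest": "secret"})
    session = Session(backend, recheck_interval, init_check_time_at_login)
    session.login("ttest", "secret", login_time)
    for t in request_times:
        session.request(t)
    return backend.bind_count


def still_logged_in_after_password_change(recheck_interval, login_time=1000.0):
    """The cost of switching the check off: a rotated directory password goes unnoticed."""
    backend = LdapBackend({"ttest": "secret"})
    session = Session(backend, recheck_interval)
    session.login("ttest", "secret", login_time)
    backend.users["ttest"] = "rotated"        # password changed behind the session
    return session.request(login_time + 301)


if __name__ == "__main__":
    burst = [1001.0, 1002.0, 1003.0]                  # requests right after a web login
    hour = [1000.0 + 30 * k for k in range(1, 121)]   # desktop client polling every 30 s
    print("login burst, unfixed:", binds_for(burst, init_check_time_at_login=False))
    print("login burst, fixed:  ", binds_for(burst))
    print("1 h polling, 300 s:  ", binds_for(hour))
    print("1 h polling, 24 h:   ", binds_for(hour, recheck_interval=86400))
    print("1 h polling, off:    ", binds_for(hour, recheck_interval=0))
    print("rotated password caught (300 s):", not still_logged_in_after_password_change(300))
```

Starting the token's last-check time at login removes one bind from the login burst; raising the interval to 8 or 24 hours, as suggested above, is what keeps a one-time-password directory usable, while 0/-1 also gives up the check that would log out a user whose LDAP password was changed.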
@PVince81 @felixboehm
Likewise, calling my LDAP initiates 2FA, so (the option of) authenticating every 24 hours would be perfect ... otherwise users are driven crazy.
On 13/07/2017 09:29, Cornelius Kölbel wrote:
> @PVince81 @felixboehm
> For me it was ok to not turn the check off completely.
> I would simply set this to 8 hours or 24 hours. After all, for me this is important for OTP authentication. And I am happy if the user needs to enter a one time password once a day!
Thank you for looking into this @PVince81 @felixboehm! My backtraces above actually came from an installation of ownCloud 10.0.2, so the issue is still present in ownCloud 10. However, I just tried the current ownCloud master and user_ldap master. First, I had the problem that I couldn't log in at all using the user_ldap app due to a HTTP 500. This was caused by $loginResult = $this->userManager->get($user); with $loginResult = $this->userSession->getUser(); which allows me to log in just fine. Do you think that change is sensible? I can also do a PR, if you prefer that. And indeed, this eliminates request 2 from above. In conjunction with the
Cool, so do we agree to close this ticket? @fredreichbier if you are having other problems with LDAP latest versions, please raise a new ticket in https://github.com/owncloud/user_ldap
Yes, I think if we can get the two one-line fixes merged into master, this ticket can be closed. Thanks! Should I do two PRs? (since the first fix only removes bind request 3, whereas the second fix seems necessary to get user_ldap running on the current master in general?)
@fredreichbier hmm I'm not really following what you mean. What PRs or fixes are you talking about? I'm only aware of the fix from #28252 which is already on master and stable10.
Sorry if I didn't make this clear enough. The situation is the following: On ownCloud 10.0.2, we still see three LDAP bind requests per login (see my backtraces here). The fix from #28252 only fixes the issue that the bind request 3 is repeated every five minutes. On the
So, all in all, applying these two fixes to master reduces the number of bind requests per login from 3 to 1. Please let me know if anything is unclear :)
@fredreichbier ok thanks. Please raise the issue about the 500 in the user_ldap repo and/or submit your one-liner as a PR. Whether this belongs to core or user_ldap, maybe @jvillafanez can help with that. But let's discuss this separate issue there.
Closing this now. @fredreichbier when ready, please raise a separate issue/PR and link them here. Thanks.
@fredreichbier thanks a lot!
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
After upgrading OC Server (from 9.0.0.19 to 9.1.0.15), a previously working LDAP setup is broken; LDAP is now making at least three authentication calls (binds with the user password) each time a client logs in through the web interface, and frequent unwanted authentications from the desktop client (previously it was only one authentication when the client booted up).
(NB This matters because I've successfully implemented 2-factor authentication on the LDAP server, so too many authentications cause total chaos.) This is a very severe issue.
My question is whether the LDAP coding in OC has changed, and is there a way to prevent these multiple authentications?
I've noted topic: https://central.owncloud.org/t/lot-of-ldap-traffic/19091 which may have a similar cause.
This is my first post, so apologies if I've not provided some relevant info.
Steps to reproduce
Expected behaviour
OC should perform a single authentication on LOGIN, and thereafter the cache should prevent further authentications being necessary; the OC desktop client should authenticate only once at startup.
The LDAP log from the working Owncloud 9.0 server (grep -R slapd /var/log/syslog) shows a single search for the user's UID -- in this case 'ttest' -- followed within the same connection by a successful bind with the full DN 'test test' etc., and password.
Actual behaviour
In OC 9.1, the LDAP server is being asked to search THREE times for the user name, and the username plus password is authenticated THREE times.
Server configuration
Operating system: Ubuntu
Web server: Apache/2.4.7 (Ubuntu)
Database: MySQL
PHP version: PHP 5.5.9-1ubuntu4.19 (cli) (built: Jul 28 2016 19:31:33)
ownCloud version (see ownCloud admin page): ownCloud 9.1.0 (stable)
Updated from an older ownCloud or fresh install: updated
ownCloud log (data/owncloud.log, see https://central.owncloud.org/t/how-to-find-webserver-or-oc-logfile-enable-php-logfile/808):
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption):
Integrity status for oC9+ (http://example.com/index.php/settings/integrity/failed): No errors have been found.
LDAP configuration (delete this part if not used)
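The check the reporter did by hand (grep slapd out of syslog and count searches and binds per login) can be scripted. The following is an added example, not code from the issue or from ownCloud: it parses OpenLDAP's default "stats" log lines (conn=/op= records), pairs each BIND with its RESULT on the same conn/op so only answered binds are counted, and reports DNs that bound more often than a login should need. The sample log is constructed to mirror the 9.1 behaviour described above (three uid searches, three user binds) plus one failed bind; host, DNs, IPs and usernames are invented.

```python
"""Count LDAP BIND and search operations per DN in slapd syslog output.

Added example, not ownCloud code. Parses the conn=/op= lines slapd writes at
its default "stats" loglevel, e.g. via: grep slapd /var/log/syslog
"""
import re
from collections import Counter

# Constructed sample (ACCEPT lines omitted): one 9.1-style web login for
# 'ttest' (service-account bind, uid search, user bind, three times over) and
# one failed bind (err=49 = invalidCredentials) for a second user.
SAMPLE_SYSLOG = """\
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=0 BIND dn="cn=ocsvc,dc=example,dc=com" method=128
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=ttest)"
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=2 BIND dn="cn=test test,ou=people,dc=example,dc=com" method=128
Aug 10 10:00:01 oc slapd[1234]: conn=1001 op=2 RESULT tag=97 err=0 text=
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=0 BIND dn="cn=ocsvc,dc=example,dc=com" method=128
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=ttest)"
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=2 BIND dn="cn=test test,ou=people,dc=example,dc=com" method=128
Aug 10 10:00:01 oc slapd[1234]: conn=1002 op=2 RESULT tag=97 err=0 text=
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=0 BIND dn="cn=ocsvc,dc=example,dc=com" method=128
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=0 RESULT tag=97 err=0 text=
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=ttest)"
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=2 BIND dn="cn=test test,ou=people,dc=example,dc=com" method=128
Aug 10 10:00:02 oc slapd[1234]: conn=1003 op=2 RESULT tag=97 err=0 text=
Aug 10 10:05:00 oc slapd[1234]: conn=1004 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
Aug 10 10:05:00 oc slapd[1234]: conn=1004 op=0 RESULT tag=97 err=49 text=
"""

OP_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=\d+')
SRCH_RE = re.compile(r'^SRCH base="[^"]*" scope=\d+ deref=\d+ filter="(?P<filter>[^"]*)"')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(?P<err>\d+)")   # tag=97: bindResponse


def parse_ops(log_text):
    """Return ('bind', dn, succeeded) and ('search', filter, None) tuples in log order.

    A BIND is recorded only when its RESULT (same conn and op) is seen, so an
    unanswered bind is never mistaken for an authentication.
    """
    pending = {}   # (conn, op) -> bind DN awaiting its RESULT line
    ops = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, rest = (m.group("conn"), m.group("op")), m.group("rest")
        bind, srch, result = BIND_RE.match(rest), SRCH_RE.match(rest), BIND_RESULT_RE.match(rest)
        if bind:
            pending[key] = bind.group("dn")
        elif srch:
            ops.append(("search", srch.group("filter"), None))
        elif result and key in pending:
            ops.append(("bind", pending.pop(key), result.group("err") == "0"))
    return ops


def bind_summary(log_text):
    """Return (successful binds per DN, failed binds per DN, searches per filter)."""
    ok, failed, searches = Counter(), Counter(), Counter()
    for kind, key, succeeded in parse_ops(log_text):
        if kind == "search":
            searches[key] += 1
        elif succeeded:
            ok[key] += 1
        else:
            failed[key] += 1
    return ok, failed, searches


def over_authenticating(log_text, expected=1, ignore_dns=()):
    """DNs that bound successfully more than `expected` times (agent DN excluded via ignore_dns)."""
    ok, _, _ = bind_summary(log_text)
    return {dn: n for dn, n in ok.items() if n > expected and dn not in ignore_dns}


if __name__ == "__main__":
    ok, failed, searches = bind_summary(SAMPLE_SYSLOG)
    for dn, n in ok.items():
        print(f"{n} successful bind(s) as {dn}")
    for dn, n in failed.items():
        print(f"{n} FAILED bind(s) as {dn}")
    for flt, n in searches.items():
        print(f"{n} search(es) with filter {flt}")
    print("over-authenticating:",
          over_authenticating(SAMPLE_SYSLOG, ignore_dns={"cn=ocsvc,dc=example,dc=com"}))
```

Run it over a short window of the real syslog around one login (one user, one browser) and compare the per-DN counts with the expected single search and single bind; on a 2FA-backed directory the failed-bind counter is the one to watch, since every extra bind with a one-time password that has already been consumed shows up there as err=49.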