Description
Steps to reproduce
- Set up an LDAP server with non-reusable passwords, perhaps a corporate LDAP server backed by a RADIUS server linked with company-issued time-based token generators
- Enable LDAP authentication in Nextcloud
- Log in with generated token
- Wait 5 minutes
Expected behaviour
I should stay logged in longer than 5 minutes at a time.
Actual behaviour
I am logged out after 5 minutes when Nextcloud tries to reauthenticate with my (non-reusable) login password.
Workaround
The following patch will skip the 5-minute password check:
--- lib/private/User/Session.php~ 2018-09-07 23:14:26.867485000 +0000
+++ lib/private/User/Session.php 2018-09-07 22:51:03.908411000 +0000
@@ -690,12 +690,14 @@
return true;
}
+ if (false) { /* Kludge around LDAP with non-reusable passwords */
if ($this->manager->checkPassword($dbToken->getLoginName(), $pwd) === false
|| (!is_null($this->activeUser) && !$this->activeUser->isEnabled())) {
$this->tokenProvider->invalidateToken($token);
// Password has changed or user was disabled -> log user out
return false;
}
+ }
$dbToken->setLastCheck($now);
return true;
}
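Review bot: wrapping the whole block in `if (false)` also skips the `!$this->activeUser->isEnabled()` branch, so disabling an LDAP account no longer invalidates that user's existing session token and the session lives on until the token itself expires. If the re-check of a non-reusable password has to be skipped, keep the disabled-user check outside the skipped block, e.g. `if (!is_null($this->activeUser) && !$this->activeUser->isEnabled()) { $this->tokenProvider->invalidateToken($token); return false; }` immediately before `$dbToken->setLastCheck($now);`, and gate only the `checkPassword` call (on a backend capability or config flag) rather than hard-coding `false`; as written the comment explains the kludge but the change also leaves dead code that reviewers will flag.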
Sorry, I'm having a lot of trouble pasting a tab character in here. Hopefully this patch is simple enough to recreate by hand. This code section is present in Nextcloud 14 as well.
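To make the failure mode concrete, here is an added, constructed model of the periodic re-check (not Nextcloud's code): a time-based, non-reusable token backend standing in for the LDAP/RADIUS server, a session carrying the stored login password, and a validator that either replays that password every 5 minutes (the stock behaviour) or skips the replay for one-time passwords while still logging out disabled users. All names (`OtpBackend`, `Session`, `validate`) and the seed value are assumptions of this example.

```python
import hashlib
import hmac
import struct

RECHECK_INTERVAL = 300  # Nextcloud re-validates the stored login password every 5 minutes

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP (HMAC-SHA1): stands in for the company-issued time-based token generator
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class OtpBackend:
    # Constructed stand-in for the LDAP/RADIUS backend: a token is accepted only while it
    # is current and only once (non-reusable); a disabled user is always rejected.
    def __init__(self, secret: bytes):
        self.secret, self.used, self.disabled = secret, set(), set()

    def check_password(self, user: str, pwd: str, now: int) -> bool:
        if user in self.disabled or (user, pwd) in self.used:
            return False
        if not hmac.compare_digest(pwd, totp(self.secret, now)):
            return False
        self.used.add((user, pwd))
        return True

    def is_enabled(self, user: str) -> bool:
        return user not in self.disabled

class Session:
    # The fields the check in Session.php relies on: login name, stored password, last check
    def __init__(self, user: str, pwd: str, now: int):
        self.user, self.stored_pwd, self.last_check, self.valid = user, pwd, now, True

def validate(sess: Session, backend: OtpBackend, now: int, replay_password: bool) -> bool:
    # True: stock check, replay the stored password every 5 min. False: OTP-aware variant
    # that skips the replay but keeps the enabled check (the if-false kludge drops both).
    if not sess.valid:
        return False
    if now - sess.last_check < RECHECK_INTERVAL:
        return True
    ok = backend.is_enabled(sess.user)
    if replay_password:
        ok = ok and backend.check_password(sess.user, sess.stored_pwd, now)
    if not ok:
        sess.valid = False  # token invalidated -> user is logged out, as the report observes
        return False
    sess.last_check = now
    return True
```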
Server configuration
Operating system: Container Linux by CoreOS 1800.7.0 (Rhyolite)
Web server: Apache2 2.4.25-3+deb
Database: MariaDB
PHP version: 7.1.20
Nextcloud version: 13.0.4
Updated from an older Nextcloud/ownCloud or fresh install: Updated from an older Nextcloud
Where did you install Nextcloud from: docker run nextcloud:13.0.4
Signing status:
No errors have been found.
List of activated apps:
Enabled:
- activity: 2.6.1
- bruteforcesettings: 1.1.0
- comments: 1.3.0
- dav: 1.4.7
- deck: 0.4.1
- federatedfilesharing: 1.3.1
- federation: 1.3.0
- files: 1.8.0
- files_external: 1.4.1
- files_pdfviewer: 1.2.1
- files_sharing: 1.5.0
- files_texteditor: 2.5.1
- files_trashbin: 1.3.0
- files_versions: 1.6.0
- files_videoplayer: 1.2.0
- firstrunwizard: 2.2.1
- gallery: 18.0.0
- logreader: 2.0.0
- lookup_server_connector: 1.1.0
- nextcloud_announcements: 1.2.0
- notes: 2.3.2
- notifications: 2.1.2
- oauth2: 1.1.1
- onlyoffice: 1.3.0
- passman: 2.1.4
- password_policy: 1.3.0
- provisioning_api: 1.3.0
- serverinfo: 1.3.0
- sharebymail: 1.3.0
- survey_client: 1.1.0
- systemtags: 1.3.0
- tasks: 0.9.6
- theming: 1.4.5
- twofactor_backupcodes: 1.2.3
- updatenotification: 1.3.0
- user_ldap: 1.3.1
- user_saml: 1.5.0
- workflowengine: 1.3.0
Disabled:
- admin_audit
- encryption
- user_external
Nextcloud configuration:
{
"system": {
"instanceid": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"nextcloud-main",
"onlyoffice-document-server"
],
"overwriteprotocol": "https",
"overwritehost": "arcs.lanl.gov",
"overwritewebroot": "\/nextcloud",
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"lost_password_link": "disabled",
"proxy": "proxyout.lanl.gov:8080",
"dbtype": "mysql",
"version": "13.0.4.0",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "UTC",
"installed": true,
"mail_smtpmode": "smtp",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "25",
"memcache.local": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"theme": "",
"loglevel": 0,
"maintenance": false,
"overwrite.cli.url": "https:\/\/arcs.lanl.gov\/nextcloud",
"ldapIgnoreNamingRules": false,
"ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory"
}
}
Are you using external storage, if yes which one: local
Are you using encryption: yes, with a haproxy front-end
Are you using an external user-backend, if yes which one: LDAP
LDAP configuration:
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Configuration | |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport | 0 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | dc=lanl,dc=gov |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDefaultPPolicyDN | |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | |
| ldapExperiencedAdmin | 1 |
| ldapExpertUUIDGroupAttr | cn |
| ldapExpertUUIDUserAttr | employeeNumber |
| ldapExpertUsernameAttr | employeeNumber |
| ldapGidNumber | gidNumber |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(|(objectclass=posixGroup))(|(cn=cfl-*))) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | uniqueMember |
| ldapHost | ldap://ldap.lanl.gov |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectClass=inetOrgPerson)(|(departmentNumber=A-4)(memberOf=cfl-affiliates))(|(uid=%uid)(employeeNumber=%uid)(mail=%uid)(mail=%uid@lanl.gov))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 389 |
| ldapQuotaAttribute | |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayName |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectClass=inetOrgPerson)(|(departmentNumber=A-4)(memberOf=cfl-affiliates))) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| turnOnPasswordChange | 0 |
| useMemberOfToDetectMembership | 1 |
+-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
Client configuration
Browser: Chrome 68.0.3440.118
Operating system: ChromeOS 68.0.3440.118
Logs
Web server error log
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.1.244. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 10.0.1.244. Set the 'ServerName' directive globally to suppress this message
[Fri Sep 07 18:15:44.748489 2018] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.1.20 configured -- resuming normal operations
[Fri Sep 07 18:15:44.748582 2018] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
[Fri Sep 07 18:20:21.355161 2018] [authz_core:error] [pid 29] [client 10.0.1.249:34068] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 18:20:24.690810 2018] [authz_core:error] [pid 30] [client 10.0.1.251:33810] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 18:28:29.828013 2018] [php7:warn] [pid 41] [client 10.0.1.251:34882] PHP Warning: Redis::connect(): php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/www/html/lib/private/RedisFactory.php on line 84
[Fri Sep 07 18:28:29.828075 2018] [php7:warn] [pid 41] [client 10.0.1.251:34882] PHP Warning: Redis::connect(): connect() failed: php_network_getaddresses: getaddrinfo failed: Name or service not known in /var/www/html/lib/private/RedisFactory.php on line 84
[Fri Sep 07 18:28:29.829955 2018] [php7:error] [pid 41] [client 10.0.1.251:34882] PHP Fatal error: Uncaught RedisException: Redis server went away in /var/www/html/lib/private/Memcache/Redis.php:54\nStack trace:\n#0 /var/www/html/lib/private/Memcache/Redis.php(54): Redis->get('7b1b99d0725c301...')\n#1 /var/www/html/lib/autoloader.php(146): OC\\Memcache\\Redis->get('OC_User')\n#2 [internal function]: OC\\Autoloader->load('OC_User')\n#3 /var/www/html/lib/private/Log/File.php(104): spl_autoload_call('OC_User')\n#4 [internal function]: OC\\Log\\File::write('PHP', 'RedisException:...', 3)\n#5 /var/www/html/lib/private/Log.php(329): call_user_func(Array, 'PHP', 'RedisException:...', 3)\n#6 /var/www/html/lib/private/Log.php(179): OC\\Log->log(3, 'RedisException:...', Array)\n#7 /var/www/html/lib/private/Log/ErrorHandler.php(81): OC\\Log->critical('RedisException:...', Array)\n#8 [internal function]: OC\\Log\\ErrorHandler::onException(Object(RedisException))\n#9 {main}\n thrown in /var/www/html/lib/private/Memcache/Redis.php on line 54
[Fri Sep 07 18:28:29.830174 2018] [php7:error] [pid 41] [client 10.0.1.251:34882] PHP Fatal error: Uncaught RedisException: Redis server went away in /var/www/html/lib/private/Memcache/Redis.php:54\nStack trace:\n#0 /var/www/html/lib/private/Memcache/Redis.php(54): Redis->get('7b1b99d0725c301...')\n#1 /var/www/html/lib/autoloader.php(146): OC\\Memcache\\Redis->get('OC_User')\n#2 [internal function]: OC\\Autoloader->load('OC_User')\n#3 /var/www/html/lib/private/Log/File.php(104): spl_autoload_call('OC_User')\n#4 [internal function]: OC\\Log\\File::write('PHP', 'Uncaught RedisE...', 3)\n#5 /var/www/html/lib/private/Log.php(329): call_user_func(Array, 'PHP', 'Uncaught RedisE...', 3)\n#6 /var/www/html/lib/private/Log.php(179): OC\\Log->log(3, 'Uncaught RedisE...', Array)\n#7 /var/www/html/lib/private/Log/ErrorHandler.php(68): OC\\Log->critical('Uncaught RedisE...', Array)\n#8 [internal function]: OC\\Log\\ErrorHandler::onShutdown()\n#9 {main}\n thrown in /var/www/html/lib/private/Memcache/Redis.php on line 54
[Fri Sep 07 22:00:45.185345 2018] [authz_core:error] [pid 50] [client 10.0.1.250:46302] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:00:50.170253 2018] [authz_core:error] [pid 34] [client 10.0.1.249:41682] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:00:59.872722 2018] [authz_core:error] [pid 51] [client 10.0.1.250:46368] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:01:54.160050 2018] [authz_core:error] [pid 56] [client 10.0.1.251:52350] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:03:03.890282 2018] [authz_core:error] [pid 38] [client 10.0.1.251:52594] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:03:07.574277 2018] [authz_core:error] [pid 32] [client 10.0.1.249:41782] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:54:31.273827 2018] [authz_core:error] [pid 53] [client 10.0.1.251:56922] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:54:34.342268 2018] [authz_core:error] [pid 52] [client 10.0.1.250:56582] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
[Fri Sep 07 22:57:28.881287 2018] [authz_core:error] [pid 53] [client 10.0.1.251:57172] AH01630: client denied by server configuration: /var/www/html/data/.ocdata
Nextcloud log (data/nextcloud.log)
root@7c2ef2fb937d:/var/www/html/data# ls -lh nextcloud.log
-rw-r----- 1 www-data www-data 641M Sep 7 23:25 nextcloud.log
root@7c2ef2fb937d:/var/www/html/data# tail -n 4 nextcloud.log
{"reqId":"4TYNJBJnX6BNc39qCqCV","level":0,"time":"2018-09-07T23:25:32+00:00","remoteAddr":"10.0.1.251","user":"--","app":"core","method":"GET","url":"\/nextcloud\/index.php\/login","message":"Scss is disabled for \/var\/www\/html\/core\/css\/jquery-ui-fixes.scss, ignoring","userAgent":"Go-http-client\/1.1","version":"13.0.4.0"}
{"reqId":"4TYNJBJnX6BNc39qCqCV","level":0,"time":"2018-09-07T23:25:32+00:00","remoteAddr":"10.0.1.251","user":"--","app":"core","method":"GET","url":"\/nextcloud\/index.php\/login","message":"Scss is disabled for \/var\/www\/html\/core\/css\/server.scss, ignoring","userAgent":"Go-http-client\/1.1","version":"13.0.4.0"}
{"reqId":"4TYNJBJnX6BNc39qCqCV","level":0,"time":"2018-09-07T23:25:32+00:00","remoteAddr":"10.0.1.251","user":"--","app":"core","method":"GET","url":"\/nextcloud\/index.php\/login","message":"Scss is disabled for \/var\/www\/html\/core\/css\/share.scss, ignoring","userAgent":"Go-http-client\/1.1","version":"13.0.4.0"}
{"reqId":"4TYNJBJnX6BNc39qCqCV","level":0,"time":"2018-09-07T23:25:32+00:00","remoteAddr":"10.0.1.251","user":"--","app":"core","method":"GET","url":"\/nextcloud\/index.php\/login","message":"Scss is disabled for \/var\/www\/html\/core\/css\/jquery.ocdialog.scss, ignoring","userAgent":"Go-http-client\/1.1","version":"13.0.4.0"}
Browser log
Not relevant