Active Directory disabled users can successfully login #1574
Comments
Great application! Thanks a lot. I confirm this behaviour. User has been cached locally once his account was still active.
Hello, please let me check it out; LDAP should return a 533 error code. Regards
Hello, it seems that your server is not using a standard result code for locked or non-existent accounts, since it should reply with an 'INVALID_CREDENTIALS (49)' code: https://ldap.com/ldap-result-code-reference-core-ldapv3-result-codes/#rc-invalidCredentials Could you please tell me which result code your server is returning? Regards
Hi, I did some debugging yesterday. I have connected sysPass to MS AD on a Domain Controller. It seems that the UserAccountControl filter bit 2 (part of the FILTER_USER_OBJECT in LdapMsAds) is hiding the locked users from being included in the search results. Then sysPass apparently falls back to the local account. Introduced here. If I remove the UserAccountControl filter everything works. The user is found in LDAP correctly and AD can return the 533 error, resulting in a correctly denied login. I have seen various issues about the UserAccountControl filter but it seems it's still included unchanged? Merry Christmas
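The failure mode described in the comment above, as an added example that is not sysPass code: a small Python model of the search-then-bind flow with a constructed directory and local cache. With the userAccountControl bit-2 exclusion in the search filter the disabled user is never found and the local fallback accepts the cached password; without it, AD's bind answer (result 49 with sub-code data 533) denies the login. The 52e sub-code for a wrong password is AD's own convention, not taken from this issue.

```python
# Added example (not sysPass code): models the fail-open discussed in the issue.
ACCOUNTDISABLE = 0x2            # userAccountControl bit 2 (ACCOUNTDISABLE)
LDAP_INVALID_CREDENTIALS = 49   # standard LDAPv3 invalidCredentials result

# Constructed directory: userAccountControl values as AD stores them.
DIRECTORY = {
    "alice": {"userAccountControl": 0x200, "password": "correct-horse"},
    "bob": {"userAccountControl": 0x200 | ACCOUNTDISABLE, "password": "battery-staple"},
}
# Constructed local cache: both users logged in while their accounts were enabled.
LOCAL_CACHE = {"alice": "correct-horse", "bob": "battery-staple"}


def ldap_search(uid, exclude_disabled):
    """Emulate the user search. exclude_disabled mirrors a
    (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause in the filter."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return None
    if exclude_disabled and entry["userAccountControl"] & ACCOUNTDISABLE:
        return None  # disabled account is invisible to the application
    return entry


def ldap_bind(uid, password):
    """Emulate an AD simple bind. Returns (result_code, diagnostic_message)."""
    entry = DIRECTORY[uid]
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return LDAP_INVALID_CREDENTIALS, "AcceptSecurityContext error, data 533"
    if password != entry["password"]:
        return LDAP_INVALID_CREDENTIALS, "AcceptSecurityContext error, data 52e"
    return 0, ""


def login(uid, password, exclude_disabled):
    """Return which path accepted or denied the login."""
    if ldap_search(uid, exclude_disabled) is None:
        # No LDAP match: the application falls back to its local user table.
        return "local" if LOCAL_CACHE.get(uid) == password else "denied"
    code, diag = ldap_bind(uid, password)
    if code == LDAP_INVALID_CREDENTIALS:
        return "denied:" + diag.rsplit(" ", 1)[-1]  # e.g. "denied:533"
    return "ldap"
```

Running `login("bob", "battery-staple", True)` shows the fail-open (`"local"`), while the same call with `exclude_disabled=False` yields `"denied:533"`.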
Hi, this is good news. I'll check out he Many thanks for the feedback! Merry Christmas ;)
…r `UserAccountControl` property, since it prevents throwing the proper status code when authenticating against LDAP. Thanks to @t0l0 for testing. Closes #1574 * [MOD] Update dependencies * [MOD] Bump version number Signed-off-by: Rubén D <[email protected]>
…r `UserAccountControl` property, since it prevents throwing the proper status code when authenticating against LDAP. Thanks to @t0l0 for testing. Closes #1574 Signed-off-by: Rubén D <[email protected]>
Hi there!
A few days ago I figured out that disabled active directory users can successfully login at sysPass.
And syspass.log says "Error while searching the user on LDAP".
I did other tests with expired users and users with restricted logon hours as well and, as expected, it's not possible to log in with those users.
sysPass Version
3.1 (312.20030701)
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Disabled AD/LDAP users should not be able to login.
Event log
syspass.EXCEPTION: logger {"message":"Error while searching the user on LDAP
#0 /var/www/html/syspass/lib/SP/Providers/Auth/Ldap/LdapAuth.php(156): SP\Providers\Auth\Ldap\LdapActions->getAttributes(String)
#1 /var/www/html/syspass/lib/SP/Providers/Auth/Ldap/LdapAuth.php(121): SP\Providers\Auth\Ldap\LdapAuth->getAttributes(String)
#2 /var/www/html/syspass/lib/SP/Providers/Auth/AuthProvider.php(119): SP\Providers\Auth\Ldap\LdapAuth->authenticate(Object(SP\DataModel\UserLoginData))
#3 /var/www/html/syspass/lib/SP/Providers/Auth/AuthProvider.php(97): SP\Providers\Auth\AuthProvider->authLdap()
#4 /var/www/html/syspass/lib/SP/Services/Auth/LoginService.php(154): SP\Providers\Auth\AuthProvider->doAuth(Object(SP\DataModel\UserLoginData))
#5 /var/www/html/syspass/app/modules/web/Controllers/LoginController.php(65): SP\Services\Auth\LoginService->doLogin()
#6 [internal function]: SP\Modules\Web\Controllers\LoginController->loginAction()
#7 /var/www/html/syspass/lib/SP/Bootstrap.php(240): call_user_func_array(Array,Array)
#8 [internal function]: SP\Bootstrap->SP{closure}(Object(Klein\Request),Object(Klein\Response),Object(Klein\ServiceProvider),Object(Klein\App),Object(Klein\Klein),Object(Klein\DataCollection\RouteCollection),Array)
#9 /var/www/html/syspass/vendor/klein/klein/src/Klein/Klein.php(886): call_user_func(Object(Closure),Object(Klein\Request),Object(Klein\Response),Object(Klein\ServiceProvider),Object(Klein\App),Object(Klein\Klein),Object(Klein\DataCollection\RouteCollection),Array)
#10 /var/www/html/syspass/vendor/klein/klein/src/Klein/Klein.php(588): Klein\Klein->handleRouteCallback(Object(Klein\Route),Object(Klein\DataCollection\RouteCollection),Array)
#11 /var/www/html/syspass/lib/SP/Bootstrap.php(464): Klein\Klein->dispatch(Object(Klein\Request))
#12 /var/www/html/syspass/lib/Base.php(75): SP\Bootstrap->run(Object(DI\Container))
#13 /var/www/html/syspass/index.php(28): require(String)","caller":"N/A"}
Platform:
By the way, I'd like to contribute to the project. I've translated all of messages.po to pt_BR.
Please let me know how I can send you this file, if you are interested.
Regards.