OpenCTI-Platform / opencti

Open Cyber Threat Intelligence Platform
https://opencti.io

I can't remove Local Auth Strategy for users after enabling LDAP Auth Strategy. #4829

Closed rattat0r closed 11 months ago

rattat0r commented 11 months ago

Description

The user can connect via LDAP and via Local Auth Strategy, even if I comment out the line - PROVIDERS__LOCAL__STRATEGY=LocalStrategy.

I have local connector and user accounts. I need to migrate local user accounts to LDAP Auth Strategy. New users successfully log into the platform only via LDAP; they will not be able to connect using the Local Auth Strategy (this is correct). But users who had a local account can connect using both LDAP and Local Auth Strategy at the same time. I need to remove the ability to connect via Local Auth Strategy for users who can now connect via LDAP, but I need to keep the local connector accounts. How can I disable local accounts for these users?

Environment

  1. OS: Ubuntu 20.04.6
  2. OpenCTI version: OpenCTI 5.11.12
  3. OpenCTI client: frontend

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Create a Local account with an email in the organization’s domain and a login as in the organization (for example, JDoe@org.com)
  2. Configure LDAP Auth Strategy
  3. Login to OpenCTI Platform using this user's account
  4. The account has taken over the rights of this local user
  5. Log out
  6. Login again using Local Auth Strategy
  7. It is still possible to log in using a local account

Expected Output

After enabling LDAP Auth Strategy and disabling Local Auth Strategy, it is only possible to log in using the enabled strategy.

Actual Output

After enabling LDAP Auth Strategy and disabling Local Auth Strategy, it is possible to log in using both strategies.

Additional information

My config:

- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldap://org.local:389
- PROVIDERS__LDAP__CONFIG__BIND_DN=CN=bind-user,OU=Security,OU=Groups,OU=Organization,DC=org,DC=local
- PROVIDERS__LDAP__CONFIG__BIND_CREDENTIALS=strong-password
- PROVIDERS__LDAP__CONFIG__SEARCH_BASE=DC=org,DC=local
- PROVIDERS__LDAP__CONFIG__SEARCH_FILTER={{`(sAMAccountName={{username}})`}}
- PROVIDERS__LDAP__CONFIG__MAIL_ATTRIBUTE=mail
- PROVIDERS__LDAP__CONFIG__ACCOUNT_ATTRIBUTE=sAMAccountName
- PROVIDERS__LDAP__CONFIG__FIRSTNAME_ATTRIBUTE=givenName
- PROVIDERS__LDAP__CONFIG__ALLOW_SELF_SIGNED=true
- PROVIDERS__LDAP__CONFIG__AUTO_CREATE_GROUP=true
- "PROVIDERS__LDAP__CONFIG__ORGANIZATIONS_DEFAULT=[\"Organization\"]"

Screenshots (optional)

I have disabled Local Auth Strategy, but it is enabled in the platform settings.

richard-julien commented 11 months ago

It could be disabled by configuration. The env var is not explicitly defined in https://docs.opencti.io/latest/deployment/authentication/ but the file config is available. So for your use with a strategy named LOCAL, it should be something like:

PROVIDERS__LOCAL__CONFIG__DISABLED=true
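
As an added check (example code, not from the OpenCTI project or either commenter), a small lint over a compose-style environment list that flags exactly this pitfall: a commented-out PROVIDERS__LOCAL__STRATEGY line with no PROVIDERS__LOCAL__CONFIG__DISABLED=true, and as a second caveat a plaintext ldap:// URL. The sample config is constructed from the one in the issue.

```python
import re

# Constructed sample (not the reporter's full config): the local strategy line
# commented out, as in the issue, with the LDAP provider still enabled.
SAMPLE_ENV = """\
# - PROVIDERS__LOCAL__STRATEGY=LocalStrategy
- PROVIDERS__LDAP__STRATEGY=LdapStrategy
- PROVIDERS__LDAP__CONFIG__URL=ldap://org.local:389
- PROVIDERS__LDAP__CONFIG__BIND_DN=CN=bind-user,OU=Security,DC=org,DC=local
- "PROVIDERS__LDAP__CONFIG__ORGANIZATIONS_DEFAULT=[\\"Organization\\"]"
"""

# Matches a compose-style "- VAR=value" item, optionally wrapped in quotes.
ENV_LINE = re.compile(r'^\s*-?\s*"?(PROVIDERS__[A-Z0-9_]+)=(.*?)"?\s*$')


def parse_env(text):
    """Return {VAR: value} for the active (non-commented) PROVIDERS__ lines."""
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out line is simply absent, not a 'false'
        m = ENV_LINE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def is_truthy(value):
    return value.strip().lower() in {"true", "1", "yes"}


def lint_providers(env):
    """Return findings as strings; an empty list means nothing was detected."""
    # Providers are declared as PROVIDERS__<NAME>__STRATEGY=<Strategy>.
    strategies = {k.split("__")[1]: v for k, v in env.items()
                  if k.count("__") == 2 and k.endswith("__STRATEGY")}
    external = sorted(n for n, s in strategies.items() if s != "LocalStrategy")
    local_off = is_truthy(env.get("PROVIDERS__LOCAL__CONFIG__DISABLED", "false"))
    findings = []
    if external and not local_off:
        findings.append("local-enabled: %s configured but PROVIDERS__LOCAL__CONFIG__"
                        "DISABLED=true is missing; existing local passwords still "
                        "log in" % ", ".join(external))
    for name in external:
        url = env.get("PROVIDERS__%s__CONFIG__URL" % name, "")
        if url.startswith("ldap://"):
            findings.append("plaintext-ldap: %s binds to %s; credentials cross the "
                            "network unencrypted unless StartTLS is used" % (name, url))
    return findings
```

Run `lint_providers(parse_env(SAMPLE_ENV))` on the sample to see both findings; appending the DISABLED line clears the first one.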

rattat0r commented 11 months ago

@richard-julien Thanks for the answer!