downtownallday / cloudinabox

An installation of Nextcloud that borrows some of the "Mail-in-a-Box" code and standards

Password reset seems broken #9

Status: Closed (closed by dumblob 2 years ago)

dumblob commented 3 years ago

Recently I came across an issue with password reset. How is it supposed to work?

Clicking on reset password at the login page and filling in a MiaB-LDAP email results, as expected, in a received email with a one-time hash.

But then writing a new password and submitting yields the message "password can not be changed, please contact your administrator". At the same time, the user gets an email "password changed. your password was reset". In reality, though, the password was NOT reset and stayed untouched.

From my point of view, there are several issues with this:

1) User can't reset the password, as trying to reset it fails.
2) User is being lied to by the wrong email about a successful password reset.
3) Admin won't get notified about any such issues (neither by Nextcloud per notifications, nor by Nextcloud per email, nor by MiaB-LDAP per email).

If this proves to be unsolvable for whatever reason, there should at least be some way of making it less confusing (e.g. disabling the password reset altogether, changing it to mailto:myldapadminemail@domain.tld, or automatically sending an email to myldapadminemail@domain.tld, who can then reset the password...).

downtownallday commented 3 years ago

This is probably related to my bug post at Nextcloud:

https://github.com/nextcloud/server/issues/18406

The service account that Nextcloud uses should not have full rights to the LDAP directory - it doesn't need it. I thought the bug would have been fixed by now, so didn't adjust the permissions of cn=nextcloud,ou=Services,dc=mailinabox.

To get this to work, you can have users change their passwords via Roundcube (Roundcube's service account does not require admin privs), and/or change the LDAP account that Nextcloud uses to access the LDAP directory to one with a higher privilege, such as "cn=admin,dc=mailinabox", the password for which will be in /home/user-data/ldap/miab_ldap.conf.
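The second workaround above (binding Nextcloud as "cn=admin,dc=mailinabox") hands the directory's full rights to a web application. A narrower option, shown here as an added example that is not part of cloudinabox or MiaB-LDAP, is an OpenLDAP access rule that lets the existing service account write only the userPassword attribute. It assumes slapd is configured via cn=config, that the user database is olcDatabase={1}mdb,cn=config, and that the DNs are the ones named in this thread; the actual ACLs shipped by MiaB-LDAP are not shown on this page, so check them first with `ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}mdb,cn=config" olcAccess`.

```ldif
# Added example, not project code. Grants the Nextcloud service account
# write access to userPassword only, instead of binding as cn=admin.
# Assumptions: the user database is olcDatabase={1}mdb,cn=config and the
# DNs below match the ones discussed in this thread.
#
# OpenLDAP stops at the first olcAccess rule whose "to" clause matches, so
# this rule must come before any broad "to * by ..." rule; the {0} index
# inserts it at the front of the list.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=nextcloud,ou=Services,dc=mailinabox" write
  by dn.exact="cn=admin,dc=mailinabox" write
  by self write
  by anonymous auth
  by * none
```

Apply it as root with `ldapmodify -Y EXTERNAL -H ldapi:/// -f nextcloud-pw-acl.ldif` (this assumes the ldapi socket is available and the local root identity is allowed to modify cn=config). The "by self write" clause is what lets a user change their own password through Roundcube, "by anonymous auth" keeps plain binds working, and "by * none" prevents other accounts from reading password hashes. The cn=admin clause is harmless if that DN is the database's olcRootDN (the rootdn bypasses ACLs) and necessary if it is not. To confirm the service account now has exactly the right it needs, run `ldappasswd -x -H ldapi:/// -D "cn=nextcloud,ou=Services,dc=mailinabox" -W -S "<user DN>"`, then verify the same bind still cannot modify any other attribute of that user with ldapmodify.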

downtownallday commented 2 years ago

This is fixed by https://github.com/downtownallday/mailinabox-ldap/commit/70475cc2943a49842bbd4cfb43d39ba82e382603