nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

LDAP Password Not Being Used for Mail Provisioning #6124

Open jch0182 opened 2 years ago

jch0182 commented 2 years ago

Steps to reproduce

I have an interesting use case, that I have not found documented yet - although if I've missed it, please feel free to point me in the right direction.

Currently, I have Nextcloud set up with an LDAP backend, synchronizing the users successfully. In addition, I am using OpenID Connect Login (v. 2.3.1) to pass users into Nextcloud automatically via SSO, so they do not have to log in. OpenID Connect Login provides a mechanism to link users to their LDAP account, so they stay in sync, instead of creating new accounts within Nextcloud, only allowing the user to log in to the system if they come in through SSO AND have an LDAP account.

After setting both of these up, I attempted to set up the Mail app Provisioning Configuration to automatically provision the mail account, however, the account is being set up with an incorrect password, therefore the mail app cannot open the mailbox.

Some additional information showing the users mapped together (with some values redacted for privacy/security):

sso.config.php

```php
$CONFIG = array (
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://mydomain/application/o/cloudoidc/',
  'oidc_login_client_id' => 'secretID',
  'oidc_login_client_secret' => 'secret',
  'oidc_login_auto_redirect' => false,
  'oidc_login_logout_url' => 'https://mydomain/if/session-end/cloudoidc/',
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with My Domain SSO',
  'oidc_login_hide_password_form' => true,
  'oidc_login_use_id_token' => false,
  'oidc_login_attributes' => array (
    'id' => 'preferred_username',
    'name' => 'given_name',
    'mail' => 'email',
    'ldap_uid' => 'preferred_username',
    'groups' => 'groups',
  ),
  'oidc_login_default_group' => 'everyone',
  'oidc_login_scope' => 'openid profile roles email',
  'oidc_login_proxy_ldap' => true,
  'oidc_login_disable_registration' => false,
  'oidc_login_redir_fallback' => false,
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => true,
  'oidc_login_webdav_enabled' => true,
  'oidc_login_password_authentication' => true,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,
);
```
Mail app Configuration ![image](https://user-images.githubusercontent.com/94981896/157507694-0dd1519f-546b-4f3d-bbf2-387942e7eeaf.png)
LDAP User Mapping ![image](https://user-images.githubusercontent.com/94981896/157507984-b3f078e3-6502-4cbd-bd70-e1ef9910ed10.png)
Mail Accounts ![image](https://user-images.githubusercontent.com/94981896/157508556-7526397d-09ea-481f-8a48-c555cc003921.png)

Is there something specific that needs to be done to tell the Mail app to read the LDAP user information to be able to send the correct password (or any password at all)?

Expected behavior

Since the user is being synced from LDAP and OpenID is linking the user to the LDAP user, I would love to be able to read the user information from LDAP, pass through the correct password, and log in to email through auto-provisioning without the user having to change/enter their information manually.

Actual behavior

The user gets a completely blank email box with the following in the server error logs:

[screenshot of the server error log]

Mail app version

1.11.7

Mailserver or service

Postfix/Dovecot

Operating system

Ubuntu 20.04.4 LTS

PHP engine version

PHP 8.0

Web server

Nginx

Database

MariaDB

Additional info

Nextcloud Hub II (23.0.2)

miaulalala commented 2 years ago

Seems to be closely related to #5933 can you confirm?

jch0182 commented 2 years ago

That is very likely. I have been trying to find where the password information is being pulled from, but have not successfully understood the logic yet. I do, in fact, see passwords being entered into the database entries for the mail app, so the app thinks it's finding a password to send, but without knowing where it's pulling that information I am stuck as to a suitable solution.

So, only partially related, I guess?

sevmonster commented 2 years ago

I am pretty sure this is the same issue. Since you are signing in with SSO, your Nextcloud accounts do not have any passwords. Even if you didn't use OIDC, IIRC the LDAP sync does not copy the password from LDAP to NC, it delegates it to LDAP via either attempting an LDAP bind or service account. (It would actually be very insecure to copy the plaintext/reversible password over, which is why almost no one does it anymore, and ignores the LDAP spec requiring a plaintext password 😀)

Since 99% of the time LDAP passwords are encrypted, and yours assumedly is and should be too, it is impossible to use the LDAP password for either NC user or mail user, even if the LDAP sync supported password writeback, which I don't believe it does from the last time I used it.

Sorry if I am misremembering anything, but if all of this is the case, the resolution I explained would help:

> Since you're using it, what would you suggest should happen for passwordless accounts?

Ideally the user is prompted for an IMAP password (redirect to first time setup page with error message about password? or a new page?) to complete the sign-in process. At the very least, don't cause an error if there is no password to assign which prevents the user from utilizing the app.

Alternatively you could use OAUTH2 as a login method for your email system and hook that up into your OIDC provider, if that login method gets supported.
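To illustrate the point made in the comment above (that the LDAP backend delegates authentication to the directory via a bind and never holds a forwardable plaintext password), here is an added example that is not part of this issue, the Mail app, or Nextcloud's LDAP backend. It simulates a directory entry whose `userPassword` is stored in the salted `{SSHA}` scheme that OpenLDAP commonly uses: a bind can verify a candidate password, but a provisioning step that only has read access to the entry cannot recover anything to hand to IMAP. The directory contents, DN, and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: an in-memory stand-in for an LDAP directory. A real
# deployment would talk to the directory over LDAP; the storage format of
# userPassword is the point here, not the transport.


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Encode a password as an RFC 2307 style {SSHA} value:
    base64( sha1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value.
    The 20-byte SHA-1 digest comes first; whatever follows is the salt."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported userPassword scheme")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory entry (hypothetical DN and address).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "mail": "alice@example.org",
        "userPassword": ssha_hash("correct horse battery staple"),
    }
}


def ldap_bind(dn: str, password: str) -> bool:
    """Simulated simple bind: the directory does the comparison, so the
    application only ever learns 'accepted' or 'rejected'."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return ssha_verify(password, entry["userPassword"])


def provision_mail_account(dn: str) -> dict:
    """What a provisioning step can learn about a user from the directory
    alone. The address is available; an IMAP password is not, because the
    stored value is a salted hash rather than something reversible."""
    entry = DIRECTORY[dn]
    return {
        "email": entry["mail"],
        "imap_password": None,
        "password_scheme": entry["userPassword"][: len("{SSHA}")],
    }


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"
    print("bind with right password:", ldap_bind(dn, "correct horse battery staple"))
    print("bind with wrong password:", ldap_bind(dn, "hunter2"))
    print("provisioning sees:", provision_mail_account(dn))
```

The practical consequence for a setup like the one in this issue is that a provisioning step has to obtain an IMAP credential from somewhere other than the directory entry: either from the user at first login, or via a mechanism the mail server accepts in place of a password, such as the OAuth2 route mentioned above.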