nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

password change performed by ldap user is made internally by ldap service account #18406

Open downtownallday opened 4 years ago

downtownallday commented 4 years ago

Steps to reproduce

1. Enable & configure LDAP / AD integration
2. Ensure the service account configured in the "server" tab does not have rights to change user passwords on the LDAP server
3. Ensure "Enable LDAP password changes per user" is checked in the "advanced settings" tab
4. Ensure user accounts on the LDAP server do have rights to change their own passwords
5. Login as a regular user and attempt a password change from "settings/security"

Expected behaviour

The password change attempt by the user should succeed

Actual behaviour

The password change is denied

Server configuration

Operating system: ubuntu 18.04
Web server: apache
Database: mariadb
PHP version: 7.2.24
Nextcloud version: (see Nextcloud admin page) 17.0.1
Updated from an older Nextcloud/ownCloud or fresh install: 16
Where did you install Nextcloud from:

Signing status:

Signing status No errors have been found.

List of activated apps:

App list

Enabled:
- accessibility: 1.3.0
- activity: 2.10.1
- calendar: 1.7.1
- circles: 0.17.10
- cloud_federation_api: 1.0.0
- comments: 1.7.0
- contacts: 3.1.6
- dav: 1.13.0
- external: 3.4.1
- federatedfilesharing: 1.7.0
- federation: 1.7.0
- files: 1.12.0
- files_external: 1.8.0
- files_pdfviewer: 1.6.0
- files_rightclick: 0.15.1
- files_sharing: 1.9.0
- files_trashbin: 1.7.0
- files_versions: 1.10.0
- files_videoplayer: 1.6.0
- firstrunwizard: 2.6.0
- gallery: 18.4.0
- groupfolders: 5.0.4
- logreader: 2.2.0
- lookup_server_connector: 1.5.0
- mail: 0.20.2
- maps: 0.1.2
- nextcloud_announcements: 1.6.0
- notifications: 2.5.0
- oauth2: 1.5.0
- password_policy: 1.7.0
- polls: 0.10.4
- privacy: 1.1.0
- provisioning_api: 1.7.0
- recommendations: 0.5.0
- serverinfo: 1.7.0
- sharebymail: 1.7.0
- socialsharing_email: 1.0.6
- spreed: 7.0.2
- support: 1.0.1
- systemtags: 1.7.0
- text: 1.1.1
- theming: 1.8.0
- twofactor_backupcodes: 1.6.0
- updatenotification: 1.7.0
- user_ldap: 1.7.0
- viewer: 1.2.0
- workflowengine: 1.7.0

Disabled:
- admin_audit
- announcementcenter
- encryption
- survey_client

Nextcloud configuration:

Config report n/a

Are you using external storage, if yes which one:

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

LDAP configuration (delete this part if not used)

LDAP config

+-------------------------------+------------------------------------------------------------------------------+
| Configuration                 | s01                                                                          |
+-------------------------------+------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                                            |
| homeFolderNamingRule          |                                                                              |
| lastJpegPhotoLookup           | 0                                                                            |
| ldapAgentName                 | cn=webmail,ou=Services,dc=zapapp                                             |
| ldapAgentPassword             | ***                                                                          |
| ldapAttributesForGroupSearch  |                                                                              |
| ldapAttributesForUserSearch   |                                                                              |
| ldapBackupHost                |                                                                              |
| ldapBackupPort                |                                                                              |
| ldapBase                      | ou=Users,dc=zapapp                                                           |
| ldapBaseGroups                | ou=Users,dc=zapapp                                                           |
| ldapBaseUsers                 | ou=Users,dc=zapapp                                                           |
| ldapCacheTTL                  | 600                                                                          |
| ldapConfigurationActive       | 1                                                                            |
| ldapDefaultPPolicyDN          |                                                                              |
| ldapDynamicGroupMemberURL     |                                                                              |
| ldapEmailAttribute            | mail                                                                         |
| ldapExperiencedAdmin          | 1                                                                            |
| ldapExpertUUIDGroupAttr       |                                                                              |
| ldapExpertUUIDUserAttr        | uid                                                                          |
| ldapExpertUsernameAttr        | uid                                                                          |
| ldapExtStorageHomeAttribute   |                                                                              |
| ldapGidNumber                 | gidNumber                                                                    |
| ldapGroupDisplayName          | description                                                                  |
| ldapGroupFilter               | (objectClass=mailGroup)                                                      |
| ldapGroupFilterGroups         |                                                                              |
| ldapGroupFilterMode           | 0                                                                            |
| ldapGroupFilterObjectclass    |                                                                              |
| ldapGroupMemberAssocAttr      | member                                                                       |
| ldapHost                      | ldaps://ztb.tld                                                              |
| ldapIgnoreNamingRules         |                                                                              |
| ldapLoginFilter               | (&(objectClass=inetOrgPerson)(objectClass=mailUser)(|(uid=%uid)(mail=%uid))) |
| ldapLoginFilterAttributes     |                                                                              |
| ldapLoginFilterEmail          | 0                                                                            |
| ldapLoginFilterMode           | 0                                                                            |
| ldapLoginFilterUsername       | 1                                                                            |
| ldapNestedGroups              | 1                                                                            |
| ldapOverrideMainServer        |                                                                              |
| ldapPagingSize                | 500                                                                          |
| ldapPort                      | 636                                                                          |
| ldapQuotaAttribute            |                                                                              |
| ldapQuotaDefault              |                                                                              |
| ldapTLS                       | 0                                                                            |
| ldapUserAvatarRule            | default                                                                      |
| ldapUserDisplayName           | cn                                                                           |
| ldapUserDisplayName2          | mail                                                                         |
| ldapUserFilter                | (&(objectClass=inetOrgPerson)(objectClass=mailUser))                         |
| ldapUserFilterGroups          |                                                                              |
| ldapUserFilterMode            | 0                                                                            |
| ldapUserFilterObjectclass     |                                                                              |
| ldapUuidGroupAttribute        | auto                                                                         |
| ldapUuidUserAttribute         | auto                                                                         |
| turnOffCertCheck              | 0                                                                            |
| turnOnPasswordChange          | 1                                                                            |
| useMemberOfToDetectMembership | 1                                                                            |
+-------------------------------+------------------------------------------------------------------------------+

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log *nothing logged on a failed password attempt*

slapd log

SLAPD log

Dec 14 15:18:23 ztb slapd[6295]: conn=1823 fd=13 ACCEPT from IP=redacted:58184 (IP=0.0.0.0:636)
Dec 14 15:18:23 ztb slapd[6295]: conn=1823 fd=13 TLS established tls_ssf=256 ssf=256
Dec 14 15:18:23 ztb slapd[6295]: conn=1823 op=0 BIND dn="cn=webmail,ou=Services,dc=zapapp" method=128
Dec 14 15:18:23 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:23 ztb slapd[6295]: => access_allowed: auth access to "cn=webmail,ou=Services,dc=zapapp" "userPassword" requested
Dec 14 15:18:23 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:23 ztb slapd[6295]: => acl_mask: access to entry "cn=webmail,ou=Services,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:23 ztb slapd[6295]: => acl_mask: to value by "", (=0)
Dec 14 15:18:23 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:23 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:23 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:23 ztb slapd[6295]: <= check a_dn_pat: self
Dec 14 15:18:23 ztb slapd[6295]: <= check a_dn_pat: anonymous
Dec 14 15:18:23 ztb slapd[6295]: <= acl_mask: [5] applying auth(=xd) (stop)
Dec 14 15:18:23 ztb slapd[6295]: <= acl_mask: [5] mask: auth(=xd)
Dec 14 15:18:23 ztb slapd[6295]: => slap_access_allowed: auth access granted by auth(=xd)
Dec 14 15:18:23 ztb slapd[6295]: => access_allowed: auth access granted by auth(=xd)
Dec 14 15:18:23 ztb slapd[6295]: conn=1823 op=0 BIND dn="cn=webmail,ou=Services,dc=zapapp" mech=SIMPLE ssf=0
Dec 14 15:18:23 ztb slapd[6295]: conn=1823 op=0 RESULT tag=97 err=0 text=
Dec 14 15:18:25 ztb slapd[6295]: conn=1823 op=1 SRCH base="ou=Users,dc=zapapp" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(objectClass=mailUser)(|(uid=2d49a528-a44a-4608-b189-bf90c15646c2)(mail=2d49a528-a44a-4608-b189-bf90c15646c2)))"
Dec 14 15:18:25 ztb slapd[6295]: conn=1823 op=1 SRCH attr=entryuuid nsuniqueid objectguid guid ipauniqueid dn uid samaccountname memberof mail cn jpegphoto thumbnailphoto
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access to "ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr entry
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "ou=Users,dc=zapapp", attr "entry" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr objectClass
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "objectClass" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr objectClass
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "objectClass" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "uid" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr uid
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "uid" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: search access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr entry
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "entry" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: result not in cache (mail)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "mail" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr mail
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "mail" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: result not in cache (uid)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "uid" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr uid
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "uid" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: result not in cache (cn)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "cn" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr cn
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "cn" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: result not in cache (entryUUID)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entryUUID" requested
Dec 14 15:18:25 ztb slapd[6295]: => dn: [4] ou=config,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => dn: [5] ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [6] attr entryUUID
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "entryUUID" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: *
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] applying read(=rscxd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [1] mask: read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: read access granted by read(=rscxd)
Dec 14 15:18:25 ztb slapd[6295]: conn=1823 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 14 15:18:25 ztb slapd[6295]: conn=1824 fd=16 ACCEPT from IP=redacted:58186 (IP=0.0.0.0:636)
Dec 14 15:18:25 ztb slapd[6295]: conn=1824 fd=16 TLS established tls_ssf=256 ssf=256
Dec 14 15:18:25 ztb slapd[6295]: conn=1824 op=0 BIND dn="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=users,dc=zapapp" method=128
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: auth access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "userPassword" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:25 ztb slapd[6295]: => acl_mask: to value by "", (=0)
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: self
Dec 14 15:18:25 ztb slapd[6295]: <= check a_dn_pat: anonymous
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [5] applying auth(=xd) (stop)
Dec 14 15:18:25 ztb slapd[6295]: <= acl_mask: [5] mask: auth(=xd)
Dec 14 15:18:25 ztb slapd[6295]: => slap_access_allowed: auth access granted by auth(=xd)
Dec 14 15:18:25 ztb slapd[6295]: => access_allowed: auth access granted by auth(=xd)
Dec 14 15:18:25 ztb slapd[6295]: conn=1824 op=0 BIND dn="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" mech=SIMPLE ssf=0
Dec 14 15:18:25 ztb slapd[6295]: conn=1824 op=0 RESULT tag=97 err=0 text=
Dec 14 15:18:28 ztb slapd[6295]: conn=1824 op=1 UNBIND
Dec 14 15:18:28 ztb slapd[6295]: conn=1824 fd=16 closed
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=2 PASSMOD id="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=users,dc=zapapp" new
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: delete access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] applying none(=0) (stop)
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] mask: none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => slap_access_allowed: delete access denied by none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: no more rules
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=2 RESULT oid= err=50 text=
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=3 MOD dn="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=users,dc=zapapp"
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=3 MOD attr=userPassword
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: delete access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] applying none(=0) (stop)
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] mask: none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => slap_access_allowed: delete access denied by none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: no more rules
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=3 RESULT tag=103 err=50 text=
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=4 EXT oid=1.3.6.1.4.1.4203.1.11.1
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=4 PASSMOD id="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=users,dc=zapapp" new
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: delete access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] applying none(=0) (stop)
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] mask: none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => slap_access_allowed: delete access denied by none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: no more rules
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=4 RESULT oid= err=50 text=
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=5 MOD dn="uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=users,dc=zapapp"
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=5 MOD attr=userPassword
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "entry" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "objectClass" requested
Dec 14 15:18:28 ztb slapd[6295]: <= root access granted
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: search access granted by manage(=mwrscxd)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: result not in cache (userPassword)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: delete access to "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp" "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_get: [1] attr userPassword
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: access to entry "uid=2d49a528-a44a-4608-b189-bf90c15646c2,ou=Users,dc=zapapp", attr "userPassword" requested
Dec 14 15:18:28 ztb slapd[6295]: => acl_mask: to all values by "cn=webmail,ou=services,dc=zapapp", (=0)
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: cn=management,ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Dec 14 15:18:28 ztb slapd[6295]: <= check a_dn_pat: ou=services,dc=zapapp
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] applying none(=0) (stop)
Dec 14 15:18:28 ztb slapd[6295]: <= acl_mask: [3] mask: none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => slap_access_allowed: delete access denied by none(=0)
Dec 14 15:18:28 ztb slapd[6295]: => access_allowed: no more rules
Dec 14 15:18:28 ztb slapd[6295]: conn=1823 op=5 RESULT tag=103 err=50 text=
Dec 14 15:18:29 ztb slapd[6295]: conn=1823 op=6 UNBIND
Dec 14 15:18:29 ztb slapd[6295]: conn=1823 fd=13 closed

Summary

The logs have ACL logging turned on, so they're a bit long. Here is a summary of what's happening:

- connection 1823 is bound to the service account ("webmail")
- connection 1824 is bound to the user account ("2d49a528-a44a-4608-b189-bf90c15646c2")
- full disclosure: "zapapp" is a fictional name

  1. Nextcloud binds using the service account and locates the user [OK]
  2. Nextcloud verifies the user's existing password by binding as that user. The connection is closed immediately after binding. [OK]
  3. Nextcloud attempts to change the user's password using the service account [FAIL]

The right behavior should be that a password change initiated by a USER be made by the USER using their credentials (i.e. using connection 1824).

The reason for this is that it helps limit damage should the service account be compromised. The nefarious actor won't be able to change the password of every user account. If an organization wishes to allow such access to the admin/super then they can grant that access to the service account in the LDAP server.

A backward-compatible change would be, upon receiving a user-initiated password change request, to do that first by the user's credentials, then by the service account.
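An added illustration of the ordering proposed in this report (it is not Nextcloud's user_ldap code): locate the user with the service account, verify the old password by binding as the user, then issue the Password Modify operation as the user and fall back to the service account only if that is refused. The in-memory FakeSlapd class, its single ACL rule (only the entry itself or a listed manager DN may write userPassword), and the DNs and passwords in build_demo_directory() are constructed for the demo; a real deployment would send the same operations over LDAP.

```python
"""Password-change flow: try as the user first, then as the service account.

Added illustration, not Nextcloud code. The directory model below is a stand-in
for an LDAP server whose ACL lets an entry write only its own userPassword.
"""

# LDAP result codes (RFC 4511)
SUCCESS = 0
NO_SUCH_OBJECT = 32
INVALID_CREDENTIALS = 49
INSUFFICIENT_ACCESS_RIGHTS = 50


class FakeSlapd:
    """Minimal directory: simple bind, uid/mail lookup, Password Modify with ACL."""

    def __init__(self, entries, password_managers=()):
        # DNs are case-insensitive; normalise once so comparisons are simple.
        self.entries = {dn.lower(): dict(attrs) for dn, attrs in entries.items()}
        self.password_managers = {dn.lower() for dn in password_managers}

    def bind(self, dn, password):
        """Simple bind: return the bound DN, or None on invalidCredentials."""
        entry = self.entries.get(dn.lower())
        if entry is None or entry["userPassword"] != password:
            return None
        return dn.lower()

    def search(self, bound_dn, base, login):
        """Service-account search mirroring the (|(uid=%uid)(mail=%uid)) filter."""
        for dn, attrs in self.entries.items():
            if dn.endswith(base.lower()) and login in (attrs.get("uid"), attrs.get("mail")):
                return dn
        return None

    def passmod(self, bound_dn, target_dn, new_password):
        """Password Modify (OID 1.3.6.1.4.1.4203.1.11.1) under the ACL:
        'self' may write userPassword, a listed manager DN may, nobody else."""
        target = target_dn.lower()
        if target not in self.entries:
            return NO_SUCH_OBJECT
        if bound_dn != target and bound_dn not in self.password_managers:
            return INSUFFICIENT_ACCESS_RIGHTS   # err=50, as in the slapd log above
        self.entries[target]["userPassword"] = new_password
        return SUCCESS


def change_password(server, agent_dn, agent_pw, base, login, old_pw, new_pw, user_first=True):
    """Return (result_code, DN that performed the change or None).

    user_first=True is the proposed behaviour; False is the reported one."""
    agent = server.bind(agent_dn, agent_pw)
    if agent is None:
        return INVALID_CREDENTIALS, None
    user_dn = server.search(agent, base, login)          # step 1: locate user
    if user_dn is None:
        return NO_SUCH_OBJECT, None
    user = server.bind(user_dn, old_pw)                  # step 2: verify old password
    if user is None:
        return INVALID_CREDENTIALS, None
    actors = [user, agent] if user_first else [agent]    # step 3: who sets it
    rc = INSUFFICIENT_ACCESS_RIGHTS
    for actor in actors:
        rc = server.passmod(actor, user_dn, new_pw)
        if rc == SUCCESS:
            return rc, actor
    return rc, None


def build_demo_directory(agent_may_set_passwords=False):
    """Constructed directory: a service account that can search but not write
    userPassword (unless agent_may_set_passwords), plus one user entry."""
    agent_dn = "cn=webmail,ou=Services,dc=example"
    return FakeSlapd(
        {
            agent_dn: {"userPassword": "agent-secret"},
            "uid=alice,ou=Users,dc=example": {
                "uid": "alice", "mail": "alice@example", "userPassword": "old-pw",
            },
        },
        password_managers=[agent_dn] if agent_may_set_passwords else [],
    )


if __name__ == "__main__":
    args = ("cn=webmail,ou=Services,dc=example", "agent-secret", "ou=Users,dc=example",
            "alice", "old-pw", "new-pw")
    print("user first :", change_password(build_demo_directory(), *args))
    print("agent only :", change_password(build_demo_directory(), *args, user_first=False))
```

With the service account restricted as in the report, the user-first path succeeds (the change is performed by the user's own DN) while the agent-only path returns 50 and leaves the old password in place; granting the agent write access, as the documentation requires today, makes the agent-only path succeed too.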

kesselb commented 4 years ago

Sounds like a good enhancement :+1:

The password change is denied

As documented at https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html#directory-settings, a requirement for "Enable LDAP password changes per user" is:

Access control policies must be configured on the LDAP server to grant permissions for password changes. The User DN as configured in Server Settings needs to have write permissions in order to update the userPassword attribute.

cc @blizzz

blizzz commented 4 years ago

Yes, it works as intended and stated. I'd accept PRs that would extend it and attempt to set it by user. Doing it by agent can be the fallback option on those errors.

kesselb commented 4 years ago

Ref https://github.com/nextcloud/server/issues/19305

szaimen commented 3 years ago

Is this issue still valid? If not, please close this issue. Thanks! :)

downtownallday commented 3 years ago

Still valid.

Just tried on 21.0.2, just to be sure.

During a password change the old password is verified by authenticating as the user (conn=1483), which is good. However, the password change is attempted by the service account (conn=1482), which is the issue.

May 28 08:23:36 host slapd[13551]: conn=1482 fd=13 ACCEPT from IP=[1.2.3.4]:57244 (IP=[::]:636)
May 28 08:23:36 host slapd[13551]: conn=1482 fd=13 TLS established tls_ssf=256 ssf=256
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 BIND dn="cn=nextcloud,ou=Services,dc=mailinabox" method=128
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 BIND dn="cn=nextcloud,ou=Services,dc=mailinabox" mech=SIMPLE ssf=0
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 RESULT tag=97 err=0 text=
May 28 08:23:36 host slapd[13551]: conn=1482 op=1 SRCH base="ou=Users,dc=mailinabox" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(objectClass=mailUser)(|(mail=user@domain.tld)(uid=user@domain.tld)))"
May 28 08:23:36 host slapd[13551]: conn=1482 op=1 SRCH attr=entryuuid nsuniqueid objectguid guid ipauniqueid dn uid samaccountname memberof host cn jpegphoto thumbnailphoto
May 28 08:23:36 host slapd[13551]: conn=1482 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 28 08:23:36 host slapd[13551]: conn=1483 fd=16 ACCEPT from IP=[1.2.3.4]:57246 (IP=[::]:636)
May 28 08:23:36 host slapd[13551]: conn=1483 fd=16 TLS established tls_ssf=256 ssf=256
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 BIND dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox" method=128
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 BIND dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=Users,dc=mailinabox" mech=SIMPLE ssf=0
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 RESULT tag=97 err=0 text=
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 PASSMOD id="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox" new
May 28 08:23:37 host slapd[13551]: conn=1483 op=1 UNBIND
May 28 08:23:37 host slapd[13551]: conn=1483 fd=16 closed
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 RESULT oid= err=50 text=
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 MOD dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox"
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 MOD attr=userPassword
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 RESULT tag=103 err=50 text=
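An added detection example (not part of Nextcloud or OpenLDAP) that reads slapd log lines like the ones above, correlates each connection with the DN it bound as, and reports every password change (PASSMOD extended operation or MOD of userPassword) together with the acting DN, the target DN and the result code. Changes where the actor is not the target entry are the "proxied" ones this issue is about; on a directory that follows the least-privilege ACL described in the report they show up as err=50. The sample lines are copied from the second excerpt above; the regular expressions and field names are my own assumptions about the stats-level log format.

```python
"""Correlate slapd log lines to find who performs each password change.

Added detection example; regexes assume OpenLDAP's default stats log format.
"""
import re

# Constructed sample: lines copied from the slapd excerpt in this issue
# (conn=1482 is the Nextcloud service account, conn=1483 the user).
SAMPLE_LOG = """\
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 BIND dn="cn=nextcloud,ou=Services,dc=mailinabox" method=128
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 BIND dn="cn=nextcloud,ou=Services,dc=mailinabox" mech=SIMPLE ssf=0
May 28 08:23:36 host slapd[13551]: conn=1482 op=0 RESULT tag=97 err=0 text=
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 BIND dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox" method=128
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 BIND dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=Users,dc=mailinabox" mech=SIMPLE ssf=0
May 28 08:23:36 host slapd[13551]: conn=1483 op=0 RESULT tag=97 err=0 text=
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 PASSMOD id="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox" new
May 28 08:23:37 host slapd[13551]: conn=1483 op=1 UNBIND
May 28 08:23:37 host slapd[13551]: conn=1483 fd=16 closed
May 28 08:23:37 host slapd[13551]: conn=1482 op=2 RESULT oid= err=50 text=
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 MOD dn="uid=69196ab0-bfb0-11eb-8777-c38b42299889,ou=users,dc=mailinabox"
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 MOD attr=userPassword
May 28 08:23:37 host slapd[13551]: conn=1482 op=3 RESULT tag=103 err=50 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
PASSMOD_RE = re.compile(r'conn=(\d+) op=(\d+) PASSMOD id="([^"]*)"')
MOD_DN_RE = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
MOD_ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) MOD attr=(\S+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?err=(\d+)')


def password_change_events(lines):
    """Return one dict per completed password-change operation."""
    bound_dn = {}   # conn -> DN it most recently bound as
    pending = {}    # (conn, op) -> operation awaiting its RESULT line
    events = []
    for line in lines:
        if (m := BIND_RE.search(line)):
            bound_dn[m.group(1)] = m.group(2).lower()
        elif (m := PASSMOD_RE.search(line)):
            conn, op, target = m.groups()
            pending[(conn, op)] = {"kind": "PASSMOD", "target": target.lower()}
        elif (m := MOD_DN_RE.search(line)):
            conn, op, target = m.groups()
            pending[(conn, op)] = {"kind": None, "target": target.lower()}
        elif (m := MOD_ATTR_RE.search(line)):
            conn, op, attr = m.groups()
            # A plain MOD only counts once we see it touches userPassword.
            if attr.lower() == "userpassword" and (conn, op) in pending:
                pending[(conn, op)]["kind"] = "MOD userPassword"
        elif (m := RESULT_RE.search(line)):
            conn, op, err = m.groups()
            rec = pending.pop((conn, op), None)
            if rec and rec["kind"]:
                actor = bound_dn.get(conn, "anonymous")
                events.append({
                    "conn": conn, "op": op, "kind": rec["kind"],
                    "actor": actor, "target": rec["target"], "err": int(err),
                    "proxied": actor != rec["target"],   # set by someone else
                })
    return events


def proxied_password_changes(lines):
    """Password changes performed by a DN other than the entry being changed."""
    return [e for e in password_change_events(lines) if e["proxied"]]


if __name__ == "__main__":
    for e in password_change_events(SAMPLE_LOG.splitlines()):
        print(f"conn={e['conn']} op={e['op']} {e['kind']:<16} actor={e['actor']} "
              f"target={e['target']} err={e['err']} proxied={e['proxied']}")
```

Run on the excerpt above it yields two proxied events, both with err=50, which is exactly the pattern the reporter describes: the service account, not the user, attempting to write the user's password. The same correlation is useful the other way round on a directory where the agent does have write rights: a proxied change with err=0 is then the audit record that a password was set on the agent's authority rather than the user's.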

Iwios commented 1 year ago

Hello, has someone found a solution for this bug?