nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

using user_external inside a docker container #143

Closed stefangweichinger closed 4 years ago

stefangweichinger commented 4 years ago

Steps to reproduce

  1. setup docker container with image "nextcloud:18.0.3"
  2. install app "user_external:0.9.1" within
  3. configure "user_backends" to ask a dovecot imap server

Expected behaviour

authentication works

Actual behaviour

authentication does not work, curl can't talk to the IMAP server

I have problems defining the IMAP server:

the nextcloud container runs on a debian server, which runs dovecot as well

mail.my.tld points to a WAN IP and gets forwarded into the DMZ, so I assume asymmetrical routing here, maybe.

The container is able to access the internet, for example it could reinstall the user_external app OK.

I tried various configs without success (IP, FQDN, with or without ssl, tls, etc.).

I tried the LAN-IP, and the IP of the host on the docker bridge.

You see, I am lost a bit here.

For reference: I also filed https://github.com/nextcloud/docker/issues/1086

Affected Authentication backend

IMAP

Server configuration

User External App version:

0.9.1

Operating system:

Debian Buster 10.3

Nextcloud version:

docker image nextcloud:18.0.3 (contains apache, nc, php)

Updated from an older Nextcloud/ownCloud or fresh install:

migration from non-docker setup

Where did you install Nextcloud from:

dockerhub (?)

Signing status:

Signing status

```
No errors have been found.
```

Nextcloud configuration:

Config report

```php
'ocd2a8ecc',
'passwordsalt' => '553xxxxxxxxxxxxxx',
'trusted_domains' => array (
  0 => '192.168.220.222',
  1 => 'cloud.my.tld',
  2 => 'mail2.my.tld',
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '18.0.3.0',
'dbname' => 'nextcloud',
'dbhost' => 'db',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'somepwd',
'installed' => true,
'trusted_proxies' => array (
  0 => '192.168.220.254',
),
'theme' => '',
'user_backends' => array (
  0 => array (
    'class' => 'OC_User_IMAP',
    'arguments' => array (
      '192.168.16.1', 993, 'ssl/novalidate-cert', true, false
    ),
  ),
),
'mail_smtpmode' => 'smtp',
'mail_from_address' => 'owncloud',
'mail_domain' => 'my.tld',
'mail_smtpauthtype' => 'PLAIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'mail.my.tld',
'mail_smtpport' => '587',
'mail_smtpname' => 'owncloud',
'mail_smtppassword' => 'somepwd',
'mail_smtpsecure' => 'tls',
'forcessl' => true,
'loglevel' => 2,
'secret' => 'GPhUdAbpdxddsssxxxxxxxxxxx',
'maintenance' => false,
'trashbin_retention_obligation' => 'auto',
'appstore.experimental.enabled' => false,
'overwrite.cli.url' => 'https://my.tld',
'activity_expire_days' => '90',
'mysql.utf8mb4' => true,
'filelocking.enabled' => true,
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array (
  'host' => 'redis',
  'port' => 6379,
  'timeout' => 0.0,
  'password' => '', // Optional, if not defined no password will be used.
),
'auth.bruteforce.protection.enabled' => false,
);
```

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log

```json
{
  "reqId": "X85Tcswz9cC3SXkJHRhO",
  "level": 3,
  "time": "2020-04-23T08:55:40+00:00",
  "remoteAddr": "62.40.171.237",
  "user": "--",
  "app": "user_external",
  "method": "POST",
  "url": "/index.php/login",
  "message": "ERROR: Could not connect to imap server via curl: Operation timed out after 10001 milliseconds with 0 out of 0 bytes received",
  "userAgent": "Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36",
  "version": "18.0.3.0"
}
```

stefangweichinger commented 4 years ago

Additional info:

I am able to do this:

```
# docker-compose exec app bash
# curl --insecure --url "imaps://192.168.220.222/" --user "stefan:mypwd"
```

... it auths and connects and lists mailboxes.

But with FQDN it fails:

```
# curl --insecure --url "imaps://mail.my.tld/" --user "stefan:mypwd"
```

(I suspect the routing issue here)

So maybe I only have to figure out how to set the first config within config.php, right?

stefangweichinger commented 4 years ago

I think I solved it by setting "extra_hosts" for the app container:

https://docs.docker.com/compose/compose-file/#extra_hosts

```yaml
app:
    image: nextcloud:18.0.3

    ...

    extra_hosts:
      - "mail.my.tld:192.168.220.222"
```

and this config-block in nextcloud:

```php
'user_backends' =>
  array (
    0 =>
    array (
      'class' => 'OC_User_IMAP',
      'arguments' =>
      array (
          'mail.my.tld', 993, 'ssl'
      ),
    ),
  ),
```

I will close this issue after some more tests ....
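The comment above works from the hypothesis that, seen from inside the container, the public name resolves to the WAN address, so the connection would have to hairpin back through the router, and pins the name to the LAN address instead. The following Python diagnostic is an added example, not code from the issue or from user_external: it resolves the IMAP hostname the way the container would, classifies the answer, and prints the `extra_hosts` item to pin. The LAN address is the one from the thread; the stand-in WAN address 203.0.113.10 and the fake resolver used for the offline run are constructed assumptions.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Ranges a container on the host's docker bridge can reach without the
# traffic leaving through the WAN side of the router (RFC 1918 + loopback).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Diagnosis:
    resolved: Optional[str]  # what the name resolved to, None on DNS failure
    hairpin: bool            # True if traffic would leave and re-enter via NAT
    action: str              # what to change, if anything


def is_lan_address(ip: str) -> bool:
    """True for RFC 1918 and loopback addresses, False for anything else."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def extra_hosts_entry(hostname: str, lan_ip: str) -> str:
    """The docker-compose 'extra_hosts' list item that pins hostname to lan_ip."""
    ipaddress.ip_address(lan_ip)  # raises ValueError if lan_ip is not an address
    return f"{hostname}:{lan_ip}"


def diagnose(hostname: str, lan_ip: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> Diagnosis:
    """Resolve hostname as the container does and decide whether it must be
    pinned. 'resolve' is injectable so the logic can be exercised offline."""
    try:
        resolved = resolve(hostname)
    except OSError as exc:  # socket.gaierror is an OSError
        return Diagnosis(None, False, f"DNS failure for {hostname}: {exc}")
    if resolved == lan_ip:
        return Diagnosis(resolved, False,
                         "nothing to do: the name already points at the LAN address")
    if not is_lan_address(resolved):
        return Diagnosis(resolved, True,
                         f"{hostname} -> {resolved} is the WAN side; pin it in the app service:\n"
                         f'    extra_hosts:\n      - "{extra_hosts_entry(hostname, lan_ip)}"')
    return Diagnosis(resolved, False,
                     f"{hostname} -> {resolved} is another LAN address; check which host runs dovecot")


if __name__ == "__main__":
    # Constructed offline run: 203.0.113.10 is an assumed stand-in for the
    # WAN address, not a value taken from the issue's network.
    fake_dns = {"mail.my.tld": "203.0.113.10"}
    print(diagnose("mail.my.tld", "192.168.220.222", resolve=lambda h: fake_dns[h]).action)
```

With the default resolver the function uses whatever DNS the process sees, so run it where the app container runs to reproduce the container's view. Pinning the name rather than switching the config to the bare IP also keeps certificate validation meaningful later: the TLS check compares the certificate against the name the client dialled, and `mail.my.tld` is the name the certificate can actually carry.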

stefangweichinger commented 4 years ago

I have an additional question here: during migration I have to auth the old nextcloud-installation against the new dovecot server ... while it still has a mismatching ssl-cert.

Could you please provide a working example how to set that novalidate-cert flag with your user_external app? I couldn't find anything in the README etc, and my various attempts failed so far.

violoncelloCH commented 4 years ago

Cool that you found the docker routing issue and made it work! We intentionally don't allow TLS connections without validating the certificate, because this would allow for easy MITM attacks while giving the admin a false sense of security... Please either use a valid cert (e.g. Let's Encrypt, or trust your own CA certificate) or use insecure connections if you can trust the network... Closing this, as the original issue is solved.

stefangweichinger commented 4 years ago

I understand that, but during migration sometimes one has a mismatch: hostname points to the old machine, cert doesn't match the new hostname, etc. But I am on my way now, more or less.

btw: insecure didn't work for me, either. But I might remember it wrong, many things happened in the last few days.

violoncelloCH commented 4 years ago

I see, but it's still not a reason for me to easily allow such configurations... If you really want it, you can still modify the curl parameters in the code ;) `insecure` should work with `notls` in the config... (if your mail server allows it)
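The maintainer's position in the two comments above leaves exactly two choices: a certificate the client can validate (a public CA, or your own CA that you explicitly trust), or a plain connection on a network you trust. A small Python IMAP client that offers only those choices looks like this. It is an added example, not user_external's code; the mode names `ssl`, `tls` and `notls` mirror the thread, but how this client interprets them, and its refusal of any `novalidate-cert` suffix, are its own choices. Host, port, user, password and CA path in the `__main__` block are placeholders.

```python
import imaplib
import ssl
from typing import Optional

MODES = ("ssl", "tls", "notls")  # implicit TLS (imaps), STARTTLS, plain IMAP


def imap_tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that always validates the chain and the hostname.
    cafile: PEM bundle of your own CA (the 'trust your own CA' route);
    None uses the system trust store, which covers Let's Encrypt."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets both; keep them explicit so a later
    # edit cannot relax them without it showing in a diff.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def parse_mode(mode: Optional[str]) -> str:
    """Normalise the sslmode argument to one of MODES. A value such as
    'ssl/novalidate-cert' is rejected: validation is not a knob here."""
    if mode is None:
        raise ValueError("sslmode is required; use one of " + ", ".join(MODES))
    m = mode.strip().lower()
    if m not in MODES:
        raise ValueError(f"unsupported sslmode {mode!r}; use one of {', '.join(MODES)}")
    return m


def connect_imap(host: str, port: int, mode: str, cafile: Optional[str] = None,
                 timeout: float = 10.0) -> imaplib.IMAP4:
    """Open the connection in the requested mode. A certificate that does not
    match 'host' (the migration case in the thread) raises
    ssl.SSLCertVerificationError here instead of being silently accepted."""
    m = parse_mode(mode)
    if m == "ssl":
        return imaplib.IMAP4_SSL(host, port, ssl_context=imap_tls_context(cafile),
                                 timeout=timeout)
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    if m == "tls":
        conn.starttls(imap_tls_context(cafile))
    return conn  # 'notls': credentials cross the wire in the clear


def check_credentials(host: str, port: int, mode: str, user: str, password: str,
                      cafile: Optional[str] = None) -> bool:
    """What an external-auth backend ultimately needs: does LOGIN succeed?"""
    try:
        conn = connect_imap(host, port, mode, cafile)
    except ssl.SSLCertVerificationError as exc:
        raise RuntimeError(
            f"certificate for {host} failed validation ({exc.verify_message}); "
            "fix the certificate or pass its CA bundle, do not disable checks") from exc
    try:
        conn.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


if __name__ == "__main__":
    # Placeholder values; point them at your own server and CA bundle.
    ok = check_credentials("mail.my.tld", 993, "ssl", "stefan", "mypwd", cafile=None)
    print("login ok" if ok else "login rejected")
```

During a migration where the old name still points at the old machine, the honest fix is the one the hostname check is telling you about: issue the new server a certificate that carries the name the clients dial, or, for a private CA, pass that CA's bundle as `cafile`. Both keep the MITM protection the maintainer refers to; `notls` drops it, so it only belongs on a network you already trust end to end.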

stefangweichinger commented 4 years ago

The README says `null`, which didn't work. May I suggest adding that info? (I might file a PR someday as well, but you know ...)

I'll eventually test notls later today: we might try connecting the old nextcloud to the new IMAP server for a test (although not really needed anymore right now).

thanks