nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

O365 IMAP Auth end of life 2022-10-01 #205

Open mmccarn opened 1 year ago

mmccarn commented 1 year ago

IMAP Authentication in user_external uses basic authentication.

As of October 1, 2022 Microsoft will begin disabling basic authentication in Exchange365.

(There is information in the Microsoft link above describing how you can opt out of having Microsoft disable IMAP basic authentication for your tenant.)

Normally it is not possible to set a password in /settings/users for accounts authenticating through user_external. However, if you manually create an entry in oc_users with a uid that matches an entry in oc_users_external, it becomes possible to set a local nextcloud password.

My plan at the moment is to move my existing users from IMAP auth to internal Nextcloud Auth, then require twofactor_email for the migrated users.

The code snippet below works on my system to create entries in oc_users with matching uid values from oc_users_external.

My database settings from config.php:

    'dbtype' => 'pgsql',
    'dbname' => 'nextcloud',
    'dbtableprefix' => 'oc_',

1. Connect to the SQL database:

       sudo -u postgres psql -t -d nextcloud

2. Manually create an entry in `oc_users` using the same value for uid and displayname used in oc_users_external:

       -- copy one external user into oc_users; no local password is set yet
       insert into oc_users(uid, displayname, uid_lower)
       select uid, displayname, lower(uid)
       from oc_users_external
       where uid like '<uid-from-oc_users_external>';
3. Once there is an entry in `oc_users` with a uid that matches an entry in oc_users_external, the user's password can be set in /settings/users.

4. The user now sees the same files & shares when logging in with either the original IMAP password or the new locally set password.

5. Requiring two-factor auth using twofactor_email ensures that security remains tied to the user's email.

There is some fine-tuning that could be applied to this procedure:

This code snippet sets the selected user's local password to "badPassword":

    -- same as above, but also writes a pre-computed Nextcloud password hash
    -- (argon2id, hasher version 3) for the password "badPassword"
    insert into oc_users(uid, displayname, uid_lower, password)
    select
      uid,
      displayname,
      lower(uid),
      '3|$argon2id$v=19$m=65536,t=4,p=1$aWZKcTZsV08yczguSHlNWA$3Tdbsc4hVuiM4o6zLtsR1xxhL9T27HzE2cM1umYl7nI'
    from oc_users_external
    where uid like '<uid-from-oc_users_external>';
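The same migration generalised to every external user at once, as an added example that is not code from the issue author or the user_external project. It assumes the `oc_` table prefix from the config.php above and a PostgreSQL session (`sudo -u postgres psql -d nextcloud`); unlike the snippet above it sets no placeholder password, so each migrated account gets its local password individually in /settings/users.

```sql
-- Added example (not from the issue): move all users from oc_users_external
-- into oc_users inside one transaction. Assumes the 'oc_' table prefix from
-- config.php and a PostgreSQL psql session.
BEGIN;

-- 1. Preview which external users still lack a local oc_users row.
SELECT e.uid, e.displayname
  FROM oc_users_external AS e
  LEFT JOIN oc_users AS u ON u.uid = e.uid
 WHERE u.uid IS NULL
 ORDER BY e.uid;

-- 2. Create only the missing rows, so re-running the script is harmless.
--    The password column is deliberately left at its default: no local
--    password exists until an admin sets one per user in /settings/users,
--    so no shared, well-known placeholder hash is ever stored.
INSERT INTO oc_users (uid, displayname, uid_lower)
SELECT e.uid, e.displayname, lower(e.uid)
  FROM oc_users_external AS e
 WHERE NOT EXISTS (SELECT 1 FROM oc_users AS u WHERE u.uid = e.uid);

-- 3. Self-check: abort the whole transaction if any external uid still has
--    no local counterpart, so a partial migration is never committed.
DO $$
DECLARE missing integer;
BEGIN
  SELECT count(*) INTO missing
    FROM oc_users_external AS e
   WHERE NOT EXISTS (SELECT 1 FROM oc_users AS u WHERE u.uid = e.uid);
  IF missing <> 0 THEN
    RAISE EXCEPTION '% external users still have no oc_users row', missing;
  END IF;
END $$;

COMMIT;
```

Until a local password is set, the migrated accounts still authenticate only through IMAP, as in step 4 above; once every user has a local password (and twofactor_email is enforced), the user_external backend can be disabled so IMAP basic auth is no longer part of the login path.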

simonbuehler commented 1 year ago

got hit by this issue last week, is this the only migration path possible?

mmccarn commented 1 year ago

It may be possible to re-factor the IMAP code to use SMTP instead (which may continue to work?)

I have also in the past customized the social-login app to use the email address as the UID, which also worked.

Aquariu commented 1 year ago

> got hit by this issue last week, is this the only migration path possible?

Obvious path out of this is using an IMAP-conformant email provider, but in many corporate cases, getting out of that jail looks like a daunting task.

violoncelloCH commented 1 year ago

Hey, thanks for raising this. However I feel that there is not much we can do if companies drop support for standard protocols. Your migration approach sounds reasonable; other options might be using other types of authentication such as LDAP/AD or possibly OAuth. Writing a user_external module capable of doing authentication over SMTP could work too, but for me personally it's out of scope. If anyone is up for doing this, contributions are obviously always welcome :)

simonbuehler commented 1 year ago

could https://github.com/nextcloud/mail/pull/7722 help here also in any way?