nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Option 'multiple user back-ends' is disabled but users from the LDAP backend can login via WebDAV #339

Open m-a-r-k-e opened 5 years ago

m-a-r-k-e commented 5 years ago

Steps to reproduce

  1. Configure a LDAP backend
  2. Configure SAML authentication and disable "Allow the use of multiple user back-ends (e.g. LDAP)"
  3. Login using the web interface
  4. Try to open via WebDAV (https:///remote.php/webdav/) and try to login with the credentials of an LDAP user -> This works

Expected behaviour

  1. Login via the web interface redirects via my SSO solution (Keycloak)
  2. Login to WebDAV should fail, because this cannot redirect to my SSO solution and "Allow the use of multiple user back-ends (e.g. LDAP)" is disabled. I expect that only app passwords work, as in this case WebDAV cannot redirect you to the SSO login webpage, so you can use app passwords.

Actual behaviour

  1. Login via the web interface works as expected
  2. I can login to WebDAV with the credentials of a user in the LDAP backend. I have configured my SSO solution with 2FA, so with WebDAV you can now directly login and bypass the 2FA.

This issue is probably related to https://github.com/nextcloud/user_saml/issues/284, but for the direct login page I used the suggested solution of blocking it with the web server configuration.

Server configuration detail

Operating system: Linux 3.10.0-957.12.1.el7.x86_64 #1 SMP Mon Apr 29 14:59:59 UTC 2019 x86_64

Webserver: Apache (apache2handler)

Database: mysql 5.5.60

PHP version:

7.2.10 Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, apache2handler, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, intl, json, ldap, exif, mysqlnd, PDO, Phar, posix, shmop, SimpleXML, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, zip, mysqli, pdo_mysql, pdo_sqlite, wddx, xmlreader, apcu, igbinary, imagick, redis, Zend OPcache

Nextcloud version: 16.0.1 - 16.0.1.1

Updated from an older Nextcloud/ownCloud or fresh install:

Where did you install Nextcloud from: unknown

Signing status: Array ( )

List of activated apps:

```
Enabled:
 - accessibility: 1.2.0
 - activity: 2.9.1
 - admin_audit: 1.6.0
 - cloud_federation_api: 0.2.0
 - comments: 1.6.0
 - dav: 1.9.2
 - drawio: 0.9.3
 - external: 3.3.0
 - federatedfilesharing: 1.6.0
 - files: 1.11.0
 - files_accesscontrol: 1.6.0
 - files_pdfviewer: 1.5.0
 - files_rightclick: 0.13.0
 - files_sharing: 1.8.0
 - files_texteditor: 2.8.0
 - files_trashbin: 1.6.0
 - files_versions: 1.9.0
 - files_videoplayer: 1.5.0
 - firstrunwizard: 2.5.0
 - gallery: 18.3.0
 - groupfolders: 4.0.2
 - issuetemplate: 0.5.0
 - logreader: 2.1.0
 - lookup_server_connector: 1.4.0
 - nextcloud_announcements: 1.5.0
 - notes: 2.6.0
 - notifications: 2.4.1
 - oauth2: 1.4.2
 - password_policy: 1.6.0
 - provisioning_api: 1.6.0
 - recommendations: 0.4.0
 - serverinfo: 1.6.0
 - sharebymail: 1.6.0
 - systemtags: 1.6.0
 - theming: 1.7.0
 - twofactor_backupcodes: 1.5.0
 - updatenotification: 1.6.0
 - user_ldap: 1.6.0
 - user_saml: 2.3.1
 - viewer: 1.0.0
 - workflowengine: 1.6.0
Disabled:
 - encryption
 - federation
 - files_external
 - privacy
 - support
 - survey_client
```

Configuration (config/config.php):

```
{
    "dbtype": "mysql",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "3306",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "mysql.utf8mb4": true,
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwritehost": "***REMOVED MY DOMAIN/URL***",
    "overwriteprotocol": "https",
    "overwritewebroot": "\/",
    "overwrite.cli.url": "***REMOVED MY DOMAIN/URL***",
    "htaccess.RewriteBase": "\/",
    "trusted_domains": [
        "***REMOVED MY DOMAIN/URL***"
    ],
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "default_language": "nl",
    "default_locale": "nl_NL",
    "remember_login_cookie_lifetime": 0,
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 6379
    },
    "logtimezone": "Europe\/Amsterdam",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": 25,
    "lost_password_link": "disabled",
    "allow_user_to_change_display_name": false,
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "version": "16.0.1.1",
    "dbtableprefix": "oc_",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
    "theme": "",
    "maintenance": false,
    "loglevel": 0
}
```

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: LDAP

Client configuration

Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Operating system: Windows 10

lexeyka commented 4 years ago

If you enable the "Enforce two-factor authentication" option in Settings -> Administration -> Security -> Two-Factor Authentication (or occ config:system:set --value true twofactor_enforced) without enabling any two-factor providers, access with the backend password will be denied, but access with the application password will remain (and user_saml module functionality too).

You can certainly use this crutch to solve the problem, but I'm not sure that similar problems will not come out anywhere else ...

I suppose all this mess has occurred due to rather serious changes in the authentication stack in several recent versions of Nextcloud (support for multi-factor providers, Two-Factor Gateway, etc.). And I'm not sure that the problem lies in the module itself.

In any case, it requires either additional testing of this "solution", and/or confirmation of the author that this "solution" works as expected.

But in any case, achieving WebDAV authentication through the module will not work, because it requires support in the sabredav library. Multi-factor authentication functionality (whether through the user_saml module or a two-factor provider) refers only to the Nextcloud web portal and its web applications.
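
The following is an added example, not code from the user_saml project or from either commenter, for checking the behaviour the issue describes and the effect of the twofactor_enforced workaround on your own instance. It sends a PROPFIND to the files endpoint twice over HTTP Basic auth: once with the user's LDAP/backend password, which should be refused (401) once "Allow the use of multiple user back-ends" is off and the workaround is in place, and once with an app password, which should keep working (207 Multi-Status). The host name, user name and both secrets in the usage call are placeholders; the verdict logic is separated from the network call so it can be exercised with canned status codes.

```python
"""Check whether a SAML-only Nextcloud still accepts LDAP backend passwords over WebDAV.

Added example (not part of user_saml). Assumptions: the instance is reachable at
BASE_URL, the test account exists in the LDAP backend, and the two secrets are
the account's backend password and an app password generated in the web UI.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict

# Minimal PROPFIND body: ask for a single property so the response stays small.
PROPFIND_BODY = (
    b'<?xml version="1.0"?>'
    b'<d:propfind xmlns:d="DAV:"><d:prop><d:getetag/></d:prop></d:propfind>'
)


def propfind_status(base_url: str, user: str, secret: str, timeout: float = 10.0) -> int:
    """Send one PROPFIND (Depth: 0) with HTTP Basic credentials and return the status code."""
    url = f"{base_url.rstrip('/')}/remote.php/dav/files/{user}/"
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req = urllib.request.Request(url, data=PROPFIND_BODY, method="PROPFIND")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Depth", "0")
    req.add_header("Content-Type", "application/xml; charset=utf-8")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 401 (credentials refused) arrives as an HTTPError; report its code.
        return err.code


def evaluate(backend_status: int, app_password_status: int) -> Dict[str, object]:
    """Interpret the two status codes.

    WebDAV PROPFIND answers 207 on success and 401 when the credentials are
    refused. The bypass described in the issue is present when the backend
    (LDAP) password is accepted instead of being refused.
    """
    bypass = backend_status == 207
    backend_refused = backend_status == 401
    app_ok = app_password_status == 207
    if bypass:
        verdict = "FAIL: LDAP backend password still accepted over WebDAV"
    elif backend_refused and app_ok:
        verdict = "OK"
    else:
        verdict = f"INCONCLUSIVE: backend={backend_status} app={app_password_status}"
    return {
        "backend_password_refused": backend_refused,
        "app_password_accepted": app_ok,
        "sso_bypass_present": bypass,
        "verdict": verdict,
    }


def verify_saml_only(
    base_url: str,
    user: str,
    backend_password: str,
    app_password: str,
    probe: Callable[[str, str, str], int] = propfind_status,
) -> Dict[str, object]:
    """Probe both credential types and return the evaluation; `probe` is injectable for offline use."""
    backend = probe(base_url, user, backend_password)
    app = probe(base_url, user, app_password)
    return evaluate(backend, app)


if __name__ == "__main__":
    # Placeholder values: replace with your own instance, a test LDAP user and its secrets.
    BASE_URL = "https://cloud.example.test"
    result = verify_saml_only(BASE_URL, "testuser", "ldap-backend-password", "app-password-from-settings")
    print(result["verdict"])
```

Run it before and after setting twofactor_enforced: with the bypass present the backend password yields 207 and the verdict is FAIL; after the workaround it should yield 401 while the app password still returns 207. Anything other than that pair (for example 401 on both, which would mean the app password is also wrong or revoked) is reported as INCONCLUSIVE rather than OK, so a broken test credential is never mistaken for a fixed instance.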

flotpg commented 3 years ago

If I understand you correctly - I need to untick enforce TOTP to prevent users from signing in via this backdoor?

WTH? This is a big security issue - We punish users through all that MFA/TOTP hassle, route them through Azure Conditional Access Policies to make sure only trusted/domain joined/etc. devices are able to access the Nextcloud instance and now this? The user only has to change the URL to login from any device?

flotpg commented 3 years ago

Got it:

Many thx for that hint.