unosquare / passcore

A self-service password management tool for Active Directory
https://unosquare.github.io/passcore/
MIT License
1.04k stars, 228 forks

Linux Docker AD (working conf?) #665

Open demogorgonz opened 2 years ago

demogorgonz commented 2 years ago

PassCore Server

Can anyone share a working config for an AD setup? Is port 636 required for the password change to work?

I have been fiddling and got various errors from:

Have even tried the Windows PowerShell install, but got requests spamming without a password change.

Current run command (doesn't work):

# AppSettings__LdapSecureSocketLayer is passed twice below (false, then true)
# while LdapPort stays 389; drop one of the two so the transport setting is unambiguous.
docker run \
-e WebSettings__EnableHttpsRedirect='false' \
-e AppSettings__UseAutomaticContext='false' \
-e AppSettings__LdapHostnames__0='dc-01.example.com' \
-e AppSettings__LdapSecureSocketLayer='false' \
-e AppSettings__LdapStartTls='false' \
-e AppSettings__LdapPort='389' \
-e AppSettings__LdapUsername='passcore' \
-e AppSettings__LdapPassword='PW-HERE' \
-e AppSettings__LdapIgnoreTlsValidation='true' \
-e AppSettings__LdapIgnoreTlsErrors='true' \
-e AppSettings__LdapSecureSocketLayer='true' \
-e AppSettings__IdTypeForUser='SAM' \
-e AppSettings__DefaultDomain='example.com' \
-e ClientSettings__UseEmail='false' \
-it \
-p 80:80 \
passcore:latest

demogorgonz commented 2 years ago

OK, so I made a new AD, enabled CA/SSL, triple-checked the new password against the password policy, and still get random errors:

{"EventId":1,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Hosting.Diagnostics","Message":"Request starting HTTP/1.1 POST http://localhost/api/password application/json 164","State":{"Message":"Request starting HTTP/1.1 POST http://localhost/api/password application/json 164","Protocol":"HTTP/1.1","Method":"POST","ContentType":"application/json","ContentLength":164,"Scheme":"http","Host":"localhost","PathBase":"","Path":"/api/password","QueryString":""}}
{"EventId":0,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Routing.EndpointMiddleware","Message":"Executing endpoint \u0027Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)\u0027","State":{"Message":"Executing endpoint \u0027Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)\u0027","EndpointName":"Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)","{OriginalFormat}":"Executing endpoint \u0027{EndpointName}\u0027"}}
{"EventId":3,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker","Message":"Route matched with {action = \u0022Post\u0022, controller = \u0022Password\u0022}. Executing controller action with signature System.Threading.Tasks.Task\u00601[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel) on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).","State":{"Message":"Route matched with {action = \u0022Post\u0022, controller = \u0022Password\u0022}. Executing controller action with signature System.Threading.Tasks.Task\u00601[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel) on controller Unosquare.PassCore.Web.Controllers.PasswordController (Unosquare.PassCore.Web).","RouteData":"{action = \u0022Post\u0022, controller = \u0022Password\u0022}","MethodInfo":"System.Threading.Tasks.Task\u00601[Microsoft.AspNetCore.Mvc.IActionResult] Post(Unosquare.PassCore.Web.Models.ChangePasswordModel)","Controller":"Unosquare.PassCore.Web.Controllers.PasswordController","AssemblyName":"Unosquare.PassCore.Web","{OriginalFormat}":"Route matched with {RouteData}. Executing controller action with signature {MethodInfo} on controller {Controller} ({AssemblyName})."}}
{"EventId":0,"LogLevel":"Warning","Category":"PassCoreLDAPProvider","Message":"LDAP query: (sAMAccountName=123)","State":{"Message":"LDAP query: (sAMAccountName=123)","0":"(sAMAccountName=123)","{OriginalFormat}":"LDAP query: {0}"}}
{"EventId":0,"LogLevel":"Warning","Category":"PassCoreLDAPProvider","Message":"Resolved Win32 API Error: code=1325 name=ERROR_PASSWORD_RESTRICTION desc=Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. - LdapException: Constraint Violation (19) Constraint Violation\nLdapException: Server Message: 0000052D: AtrErr: DSID-031910C9, #1:\n\t0: 0000052D: DSID-031910C9, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n\u0000\nLdapException: Matched DN: ","State":{"Message":"Resolved Win32 API Error: code=1325 name=ERROR_PASSWORD_RESTRICTION desc=Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. - LdapException: Constraint Violation (19) Constraint Violation\nLdapException: Server Message: 0000052D: AtrErr: DSID-031910C9, #1:\n\t0: 0000052D: DSID-031910C9, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n\u0000\nLdapException: Matched DN: ","0":"LdapException: Constraint Violation (19) Constraint Violation\nLdapException: Server Message: 0000052D: AtrErr: DSID-031910C9, #1:\n\t0: 0000052D: DSID-031910C9, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n\u0000\nLdapException: Matched DN: ","{OriginalFormat}":"Resolved Win32 API Error: code=1325 name=ERROR_PASSWORD_RESTRICTION desc=Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain. - {0}"}}
{"EventId":1,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Mvc.Infrastructure.ObjectResultExecutor","Message":"Executing BadRequestObjectResult, writing value of type \u0027Unosquare.PassCore.Web.Models.ApiResult\u0027.","State":{"Message":"Executing BadRequestObjectResult, writing value of type \u0027Unosquare.PassCore.Web.Models.ApiResult\u0027.","ObjectResultType":"BadRequestObjectResult","Type":"Unosquare.PassCore.Web.Models.ApiResult","{OriginalFormat}":"Executing {ObjectResultType}, writing value of type \u0027{Type}\u0027."}}
{"EventId":2,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker","Message":"Executed action Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web) in 60.8681ms","State":{"Message":"Executed action Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web) in 60.8681ms","ActionName":"Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)","ElapsedMilliseconds":60.8681,"{OriginalFormat}":"Executed action {ActionName} in {ElapsedMilliseconds}ms"}}
{"EventId":1,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Routing.EndpointMiddleware","Message":"Executed endpoint \u0027Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)\u0027","State":{"Message":"Executed endpoint \u0027Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)\u0027","EndpointName":"Unosquare.PassCore.Web.Controllers.PasswordController.Post (Unosquare.PassCore.Web)","{OriginalFormat}":"Executed endpoint \u0027{EndpointName}\u0027"}}
{"EventId":2,"LogLevel":"Information","Category":"Microsoft.AspNetCore.Hosting.Diagnostics","Message":"Request finished HTTP/1.1 POST http://localhost/api/password application/json 164 - 400 - application/json;\u002Bcharset=utf-8 61.2996ms","State":{"Message":"Request finished HTTP/1.1 POST http://localhost/api/password application/json 164 - 400 - application/json;\u002Bcharset=utf-8 61.2996ms","ElapsedMilliseconds":61.2996,"StatusCode":400,"ContentType":"application/json; charset=utf-8","ContentLength":null,"Protocol":"HTTP/1.1","Method":"POST","Scheme":"http","Host":"localhost","PathBase":"","Path":"/api/password","QueryString":""}}

With the focus on: name=ERROR_PASSWORD_RESTRICTION desc=Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

Run command:

# LDAPS on 636; LdapIgnoreTlsValidation/LdapIgnoreTlsErrors disable certificate checking (lab use only).
docker run \
-e WebSettings__EnableHttpsRedirect='false' \
-e AppSettings__UseAutomaticContext='false' \
-e AppSettings__LdapHostnames__0='192.168.1.60' \
-e AppSettings__LdapPort='636' \
-e AppSettings__LdapUsername='passcore' \
-e AppSettings__LdapPassword='P@ssw0rd' \
-e ClientSettings__UseEmail='false' \
-e AppSettings__IdTypeForUser='SAM' \
-e AppSettings__DefaultDomain='corp.localdev' \
-e AppSettings__LdapSearchBase='CN=Users,DC=corp,DC=localdev' \
-e AppSettings__LdapSecureSocketLayer='true' \
-e AppSettings__LdapStartTls='false' \
-e AppSettings__LdapIgnoreTlsValidation='true' \
-e AppSettings__LdapIgnoreTlsErrors='true' \
-e AppSettings__RestrictedADGroups='' \
-it \
-p 80:80 \
passcore:latest

The passcore user is in the Domain Admins group too.
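The two run commands above differ mainly in their LDAP transport settings, and the first one passes AppSettings__LdapSecureSocketLayer twice. The following is an added example, not PassCore's own code, that parses the -e flags from a docker run command, reports duplicated keys and transport settings that cannot work together (LDAPS flag without port 636, no encryption at all, certificate validation switched off), and builds the unicodePwd modify that AD expects for a self-service change. The two sample commands are constructed, trimmed versions of the ones posted in this thread; it is assumed (not stated on the page) that "389" is the port when LdapPort is unset and that docker applies repeated -e flags in order so the last value wins.

```python
"""Added example (not PassCore code): check PassCore LDAP env settings and
build the AD unicodePwd modify for a self-service password change."""
import shlex

# Constructed samples, trimmed from the two commands posted in the thread.
CMD_FIRST = r"""docker run \
-e AppSettings__LdapHostnames__0='dc-01.example.com' \
-e AppSettings__LdapSecureSocketLayer='false' \
-e AppSettings__LdapStartTls='false' \
-e AppSettings__LdapPort='389' \
-e AppSettings__LdapIgnoreTlsValidation='true' \
-e AppSettings__LdapSecureSocketLayer='true' \
-it -p 80:80 passcore:latest"""

CMD_SECOND = r"""docker run \
-e AppSettings__LdapHostnames__0='192.168.1.60' \
-e AppSettings__LdapPort='636' \
-e AppSettings__LdapSecureSocketLayer='true' \
-e AppSettings__LdapStartTls='false' \
-e AppSettings__LdapIgnoreTlsValidation='true' \
-it -p 80:80 passcore:latest"""


def parse_docker_env(cmd: str) -> tuple[dict[str, str], list[str]]:
    """Return ({KEY: VALUE}, [duplicated KEYs]) for every -e KEY=VALUE flag.
    Backslash-newline continuations are folded before tokenising."""
    tokens = shlex.split(cmd.replace("\\\n", " "))
    env: dict[str, str] = {}
    dupes: list[str] = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-e":
            key, _, value = tokens[i + 1].partition("=")
            if key in env and key not in dupes:
                dupes.append(key)
            env[key] = value  # assumption: a later -e overrides an earlier one
    return env, dupes


def _flag(env: dict[str, str], key: str) -> bool:
    return env.get(key, "false").strip().lower() == "true"


def check_ldap_transport(env: dict[str, str]) -> list[str]:
    """Findings about the LDAP connection settings, as readable strings."""
    findings: list[str] = []
    port = env.get("AppSettings__LdapPort", "389")  # assumed default
    ssl = _flag(env, "AppSettings__LdapSecureSocketLayer")
    starttls = _flag(env, "AppSettings__LdapStartTls")
    if ssl and starttls:
        findings.append("LdapSecureSocketLayer and LdapStartTls are both true; pick one")
    if port == "636" and not ssl:
        findings.append("LdapPort=636 without LdapSecureSocketLayer=true")
    if port == "389" and ssl:
        findings.append("LdapSecureSocketLayer=true with LdapPort=389 (LDAPS is normally 636)")
    if not ssl and not starttls:
        findings.append("no TLS: AD refuses unicodePwd changes over an unencrypted bind")
    if _flag(env, "AppSettings__LdapIgnoreTlsValidation"):
        findings.append("LdapIgnoreTlsValidation=true disables certificate checking; lab use only")
    return findings


def unicode_pwd(password: str) -> bytes:
    """AD takes a new unicodePwd value as the password wrapped in double
    quotes and encoded UTF-16LE with no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def self_service_change(old: str, new: str) -> list[tuple[str, str, bytes]]:
    """A user changing their own password sends one modify request with two
    operations: delete the old unicodePwd value, then add the new one.
    (An administrative reset is a single replace instead.)"""
    return [
        ("delete", "unicodePwd", unicode_pwd(old)),
        ("add", "unicodePwd", unicode_pwd(new)),
    ]


if __name__ == "__main__":
    for label, cmd in (("first", CMD_FIRST), ("second", CMD_SECOND)):
        env, dupes = parse_docker_env(cmd)
        print(f"{label} command: duplicated keys = {dupes}")
        for finding in check_ldap_transport(env):
            print("  -", finding)
    print(self_service_change("Old-Passw0rd", "New-Passw0rd!"))
```

Run it as a script to see the findings for both commands; the delete/add pair is what a self-service change sends, which is why a wrong old password or a new password outside the domain policy comes back as a constraint violation on unicodePwd rather than as a bind failure.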

demogorgonz commented 2 years ago

Managed to get a single password reset to work, which can't be repeated across other users or the same user (used a different, strong password). Seems like the project is not stable/working.