Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Show LDAP lock out message #6010

Open
MorrisJobke opened this issue Aug 7, 2017 · 13 comments
Open

Show LDAP lock out message #6010

MorrisJobke opened this issue Aug 7, 2017 · 13 comments
Labels
1. to develop Accepted and waiting to be taken care of enhancement feature: ldap

Comments

@MorrisJobke
Copy link
Member

  • LDAP is setup as user backend for Nextcloud
  • LDAP has rules to expire passwords
  • once the expiry date is reached the user is not able to login
  • actual: there is no proper error message about this
  • expected: it should show the user "Your account is locked" on the next login

This was noticed on an stable11 instance.

cc @nextcloud/ldap
@MorrisJobke MorrisJobke added 1. to develop Accepted and waiting to be taken care of enhancement feature: ldap labels Aug 7, 2017
@MorrisJobke MorrisJobke added this to the Nextcloud 13 milestone Aug 7, 2017
@MorrisJobke
Copy link
Member Author

Additionally, the app just spams LDAP with thousands of failed login attempts after the account returns locked.

@LukasReschke
Copy link
Member

Additionally, the app just spams LDAP with thousands of failed login attempts after the account returns locked.

This is more caused by our mobile or desktop apps which try to reauthenticate instead of showing a proper error message I suppose.

@MorrisJobke
Copy link
Member Author

This is more caused by our mobile or desktop apps which try to reauthenticate instead of showing a proper error message I suppose.

Ah right - this could also be another reason.

@tobiasKaminsky @AndyScherzinger @marinofaggiana How do you handle if the login fails with invalid credentials, that worked before?

@tobiasKaminsky
Copy link
Member

We show the login screen again, with prefilled server url.
Then the user can try to authenticate again and will hopefully get a meaningful error message ;-)

@marinofaggiana
Copy link
Member

We show the login screen again, with prefilled server url.
Then the user can try to authenticate again and will hopefully get a meaningful error message ;-)

iOS as well

@MorrisJobke
Copy link
Member Author

Yep the iOS app does not ask for new username and password:

10.0.3.2 - test [07/Aug/2017:09:34:58 -0500] "PROPFIND /server/remote.php/webdav/17-08-06%2011-11-40%206556.jpg HTTP/1.1" 401 1024 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30835967
10.0.3.2 - test [07/Aug/2017:09:35:08 -0500] "PROPFIND /server/remote.php/webdav HTTP/1.1" 401 1526 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30495532
10.0.3.2 - test [07/Aug/2017:09:35:08 -0500] "PROPFIND /server/remote.php/webdav/Photos HTTP/1.1" 401 1532 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30495698
10.0.3.2 - test [07/Aug/2017:09:35:09 -0500] "REPORT /server/remote.php/dav/files/test HTTP/1.1" 401 1608 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30378820
10.0.3.2 - test [07/Aug/2017:09:35:09 -0500] "GET /server/ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 1696 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30591540
10.0.3.2 - test [07/Aug/2017:09:35:10 -0500] "PROPFIND /server/remote.php/webdav HTTP/1.1" 401 1540 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30239689
10.0.3.2 - test [07/Aug/2017:09:35:10 -0500] "PROPFIND /server/remote.php/webdav/Photos HTTP/1.1" 401 1532 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30360002
10.0.3.2 - test [07/Aug/2017:09:35:34 -0500] "PROPFIND /server/remote.php/webdav HTTP/1.1" 401 1534 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30459140
10.0.3.2 - test [07/Aug/2017:09:35:39 -0500] "PROPFIND /server/remote.php/webdav/Photos HTTP/1.1" 401 1024 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30262588
10.0.3.2 - test [07/Aug/2017:09:35:39 -0500] "REPORT /server/remote.php/dav/files/test HTTP/1.1" 401 1096 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30380233
10.0.3.2 - test [07/Aug/2017:09:35:40 -0500] "GET /server/ocs/v2.php/apps/notifications/api/v2/notifications?format=json HTTP/1.1" 401 1286 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 31302281
10.0.3.2 - test [07/Aug/2017:09:35:40 -0500] "GET /server/ocs/v2.php/cloud/activity?format=json HTTP/1.1" 401 1290 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 31286460
10.0.3.2 - test [07/Aug/2017:09:35:40 -0500] "GET /server/ocs/v1.php/cloud/users/test?format=json HTTP/1.1" 401 1320 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 31325732
10.0.3.2 - test [07/Aug/2017:09:35:41 -0500] "PROPFIND /server/remote.php/webdav/Photos HTTP/1.1" 401 1024 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30417035
10.0.3.2 - test [07/Aug/2017:09:36:04 -0500] "PROPFIND /server/remote.php/webdav HTTP/1.1" 401 1024 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30228076
10.0.3.2 - test [07/Aug/2017:09:36:11 -0500] "MKCOL /server/remote.php/webdav/Photos HTTP/1.1" 401 1536 "-" "Mozilla/5.0 (iOS) Nextcloud-iOS/2.17.6" 30854622

Sometimes a badge at the top appears with "Wrong username and password".

@marinofaggiana
Copy link
Member

marinofaggiana commented Aug 7, 2017
edited
Loading

mmm I detect the 401 error and show the changepassword view .... this is strange ... I don't understand

@MorrisJobke MorrisJobke mentioned this issue Aug 7, 2017
Closed
@MorrisJobke
Copy link
Member Author

We show the login screen again, with prefilled server url.
Then the user can try to authenticate again and will hopefully get a meaningful error message ;-)

The Android app shows it properly after two 401 (but both seem to have started at around the same time):

10.0.3.2 - test [07/Aug/2017:10:08:19 -0500] "GET /server/status.php HTTP/1.1" 200 1492 "-" "Mozilla/5.0 (Android) ownCloud-android/1.4.3" 219358
10.0.3.2 - test [07/Aug/2017:10:08:19 -0500] "GET /server/ocs/v1.php/cloud/capabilities?format=json HTTP/1.1" 200 1630 "-" "Mozilla/5.0 (Android) ownCloud-android/1.4.3" 1506923
10.0.3.2 - test [07/Aug/2017:10:08:21 -0500] "GET /server/ocs/v1.php/cloud/user?format=json HTTP/1.1" 401 1270 "-" "Mozilla/5.0 (Android) ownCloud-android/1.4.3" 1939436
10.0.3.2 - test [07/Aug/2017:10:08:23 -0500] "PROPFIND /server/remote.php/webdav/ HTTP/1.1" 401 1472 "-" "Mozilla/5.0 (Android) ownCloud-android/1.4.3" 345

@MorrisJobke MorrisJobke self-assigned this Aug 7, 2017
@GitHubUser4234
Copy link
Contributor

  • LDAP is setup as user backend for Nextcloud
  • LDAP has rules to expire passwords
  • once the expiry date is reached the user is not able to login
  • actual: there is no proper error message about this
  • expected: it should show the user "Your account is locked" on the next login
    This was noticed on an stable11 instance.

cc @nextcloud/ldap

With the combination of OpenLDAP + password policies enabled in Nextcloud, HTTP response 302 is returned via API and in a browser an actual redirection to the password renewal page is triggered. However if the number of grace logins is exceeded (e.g. due to an app trying to login infinitely), a 401 response will be returned as usual. So an app could parse the response code and avoid spamming LDAP with failed login attempts.

About showing an appropriate error during login when the password is expired: This hasn't been possible (at least for OpenLDAP users) because PHP doesn't support parsing the error in this case. There is no way to distinguish whether a login failed due to wrong password or password expiry. However, whether it's possible to recognize a locked account during login might need to be investigated...looks unlikely though.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@nextcloud-bot nextcloud-bot mentioned this issue Aug 21, 2018
Closed
@MorrisJobke MorrisJobke modified the milestones: Nextcloud 15, Nextcloud 16 Nov 5, 2018
@nextcloud-bot nextcloud-bot mentioned this issue Nov 14, 2018
Closed
@MorrisJobke MorrisJobke removed this from the Nextcloud 16 milestone Feb 25, 2019
@ghost ghost closed this as completed Jun 12, 2019
@skjnldsv skjnldsv removed the stale Ticket or PR with no recent activity label Jun 12, 2019
@skjnldsv skjnldsv reopened this Jun 12, 2019
@tobiasKaminsky
Copy link
Member

Do clients need something to do here?

@skjnldsv
Copy link
Member

cc @blizzz ?

@blizzz
Copy link
Member

blizzz commented Jun 20, 2019

There is not extended info right now. It might be that some newer PHP version support getting that info, but I am not aware atm.

@szaimen

This comment has been minimized.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1. to develop Accepted and waiting to be taken care of enhancement feature: ldap
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@MorrisJobke @LukasReschke @blizzz @tobiasKaminsky @marinofaggiana @skjnldsv @GitHubUser4234 @nextcloud-bot @szaimen