Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Active Directory password change issues #10809

Closed
paraviz02 opened this issue Aug 22, 2018 · 6 comments · Fixed by #21106
Closed

Active Directory password change issues #10809

paraviz02 opened this issue Aug 22, 2018 · 6 comments · Fixed by #21106
Labels
1. to develop Accepted and waiting to be taken care of bug feature: ldap
Milestone
Nextcloud 20

Comments

@paraviz02
Copy link

paraviz02 commented Aug 22, 2018
edited
Loading

Steps to reproduce

  1. Enable and configure LDAP user and group backend app
  2. As a Nextcloud AD user, attempt password change OR
  3. As a Nextcloud admin, change password for AD user

Expected behaviour

Password should change, cache should be cleared. User should no longer be able to log in with old password.

Actual behaviour

For a Nextcloud admin, the password changes and is updated in Active Directory. For a Nextcloud AD user, the message "Wrong password" is displayed when attempting a password change, and the password is not updated.

After password is updated (in this case, currently only possible by an admin), the user can still log in with both the old and new passwords until the caching service is restarted or cache is cleared. I did not test waiting for the cache to expire, however.

Server configuration

Operating system: Ubuntu 18.04

Web server: Apache 2.4.29

Database: MySQL 5.7.23

PHP version: 7.2.7

Nextcloud version: Nextcloud 14 beta 4

Updated from an older Nextcloud/ownCloud or fresh install: Updated from Nextcloud 13

Where did you install Nextcloud from: Internet archive

Signing status:

Signing status 
No errors have been found.

List of activated apps:

App list 
  - accessibility: 1.0.1
  - activity: 2.7.0
  - cloud_federation_api: 0.0.1
  - comments: 1.4.0
  - dav: 1.6.0
  - federatedfilesharing: 1.4.0
  - federation: 1.4.0
  - files: 1.9.0
  - files_external: 1.5.0
  - files_pdfviewer: 1.3.2
  - files_sharing: 1.6.2
  - files_texteditor: 2.6.0
  - files_trashbin: 1.4.1
  - files_versions: 1.7.1
  - files_videoplayer: 1.3.0
  - firstrunwizard: 2.3.0
  - gallery: 18.1.0
  - limit_login_to_ip: 1.0.4
  - logreader: 2.0.0
  - lookup_server_connector: 1.2.0
  - nextcloud_announcements: 1.3.0
  - notifications: 2.2.1
  - oauth2: 1.2.1
  - password_policy: 1.4.0
  - provisioning_api: 1.4.0
  - serverinfo: 1.4.0
  - sharebymail: 1.4.0
  - support: 1.0.0
  - survey_client: 1.2.0
  - systemtags: 1.4.0
  - theming: 1.5.0
  - twofactor_backupcodes: 1.3.0
  - twofactor_gateway: 0.7.0
  - twofactor_totp: 1.5.0
  - updatenotification: 1.4.1
  - user_ldap: 1.4.0
  - workflowengine: 1.4.0

Nextcloud configuration:

Config report 
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "cloud.retinostics.com"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "overwrite.cli.url": "http:\/\/cloud.retinostics.com",
        "dbtype": "mysql",
        "version": "14.0.0.16",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "updater.release.channel": "beta",
        "maintenance": false,
        "theme": "",
        "loglevel": 2,
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "25",
        "memcache.local": "\\OC\\Memcache\\APCu"
    }
}

Are you using external storage, if yes which one: SMB is configured but not being used.

Are you using encryption: Access to the site is encrypted, data location is not encrypted

Are you using an external user-backend, if yes which one: Active Directory

LDAP configuration (delete this part if not used)

LDAP config 
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+
| Configuration                 |                                                                                                                       |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 0                                                                                                                     |
| hasPagedResultSupport         |                                                                                                                       |
| homeFolderNamingRule          |                                                                                                                       |
| lastJpegPhotoLookup           | 0                                                                                                                     |
| ldapAgentName                 | cn=Retinostics Services,ou=Service,ou=Accounts,dc=retinostics,dc=corp                                                 |
| ldapAgentPassword             | ***                                                                                                                   |
| ldapAttributesForGroupSearch  |                                                                                                                       |
| ldapAttributesForUserSearch   |                                                                                                                       |
| ldapBackupHost                |                                                                                                                       |
| ldapBackupPort                |                                                                                                                       |
| ldapBase                      | dc=retinostics,dc=corp                                                                                                |
| ldapBaseGroups                | dc=retinostics,dc=corp                                                                                                |
| ldapBaseUsers                 | dc=retinostics,dc=corp                                                                                                |
| ldapCacheTTL                  | 600                                                                                                                   |
| ldapConfigurationActive       | 1                                                                                                                     |
| ldapDefaultPPolicyDN          |                                                                                                                       |
| ldapDynamicGroupMemberURL     |                                                                                                                       |
| ldapEmailAttribute            | mail                                                                                                                  |
| ldapExperiencedAdmin          | 0                                                                                                                     |
| ldapExpertUUIDGroupAttr       |                                                                                                                       |
| ldapExpertUUIDUserAttr        |                                                                                                                       |
| ldapExpertUsernameAttr        |                                                                                                                       |
| ldapGidNumber                 | gidNumber                                                                                                             |
| ldapGroupDisplayName          | cn                                                                                                                    |
| ldapGroupFilter               | (|(cn=Cloud))                                                                                                         |
| ldapGroupFilterGroups         |                                                                                                                       |
| ldapGroupFilterMode           | 1                                                                                                                     |
| ldapGroupFilterObjectclass    |                                                                                                                       |
| ldapGroupMemberAssocAttr      | member                                                                                                                |
| ldapHost                      | ldaps://retinostics-ad0.retinostics.corp                                                                              |
| ldapIgnoreNamingRules         |                                                                                                                       |
| ldapLoginFilter               | (&(&(objectclass=person)(memberOf=cn=Cloud,ou=Groups,dc=retinostics,dc=corp))(|(mailPrimaryAddress=%uid)(mail=%uid))) |
| ldapLoginFilterAttributes     |                                                                                                                       |
| ldapLoginFilterEmail          | 1                                                                                                                     |
| ldapLoginFilterMode           | 0                                                                                                                     |
| ldapLoginFilterUsername       | 0                                                                                                                     |
| ldapNestedGroups              | 0                                                                                                                     |
| ldapOverrideMainServer        |                                                                                                                       |
| ldapPagingSize                | 500                                                                                                                   |
| ldapPort                      | 636                                                                                                                   |
| ldapQuotaAttribute            |                                                                                                                       |
| ldapQuotaDefault              |                                                                                                                       |
| ldapTLS                       | 0                                                                                                                     |
| ldapUserAvatarRule            | default                                                                                                               |
| ldapUserDisplayName           | displayname                                                                                                           |
| ldapUserDisplayName2          |                                                                                                                       |
| ldapUserFilter                | (&(objectclass=person)(memberOf=cn=Cloud,ou=Groups,dc=retinostics,dc=corp))                                           |
| ldapUserFilterGroups          |                                                                                                                       |
| ldapUserFilterMode            | 1                                                                                                                     |
| ldapUserFilterObjectclass     | person                                                                                                                |
| ldapUuidGroupAttribute        | auto                                                                                                                  |
| ldapUuidUserAttribute         | auto                                                                                                                  |
| turnOffCertCheck              | 0                                                                                                                     |
| turnOnPasswordChange          | 1                                                                                                                     |
| useMemberOfToDetectMembership | 1                                                                                                                     |
+-------------------------------+-----------------------------------------------------------------------------------------------------------------------+

Client configuration

Browser: Safari 11.1

Operating system: MacOS 10.13.4

Logs

Web server error log

Web server error log 
N/A - no errors

Nextcloud log (data/nextcloud.log)

Nextcloud log 
{"reqId":"eQKGhzGcYxgv8Yr4i0ZV","level":2,"time":"2018-08-22T15:25:59+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"kmJXCOeYvurTXN1PBpGS","level":2,"time":"2018-08-22T15:26:05+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"sCWDf91rY14bxbsZf9hB","level":2,"time":"2018-08-22T16:06:04+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"vt7uFNJuWdZQIQp9BCPP","level":2,"time":"2018-08-22T16:06:23+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"NlfqwcFmfpVFtQTh0QmK","level":2,"time":"2018-08-22T16:09:30+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"QzIOptBcgqJHxQo46FXs","level":2,"time":"2018-08-22T16:11:21+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}
{"reqId":"m9OVQEqk35yGbK0W3dnz","level":2,"time":"2018-08-22T16:23:38+00:00","remoteAddr":"1.2.3.4","user":"E88E4D13-C0B4-4239-9B59-94B90FF47DBF","app":"core","method":"POST","url":"\/index.php\/settings\/personal\/changepassword","message":"Login failed: 'E88E4D13-C0B4-4239-9B59-94B90FF47DBF' (Remote IP: '1.2.3.4')","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit\/605.1.15 (KHTML, like Gecko) Version\/11.1 Safari\/605.1.15","version":"14.0.0.16"}

Browser log

Browser log 
JSON response
{status: "error", data: {message: "Wrong password"}}

Summary
URL: https://cloud.retinostics.com/index.php/settings/personal/changepassword
Status: 200 OK
Source: Network
Address: 199.19.158.151:443

Request
POST /index.php/settings/personal/changepassword HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: https://cloud.retinostics.com
Host: cloud.retinostics.com
Accept: */*
Connection: keep-alive
Accept-Encoding: br, gzip, deflate
Content-Length: 88
DNT: 1
Cookie: nc_session_id=9aev56b6shl7mgje108uomj0tb; nc_token=zFau1%2BGtqmYZ7DRzETiK7%2BDTlJYGxqlk; nc_username=E88E4D13-C0B4-4239-9B59-94B90FF47DBF; oczthmqvfvi4=9aev56b6shl7mgje108uomj0tb; oc_sessionPassphrase=GN4XQLBUZ6AlEgLtg1mlqWveMMBP8lc8%2BAct113qLEvM0osnL30qxd2KcTrVEjp8Vb9jSwfbMIgvKQt%2F0mMBjw9ATdOCd4ijbV30YhHsi%2FDT12Zw1oDXbkC0HZVVGuBk; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15
Accept-Language: en-us
requesttoken: wRytWaSgVf1drq91Ued9rFhzsI0N7CobqiKLpLhgnkU=:+FHLEcLaA4s2ydw5ZIor7wE1+9pFo0ZzyVLz199V0XM=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest

Response
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Pragma: no-cache
Date: Wed, 22 Aug 2018 18:17:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
X-XSS-Protection: 1; mode=block
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 54
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-Download-Options: noopen

Request Data
MIME Type: application/x-www-form-urlencoded; charset=UTF-8
oldpassword: oldness
newpassword: newpass
newpassword-clone: newpass
@nextcloud-bot
Copy link
Member

GitMate.io thinks possibly related issues are #3565 (Improve change password dialogue), #422 (Password Protected Shared Directories Upon Opening Are Buggy), #8356 (Unable to change forgotten password), #7378 ([personal settings] Move "Change password" to "Security"-settings ), and #9989 (User should change his password after a certain time).

@blizzz
Copy link
Member

blizzz commented Aug 25, 2018

For a Nextcloud admin, the password changes and is updated in Active Directory. For a Nextcloud AD user, the message "Wrong password" is displayed when attempting a password change, and the password is not updated.

Interesting, as in any scenario the configured agent is being used to perform that action.

After password is updated (in this case, currently only possible by an admin), the user can still log in with both the old and new passwords until the caching service is restarted or cache is cleared. I did not test waiting for the cache to expire, however.

The cache is not involved with the login process. A bind against the LDAP server is necessary and you should be also able to spot such a request against AD.

AD, typically, allows authentication with old and new password for a while… either it's replication or (for NTLM – i do not know how they treat LDAP binds internally) one hour by default.

@blizzz
Copy link
Member

blizzz commented Sep 27, 2018

As there is no feedback since a while I will close this ticket. If this is still happening please feel free to reopen.

@blizzz blizzz closed this as completed Sep 27, 2018
@tomasz-lasko
Copy link

tomasz-lasko commented Nov 18, 2019
edited
Loading

Perhaps there is indeed a bug in Nextcloud (noticed e.g. in 17.0.1), that for a password change operation, nextcloud searches the user by UUID, but it does the search in a wrong way: by using configured "login attributes" (e.g. name/email). But these attributes do not have a UUID, so the user is not found (so nothing can be done for the user, e.g. I guess even the old password cannot be verified before starting to update to a new one).

WORKAROUND:
Find out which attribute is used to map UUID (e.g. objectGUID) and include this attribute in the "login attributes".

Details here: https://help.nextcloud.com/t/users-unable-to-change-password-active-directory-ldap/44412/9

@blizzz blizzz reopened this Nov 18, 2019
@tomasz-lasko
Copy link

I see that you reopened the ticket. I have edited my previous comment, so that it is more clear what is wrong and I added a workaround.

@skjnldsv skjnldsv added the 1. to develop Accepted and waiting to be taken care of label Apr 10, 2020
This was referenced May 25, 2020
Closed
Merged
@blizzz
Copy link
Member

blizzz commented May 25, 2020

fix in #21106

@MorrisJobke MorrisJobke added this to the Nextcloud 20 milestone May 26, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1. to develop Accepted and waiting to be taken care of bug feature: ldap
Projects
None yet
Milestone
Nextcloud 20
Development

Successfully merging a pull request may close this issue.

use the loginname to verify the old password in user password changes nextcloud/server
7 participants
@MorrisJobke @blizzz @tomasz-lasko @paraviz02 @tflidd @skjnldsv @nextcloud-bot