Local users login with IMAP credentials is not working properly #3
Comments
|
Interestingly NC desktop client 2.3.3 and latest OC desktop client both do not have the issue - login with IMAP credentials is stable and durable. |
violoncelloCH
changed the title
|
this is not a supported use case to overtake local nextcloud users with the external user backend |
(from #61) how should user_external prevent this? afaik it just gets called from nextcloud if there was no valid authentication form an other backend and then does it's authentication, nothing more or less |
Seconded. You should only use one user back-end for each user. I assume the moment you're logged out is when the token manager tries to verify the password is still valid. This happens every five minutes. Web logins and clients that use sessions/cookies will be affected. In general: please report security issues to hacker1 https://github.com/nextcloud/server/blob/master/.github/CONTRIBUTING.md#guidelines |
|
Hm, my understanding of external user authentication is to allow a (local) user to authenticate via external resources - thats what is suggested by the extension (without a deep dive into the code and database). However, this could be prevented by user_external by checking, if a local user with the same name / identifier already exist (regular nextcloud user database). Even if one should use only one user backend I think there is a valid use case to have more, e.g. allowing a user to authenticate via (local) password and/or e.g. IMAP authentication. |
|
Why does the token manages does not "remember" that I previously logged in via IMAP auth and verifies a valid password agains the wrong user backend? |
|
This is not how the Nextcloud user manager works. It just iterates the available back-ends and checks if any of them validate the password as correct.
It's beyond its scope. That part is handled by the user management (as described above). Please be aware that I'm not an expert in the area of user mgmt, so you could just have a look at the code if you'r interested in how it works: https://github.com/nextcloud/server/blob/fce1ddc04e0ec7253fb34ebdff5f6161e96c4d2a/lib/private/User/Manager.php#L201-L214 |
That's the point. Obviously this doesn't work / does not iterate the available back-ends. Otherwise the IMAP password (which I previously successfuly used to log in) would be validated correctly against the IMAP server which is not the case and not even tried. |
|
I suggest to attach a debugger with xdebug and just step through that code. |
Affected apps
Nextcloud-14.0.4 (at least)
user_external
Steps to reproduce
Actual behaviour (modified user names and IPs)
I enabled IMAP authentication for my (locally existing) users.
Initial login with IMAP credentials is fine:
Dec 15 22:49:08 srv-mail-1 dovecot: imap-login: Login: user=[email protected], method=PLAIN, rip=192.168.0.201, lip=192.168.0.202, mpid=4153, TLS, session=<kLF3hBZ9bq/AqADJ>
Dec 15 22:49:08 srv-mail-1 dovecot: imap([email protected]): Logged out in=15 out=436
After several minutes (even while using / browsing) you're getting logged out. The logfile contains the following error:
{"reqId":"bAkH7FHnR1VCysvgycVc","level":2,"time":"2018-12-15T21:54:14+00:00","remoteAddr":"a.b.c.d","user":"[email protected]","app":"core","method":"GET","url":"/ocs/v2.php/apps/notifications/api/v2/notifications","message":"Login failed: '[email protected]' (Remote IP: 'a.b.c.d')","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36","version":"14.0.4.2"}
However, the mail log is fine - no errors / failed logins but also no login attemps.
The problem is the same/similar when using the desktop client - initial sync is fine but subsequent login attemps fail with the same error.
If I should really collect all the information requested in this template please let me know - thanks.
The text was updated successfully, but these errors were encountered: