The Wayback Machine - https://web.archive.org/web/20211016083933/https://github.com/nextcloud/server/issues/29049

SAML/LDAP tries impossible bind while using Kerberos auth backend #29049

Open
L0ric0 opened this issue Oct 3, 2021 · 0 comments


@L0ric0 L0ric0 commented Oct 3, 2021

Steps to reproduce

  1. Use Apache to authenticate against a Kerberos server, which sets the REMOTE_USER variable.
  2. Use LDAP to look up the user.
  3. Try to log in to Nextcloud.

Expected behaviour

The login succeeds and the user can use the cloud.

Actual behaviour

After authenticating with Kerberos, Nextcloud looks up the user in the LDAP database and finds it; then it tries a bind for the user and fails, as for users it is impossible to bind with LDAP, since that is handled by Kerberos.

(All LDAP lookups are done anonymously, and testing the configuration in the settings or with the occ command returns the expected results.)

Server configuration detail

Operating system: Linux 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64

Webserver: Apache/2.4.48 (Debian) (apache2handler)

Database: pgsql PostgreSQL 13.3 (Debian 13.3-1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit

PHP version:

7.4.21
Modules loaded: Core, date, libxml, openssl, pcre, zlib, filter, hash, Reflection, SPL, session, standard, sodium, apache2handler, mysqlnd, PDO, xml, apcu, bcmath, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, gmp, iconv, imagick, intl, json, ldap, luasandbox, exif, mcrypt, mysqli, pdo_mysql, pdo_pgsql, pgsql, apc, posix, readline, shmop, SimpleXML, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, wikidiff2, xmlreader, xmlwriter, xsl, zip, Phar, Zend OPcache

Nextcloud version: 22.2.0 - 22.2.0.2

Updated from an older Nextcloud/ownCloud or fresh install: updated from 18.something in the steps the updater suggests

Where did you install Nextcloud from: unknown

Signing status

Array
(
)

List of activated apps
Enabled:
 - accessibility: 1.8.0
 - activity: 2.15.0
 - admin_audit: 1.12.0
 - apporder: 0.13.0
 - calendar: 2.3.4
 - circles: 22.1.1
 - cloud_federation_api: 1.5.0
 - comments: 1.12.0
 - contacts: 4.0.3
 - contactsinteraction: 1.3.0
 - dashboard: 7.2.0
 - dav: 1.19.0
 - deck: 1.5.3
 - event_update_notification: 1.3.0
 - federatedfilesharing: 1.12.0
 - federation: 1.12.0
 - files: 1.17.0
 - files_fulltextsearch: 22.0.1
 - files_mindmap: 0.0.25
 - files_pdfviewer: 2.3.0
 - files_rightclick: 1.1.0
 - files_sharing: 1.14.0
 - files_trashbin: 1.12.0
 - files_versions: 1.15.0
 - firstrunwizard: 2.11.0
 - fulltextsearch: 22.0.1
 - impersonate: 1.9.0
 - issuetemplate: 0.7.0
 - logreader: 2.7.0
 - lookup_server_connector: 1.10.0
 - mail: 1.10.5
 - nextcloud_announcements: 1.11.0
 - notes: 4.1.1
 - notifications: 2.10.1
 - oauth2: 1.10.0
 - password_policy: 1.12.0
 - photos: 1.4.0
 - privacy: 1.6.0
 - provisioning_api: 1.12.0
 - quicknotes: 0.7.2
 - recommendations: 1.1.0
 - serverinfo: 1.12.0
 - settings: 1.4.0
 - sharebymail: 1.12.0
 - support: 1.5.0
 - survey_client: 1.10.0
 - suspicious_login: 4.0.0
 - systemtags: 1.12.0
 - text: 3.3.0
 - theming: 1.13.0
 - twofactor_backupcodes: 1.11.0
 - updatenotification: 1.12.0
 - user_ldap: 1.12.0
 - user_saml: 4.1.1
 - user_status: 1.2.0
 - viewer: 1.6.0
 - weather_status: 1.2.0
 - workflowengine: 2.4.0
Disabled:
 - carnet
 - encryption
 - files_external
 - files_videoplayer
 - polls
 - tasks

Configuration (config/config.php)
{
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "localhost",
        "wilhelm.physik.uni-kl.de"
    ],
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "dbtype": "pgsql",
    "version": "22.2.0.2",
    "overwrite.cli.url": "https:\/\/wilhelm.physik.uni-kl.de\/nextcloud",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "sendmail",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/nextcloud",
    "ldapIgnoreNamingRules": false,
    "maintenance": false,
    "theme": "",
    "loglevel": 0,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "has_rebuilt_cache": true,
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "data-fingerprint": "851d7e6fd91df0607def152cea5dca0b",
    "default_phone_region": "DE",
    "app_install_overwrite": [
        "calendar",
        "issuetemplate"
    ],
    "encryption.legacy_format_support": true,
    "encryption.key_storage_migrated": false,
    "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory"
}

Are you using external storage, if yes which one: local/smb/sftp/...

Are you using encryption:

Are you using an external user-backend, if yes which one: LDAP/Kerberos

LDAP configuration (delete this part if not used)
cleanUpJobOffset: 0
enabled: yes
installed_version: 1.12.0
s01_lastChange: 1632995387
s01has_memberof_filter_support: 
s01home_folder_naming_rule: 
s01last_jpegPhoto_lookup: 0
s01ldap_agent_password: 
s01ldap_attributes_for_group_search: 
s01ldap_attributes_for_user_search: 
s01ldap_backup_host: 
s01ldap_backup_port: 
s01ldap_base: dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_base_groups: ou=groups,dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_base_users: ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de
s01ldap_cache_ttl: 600
s01ldap_configuration_active: 1
s01ldap_default_ppolicy_dn: 
s01ldap_display_name: displayname
s01ldap_dn: 
s01ldap_dynamic_group_member_url: 
s01ldap_email_attr: mail
s01ldap_experienced_admin: 0
s01ldap_expert_username_attr: uid
s01ldap_expert_uuid_group_attr: cn
s01ldap_expert_uuid_user_attr: uid
s01ldap_gid_number: gidNumber
s01ldap_group_display_name: cn
s01ldap_group_filter: (&(|(objectclass=groupOfNames)(objectclass=posixGroup)))
s01ldap_group_filter_mode: 0
s01ldap_group_member_assoc_attribute: member
s01ldap_groupfilter_groups: 
s01ldap_groupfilter_objectclass: groupOfNames
posixGroup
s01ldap_host: ypsilon.physik.uni-kl.de
s01ldap_login_filter: (&(|(objectclass=posixAccount))(|(uid=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
s01ldap_login_filter_mode: 1
s01ldap_loginfilter_attributes: 
s01ldap_loginfilter_email: 1
s01ldap_loginfilter_username: 1
s01ldap_nested_groups: 1
s01ldap_override_main_server: 
s01ldap_paging_size: 500
s01ldap_port: 389
s01ldap_quota_attr: 
s01ldap_quota_def: 
s01ldap_tls: 0
s01ldap_turn_off_cert_check: 0
s01ldap_turn_on_pwd_change: 0
s01ldap_user_avatar_rule: default
s01ldap_user_display_name_2: 
s01ldap_user_filter_mode: 1
s01ldap_userfilter_groups: 
s01ldap_userfilter_objectclass: posixAccount
s01ldap_userlist_filter: (|(objectclass=posixAccount))
s01use_memberof_to_detect_membership: 1
types: authentication

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Operating system:

Logs

Web server error log
none

Nextcloud log
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"no app in context","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Token is not valid: Token does not exist","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2","exception":{"Exception":"OC\\Authentication\\Exceptions\\InvalidTokenException","Message":"Token does not exist","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":146,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":531,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":447,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":584,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/base.php","line":1053,"function":"tryBasicAuthLogin","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":990,"function":"handleLogin","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php","Line":159,"Previous":{"Exception":"OCP\\AppFramework\\Db\\DoesNotExistException","Message":"token does not exist","Code":0,"Trace":[{"file":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenProvider.php","line":157,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenMapper","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/Authentication/Token/Manager.php","line":146,"function":"getToken","class":"OC\\Authentication\\Token\\DefaultTokenProvider","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":531,"function":"getToken","class":"OC\\Authentication\\Token\\Manager","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":447,"function":"isTokenPassword","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/User/Session.php","line":584,"function":"logClientIn","class":"OC\\User\\Session","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/base.php","line":1053,"function":"tryBasicAuthLogin","class":"OC\\User\\Session","type":"->"},{"file":"/var/www/nextcloud/lib/base.php","line":990,"function":"handleLogin","class":"OC","type":"::"},{"file":"/var/www/nextcloud/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/lib/private/Authentication/Token/DefaultTokenMapper.php","Line":93},"CustomMessage":"Token is not valid: Token does not exist"}}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"initializing paged search for filter (&(|(objectclass=posixAccount))(|(uid=lsteinert)(|(mailPrimaryAddress=lsteinert)(mail=lsteinert)))), base ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], limit 500, offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"LDAP error Invalid credentials (49) after calling ldap_bind","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:01+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"initializing paged search for filter (&(|(objectclass=posixAccount))(|(uid=lsteinert)(|(mailPrimaryAddress=lsteinert)(mail=lsteinert)))), base ou=people,dc=rethfeld,dc=physik,dc=uni-kl,dc=de, attr [\"entryuuid\",\"nsuniqueid\",\"objectguid\",\"guid\",\"ipauniqueid\",\"dn\",\"uid\",\"samaccountname\",\"memberof\",\"mail\",\"displayname\",\"jpegphoto\",\"thumbnailphoto\"], limit 500, offset 0","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Ready for a paged search","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":0,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"LDAP error Invalid credentials (49) after calling ldap_bind","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"user_ldap","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bind failed: 49: Invalid credentials","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":2,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"core","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Login failed: 'lsteinert' (Remote IP: '91.66.218.29')","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
{"reqId":"77ZcD9Vr34sqwLKtIdiV","level":1,"time":"2021-10-03T18:19:02+00:00","remoteAddr":"91.66.218.29","user":"--","app":"core","method":"GET","url":"/nextcloud/apps/theming/image/logo?useSvg=1&v=5","message":"Bruteforce attempt from \"91.66.218.29\" detected for action \"login\".","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0","version":"22.2.0.2"}
Browser log
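As an added defender-side example (not code from the report or from Nextcloud), the script below groups Nextcloud JSON log lines by reqId and separates the chain the report shows (LDAP lookup finds the user, ldap_bind then fails with 49, the login fails and brute-force protection trips, all within one request) from repeated plain login failures across requests. The log lines, reqIds, IPs and usernames are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample lines in Nextcloud's JSON log format, modelled on the
# report's entries; reqIds, IPs and usernames are placeholders.
SAMPLE_LOG = r"""
{"reqId":"REQ1","level":0,"remoteAddr":"198.51.100.7","app":"user_ldap","message":"initializing paged search for filter (&(|(objectclass=posixAccount))(|(uid=jdoe)(mail=jdoe))), base ou=people,dc=example,dc=org, attr [\"dn\",\"uid\"], limit 500, offset 0"}
{"reqId":"REQ1","level":0,"remoteAddr":"198.51.100.7","app":"user_ldap","message":"LDAP error Invalid credentials (49) after calling ldap_bind"}
{"reqId":"REQ1","level":2,"remoteAddr":"198.51.100.7","app":"user_ldap","message":"Bind failed: 49: Invalid credentials"}
{"reqId":"REQ1","level":2,"remoteAddr":"198.51.100.7","app":"core","message":"Login failed: 'jdoe' (Remote IP: '198.51.100.7')"}
{"reqId":"REQ1","level":1,"remoteAddr":"198.51.100.7","app":"core","message":"Bruteforce attempt from \"198.51.100.7\" detected for action \"login\"."}
{"reqId":"REQ2","level":2,"remoteAddr":"203.0.113.9","app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.9')"}
{"reqId":"REQ3","level":2,"remoteAddr":"203.0.113.9","app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.9')"}
"""

def parse_lines(text):
    """One JSON object per non-empty line; non-JSON lines are skipped."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            pass
    return entries

def triage(entries):
    """Classify each reqId. 'sso_bind_misconfig' is the report's chain: user_ldap
    found the user, ldap_bind then failed (49) and core logged a login failure,
    all in one request (Kerberos already authenticated; no password to bind with).
    'login_failure' is a failed login with no LDAP bind error before it."""
    by_req = defaultdict(list)
    for e in entries:
        by_req[e.get("reqId", "?")].append(e)
    summary = {}
    for req, evs in by_req.items():
        def has(app, prefix):  # any event of `app` in this request starting with `prefix`
            return any(e.get("app") == app and e.get("message", "").startswith(prefix) for e in evs)
        if has("user_ldap", "initializing paged search") and has("user_ldap", "Bind failed: 49") \
                and has("core", "Login failed:"):
            kind = "sso_bind_misconfig"
        elif has("core", "Login failed:"):
            kind = "login_failure"
        else:
            kind = "ok"
        summary[req] = {"kind": kind, "ip": evs[0].get("remoteAddr"),
                        "bruteforce_flagged": has("core", "Bruteforce attempt")}
    return summary

def repeat_failures(summary, threshold=2):
    """IPs with at least `threshold` plain login failures across distinct requests."""
    counts = defaultdict(int)
    for info in summary.values():
        if info["kind"] == "login_failure":
            counts[info["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

A brute-force alert that always co-occurs with a user_ldap bind failure in the same request points at the backend configuration rather than at the client.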
acsfer changed the title from "SAML/LDAP nextcoud trys impossible bind" to "SAML/LDAP tries impossible bind while using Kerberos auth backend" on Oct 3, 2021