LDAP module doesn't work correctly - vulnerable to burglary

Hello @mbatz,
I would like to point out that when the LDAP module is enabled, a new user logging in for the first time with his LDAP account (according to the standard) creates an account.
Everything is great as long as I log in according to the login policy.
However, if the user makes a mistake (in the login) or does it on purpose and enters it incorrectly, such an account is also created when LDAP is enabled.

Shouldn't the module first check if such an account exists, and then decide whether to set up an account or not?

It seems to me that a properly functioning mechanism should verify whether the account exists in the LDAP. If not, it should not allow setting up a Datagerry account for such a login.

Currently, when a person enters a login that has nothing to do with the LDAP policy and enters a password for such a login, an account is created and the person is admitted to the program:

log from file webapp.log

[2020-10-15 07:32:53][ERROR ] --- [AUTH] jeden not in database: User not found (__init__.py)
[2020-10-15 07:32:53][INFO ] --- [AUTH] Check for other providers - request_user: jeden (__init__.py)
[2020-10-15 07:32:53][INFO ] --- [LocalAuthenticationProvider] Try login for user jeden (internal_providers.py)
[2020-10-15 07:32:53][ERROR ] --- [AUTH] User jeden could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 07:32:53][INFO ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee8addb400> (__init__.py)
[2020-10-15 07:32:57][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-15 07:32:57][INFO ] --- [LdapAuthenticationProvider] Try creating user: jeden (external_providers.py)

and can log on with this data in the program all the time, and if the default permissions for this group are quite high, such a person can maliciously do damage or steal data.

Please check this and fix it.

Hi @marcinw,

the LDAP authentication creates a DATAGERRY user account with the flag "LdapAuthenticationProvider" on a first login. This should only happen if the LDAP authentication was successful. In our testing environment, I could not produce a situation where an account was created if the LDAP authentication was not successful (e.g. wrong username or password).

logs of a successful LDAP auth:

[2020-10-15 11:20:08][ERROR   ] --- [AUTH] mbatz not in database: User not found (__init__.py) 
[2020-10-15 11:20:08][INFO    ] --- [AUTH] Check for other providers - request_user: mbatz (__init__.py)
[2020-10-15 11:20:08][INFO    ] --- [LocalAuthenticationProvider] Try login for user mbatz (internal_providers.py)
[2020-10-15 11:20:08][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 11:20:08][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7f7086f9ff98> (__init__.py)
[2020-10-15 11:20:09][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-15 11:20:09][INFO    ] --- [LdapAuthenticationProvider] Try creating user: mbatz (external_providers.py)

logs of an unsuccessful LDAP auth:

[2020-10-15 11:22:45][ERROR   ] --- [AUTH] mbatz not in database: User not found (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Check for other providers - request_user: mbatz (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [LocalAuthenticationProvider] Try login for user mbatz (internal_providers.py)
[2020-10-15 11:22:45][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7f706c786da0> (__init__.py)
[2020-10-15 11:22:45][ERROR   ] --- [LdapAuthenticationProvider] User auth result: automatic bind not successful - invalidCredentials (external_providers.py)
[2020-10-15 11:22:45][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'>: ('LdapAuthenticationProvider', LDAPBindError('automatic bind not successful - invalidCredentials',)) (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider object at 0x7f708665e128> (__init__.py)

Can you please write down the single steps you made, to reproduce the error?

Hello @mbatz,
I have enabled LocalAuthenticationProvider and LdapAuthenticationProvider like this:

I have this version:

The default group for the newly created user is User, and that group has this value:

And next I open a new incognito window and enter the address http
Next I fill in the login and password fields.

When I clicked the button, I was in the app:

In the logs I saw this information:

logs

[2020-10-16 09:27:18][ERROR ] --- [AUTH] case not in database: User not found (__init__.py)
[2020-10-16 09:27:18][INFO ] --- [AUTH] Check for other providers - request_user: case (__init__.py)
[2020-10-16 09:27:18][INFO ] --- [LocalAuthenticationProvider] Try login for user case (internal_providers.py)
[2020-10-16 09:27:18][ERROR ] --- [AUTH] User case could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-16 09:27:18][INFO ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee741e0e48> (__init__.py)
[2020-10-16 09:27:22][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-16 09:27:22][INFO ] --- [LdapAuthenticationProvider] Try creating user: case (external_providers.py)

I can log out and log in again and again.

Profile looks like that:

Hi @marcinw,

as I can see in your logs, the LDAP authentication in your case is successful:

[2020-10-16 09:27:22][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)

That is why a new user account in DATAGERRY will be created.

Hi,
Yes, I know that the log says that user "case" exists, but I assure you there is no such login in my company.
I created more than one strange login and every one could be created.
I created the logins "jeden", "test", "case", "jkdsir"
and every time I could create it:

I created a user from random letters: jkdsir

[2020-10-20 12:35:31][ERROR ] --- [AUTH] jkdsir not in database: User not found (__init__.py)
[2020-10-20 12:35:31][INFO ] --- [AUTH] Check for other providers - request_user: jkdsir (__init__.py)
[2020-10-20 12:35:31][INFO ] --- [LocalAuthenticationProvider] Try login for user jkdsir (internal_providers.py)
[2020-10-20 12:35:31][ERROR ] --- [AUTH] User jkdsir could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-20 12:35:31][INFO ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee74413ef0> (__init__.py)
[2020-10-20 12:35:37][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-20 12:35:37][INFO ] --- [LdapAuthenticationProvider] Try creating user: jkdsir (external_providers.py)

Please check it.

Hello all,

I can confirm I noticed a similar behavior with the default LDAP search string shipped with Datagerry.
Then I updated the search string to only allow login if a username is inside an Active Directory Group named “DatagerryUsers” in the Organizational Unit named “ServiceUsers”.

Configuration I have implemented is:

Authentication Config > Search > Basedn: OU=ServiceUsers,DC=example,DC=com
Authentication Config > Search > Searchfilter: (&(samaccountname=%username%)(memberof=CN=DatagerryUsers,OU=ServiceUsers,DC=example,DC=com))

After this configuration, logins are consistent:

  • users existing in LDAP but not in the group are denied access
  • users existing in LDAP and in the group are allowed access
  • users not existing in LDAP are denied access

Datagerry version is 1.3.1 currently.

Hope this helps
Regards
Gino

Hi @marcinw, @Gino,

ok, I understand the problem. Thanks for reporting the issue. We will review the LDAP authenticator today and give you an update soon.

@marcinw

I have a little difficulty reproducing this behavior. At the moment it looks like your LDAP connection will give a response when querying the user, which we don’t capture.

Could you activate DEBUG mode on your installed instance and run the error again (starting parameter -d)? Then the debug logs will be activated. Of interest would be the Search Filter and Search Result output during login.
Thanks a lot.

Hi,
I will try today to prepare the logs from this case for you.
If I see sensitive information about my company in the logs, I will change it, for my security and the company's security.
I hope this will not disturb your verification.

Hi @marcinw,

thanks a lot. Of course, please anonymize secret data in the logs.

Hi,
Words and phrases written in capital letters are anonymised data.

logs with create user

[2020-10-26 06:33:07][DEBUG ] --- [AuthModule][__init_settings] Installed provider: <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AuthModule][__init_settings] Database provider list: [{'class_name': 'LocalAuthenticationProvider', 'config': {'active': True}}, {'class_name': 'LdapAuthenticationProvider', 'config': {'active': True, 'default_group': 2, 'server_config': {'host': 'HOST.DOMAIN_NAME.COM', 'port': 389, 'use_ssl': False}, 'connection_config': {'user': 'CN=USER,OU=ADDITIONAL_ACCOUNTS,OU=ACCOUNT_GROUP,OU=CENTRAL_OTHER,OU=DOMAIN,DC=DOMAIN_NAME,DC=COM', 'password': 'PASSWORD', 'version': 3}, 'search': {'basedn': 'DC=DOMAIN_NAME,DC=COM', 'searchfilter': '(uid=%username%)'}}}] (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AuthModule][__init_settings] Installed provider: <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AuthModule][__init_settings] Database provider list: [{'class_name': 'LocalAuthenticationProvider', 'config': {'active': True}}, {'class_name': 'LdapAuthenticationProvider', 'config': {'active': True, 'default_group': 2, 'server_config': {'host': 'HOST.DOMAIN_NAME.COM', 'port': 389, 'use_ssl': False}, 'connection_config': {'user': 'CN=USER,OU=ADDITIONAL_ACCOUNTS,OU=ACCOUNT_GROUP,OU=CENTRAL_OTHER,OU=DOMAIN,DC=DOMAIN_NAME,DC=COM', 'password': 'PASSWORD', 'version': 3}, 'search': {'basedn': 'DC=DOMAIN_NAME,DC=COM', 'searchfilter': '(uid=%username%)'}}}] (__init__.py)
[2020-10-26 06:33:07][ERROR ] --- [AUTH] case121212 not in database: User not found (__init__.py)
[2020-10-26 06:33:07][INFO ] --- [AUTH] Check for other providers - request_user: case121212 (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AUTH] Provider list: [<class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>, <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'>] (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AUTH] using provider: <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:07][INFO ] --- [LocalAuthenticationProvider] Try login for user case121212 (internal_providers.py)
[2020-10-26 06:33:07][ERROR ] --- [AUTH] User case121212 could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-26 06:33:07][INFO ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fe59827cb00> (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [AUTH] using provider: <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:07][DEBUG ] --- [LdapAuthenticationProvider] Connection status: True (external_providers.py)
[2020-10-26 06:33:07][DEBUG ] --- [LdapAuthenticationProvider] Search Filter: (uid=case121212) (external_providers.py)
[2020-10-26 06:33:10][DEBUG ] --- [LdapAuthenticationProvider] Search result: True (external_providers.py)
[2020-10-26 06:33:10][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-26 06:33:10][INFO ] --- [LdapAuthenticationProvider] Try creating user: case121212 (external_providers.py)
[2020-10-26 06:33:10][DEBUG ] --- [LdapAuthenticationProvider] New user was init (external_providers.py)
[2020-10-26 06:33:10][DEBUG ] --- [AuthModule][__init_settings] Installed provider: <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:10][DEBUG ] --- [AuthModule][__init_settings] Database provider list: [{'class_name': 'LocalAuthenticationProvider', 'config': {'active': True}}, {'class_name': 'LdapAuthenticationProvider', 'config': {'active': True, 'default_group': 2, 'server_config': {'host': 'HOST.DOMAIN_NAME.COM', 'port': 389, 'use_ssl': False}, 'connection_config': {'user': 'CN=USER,OU=ADDITIONAL_ACCOUNTS,OU=ACCOUNT_GROUP,OU=CENTRAL_OTHER,OU=DOMAIN,DC=DOMAIN_NAME,DC=COM', 'password': 'PASSWORD', 'version': 3}, 'search': {'basedn': 'DC=DOMAIN_NAME,DC=COM', 'searchfilter': '(uid=%username%)'}}}] (__init__.py)
[2020-10-26 06:33:10][DEBUG ] --- [AuthModule][__init_settings] Installed provider: <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'> (__init__.py)
[2020-10-26 06:33:10][DEBUG ] --- [AuthModule][__init_settings] Database provider list: [{'class_name': 'LocalAuthenticationProvider', 'config': {'active': True}}, {'class_name': 'LdapAuthenticationProvider', 'config': {'active': True, 'default_group': 2, 'server_config': {'host': 'HOST.DOMAIN_NAME.COM', 'port': 389, 'use_ssl': False}, 'connection_config': {'user': 'CN=USER,OU=ADDITIONAL_ACCOUNTS,OU=ACCOUNT_GROUP,OU=CENTRAL_OTHER,OU=DOMAIN,DC=DOMAIN_NAME,DC=COM', 'password': 'PASSWORD', 'version': 3}, 'search': {'basedn': 'DC=DOMAIN_NAME,DC=COM', 'searchfilter': '(uid=%username%)'}}}] (__init__.py)
[2020-10-26 06:33:10][DEBUG ] --- Excepted parameter: group_id | public_id (route_utils.py)
[2020-10-26 06:33:10][DEBUG ] --- Parameter exits 2 (route_utils.py)
[2020-10-26 06:33:10][DEBUG ] --- Exception parameter passed test at group_id | public_id! (route_utils.py)
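The debug log above shows the search operation reporting `True` for a login that does not exist in the directory, after which the account is created. The following is an added illustration, not Datagerry's code: the connection object and the sample directory are constructed stand-ins that mimic the ldap3 convention where `search()` returns the status of the operation rather than whether anything matched, and the login routine only succeeds when exactly one entry matches the filter and a bind as that entry's DN with the supplied password succeeds.

```python
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


class FakeLdapConnection:
    """Constructed stand-in for an ldap3-style connection (assumption, not project code).
    search() returns True when the *operation* completed, even with zero matches;
    the matched DNs are exposed separately via .entries."""

    def __init__(self, directory):
        self.directory = directory  # dn -> attribute dict (constructed sample data)
        self.entries = []

    def search(self, basedn, searchfilter):
        m = re.fullmatch(r'\((\w+)=([^()]*)\)', searchfilter)  # single equality filter only
        attr, wanted = (m.group(1).lower(), m.group(2)) if m else (None, None)
        self.entries = [dn for dn, attrs in self.directory.items()
                        if dn.endswith(basedn) and attrs.get(attr) == wanted]
        return True  # operation succeeded regardless of how many entries matched

    def rebind(self, dn, password):
        return dn in self.directory and self.directory[dn]["password"] == password


def ldap_login(conn, username, password, basedn, searchfilter_template):
    """Return the authenticated user's DN, or None on any failure."""
    if not password:  # an empty password would be an unauthenticated bind, never accept it
        return None
    searchfilter = searchfilter_template.replace('%username%', escape_filter_value(username))
    if not conn.search(basedn, searchfilter):
        return None
    # The failure mode in this thread: treating the True above as "user exists".
    if len(conn.entries) != 1:
        return None  # unknown or ambiguous login: no session and no auto-created account
    dn = conn.entries[0]
    return dn if conn.rebind(dn, password) else None


DIRECTORY = {  # constructed sample data, both uid and sAMAccountName style attributes
    "CN=alice,DC=example,DC=com": {"uid": "alice", "samaccountname": "alice",
                                   "password": "correct horse"},
}
```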

Hi @marcinw,@Gino,

thank you so much for supporting us. With your help, we found the problem and created a security release.

Hi @mbatz ,
I updated to the new version and checked, and it works great: when I have a good user it lets the user in, and when it doesn't exist in LDAP it does not admit the user.

I had to also correct my search -> searchfilter from: (uid=%username%)
to: (samaccountname=%username%)

@Gino
You don't need to duplicate information from search -> basedn in search -> searchfilter.
You could have only (samaccountname=%username%) and this search should work the same, because basedn specifies where to search.


Hello @marcinw,

Yes, the search works even without the basedn; the advantage is that when you have 10,000+ elements in your directory, this makes the search more targeted, faster, and more efficient.

One more time, thanks to all Datagerry development team for this good, flexible, promising system.

Regards
Gino
