LDAP module doesn't work correctly - vulnerable to burglary

Hello @mbatz ,
I would like to point out that when the LDAP module is enabled, a new user logging in for the first time with his LDAP account (according to the standard) gets an account created.
Everything is great as long as I log in according to the login policy.
However, if the user makes a mistake (in the login) or does it on purpose and enters it incorrectly, such an account is also created when LDAP is enabled.

Shouldn’t the module first check if such an account exists, and then decide whether to set up an account or not?

It seems to me that a properly functioning mechanism should verify whether the account exists in LDAP. If not, it should not allow setting up a DATAGERRY account for such a login.

Currently, when a person enters a login that has nothing to do with the LDAP policy and enters a password for such a login, an account is created and the person is admitted to the program:

Log from file webapp.log:

[2020-10-15 07:32:53][ERROR   ] --- [AUTH] jeden not in database: User not found (__init__.py)
[2020-10-15 07:32:53][INFO    ] --- [AUTH] Check for other providers - request_user: jeden (__init__.py)
[2020-10-15 07:32:53][INFO    ] --- [LocalAuthenticationProvider] Try login for user jeden (internal_providers.py)
[2020-10-15 07:32:53][ERROR   ] --- [AUTH] User jeden could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 07:32:53][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee8addb400> (__init__.py)
[2020-10-15 07:32:57][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-15 07:32:57][INFO    ] --- [LdapAuthenticationProvider] Try creating user: jeden (external_providers.py)

and can log on with this data in the program all the time, and if the default permissions for this group are quite high, such a person can maliciously do damage or steal data.

Please check this and fix it.
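The order of operations this post asks for, authenticate against the directory first and provision the local account only afterwards, written out as an added example. This is not DATAGERRY's code: the in-memory directory, the `user_dn_template`, the `LocalUser` store and the names are constructed stand-ins, and `fake_bind` plays the role that a real `ldap3` simple bind (which raises `LDAPBindError` on bad credentials, as in the logs above) would play in production.

```python
"""Authenticate-then-provision for an LDAP login (added example, not DATAGERRY code).

Rule demonstrated: a local account is created only after the directory has
accepted the user's own credentials. Everything below is constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


class LdapBindError(Exception):
    """Raised when the directory rejects the bind (stands in for ldap3's LDAPBindError)."""


# Constructed stand-in for the directory: DN -> password accepted for a simple bind.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
}


def fake_bind(dn: str, password: str) -> None:
    """Simulate a simple bind: return silently on success, raise on failure."""
    if FAKE_DIRECTORY.get(dn) != password:
        raise LdapBindError("automatic bind not successful - invalidCredentials")


@dataclass
class LocalUser:
    user_name: str
    authenticator: str
    group: str


@dataclass
class LdapAuthenticationProvider:
    """Binds *as the user* and only then provisions a local account (hypothetical provider)."""
    user_dn_template: str            # assumed shape, e.g. "uid={login},ou=people,dc=example,dc=org"
    default_group: str
    bind: Callable[[str, str], None] = field(default=fake_bind)
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def authenticate(self, login: str, password: str) -> LocalUser:
        # 1. Refuse empty credentials before touching the directory. RFC 4513 allows an
        #    "unauthenticated bind" (DN with empty password) that many servers answer
        #    with success, which would otherwise look like a valid login.
        if not login or not password:
            raise LdapBindError("empty login or password refused")
        # 2. Refuse logins with DN/filter metacharacters so the interpolated DN can only
        #    ever name the entry for this login.
        if any(ch in login for ch in ',=+<>#;\\"*()\x00'):
            raise LdapBindError("login contains characters not allowed in a DN")
        dn = self.user_dn_template.format(login=login)
        # 3. Bind with the user's own credentials. Any failure propagates here, and no
        #    local state has been touched yet.
        self.bind(dn, password)
        # 4. Only now does "exists on LDAP but not in database" justify creating a user.
        user = self.users.get(login)
        if user is None:
            user = LocalUser(user_name=login, authenticator="LdapAuthenticationProvider",
                             group=self.default_group)
            self.users[login] = user
        return user


def demo() -> dict:
    """Run the cases discussed in the thread against the constructed directory."""
    provider = LdapAuthenticationProvider(
        user_dn_template="uid={login},ou=people,dc=example,dc=org",
        default_group="User",
    )
    results = {"valid": provider.authenticate("alice", "correct horse battery staple").group}
    for name, login, pw in [("wrong_password", "alice", "nope"),
                            ("unknown_user", "jeden", "anything"),
                            ("empty_password", "alice", "")]:
        try:
            provider.authenticate(login, pw)
            results[name] = "accepted"
        except LdapBindError:
            results[name] = "rejected"
    # Only the login that the directory accepted has been provisioned.
    results["accounts"] = sorted(provider.users)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is in step 3: the bind result is the only evidence that the login belongs to a real directory account, so the first write to the user store happens after it, and a failed bind leaves nothing behind to log in with later.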

Hi @marcinw,

the LDAP authentication creates a DATAGERRY user account with the flag “LdapAuthenticationProvider” on a first login. This should only happen if the LDAP authentication was successful. In our testing environment, I could not produce a situation where an account was created if the LDAP authentication was not successful (e.g. wrong username or password).

logs of a successful LDAP auth:

[2020-10-15 11:20:08][ERROR   ] --- [AUTH] mbatz not in database: User not found (__init__.py) 
[2020-10-15 11:20:08][INFO    ] --- [AUTH] Check for other providers - request_user: mbatz (__init__.py)
[2020-10-15 11:20:08][INFO    ] --- [LocalAuthenticationProvider] Try login for user mbatz (internal_providers.py)
[2020-10-15 11:20:08][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 11:20:08][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7f7086f9ff98> (__init__.py)
[2020-10-15 11:20:09][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-15 11:20:09][INFO    ] --- [LdapAuthenticationProvider] Try creating user: mbatz (external_providers.py)

logs of an unsuccessful LDAP auth:

[2020-10-15 11:22:45][ERROR   ] --- [AUTH] mbatz not in database: User not found (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Check for other providers - request_user: mbatz (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [LocalAuthenticationProvider] Try login for user mbatz (internal_providers.py)
[2020-10-15 11:22:45][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7f706c786da0> (__init__.py)
[2020-10-15 11:22:45][ERROR   ] --- [LdapAuthenticationProvider] User auth result: automatic bind not successful - invalidCredentials (external_providers.py)
[2020-10-15 11:22:45][ERROR   ] --- [AUTH] User mbatz could not validate with provider <class 'cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider'>: ('LdapAuthenticationProvider', LDAPBindError('automatic bind not successful - invalidCredentials',)) (__init__.py)
[2020-10-15 11:22:45][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.external_providers.LdapAuthenticationProvider object at 0x7f708665e128> (__init__.py)

Can you please write down the single steps you made to reproduce the error?

Hello @mbatz,
I have enabled LocalAuthenticationProvider and LdapAuthenticationProvider like that:

I have version:

The default group for the newly created user is User and that group has a value:

and next I open a new incognito window and write the address http
next I fill in the login and password fields

when I clicked the button I'm in the app:

in the logs I saw this information:

logs

[2020-10-16 09:27:18][ERROR   ] --- [AUTH] case not in database: User not found (__init__.py)
[2020-10-16 09:27:18][INFO    ] --- [AUTH] Check for other providers - request_user: case (__init__.py)
[2020-10-16 09:27:18][INFO    ] --- [LocalAuthenticationProvider] Try login for user case (internal_providers.py)
[2020-10-16 09:27:18][ERROR   ] --- [AUTH] User case could not validate with provider <class 'cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider'>: ('LocalAuthenticationProvider', 'Error while GET operation - E: $User not found') (__init__.py)
[2020-10-16 09:27:18][INFO    ] --- [AUTH] Provider instance: <cmdb.security.auth.providers.internal_providers.LocalAuthenticationProvider object at 0x7fee741e0e48> (__init__.py)
[2020-10-16 09:27:22][WARNING ] --- [LdapAuthenticationProvider] User exists on LDAP but not in database: User not found (external_providers.py)
[2020-10-16 09:27:22][INFO    ] --- [LdapAuthenticationProvider] Try creating user: case (external_providers.py)

I can log out and log in again and again

Profile looks like that: