[Feature Request] honor pwdReset: TRUE on openldap #1766
Comments
|
This would probably take a fair bit of thought. There are many LDAP implementations and they each have differing methods to signify this. We also have to ensure it's reset after. It would probably require 3 additional configuration options: authentication_backend:
ldap:
password_reset_attribute: pwdReset
password_reset_value_required: "TRUE"
password_reset_value_not_required: "FALSE"Ideally a feature like this should also exist as an alternative to the current email based password reset. |
james-d-elliott
added
type/feature
|
This can be half done via a filter:
We will have to think about the added functionality of forcing a reset, specifically. |
|
Thank you! Ill give it a try and post the results |
|
@davama how'd you go with testing this, with the updated filter did it prevent you from being able to login with that user? Just want to understand current behaviour so we know how to plan the second portion of this request. |
|
It works but will have an issue when it comes to email. Im trying to figure out how to better write the filter: |
|
We may have to have a set of filters for this purpose where the |
|
That’ll be interesting to see |
|
@davama see the linked PR, it's based on some other rather large changes to LDAP. Docs: https://645cd13fb6279b000851c935--authelia-staging.netlify.app/configuration/first-factor/ldap/ Specifically: https://645cd13fb6279b000851c935--authelia-staging.netlify.app/configuration/first-factor/ldap/#users_reset_filter |
|
Thank you very much @james-d-elliott ! I see there are a few changes to the ldap configuration settings. i would like to give this a test. Thanks! |
|
Tag is the branch name, so |
|
Hello @james-d-elliott hope you are doing well. I have no issue authenticating with my credentials and getting an email to reset my password. It is only after i clicked the reset password link and input my new password that i get the error below. I have yet to try an account with the perhaps it's a config issue? below is my update ldap config: I can post my openldap logs too, but want to make sure that my config is sane before i do so. Best, |
|
Try this: authentication_backend:
password_reset:
disable: false
custom_url: ""
refresh_interval: 5m
ldap:
implementation: custom
address: 'ldap://dcom-dave-vm.domain.com'
timeout: '5s'
start_tls: false
tls:
skip_verify: false
minimum_version: TLS1.2
base_dn: 'dc=domain,dc=com'
additional_users_dn: 'ou=people'
users_filter: '(&({username_attribute}={input})(objectClass=person)(!(pwdReset=TRUE)))'
users_reset_filter: '(&({username_attribute}={input})(objectClass=person))'
additional_groups_dn: 'ou=group'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_search_mode: 'filter'
mail_attribute: mail
display_name_attribute: cn
permit_referrals: false
permit_unauthenticated_bind: false
user: cn=pwmanager,dc=domain,dc=com
#password: is via ENV var
attributes:
distinguished_name: 'dn'
username: 'uid'
display_name: 'cn'
mail: 'mail'
member_of: 'memberOf'
group_name: 'cn' |
|
Also @davama I was literally coming on to ask how you were going with this, so good timing! |
thats funny appreciate the input! thank you @james-d-elliott !! |
|
These new filters definitely help in a user not being able to successfully auth/authorize with some dummy password that an administrator set and with the I will say that that's as far as a user can go. They are not able to reset their password on their own. No email is sent and according to authelia logs, no user is found (which makes sense according to this filter Log of the authelia error: I believe it would be beneficial for the users to know that they MUST reset their password (via email perhaps). As I understand that the less info you give back on the UI the better. Thank you very much for your help in this! Looking forward to your thoughts Best, |
|
I think I know why. Should be easy to fix. I understand the desire for making this more than just allowing the reset but preventing a user login, however I'm skeptical about the idea of this specifically because it may not prove to be very portable. For example as far as I am aware FreeIPA doesn't have an attribute like this, it has a date time. Variances like this make it difficult to support this well without creating painful issues to solve or heavily restricting the directory servers we support. In addition the feature does not currently exist for the file provider which must be considered. |
Basically if attribute is present, then force user to reset their password.
with sssd when attribute is present, the user is given a msg that they must change their password and force to type old pass then new pass.
Of course willing to test.
thanks!
The text was updated successfully, but these errors were encountered: