O365 IMAP Auth end of life 2022-10-01

[mmccarn]

IMAP Authentication in user_external uses basic authentication.

As of October 1, 2022 Microsoft will begin disabling basic authentication in Exchange365.

(There is information in the Microsoft link above describing how you can opt out of having Microsoft disable IMAP basic authentication for your tenant.)

Normally it is not possible to set a password in /settings/users for accounts authenticating through user_external. However, if you manually create an entry in oc_users with a uid that matches an entry in oc_users_external, it becomes possible to set a local nextcloud password.

My plan at the moment is to move my existing users from IMAP auth to internal Nextcloud Auth, then require twofactor_email for the migrated users.

The code snippet below works on my system to create entries in oc_users with matching uid values from oc_users_external.

My database settings from config.php:

  'dbtype' => 'pgsql',
  'dbname' => 'nextcloud',
  'dbtableprefix' => 'oc_',

1. Connect to the sql database

   sudo -u postgres psql -t -d nextcloud
   

2. Manually create an entry in 'oc_users' using the same value for uid and displayname used in oc_users_external:

   insert into oc_users(uid,displayname,uid_lower)
   select uid, displayname,lower(uid) from  oc_users_external where uid like '<uid-from-oc_users_external>';
   

3. Once there is an entry in "oc_users" with a uid that matches an entry in oc_users_external, the user's password can be set in /settings/users

4. The User now sees the same files & shares if logging in using the original IMAP password or the new locally set password

5. Requring two factor auth using twofactor_email ensures that security remains tied to the user's email

There is some fine-tuning that could be applied to this procedure:

• All accounts could be migrated (remove the "where..." clause)
• All accounts could have a pre-defined password applied
  • Create a bogus user
  • Set the password for the bogus user
  • Get the encrypted password info from oc_users for the bogus user
  • Add the encrypted password to the sql 'insert' command

This code snippet sets the selected user's local password to "badPassword" -

insert into oc_users(uid,displayname,uid_lower,password)
select 
  uid, 
  displayname,
  lower(uid),
  '3|$argon2id$v=19$m=65536,t=4,p=1$aWZKcTZsV08yczguSHlNWA$3Tdbsc4hVuiM4o6zLtsR1xxhL9T27HzE2cM1umYl7nI' 
from  oc_users_external where uid like '<uid-from-oc_users_external>';

[simonbuehler]

got hit by this issue last week, is this the only migration path possible?

[mmccarn]

It may be possible to re-factor the IMAP code to use SMTP instead (which may continue to work?)

I have also in the past customized the social-login app to use the email address as the UID, which also worked.

[Aquariu]

got hit by this issue last week, is this the only migration path possible?

Obvious path out of this is using an IMAP-conformant email provider, but in many corporate cases, getting out of that jail looks like a daunting task.

[violoncelloCH]

Hey, thanks for raising this. However I feel that there is no much we can do if companies drop support for standard protocols. Your migration approach sounds reasonable; other options might be using other types of authentications as LDAP/AD or possibly OAuth. Writing a user_external module capable of doing authentication over SMTP could work too, but for me personally it's out of scope. If anyone is up for doing this, contributions are obviously always welcome :)

[simonbuehler]

could nextcloud/mail#7722 help here also in any way?