ID: 08865 | Project: Bug reports | Category: Authentication | View Status: public | Last Update: 2015-03-15 18:37
Reporter: DenisChenu | Assigned To: aesteban
Priority: normal | Severity: minor
Status: closed | Resolution: fixed
Product Version: 2.05+
Target Version: 2.06+
Summary: 08865: User not in LDAP or in WebServer can log in again
Description

If a user is created via LDAP, he can update his password, his email, etc.
But this can break some security in some companies.

Steps To Reproduce

Example 1:

  • John Doe has his LDAP account,
  • Goes to admin, updates his password
  • John Doe leaves the company
  • John Doe has access to the surveys of the company

Example 2:

  • John Doe has his LDAP account,
  • Goes to admin, updates his email
  • John Doe leaves the company
  • John Doe asks for a new password via email

Additional Information

I think we must have something to disallow such a situation.

Idea 1: a user created via LDAP cannot be identified by core (or by webserver, or by WordPress): need a column 'authvia' in user

Idea 2: extend the Permission model to have all User update/create in the Permission model, add the event beforePermission: then a plugin can use these events to return false

Tags: No tags attached.
Bug heat: 12
Complete LimeSurvey version number (& build): 140317
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

has duplicate 09219 (closed, mdekker, Bug reports): blocked LDAP users can use "forgot password" to login locally -> security issue

Activities

DenisChenu, developer, 2014-03-17 18:16, note ~29303

There is another issue here: I think webserver and LDAP (or other plugins) don't need user->password or user->email.

I think it's better if we remove the rules for required email and password. Only username must be required.

lemeur, developer, 2014-03-19 10:06, note ~29380 (last edited: 2014-03-19 10:06)

First of all, I think the email synchronization from LDAP may be useful (in case you want to contact users from a group, ...).

As far as the password synchronization to the internal LS DB is concerned, some people would argue that it could be useful as a last-resort login option when the LDAP directory is offline. However, I'm against this option, because it is a security hole, and because a directory must be online 24H/24H (with redundancy of course).

DenisChenu, developer, 2014-03-19 10:10, note ~29384

@lemeur: I think the user can allow 'local' logins or disallow them. Maybe in an external plugin, but have a way to do it.

mdekker has some idea for this one with a combination of the 2 systems.

lemeur, developer, 2014-03-19 10:11, note ~29385

Ok, by reading the ticket description again more carefully, I see that the issue is more related to the fact that an LDAP user can 'update' his personal data inside the LS DB when, in fact, it should only be synchronized from LDAP.
Idea 1 is maybe easier to implement: it would enforce both login from a given plugin and exclusive data update from a given plugin.

DenisChenu, developer, 2014-03-22 15:10, note ~29502

Quick fix (tested): deactivate newLoginForm; this allows using remote control with LS core access, but disallows HTTP login.

Not great, but it's a solution.

DenisChenu, developer, 2014-03-26 11:07, note ~29537

I added this to my WordPress autoLogin:

    // Only leave the LS login form when the plugin uses WordPress cookies, is the
    // default authentication method and a redirect target is configured.
    if($this->get('authwp_cookies') && $this->get('authwp_default') && $this->get('authwp_redirect')){

        $sRedirectUrl=$this->get('authwp_redirect');
        // Redirect only to a well-formed absolute http(s) URL.
        if(in_array(parse_url($sRedirectUrl, PHP_URL_SCHEME),array('http','https'))){
            if(filter_var($sRedirectUrl, FILTER_VALIDATE_URL) !== false){
                //header('Status: 401 Unauthorized', false, 401);
                header("Location: $sRedirectUrl");
                exit();
            }
        }
    }

This disallows connection via LS auth.

aesteban, developer, 2015-03-15 18:33, note ~31826

Fix committed to 2.06 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=15026

Related Changesets

LimeSurvey: 2.06 671c2044

2015-02-08 04:31:03

aesteban

AET: delete-me lines help me see what the mail says

TODO:

- DELETE temporary solution until issue 08865, the matter of not doing the hash and the parameter added in, search for "temporary solution""
- DELETE "borrame"
- validate email again (with the changes I never validate it now)
- ADD to the forgotpassword send-mail message the matter of having permissions to use the authentication method
- Admins can always log in and send mail ???????
Affected Issues
08865
mod - application/controllers/admin/useraction.php
mod - application/libraries/PluginManager/PluginManager.php

LimeSurvey: 2.06 afd22fcf

2015-03-15 17:06:56

aesteban

New feature: New authentication method management

Fixed issue 08865: User not in LDAP or in WebServer can log in again
New feature #9431: Create LDAP users taking email and full name from LDAP server

Dev: Users have new permissions: Use DB internal authentication, use LDAP authentication, use WS authentication
Dev: When creating a user, we can choose LDAP or internal authentication. This configuration can be changed later. For example, we can change a user from internal to LDAP or we can allow both authentication methods for specific users.
Dev: If we choose the LDAP authentication method, full name and email address are taken from LDAP at creation time (user and/or admins can change them later).
Dev: A user not allowed to use internal DB authentication is not allowed to reset their password using the "forgotten password" functionality
Dev: A user not allowed to use internal DB authentication doesn't receive any password in the welcome email
Affected Issues
08865, 09431
mod - application/controllers/admin/authentication.php
mod - application/controllers/admin/useraction.php
mod - application/core/plugins/AuthLDAP/AuthLDAP.php
mod - application/core/plugins/Authdb/Authdb.php
mod - application/core/plugins/Authwebserver/Authwebserver.php
mod - application/libraries/PluginManager/AuthPluginBase.php
mod - application/libraries/PluginManager/PluginManager.php
mod - application/models/Permission.php
mod - application/views/admin/user/editusers.php
mod - application/views/admin/user/setuserpermissions.php
mod - scripts/admin/users.js
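The per-user authentication-method permission described in changeset afd22fcf, modelled as an added example that is not LimeSurvey's own code: the method names (authdb, authldap), the user layout, the sample users and the password are constructed assumptions, and the two checks map to Example 1 and Example 2 of the report.

```php
<?php
// Added illustration, not LimeSurvey's code: a per-user list of permitted
// authentication methods gates internal login and "forgotten password", as
// the changeset above describes. Method names, user layout and sample users
// are constructed assumptions.

final class AuthPolicy
{
    /** Constructed users: username => authentication methods they may use. */
    private const USERS = [
        'jdoe'  => ['authldap'],            // LDAP-only account
        'admin' => ['authdb', 'authldap'],  // both methods explicitly allowed
    ];

    /** Local password hashes (constructed); they may outlive the LDAP account. */
    private static array $hashes = [];

    public static function setLocalPassword(string $user, string $pw): void
    {
        self::$hashes[$user] = password_hash($pw, PASSWORD_DEFAULT);
    }

    public static function mayUse(string $user, string $method): bool
    {
        return in_array($method, self::USERS[$user] ?? [], true);
    }

    /** Permission is checked before the hash, so a stale local password is
     *  useless to an account restricted to LDAP (Example 1 in the report). */
    public static function loginInternal(string $user, string $pw): bool
    {
        if (!self::mayUse($user, 'authdb')) {
            return false;
        }
        return isset(self::$hashes[$user]) && password_verify($pw, self::$hashes[$user]);
    }

    /** A reset mail only goes to authdb users (Example 2 in the report); the
     *  message is identical either way so it reveals nothing about the account. */
    public static function forgotPassword(string $user): array
    {
        return [
            'send_reset_mail' => self::mayUse($user, 'authdb'),
            'message' => 'If this account can use a local password, a reset mail was sent.',
        ];
    }
}

AuthPolicy::setLocalPassword('jdoe', 'Winter2014!');  // stale local password
var_dump(AuthPolicy::loginInternal('jdoe', 'Winter2014!'), AuthPolicy::forgotPassword('jdoe'));
```

With 'jdoe' restricted to authldap, both the internal login with the lingering hash and the reset mail are refused, while 'admin' keeps both paths because authdb is explicitly granted.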

Issue History

Date Modified Username Field Change
2014-03-17 16:31 DenisChenu New Issue
2014-03-17 17:23 c_schmitz Assigned To => mdekker
2014-03-17 17:23 c_schmitz Status new => assigned
2014-03-17 18:16 DenisChenu Note Added: 29303
2014-03-19 10:06 lemeur Note Added: 29380
2014-03-19 10:06 lemeur Note Edited: 29380
2014-03-19 10:10 DenisChenu Note Added: 29384
2014-03-19 10:11 lemeur Note Added: 29385
2014-03-22 15:10 DenisChenu Note Added: 29502
2014-03-26 11:07 DenisChenu Note Added: 29537
2014-09-09 12:12 DenisChenu Relationship added has duplicate 09219
2015-02-08 05:33 aesteban Changeset attached => LimeSurvey 2.06 671c2044
2015-03-15 18:19 aesteban Assigned To mdekker => aesteban
2015-03-15 18:33 aesteban Changeset attached => LimeSurvey 2.06 afd22fcf
2015-03-15 18:33 aesteban Note Added: 31826
2015-03-15 18:33 aesteban Resolution open => fixed
2015-03-15 18:34 aesteban Target Version => 2.06+
2015-03-15 18:35 aesteban Status assigned => resolved
2015-03-15 18:37 aesteban Status resolved => closed