posixldapauth plugin question


ddbtest...@gmail.com

May 27, 2016, 9:17:51 AM
to ResourceSpace

Great plugin from David White!

I have one issue however: it appears that whilst it works well in authenticating and auto-creating the RS account based on the Active Directory credentials, the plugin does not seem to honour disabled or expired accounts.
This is quite a big issue here, as leavers should no longer gain access to the RS instance once their Active Directory account has been disabled/deleted/expired.

Is there a setting that can be enabled to check these things at the point of login?

Many thanks!


ddbtest...@gmail.com

May 27, 2016, 11:13:07 AM
to ResourceSpace
I should also add, I'm attempting "simpleldap" but it keeps failing, and I can't see how to obtain verbose logs for the reasoning behind this.
Thanks.

David Mac (new)

May 31, 2016, 10:29:15 AM
to ResourceSpace
Hi

Unfortunately I haven't tested to see how to check for disabled accounts, I'll do some work on that and get back to you.

It logs to the apache error logs, so you should see some detailed info in there.

Regards

David

David Mac (new)

May 31, 2016, 10:55:57 AM
to ResourceSpace
Hi

I've just done some testing and I'm not sure how to overcome this.

If an account in the LDAP / AD is disabled then the plugin fails to authenticate.

However, if the user has logged in before they will have a local account within RS which was created when they authenticated, and it's this account that is allowing the login.

I can't yet see how to overcome this problem.

Regards

David

ddbtest...@gmail.com

Jun 1, 2016, 4:09:35 AM
to ResourceSpace

Hi David,

Surely that's a good thing: if the plugin fails to authenticate, then login should be denied - the plugin should stop the process before it gets to the locally created RS account at that point.
There must be an initial check/communication with the domain controller already when using the plugin, as it appears to respect whatever the latest AD password is set to.

I'd suggest adding some code that says any failure to bind to AD at this point (with the user account) should result in the plugin returning a failed login. This should then also work for expired/disabled/deleted accounts etc.
(If you have concerns, you could even have it as an option in the plugin - whether or not to respect this).

Let me know if you wish to do this, and need any help testing. I'm always keen to help with these things! :)


David Mac (new)

Jun 1, 2016, 8:59:24 AM
to ResourceSpace
Hi

Unfortunately it's not that simple as the core of the RS authentication system falls back to the local accounts.

The plugin is returning a failure, but because the local account exists it lets the user in. If we were to disable the fallback then it would not be possible for a local administrator account to work :(

There is a way to check if an account is disabled in AD, but this is not possible with other LDAP directories such as OpenLDAP.

I'm discussing this issue with the other developers at the moment as it's likely it will require a change in the core.

I'll update this thread once we've had a chance to move this forwards.

Regards

David

ddbtest...@gmail.com

Jun 1, 2016, 10:52:22 AM
to ResourceSpace
Thanks David, great news that you're investigating this.
Let me know if I can be of any assistance at any point.

Just for clarification, is the "simpleldap" plugin a totally separate project, or was it supposed to replace the posixldapauth plugin?


David Mac (new)

Jun 1, 2016, 1:40:24 PM
to ResourceSpace
The simpleldap plugin is a separate project.

ddbtest...@gmail.com

Jul 20, 2016, 3:51:20 AM
to ResourceSpace
Hi David,

Did you get any time to investigate this issue further perchance?

No problem if not. I think my backup plan will be to write a PHP script that runs periodically:

It will compare RS accounts from the Users table (in the RS DB) and look up into AD for each matching user account.
It will then copy the expiry date from the AD account, and insert it into the matching RS account, so that expiry date is honoured.
If the account is non-existent or disabled in AD, then it will delete/disable the RS account accordingly.

I'd be happy to share this if you're interested (though not sure how useful it will be). Though it's worth noting that if this sort of process is possible at the point of the plugin hooking into login, that could be a potential solution. However, my knowledge of RS plugin structures is very limited, hence this approach.

Cheers

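The decision logic behind the periodic reconciliation script outlined in the post above, and the AD-specific "is this account disabled" check David mentions earlier in the thread, as an added example. This is not the poster's PHP script nor any code from the posixldapauth plugin; it is written in Python with the LDAP lookup replaced by a constructed in-memory set of AD entries, so that it runs offline. It assumes the two standard Active Directory attributes: `userAccountControl` (bit 0x2, ACCOUNTDISABLE, marks a disabled account) and `accountExpires` (a Windows FILETIME, 100-nanosecond ticks since 1601-01-01 UTC, where 0 or 0x7FFFFFFFFFFFFFFF means "never expires"). Neither attribute exists in OpenLDAP, which is exactly the portability caveat raised in the thread.

```python
"""Reconcile ResourceSpace user accounts against Active Directory account state.

Added example, not code from the ResourceSpace project or the posixldapauth plugin.
The LDAP search is replaced by a constructed dictionary so the logic runs offline.
"""
from datetime import datetime, timedelta, timezone

# Bit 0x2 of userAccountControl is ACCOUNTDISABLE; 0x200 is NORMAL_ACCOUNT.
UAC_ACCOUNTDISABLE = 0x0002
# accountExpires values that Active Directory uses for "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# FILETIME epoch: 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert an accountExpires value to an aware datetime, or None for 'never'."""
    value = int(value)
    if value in NEVER_EXPIRES:
        return None
    # One FILETIME tick is 100 ns, i.e. a tenth of a microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used here to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def ad_account_state(entry, now):
    """Classify an AD entry as 'active', 'disabled' or 'expired' at time `now`."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return "disabled"
    expires = filetime_to_datetime(entry.get("accountExpires", 0))
    if expires is not None and expires <= now:
        return "expired"
    return "active"


def plan_sync(rs_usernames, ad_entries, now):
    """Return (username, action, expiry) per RS user.

    action is 'keep' (account active in AD; expiry is copied across) or
    'disable' (no AD account, or AD account disabled/expired). The caller
    applies the actions to the RS user table; this function only decides.
    """
    actions = []
    for username in rs_usernames:
        entry = ad_entries.get(username.lower())
        if entry is None:
            # Leaver whose AD account was deleted: nothing left to honour.
            actions.append((username, "disable", None))
            continue
        expiry = filetime_to_datetime(entry.get("accountExpires", 0))
        state = ad_account_state(entry, now)
        action = "keep" if state == "active" else "disable"
        actions.append((username, action, expiry))
    return actions


# Constructed sample data standing in for the RS users table and an AD search
# keyed by lowercase sAMAccountName. These are not real accounts.
SAMPLE_NOW = datetime(2016, 7, 20, tzinfo=timezone.utc)
SAMPLE_RS_USERS = ["alice", "Bob", "carol", "dave"]
SAMPLE_AD = {
    # Normal, enabled, never expires.
    "alice": {"userAccountControl": 512, "accountExpires": 0},
    # NORMAL_ACCOUNT | ACCOUNTDISABLE = 514: disabled by the domain admin.
    "bob": {"userAccountControl": 514, "accountExpires": 0x7FFFFFFFFFFFFFFF},
    # Enabled, but the account expired on 2016-06-01.
    "carol": {
        "userAccountControl": 512,
        "accountExpires": datetime_to_filetime(datetime(2016, 6, 1, tzinfo=timezone.utc)),
    },
    # "dave" exists in RS but has no AD entry at all.
}


if __name__ == "__main__":
    for username, action, expiry in plan_sync(SAMPLE_RS_USERS, SAMPLE_AD, SAMPLE_NOW):
        print(f"{username:<8} {action:<8} expiry={expiry}")
```

In a real deployment the `SAMPLE_AD` dictionary would be filled from an LDAP search over the domain for each RS username, and the `keep` branch would write the converted expiry into the RS account so RS enforces it between runs. Because the check runs on a schedule rather than at login, there is still a window between an AD account being disabled and the next run; that is the gap the thread's login-time bind check would close.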
ddbtest...@gmail.com

Jul 26, 2016, 3:43:00 AM
to ResourceSpace
David, I've completed this script, and have it working.
Let me know if you want me to send you a copy, in case it may be useful for adding this functionality to the plugin.

Cheers.