Question: why is the password for an LDAP enabled account stored in MongoDB? #6144
Comments
TwizzyDizzy
changed the title
|
LDAP settings in Rocket.Chat have option |
|
Hi @Rohlik, thanks for your answer! :) Unfortunately, the passwords are also saved on importing new users (from LDAP) when this checkbox (fallback login) is set to false. I tested this as follows: I deleted the user from Rocket.Chat and disabled the fallback login thereafter, logged in again as the user that has been deleted before and, again, the (hashed) password has been stored on importing the user from LDAP. Cheers |
|
Hi, I had the same thoughts when testing LDAP today. I was wondering that I was able to login with a user account, which was already removed from AD. The LDAP/AD passwords are stored in db.users. Run a db.users.find() and you can see the encrypted passwords. To my mind the passwords shouldn't be stored if LDAP_Login_Fallback is set to false, just for security reasons. If LDAP fails for some reasons one should be able to login with a local admin account. That should be sufficient to make changes on rocket.chat side. If the LDAP itself is the problem, rocket.chat users have to wait until it's fixed. ;) But the important security problem is, that an user, which is removed from LDAP/AD, is able to login as long as LDAP_Login_Fallback is not set to "false", in other words: forever. Are there any automatically scripts to remove non existent LDAP/AD users from rocket.chat? Ciao |
|
Hi @TwizzyDizzy Yes, Rocket.Chat stores the user's password encrypted when the user does the login. That is only for fallback purpose. You can enable or disable the fallback, but it will store the password always if you decide to enable the fallback. |
|
After reading this issue, I disabled the fallback and after that my only admin user which is a local non-ldap user couldn't login anymore. |
|
Why you don't want the fallback enabled? |
|
Because of
or is this wrong? |
|
To my mind storing password locally of a central login point like LDAP is a security risk. One uses LDAP because of not keeping any passwords. There should be an option to disable keeping passwords locally of LDAP users. Passwords of local users with admin role can be stored to have fallback admin accounts. |
|
So might I summarize what has been said so far and seems to be agreed upon:
I just did a matrix of how the behaviour on my Rocket.Chat instance (Version: 0.53.0) is (red = login NOT possible, green = login possible):
At least the combination local user + LDAP enabled + Fallback disabled = login NOT possible is - in my opinion - an erroneous behaviour. Cheers so far |
|
Alright, let's get things straight: We do now have a fix for
But it's still a problem, that a local admin account is not able to log in if "LDAP enabled + Fallback disabled". Cheers |
|
@TwizzyDizzy what a about a secret login URL for local accounts, like possible for registration? This would be helpful in case of SAML too, where the local login mask is completely disabled. |
|
Actually, I see no reason why there should be any hidden login-form. The key part is, that the backend works as expected... The code behind the login has to check
Cheers |
|
@TwizzyDizzy are you sure that there is a difference between a LDAP user and a local user? To my mind your "first" option will always be true, even if it's a LDAP user. That's why ldap fallback is working. |
|
Mhhh. I haven't actually had a look into the MongoDB but read in some other issue here on Github, that they are flagged as "LDAP users" or "Imported from LDAP". Otherwise, how would you try to authenticate against which backend, if you don't know what kind of user this is. You would have to start at step 2 (above) anyway. You're right, in that my first step is not well written: I meant: "try to determine what kind of account this is and by that, find out what backend to authenticate against". Cheers |
+1 |
I just looked that up - see the following screenshot for the difference... Admin is, of course, a local account, but the account with the ID mFFfETbmt3gxcFk2G is an LDAP account and "flagged" as such. Also you can see the bcrypt hash of the password.
|
|
API login is not possible with LDAP. Thus, you need the stored password to use the API. On the other hand, the password is never updated if the password in LDAP is changed. With login fallback ON, you have two valid passwords for the UI then. |
Erm... what? Why? I would've assumed that both actions (login via web UI + login via API) would trigger the same passages of code.
... which is even worse ... It seems as though it seems to be a bit harder to solve this issue than I initially thought. I think this issue needs somebody from the Rocket.Chat team who has insight into all of API, LDAP / storing of passwords then... Cheers |
|
This discussion is way off topic now, but there's a lot of confusion here so let me see if I can help. API use is possible with any auth method. Using any API method only involves making sure you pass a valid auth token. The problem with the REST API is that the login method (i.e. the call you make to actually get that token) only supports username and password-- and though I haven't looked at the code it probably can only use the local mongo database. So programmatic API logins are POSSIBLE, just not easily done via the REST API in rocketchat becuase there's no login method for SAML/Oauth etc that will return a valid token. Again... All you need is a token... You get the token whenever you login via any method (SAML/Oauth, etc). Just thought I should clear that up. Probably what we need is an improvement or addition to the login methods for REST API that will allow us to specify a SAML IDP or Oauth parameters or whatever people want to use. It's either that or use external libraries to login to rocketchat and capture that token and then go do your business via the native REST API. |
|
My opinion: Rocket chat should not store LDAP p/w (hashed or not) locally in MongoDB by default. There could arguably be a configuration option to do so, but that is something you do to break out of the default behavior, on your own. Even worse, if the "Fallback" is turned off, it seems R.C is still behaving like this? |
|
I think it is very basic concept. If "authentication system" property of a user is set to LDAP, Rocket should not keep passwords in the db. That's it. Now; |
|
I think that this request is the same that #4554. |
|
Just wanted to leave this here: since at least Rocket.Chat 3.2.1, cell C2 in the image in comment #6144 (comment) is now also green, meaning that login of local users is now possible with disabled login fallback. Cheers & Thanks |
Rocket.Chat Version: 0.52.0
Running Instances: 1
DB Replicaset OpLog: -
Node Version: v4.8.0
Hi folks,
I was wondering why we need to store the password in MongoDB, when a user is an LDAP-flagged user? Is the password that is stored in MongoDB even the real user password or some bogus string?
One would expect the authentication to go against the LDAP server and not against MongoDB. I think it's the case actually, but I don't see the reason for storing it in MongoDB.
Cheers
Thomas
The text was updated successfully, but these errors were encountered: