Project

General

Profile

Bug #1501

Existing users cannot be authenticated against LDAP when database is converted

Added by finlstrm 12 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Quassel Core
Target version:
Start date:
11/17/2018
Due date:
% Done:

0%

Estimated time:
Version:
0.13.0
OS:
Any

Description

When converting an existing quasselcore installation from Database to LDAP using --select-authenticator existing users do not authenticate against LDAP. New users authenticate fine.

History

#1 Updated by TC01 10 months ago

finlstrm wrote:

When converting an existing quasselcore installation from Database to LDAP using --select-authenticator existing users do not authenticate against LDAP. New users authenticate fine.

Quassel prioritizes local accounts over LDAP accounts; so if you already have an account on the core, your local password should continue to work. (If it doesn't, that's definitely a bug and something that needs to be fixed). There's no attempt to automatically convert existing accounts.

Unfortunately, there isn't currently a way to manually convert an account, either, short of editing the database. Off the top of my head, I think you would need to find the user in the quasseluser table, zero the password field and set the authenticator field to "LDAP". This will then cause the user's attempt to log in locally to fail, which will then cause authentication to fall back to using LDAP.

(If quassel had a core management interface, this would be a great feature to put there. Unfortunately, it does not, at this time).

#2 Updated by finlstrm 10 months ago

TC01,

I had to go back and replicate the issue, however yes you are absolutely correct, using the existing password (authenticating against the db) does in fact still work. Following your advice, I ran the following commands (after using some google-fu):

update quasseluser set password='' where userid=1;
update quasseluser set authenticator='LDAP' where userid=1;
select * from quasseluser;
   1|-redacted-||1|LDAP
   2|testuser|-redacted-|1|LDAP

However after zeroing out the password field and changing the authenticator field from Database to LDAP, I get login failures of:

...
2019-01-26 17:07:39 [Warn ] Password hash and salt were not in the correct format 
2019-01-26 17:07:39 [Warn ] Refusing connection from "-redacted-" (LDAP authentication failed)
...

If I re-add the original password salt and hash to the password field and leave the authenticator set as LDAP, I am then able to authenticate with the old password. Quassel will attempt to authenticate to LDAP only if I give it the incorrect or LDAP password. LDAP will however, return success if give the correct password (does not give the 'LDAP authentication failed' message as shown above), but Quassel will fail the login. Also, once logged into my account using the original password (but set as LDAP in the SQLite), if I change my password from the DB password to my LDAP password, Quassel will not hit LDAP at all unless the incorrect password is given.

May I suggest that if setting a given user to LDAP, Quassel should use LDAP as the source of truth. That is to say if LDAP returns success, that user should be 'initialized and authenticated successfully'.

#3 Updated by digitalcircuit 10 months ago

  • Version changed from 0.12.4 to 0.13.0

#4 Updated by DevUrandom 6 months ago

finlstrm wrote:

However after zeroing out the password field and changing the authenticator field from Database to LDAP, I get login failures
Quassel will attempt to authenticate to LDAP only if I give it the incorrect or LDAP password. LDAP will however, return success if give the correct password (does not give the 'LDAP authentication failed' message as shown above), but Quassel will fail the login.

So, do I understand correctly that currently there is no way to actually authenticate with LDAP?

#5 Updated by finlstrm 6 months ago

DevUrandom wrote:

So, do I understand correctly that currently there is no way to actually authenticate with LDAP?

The problem here is that the current implementation works great for new installs or new users; however on an installation originally using DB Auth, converted to LDAP (such as mine) existing users will not authenticate.

There's more details in PR#477 on github. That PR also contains working code for existing/new quassel-core installations. But it hasn't been merged as of yet.

https://github.com/quassel/quassel/pull/477

#6 Updated by mbichel7 about 2 months ago

finlstrm wrote:

When converting an existing quasselcore installation from Database to LDAP using --select-authenticator existing users do not authenticate against LDAP. New users authenticate fine.

I was facing the same issues logging in to https://mycoles.org/login/ and now it is fixed

Also available in: Atom PDF