Android: LDAP, AD authentication - locking users' AD accounts after PW change

Created on 14 Nov 2018 · 16 comments · Source: nextcloud/android

Environment

Nextcloud using LDAP authentication
Win Domain - with policies:

  • change PW every X months
  • password cannot be the same as before
  • after 6 wrong passwords the Active Directory account is locked - the user cannot log in to the domain, cannot use the PC, VPNs and other services because the account is locked and must be manually unlocked in AD

Actual behaviour

The app keeps trying to log in with the saved password, which leads to the user's AD account being locked.

Expected behaviour

After an unsuccessful login with the saved password, ask for the password for this Nextcloud account.

Steps to reproduce

  1. log in to Nextcloud in the app with an LDAP account
  2. change the PW - forced by domain policy - change PW every X months
  3. the app keeps using the old PW until the AD account is locked

Environment data

Android version: every version

Device model:
standard Android phones like Samsung etc.

Stock or customized system:
all ROMs
Nextcloud app version:
latest
Nextcloud server version:
13.0.6

Labels: bug, needs info, discussion

All 16 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/android/issues/120 (User agent has changed), https://github.com/nextcloud/android/issues/1522 (User manual), https://github.com/nextcloud/android/issues/259 (user login), https://github.com/nextcloud/android/issues/1566 (Refresh user avatar), and https://github.com/nextcloud/android/issues/2731 (When changing SD Card user should get a migration option).

@kokotko1337 are your Android users using the web-login flow within the app (which leads to the usage of server-side generated app-tokens) or are they using the fallback (legacy!) username/password login?

Also pinging @nextcloud/server-triage since @tobiasKaminsky is unavailable and I don't know much about the login process/flow and the server-side behavior.

The plan was to make app tokens persist. Thus the change of the LDAP password should not cause trouble. But there were some pending issues - cc @ChristophWurst. Besides that: I already talked with @tobiasKaminsky about this to minimize the initial parallel requests on a wake up, to avoid that 5 parallel requests are fired and then cause the lockup without a chance for the Android app to pause and ask for the new credentials. Unfortunately I don't know if this went into any code or not.

@AndyScherzinger my users are using domain username and password - same as in AD. Sorry, I cannot answer your question, I don't know the background of NC and the authentication process.

In NC I have only an LDAP config with the LDAP server, an LDAP read-only account and some user groups.

> The plan was to make app tokens to persist. Thus the change of the LDAP password should not cause trouble. But there were some pending issues - cc @ChristophWurst.

That's implemented in 15

> parallel requests on a wake up to avoid that 5 parallel requests are fired and then cause the lockup

But that's not limited to this only. The more clients you have, the more different applications auth at LDAP (i.e. not just Nextcloud), the sooner you will run into a lockout. That's a disadvantage of the lock-out-by-so-and-so-many-attempts approach.

Of course just because the apppassword persists still means the password that is stored in there will be checked against the backend.

So is this solved? I am not that familiar with LDAP…

@tobiasKaminsky it is not solved ... it is a big issue in organisations with AD accounts

There is nothing that Android can do here. Android has no clue about the backend of the app.

In NC15 it will be tried one and if the password is invalid it will be marked as such.

@rullzer it should, after an unsuccessful auth, stop trying to auth against LDAP with the same credentials...

@kokotko1337 it isn't authenticating against LDAP. It is authenticating against Nextcloud. Nextcloud then authenticates against LDAP.

Sure the client might do some exponential backoff but that won't solve the problem. As I said. This is improved in NC15. So please update.
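The mitigation discussed in this thread (try the stored credential once, mark it invalid on failure, and stop replaying it, especially from several parallel requests fired on wake-up, until the user enters a new password) can be simulated end to end. The block below is an added example and is not code from the Nextcloud Android app or server; the `FakeDirectory`, the `NaiveClient`/`GuardedClient` classes, the user name and passwords, and the lockout threshold of 6 (taken from the policy described in the issue) are all constructed for the simulation.

```python
"""Simulation of a stale-credential retry storm and a client-side guard against it.

Constructed example: the directory, clients and policy values below are stand-ins,
not Nextcloud's own code.  The backend models the AD rule from the issue
("after 6 wrong passwords the account is locked").
"""
import threading
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 6  # constructed policy value, mirrors the issue's "6x wrong password"


@dataclass
class FakeDirectory:
    """Stand-in for the AD/LDAP backend that Nextcloud would authenticate against."""
    passwords: dict
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def authenticate(self, user: str, password: str) -> bool:
        with self._lock:
            if user in self.locked:
                return False                      # locked accounts never authenticate
            if self.passwords.get(user) == password:
                self.failures[user] = 0
                return True
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= LOCKOUT_THRESHOLD:
                self.locked.add(user)             # the lockout the issue complains about
            return False


class NaiveClient:
    """Replays the saved password on every request, parallel ones included."""
    def __init__(self, backend: FakeDirectory, user: str, saved_password: str):
        self.backend, self.user, self.saved_password = backend, user, saved_password
        self.needs_reauth = False                 # never asks the user for a new password

    def request(self) -> bool:
        return self.backend.authenticate(self.user, self.saved_password)


class GuardedClient:
    """Tries the saved credential once; on failure marks it invalid and refuses to
    send it again until the user supplies a new password (single-flight auth)."""
    def __init__(self, backend: FakeDirectory, user: str, saved_password: str):
        self.backend, self.user, self.saved_password = backend, user, saved_password
        self.credential_valid = True
        self.needs_reauth = False
        self._lock = threading.Lock()             # serialises parallel wake-up requests

    def request(self) -> bool:
        with self._lock:
            if not self.credential_valid:
                return False                      # short-circuit: the directory is not touched
            ok = self.backend.authenticate(self.user, self.saved_password)
            if not ok:
                self.credential_valid = False     # one failed attempt is enough evidence
                self.needs_reauth = True          # surface a "re-enter password" prompt
            return ok

    def update_password(self, new_password: str) -> None:
        with self._lock:
            self.saved_password = new_password
            self.credential_valid = True
            self.needs_reauth = False


def run_parallel(client, n: int) -> list:
    """Fire n requests at once, like the parallel sync requests on app wake-up."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(client.request())) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def simulate(client_cls, wake_ups: int = 2, parallel_requests: int = 5) -> dict:
    """User changed the password to 'new-pw'; the client still holds 'old-pw'."""
    directory = FakeDirectory(passwords={"alice": "new-pw"})
    client = client_cls(directory, "alice", "old-pw")
    for _ in range(wake_ups):
        run_parallel(client, parallel_requests)
    return {"failed_attempts": directory.failures.get("alice", 0),
            "locked": "alice" in directory.locked,
            "needs_reauth": client.needs_reauth}


def recover_after_password_change() -> tuple:
    """Guarded client: after the user enters the new password, sync works again."""
    directory = FakeDirectory(passwords={"alice": "new-pw"})
    client = GuardedClient(directory, "alice", "old-pw")
    run_parallel(client, 5)                       # one real failure, four short-circuits
    client.update_password("new-pw")
    return client.request(), directory.failures["alice"]


if __name__ == "__main__":
    print("naive  :", simulate(NaiveClient))
    print("guarded:", simulate(GuardedClient))
    print("recover:", recover_after_password_change())
```

Two wake-ups of five parallel requests are enough for the naive client to cross the six-failure threshold and lock the account, while the guarded client spends exactly one failed attempt and then waits for the user, which is the behaviour the thread asks for. Exponential backoff alone would only slow the naive client down; what actually prevents the lockout is refusing to resend a credential that has already been rejected.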

It doesn't seem to have improved in NC15. Same problem on every password change

> It doesn't seem to have improved in NC15. Same problem on every password change

It is bad for business ... My solution is that users use tokens for mobile devices ... it is annoying but it does not lock accounts out

Do these tokens expire? Tried the same and it wasn't useful at all

@rullzer can we do something here?

> Does these tokens expire? Tried tue same and it wasnt useful at all

nope, not expiring
