Bug #1501
Existing users cannot be authenticated against LDAP when database is converted
Description
When converting an existing quasselcore installation from Database to LDAP using --select-authenticator existing users do not authenticate against LDAP. New users authenticate fine.
History
#1 Updated by TC01 almost 6 years ago
finlstrm wrote:
When converting an existing quasselcore installation from Database to LDAP using --select-authenticator existing users do not authenticate against LDAP. New users authenticate fine.
Quassel prioritizes local accounts over LDAP accounts; so if you already have an account on the core, your local password should continue to work. (If it doesn't, that's definitely a bug and something that needs to be fixed). There's no attempt to automatically convert existing accounts.
Unfortunately, there isn't currently a way to manually convert an account, either, short of editing the database. Off the top of my head, I think you would need to find the user in the quasseluser table, zero the password field and set the authenticator field to "LDAP". This will then cause the user's attempt to log in locally to fail, which will then cause authentication to fall back to using LDAP.
(If quassel had a core management interface, this would be a great feature to put there. Unfortunately, it does not, at this time).
#2 Updated by finlstrm almost 6 years ago
TC01,
I had to go back and replicate the issue; however, yes, you are absolutely correct, using the existing password (authenticating against the db) does in fact still work. Following your advice, I ran the following commands (after using some google-fu):
update quasseluser set password='' where userid=1;
update quasseluser set authenticator='LDAP' where userid=1;
select * from quasseluser;
1|-redacted-||1|LDAP
2|testuser|-redacted-|1|LDAP
However after zeroing out the password field and changing the authenticator field from Database to LDAP, I get login failures of:
...
2019-01-26 17:07:39 [Warn ] Password hash and salt were not in the correct format
2019-01-26 17:07:39 [Warn ] Refusing connection from "-redacted-" (LDAP authentication failed)
...
If I re-add the original password salt and hash to the password field and leave the authenticator set as LDAP, I am then able to authenticate with the old password. Quassel will attempt to authenticate to LDAP only if I give it the incorrect or LDAP password. LDAP will, however, return success if given the correct password (it does not give the 'LDAP authentication failed' message as shown above), but Quassel will fail the login. Also, once logged into my account using the original password (but set as LDAP in the SQLite), if I change my password from the DB password to my LDAP password, Quassel will not hit LDAP at all unless the incorrect password is given.
May I suggest that if setting a given user to LDAP, Quassel should use LDAP as the source of truth. That is to say if LDAP returns success, that user should be 'initialized and authenticated successfully'.
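Added example, not Quassel's code: a small C++ model of the two dispatch strategies discussed in this thread, using a record shaped like the quasseluser rows shown above. The "salt:hash" field format with std::hash as the digest, the ldapBind stub and the Outcome names are assumptions; the model shows why emptying the password field trips the format check under local-first dispatch, while under the proposed scheme the authenticator field decides and the directory is the source of truth.

```cpp
#include <functional>
#include <map>
#include <string>

// Columns in the order they appear in the `select * from quasseluser` output above.
struct UserRecord {
    int userid;
    std::string username;
    std::string password;      // assumed "salt:hash" here; empty after the manual conversion
    int hashversion;
    std::string authenticator; // "Database" or "LDAP"
};

enum class Outcome { Ok, MalformedHash, LocalRejected, LdapRejected };

// Constructed stand-in for an LDAP bind: username -> directory password.
using LdapStub = std::map<std::string, std::string>;
bool ldapBind(const LdapStub& dir, const std::string& user, const std::string& pw) {
    auto it = dir.find(user);
    return it != dir.end() && it->second == pw;
}

// Toy salted digest standing in for a real password hash (assumption, not Quassel's scheme).
std::string digest(const std::string& salt, const std::string& pw) {
    return salt + ":" + std::to_string(std::hash<std::string>{}(salt + pw));
}

// Local-first dispatch, as comment #1 describes the design: the stored hash is checked
// before the authenticator field matters, so an emptied password field is refused as
// malformed (the "hash and salt were not in the correct format" warning) and LDAP never decides.
Outcome authLocalFirst(const UserRecord& u, const std::string& pw, const LdapStub& dir) {
    auto sep = u.password.find(':');
    if (sep == std::string::npos) return Outcome::MalformedHash;
    if (digest(u.password.substr(0, sep), pw) == u.password) return Outcome::Ok;
    return ldapBind(dir, u.username, pw) ? Outcome::Ok : Outcome::LdapRejected;
}

// Authenticator-as-source-of-truth dispatch, as proposed in comment #2: a row marked LDAP is
// decided by the directory alone; only Database rows touch the local hash.
Outcome authByField(const UserRecord& u, const std::string& pw, const LdapStub& dir) {
    if (u.authenticator == "LDAP")
        return ldapBind(dir, u.username, pw) ? Outcome::Ok : Outcome::LdapRejected;
    auto sep = u.password.find(':');
    if (sep == std::string::npos) return Outcome::MalformedHash;
    return digest(u.password.substr(0, sep), pw) == u.password ? Outcome::Ok
                                                               : Outcome::LocalRejected;
}
```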
#3 Updated by digitalcircuit almost 6 years ago
- Version changed from 0.12.4 to 0.13.0
#4 Updated by DevUrandom over 5 years ago
finlstrm wrote:
However after zeroing out the password field and changing the authenticator field from Database to LDAP, I get login failures
Quassel will attempt to authenticate to LDAP only if I give it the incorrect or LDAP password. LDAP will, however, return success if given the correct password (it does not give the 'LDAP authentication failed' message as shown above), but Quassel will fail the login.
So, do I understand correctly that currently there is no way to actually authenticate with LDAP?
#5 Updated by finlstrm over 5 years ago
DevUrandom wrote:
So, do I understand correctly that currently there is no way to actually authenticate with LDAP?
The problem here is that the current implementation works great for new installs or new users; however, on an installation originally using DB Auth and converted to LDAP (such as mine), existing users will not authenticate.
There are more details in PR#477 on github. That PR also contains working code for existing/new quassel-core installations. But it hasn't been merged as of yet.