View Issue Details

ID: 0029861
Project: mantisbt
Category: ldap
View Status: public
Last Update: 2022-05-05 15:02
Reporter: Joachim082
Assigned To: dregad
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2.25.1
Summary: 0029861: LDAPS - no new users possible & password in cleartext
Description

We have the problem that we activated ldaps on port 636 and the login for new users isn't possible anymore. Additionally we have the problem that the password of some users is stored in plain text.

What can we do to enforce encryption for every login - we aren't sure why some users have an encrypted password.

Any hints?

Tags: No tags attached.
Attached Files: pwd.png (37,323 bytes)

Relationships

related to 0012957 (assigned, dregad): Password stored md5-unsalted in database when LDAP authentication is enabled
related to 0015361 (closed, community): Add STARTTLS Support to LDAP

Activities

dregad (developer) - 2022-04-16 05:36 - ~0066433

login for new users isn't possible anymore

Did you try to set $g_log_level = LOG_LDAP; and review your log file? Chances are there is a problem with your LDAP configuration.

More information is needed to get a clear understanding of the problem. The above-mentioned log would be a good start.

we have the problem that the password of some users is stored in plain text.

I'm very surprised that you would have unencrypted passwords stored in your DB though - the only way I know to make this happen is to set $g_login_method = PLAIN; in your config_inc.php, which is an undocumented, legacy setting that should not be used for obvious security reasons.

FYI, there is a known issue with LDAP passwords being stored as unsalted md5 (see 0012957), which is a security risk that I unfortunately do not have the time and resources to fix at the moment.

Joachim082 (reporter) - 2022-04-18 01:43 - ~0066442

Yes, the log config is set, but I only get log info in there when using LOG_ALL - but also without LDAP relations.
This is my config:
$g_log_level = LOG_LDAP;
$g_log_destination = 'file:c:/temp/mantisbt.log';

Concerning my LDAP config:
$g_login_method = LDAP;
$g_ldap_server = 'ldaps://...';
$g_ldap_use_starttls = OFF;
$g_ldap_root_dn = "OU=...";

What can I do to eliminate the plain passwords in my database? There is no plain login-method in there. I am only using LDAP. Can't there be a setting to avoid the storing of every ldap user?

dregad (developer) - 2022-04-18 06:04 - ~0066444

only get log infos in there when using LOG_ALL - but also without LDAP relations

That does not make any sense. With correct settings (and what you posted seems OK), there must be LDAP entries in the log after loading a page, e.g.

2022-04-18 11:12 CEST LDAP ldap_api.php:376 ldap_authenticate_by_username() Binding to LDAP server
2022-04-18 11:12 CEST LDAP ldap_api.php:67 ldap_connect_bind() Checking syntax of LDAP server URI 'ldap://localhost/'.
2022-04-18 11:12 CEST LDAP ldap_api.php:76 ldap_connect_bind() LDAP server URI syntax check succeeded
2022-04-18 11:12 CEST LDAP ldap_api.php:89 ldap_connect_bind() Setting LDAP protocol version to 3
2022-04-18 11:12 CEST LDAP ldap_api.php:142 ldap_connect_bind() Attempting bind to ldap server as 'cn=ldapreader,dc=example,dc=com'
2022-04-18 11:12 CEST LDAP ldap_api.php:155 ldap_connect_bind() Bind to ldap server successful

what can I do to eliminate the plain passwords in my database? There is no plain login-method in there. I am only using LDAP

The LDAP API only stores md5-hashes, so these plain-text passwords must come from somewhere else. You should investigate and find the source.

As for eliminating them, these are your options:

  • when the affected user(s) log in, the password should automatically be updated to md5
  • manually update the password field via SQL (do this at your own risk, after a backup): UPDATE mantis_user_table SET password = md5(password) where id=2; (assuming MySQL)
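
Added example, not code from this issue or from MantisBT: a PHP script that audits mantis_user_table for password values that are not 32-character hex MD5 digests (the form dregad says the LDAP login path stores) and applies the UPDATE remediation from the comment above, hashing in PHP instead of in SQL so it does not depend on MySQL's md5(). It runs as a dry run unless --apply is passed and never prints the stored values. The DSN, credentials and PHP 7.4+ with PDO are assumptions.

```php
<?php
// Added example (not part of MantisBT): audit the user table for password
// values that are not MD5 hex digests and optionally apply the remediation
// described in the thread (store md5 of the current value).
// Assumptions: MySQL/MariaDB reachable via PDO; DSN and credentials below
// are placeholders; PHP 7.4+ for arrow functions.

declare(strict_types=1);

const DSN   = 'mysql:host=localhost;dbname=bugtracker;charset=utf8mb4'; // placeholder
const USER  = 'mantis';       // placeholder
const PASS  = 'change-me';    // placeholder
const TABLE = 'mantis_user_table';

/** True when $value has the shape of an MD5 hex digest (32 hex characters). */
function looks_like_md5(string $value): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $value);
}

/** Rows whose password column does not look like an MD5 digest. */
function find_suspect_rows(PDO $db): array
{
    $rows = $db->query('SELECT id, username, password FROM ' . TABLE)
               ->fetchAll(PDO::FETCH_ASSOC);
    return array_values(array_filter(
        $rows,
        fn(array $r): bool => !looks_like_md5((string) $r['password'])
    ));
}

/**
 * Apply the thread's remediation inside a transaction. With $apply = false
 * nothing is written (the transaction is rolled back); only ids and
 * usernames are reported, never the stored values. Returns the row count.
 */
function remediate(PDO $db, array $rows, bool $apply): int
{
    $stmt = $db->prepare('UPDATE ' . TABLE . ' SET password = :hash WHERE id = :id');
    $db->beginTransaction();
    foreach ($rows as $r) {
        fprintf(STDERR, "id=%d user=%s: %s\n",
            (int) $r['id'], $r['username'], $apply ? 'updating' : 'would update');
        if ($apply) {
            $stmt->execute([':hash' => md5((string) $r['password']), ':id' => $r['id']]);
        }
    }
    $apply ? $db->commit() : $db->rollBack();
    return count($rows);
}

$apply = in_array('--apply', $argv, true);
$db = new PDO(DSN, USER, PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$suspects = find_suspect_rows($db);
$n = remediate($db, $suspects, $apply);
printf("%d suspect row(s)%s\n", $n, $apply ? ' updated' : ' (dry run; pass --apply to update)');
```

Run it once without --apply to see which accounts are affected, take the backup dregad asks for, then run with --apply. The result is still the unsalted md5 the thread itself flags as a known weakness (0012957); the script only brings stray rows in line with what the LDAP path stores, it does not improve on that scheme.
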
Joachim082 (reporter) - 2022-04-18 08:47 - ~0066445

Sorry for my confusion - I noticed that my config was completely wrong - now I get the log entries for ldap and everything works fine with ldap. But with ldaps I get the following logs:
2022-04-18 14:42 CEST LDAP ldap_api.php:316 ldap_get_field_from_username() Retrieving field 'mail' for ''
2022-04-18 14:42 CEST LDAP ldap_api.php:243 ldap_cache_user_data() Retrieving data for '
' from LDAP server
2022-04-18 14:42 CEST LDAP ldap_api.php:67 ldap_connect_bind() Checking syntax of LDAP server URI 'ldaps://:636'.
2022-04-18 14:42 CEST LDAP ldap_api.php:76 ldap_connect_bind() LDAP server URI syntax check succeeded
2022-04-18 14:42 CEST LDAP ldap_api.php:89 ldap_connect_bind() Setting LDAP protocol version to 3
2022-04-18 14:42 CEST LDAP ldap_api.php:142 ldap_connect_bind() Attempting bind to ldap server as '
'
2022-04-18 14:42 CEST LDAP ldap_api.php:50 ldap_log_error() ERROR #-1: Can't contact LDAP server
2022-04-18 14:42 CEST LDAP ldap_api.php:152 ldap_connect_bind() Bind to ldap server failed

I assume that there is something wrong with the certificate check. In other configs I had to set the correct one, which is issued by our domain controller.

Any hints?

dregad (developer) - 2022-04-18 20:17 - ~0066447

I'm sorry but I do not have a working LDAPS setup to test, so I can't really help you there. It is possible that this is caused by a certificate problem, but TBH I don't know how to troubleshoot that. The error -1: Can't contact LDAP server is what PHP gets from ldap_error(), after a failed ldap_bind() call.

That being said, considering that ldaps is deprecated in favor of StartTLS, you may want to try that instead, although I'm not sure this will help.

Joachim082 (reporter) - 2022-04-19 12:49 - ~0066453

Hi, we solved the problem - we referenced OpenLDAP's config and pointed to the certificate file.
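
Added example, not code from the thread or from MantisBT: a stand-alone PHP script that performs the same connect and bind that MantisBT's ldap_connect_bind() does, but with the CA certificate set explicitly through LDAP_OPT_X_TLS_CACERTFILE, the in-process counterpart of pointing the OpenLDAP config (the TLS_CACERT directive in ldap.conf) at the certificate file as the reporter did. It also rejects a URI with an empty host such as the 'ldaps://:636' in the log above, and prints the diagnostic message that sits behind the bare "Can't contact LDAP server" error. The URI, bind DN, password and CA path are placeholders; PHP 7.1+ with the ldap extension is assumed.

```php
<?php
// Added example (not MantisBT code): diagnose an LDAPS connect/bind outside the
// application, with the CA certificate configured explicitly.
// Assumptions: PHP >= 7.1 with ext/ldap; all constants below are placeholders.

declare(strict_types=1);

const LDAP_URI = 'ldaps://dc01.example.com:636';     // placeholder
const BIND_DN  = 'cn=ldapreader,dc=example,dc=com';  // placeholder
const BIND_PW  = 'change-me';                        // placeholder
const CA_FILE  = '/etc/ssl/certs/corp-root-ca.pem';  // placeholder: CA that issued the DC certificate

/** Catches the empty host seen in the thread's log ('ldaps://:636'). */
function uri_has_host(string $uri): bool
{
    $parts = parse_url($uri);
    return is_array($parts) && !empty($parts['host']);
}

/** Returns null on a successful bind, otherwise a human-readable reason. */
function try_ldaps_bind(string $uri, string $dn, string $pw, string $caFile): ?string
{
    if (!uri_has_host($uri)) {
        return "URI '$uri' has no host part; check \$g_ldap_server";
    }
    if (!is_readable($caFile)) {
        return "CA file '$caFile' is not readable by the PHP process";
    }
    // TLS options are global in ext/ldap: set them on a null link before
    // ldap_connect(). Keep certificate verification on (DEMAND); switching it
    // to LDAP_OPT_X_TLS_NEVER hides the error but removes server authentication.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $ld = ldap_connect($uri); // only checks URI syntax, no network I/O yet
    if ($ld === false) {
        return 'ldap_connect() rejected the URI syntax';
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    if (@ldap_bind($ld, $dn, $pw)) { // the first real network round trip, TLS included
        ldap_unbind($ld);
        return null;
    }
    $detail = '';
    ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail); // often names the TLS failure
    $reason = sprintf('bind failed: #%d %s', ldap_errno($ld), ldap_error($ld));
    return ($detail !== null && $detail !== '') ? "$reason ($detail)" : $reason;
}

$err = try_ldaps_bind(LDAP_URI, BIND_DN, BIND_PW, CA_FILE);
echo $err === null ? "LDAPS bind OK\n" : "LDAPS bind problem: $err\n";
exit($err === null ? 0 : 1);
```

Run it as the same OS user the web server runs PHP under, since that is the account that must be able to read the CA file; a script that succeeds from an admin shell but fails inside MantisBT usually points at file permissions rather than at the certificate itself.
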

dregad (developer) - 2022-04-19 13:02 - ~0066454

Good to hear you found the solution. Thanks for the feedback.