Univention Bugzilla – Bug 39178
UMC modules should be able to use SAML-SSO authentication against LDAP
Last modified: 2015-11-17 12:11:44 CET
As we implemented single sign-on login in UMC via SAML2, the UMC module processes can't rely on the password anymore. Instead we implemented a PAM module pam_saml.so and a Cyrus SASL plugin libsaml.so which are able to use the signed SAML message to authenticate against e.g. the LDAP server. Therefore we need to adapt the slapd configuration to allow SAML authentication in SASL. And all modules which currently rely on the password have to be adapted in a generic fashion, e.g. by using some library methods.
The following modules (packages) are affected:

univention-management-console-module-appcenter
univention-management-console-module-lib
univention-management-console-module-udm
ucs-school-lib
ucs-school-umc-computerroom
ucs-school-umc-csv-import
ucs-school-umc-exam
ucs-school-umc-installer
The /etc/ldap/slapd.conf has been adapted in svn r63193.

The UMC server has been adapted to provide a generic function for the LDAP bind: Base.bind_user_connection(lo) (svn r63117). This function is used and overwritten in the UDM UMC module (including license check, error handling) (svn r63118).

(In reply to Florian Best from comment #1)
> The following modules (packages) are affected:
>
> univention-management-console-module-appcenter → Bug #39226
> univention-management-console-module-lib → Bug #39227
> univention-management-console-module-udm → done here
> ucs-school-lib → Bug #39230
> ucs-school-umc-computerroom → Bug #39228
> ucs-school-umc-csv-import → Bug #39229
> ucs-school-umc-exam → Bug #39231
> ucs-school-umc-installer → Bug #39232
*** Bug 28828 has been marked as a duplicate of this bug. ***
Code looks good and works so far. I removed a duplicate changelog entry in r64105.

Reopen: I wonder if we can and should catch the error that an action does not work with SSO login. If a module or app is not prepared to work with an SSO login, a traceback is shown.

In the list of new bugs created, at least UCC is missing. Do we know how many apps need adaptations?
Which traceback?
In case of the UCC Setup module:

Execution of command 'uccsetup/info/networks' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 301, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 462, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 284, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/uccsetup/__init__.py", line 58, in info_networks
    ldap_connection = util.get_ldap_connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/uccsetup/util.py", line 116, in get_ldap_connection
    lo = udm_uldap.access(host=server, port=port, base=ucr['ldap/base'], binddn=_user_dn, bindpw=_password, follow_referral=True)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 267, in __init__
    raise univention.admin.uexceptions.authFail, _( "Authentication failed" )
authFail: Authentication failed
Well, but this is because that module does no error handling. We have to adapt this module as well → Bug #39445.
The dialog which asks for the password should not be the regular login dialog.

It should look like:

+-----------------------------------------+
| For this action a password is required. |
|                                         |
| Password: [_________________]     [OK]  |
|                                         |
+-----------------------------------------+
(In reply to Florian Best from comment #8)
> The dialog which asks for the password should not be the regular login
> dialog.
>
> It should look like:
> +-----------------------------------------+
> | For this action a password is required. |

Which password?
- a new random password
- *my* password?
Technically this has been resolved. The dialog (text) has also been adapted. Please have a look.
OK: In my opinion, the default text is understandable now ("Diese Aktion erfordert die Eingabe Ihres Passwortes", i.e. "This action requires you to enter your password").

Reopen: The text after entering a wrong password could be improved:
"Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an" ("Authentication failed. Please log in again") -> "Authentisierung ist fehlgeschlagen. Bitte geben Sie das korrekte Passwort ein" ("Authentication failed. Please enter the correct password")

OK: Clicking Cancel aborts the action.

RFC: I am unsure about the current behavior: If the password was entered, it is cached and subsequent actions do not require entering the password again.
(In reply to Erik Damrose from comment #11)
> OK: In my opinion, the default text is understandable now ("Diese Aktion
> erfordert die Eingabe Ihres Passwortes")
>
> Reopen: The text after entering a wrong password could be improved:
> "Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an" ->
> "Authentisierung ist fehlgeschlagen. Bitte geben Sie das korrekte Passwort
> ein"

This is currently OK as this is only visible after a failed authentication. We can improve this later. Better would be to remove this entirely by making every module able to work without a password.

> RFC: I am unsure about the current behavior: If the password was entered, it
> is cached and subsequent actions do not require to enter the password again.

Yes, the module password is sent to the modules and they store it. You are using a regular login then, with the difference that the SAML session is still valid, too.
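The following is an added illustration of the control flow discussed in this bug (the generic bind in comment #3, the "password required" dialog instead of a traceback, and the caching of the entered password in the reply above). It is not Univention code and does not use the UMC or univention.uldap APIs: the class and function names (FakeLDAP, Session, bind_user_connection, PasswordRequired, supply_password, run_action) are hypothetical, the LDAP server is an in-memory stub so the example runs offline, and the SAML message is a constructed string standing in for the signed SAML assertion. It shows the three cases a module process in an SSO session can hit: the backend accepts the SAML bind; the backend cannot, so the action is refused with a typed error the frontend can turn into the small password dialog; and after a correct password has been supplied once, later actions bind with the cached password.

```python
# Added example (hypothetical names, stub backend); not UCS code.


class AuthFail(Exception):
    """Stand-in for univention.admin.uexceptions.authFail."""


class PasswordRequired(Exception):
    """Typed error the frontend maps to the 'a password is required' dialog."""


class FakeLDAP:
    """Constructed LDAP stub. `saml_enabled` models whether slapd has been
    adapted to accept the SASL/SAML mechanism; `users` maps DN -> password."""

    def __init__(self, saml_enabled, users):
        self.saml_enabled = saml_enabled
        self.users = users
        self.bound_as = None

    def bind(self, dn, password):
        """Simple bind: DN plus password, as a module with a password would do."""
        if self.users.get(dn) != password:
            raise AuthFail("Authentication failed")
        self.bound_as = dn

    def bind_saml(self, message):
        """SASL/SAML bind with the signed message instead of a password.
        The constructed message format is 'SAML-SIGNED:<dn>'."""
        if not self.saml_enabled or not message.startswith("SAML-SIGNED:"):
            raise AuthFail("Authentication failed")
        self.bound_as = message.split(":", 1)[1]


class Session:
    """Per-module-process state: user DN, SAML message from SSO login,
    and the password (None in a pure SSO session until the user enters it)."""

    def __init__(self, user_dn, saml_message=None, password=None):
        self.user_dn = user_dn
        self.saml_message = saml_message
        self.password = password


def bind_user_connection(lo, session):
    """Bind `lo` as the session user. Prefer a known password (regular login
    or cached from the dialog), else the SAML message; if neither works,
    refuse with PasswordRequired instead of letting AuthFail escape."""
    if session.password is not None:
        lo.bind(session.user_dn, session.password)
        return lo
    if session.saml_message is not None:
        try:
            lo.bind_saml(session.saml_message)
            return lo
        except AuthFail:
            pass  # backend not prepared for SAML binds: ask for a password
    raise PasswordRequired("This action requires you to enter your password.")


def supply_password(lo, session, password):
    """Called with the dialog's input: verify it against the backend first,
    and only cache it in the session once the bind succeeded."""
    lo.bind(session.user_dn, password)  # raises AuthFail on a wrong password
    session.password = password
    return lo


def run_action(lo, session, action):
    """Run a module action; returns ('ok', result) or ('password_required', text)."""
    try:
        bind_user_connection(lo, session)
    except PasswordRequired as exc:
        return ("password_required", str(exc))
    return ("ok", action(lo))


def demo():
    """Walk through the three cases and return the observed statuses."""
    who = lambda conn: conn.bound_as
    # Backend adapted for SASL/SAML: SSO session works without a password.
    lo1 = FakeLDAP(True, {"uid=admin": "secret"})
    s1 = Session("uid=admin", saml_message="SAML-SIGNED:uid=admin")
    first = run_action(lo1, s1, who)
    # Backend not adapted: the action is refused with a dialog, not a traceback.
    lo2 = FakeLDAP(False, {"uid=admin": "secret"})
    s2 = Session("uid=admin", saml_message="SAML-SIGNED:uid=admin")
    second = run_action(lo2, s2, who)
    # Wrong password is rejected and not cached; correct one is cached.
    try:
        supply_password(lo2, s2, "wrong")
        rejected = False
    except AuthFail:
        rejected = s2.password is None
    supply_password(lo2, s2, "secret")
    third = run_action(lo2, s2, who)
    return {"saml": first, "refused": second, "rejected": rejected, "cached": third}


if __name__ == "__main__":
    print(demo())
```

The point of validating the password in supply_password before storing it is that the cache must never hold a password the backend has not accepted; and because the cached password is what later actions bind with, a module that keeps it behaves exactly like a regular password login while the SAML session stays valid alongside, which is the situation described in the reply above.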
Reopen: See screenshot: If a password is required, the validation of the password field is immediately shown as if it contains an error, but I did not enter anything yet. Maybe just set the focus to the password field? And I think it would look better with less vertical white space between the input field and the button.
Created attachment 7241: password dialog
Done.
Looks really good. Changelog OK as well. -> Verified
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".