Bug 39178 - UMC modules should be able to use SAML-SSO authentication against LDAP
Summary: UMC modules should be able to use SAML-SSO authentication against LDAP
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 4.1
Assignee: Florian Best
QA Contact: Erik Damrose
URL:
Keywords: interim-2
Duplicates: 28828 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-08-14 12:19 CEST by Florian Best
Modified: 2015-11-17 12:11 CET (History)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): API change
Customer ID:
Max CVSS v3 score:


Attachments
password dialog (15.23 KB, image/png)
2015-11-02 13:54 CET, Erik Damrose

Description Florian Best univentionstaff 2015-08-14 12:19:29 CEST
As we implemented single sign on login in UMC via SAML2 the UMC module processes can't rely on the password anymore.
Instead we implemented a PAM module pam_saml.so and a cyrus-SASL plugin libsaml.so which are able to use the signed SAML message to authenticate against e.g. the LDAP server.

Therefore we need to adapt the slapd configuration to allow SAML authentication in SASL.
And all modules which currently rely on the password have to be adapted in a generic fashion e.g. by using some library methods.
Comment 1 Florian Best univentionstaff 2015-08-18 13:14:00 CEST
The following modules(packages) are affected:

univention-management-console-module-appcenter
univention-management-console-module-lib
univention-management-console-module-udm
ucs-school-lib
ucs-school-umc-computerroom
ucs-school-umc-csv-import
ucs-school-umc-exam
ucs-school-umc-installer
Comment 2 Florian Best univentionstaff 2015-08-25 12:54:48 CEST
The /etc/ldap/slapd.conf has been adapted in svn r63193.

The UMC-server has been adapted to provide a generic function for the LDAP bind:
Base.bind_user_connection(lo) (svn r63117).

This function is used and overwritten in the UDM UMC module (including license check, error handling) (svn r63118).

(In reply to Florian Best from comment #1)
> The following modules(packages) are affected:
> 
> univention-management-console-module-appcenter → Bug #39226
> univention-management-console-module-lib → Bug #39227
> univention-management-console-module-udm
→ done here
> ucs-school-lib → Bug #39230
> ucs-school-umc-computerroom → Bug #39228
> ucs-school-umc-csv-import → Bug #39229
> ucs-school-umc-exam → Bug #39231
> ucs-school-umc-installer → Bug #39232
Comment 3 Florian Best univentionstaff 2015-08-25 12:56:11 CEST
*** Bug 28828 has been marked as a duplicate of this bug. ***
Comment 4 Erik Damrose univentionstaff 2015-09-30 13:14:18 CEST
Code looks good and works so far.
I removed a duplicate changelog entry in r64105

Reopen: I wonder if we can and should catch the error that an action does not work with SSO login. If a module or app is not prepared to work with an SSO login, a traceback is shown.

In the list of new bugs created, at least UCC is missing. Do we know how many apps need adaptations?
Comment 5 Florian Best univentionstaff 2015-09-30 13:25:15 CEST
Which traceback?
Comment 6 Erik Damrose univentionstaff 2015-09-30 13:41:22 CEST
In case of the UCC Setup module: 

Execution of command 'uccsetup/info/networks' has failed:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/base.py", line 301, in execute
    function(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 318, in _response
    result = _multi_response(self, request)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 462, in _response
    return list(function(self, iterator, *nones))
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/decorators.py", line 284, in _fake_func
    yield function(self, *args)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/uccsetup/__init__.py", line 58, in info_networks
    ldap_connection = util.get_ldap_connection()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/uccsetup/util.py", line 116, in get_ldap_connection
    lo = udm_uldap.access(host=server, port=port, base=ucr['ldap/base'], binddn=_user_dn, bindpw=_password, follow_referral=True)
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 267, in __init__
    raise univention.admin.uexceptions.authFail, _( "Authentication failed" )
authFail: Authentication failed
Comment 7 Florian Best univentionstaff 2015-09-30 14:01:19 CEST
Well, but this is because that module does no error handling.
We have to adapt this module, as well → Bug #39445.
Comment 8 Florian Best univentionstaff 2015-10-06 13:42:19 CEST
The dialog which asks for the password should not be the regular login dialog.

It should look like:
+-----------------------------------------+
| For this action a password is required. |
|                                         |
| Password: [_________________]     [OK]  |
|                                         |
+-----------------------------------------+
Comment 9 Philipp Hahn univentionstaff 2015-10-07 18:49:23 CEST
(In reply to Florian Best from comment #8)
> The dialog which asks for the password should not be the regular login
> dialog.
> 
> It should look like:
> +-----------------------------------------+
> | For this action a password is required. |

Which password?
- a new random password
- *my* password?
Comment 10 Florian Best univentionstaff 2015-10-21 05:19:09 CEST
Technically this has been resolved. The dialog (text) has also been adapted. Please have a look.
Comment 11 Erik Damrose univentionstaff 2015-10-30 09:01:34 CET
OK: In my opinion, the default text is understandable now ("Diese Aktion erfordert die Eingabe Ihres Passwortes")

Reopen: The text after entering a wrong password could be improved:
"Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an" ->
"Authentisierung ist fehlgeschlagen. Bitte geben Sie das korrekte Passwort ein"

OK: Clicking Cancel aborts the action

RFC: I am unsure about the current behavior: If the password was entered, it is cached and subsequent actions do not require to enter the password again.
Comment 12 Florian Best univentionstaff 2015-10-31 15:45:53 CET
(In reply to Erik Damrose from comment #11)
> OK: In my opinion, the default text is understandable now ("Diese Aktion
> erfordert die Eingabe Ihres Passwortes")
> 
> Reopen: The text after entering a wrong password could be improved:
> "Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an" ->
> "Authentisierung ist fehlgeschlagen. Bitte geben Sie das korrekte Passwort
> ein"
This is currently OK as this is only visible after a failed authentication. We can improve this later. Better would be to remove this at all by making every module able to work without a password.

> RFC: I am unsure about the current behavior: If the password was entered, it
> is cached and subsequent actions do not require to enter the password again.
Yes, the module password is sent to the modules and they store it. You are using a regular login then, with the difference that the SAML session is still valid, too.
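As an added illustration of the pattern this bug settles on (not code from UCS or from the people on this thread; `uldap_access`, `authFail` and the session dict below are stand-ins for the real `univention.admin.uldap.access`, `uexceptions.authFail` and UMC session objects): a generic bind helper that turns the bare authentication failure of an SSO session (the traceback in comment 6) into a structured "password required" signal for the dialog from comment 8, and caches a password once entered, as described in comment 12.

```python
# Added example, not UCS code: models how a UMC module can obtain a user LDAP
# connection when the user logged in via SAML-SSO and no password is known.
# 'uldap_access', 'authFail' and the session dict are stand-ins for the real
# univention.admin.uldap.access / uexceptions.authFail / UMC session objects.

class authFail(Exception):
    """Stand-in for univention.admin.uexceptions.authFail."""

class PasswordRequired(Exception):
    """Structured signal telling the frontend to show the password dialog."""

# Constructed directory: which credentials the LDAP server would accept.
_VALID = {"uid=erik,dc=example,dc=com": "secret"}

def uldap_access(binddn, bindpw):
    """Stand-in for udm_uldap.access(): simple bind, raises authFail otherwise."""
    if bindpw and _VALID.get(binddn) == bindpw:
        return ("connection", binddn)
    raise authFail("Authentication failed")

def get_user_connection(session, password=None):
    """Generic bind helper: use the regular-login password, a cached module
    password, or a password just entered in the dialog; else PasswordRequired."""
    if password is not None:
        session["module_password"] = password      # cache it, as in comment 12
    pw = session.get("password") or session.get("module_password")
    if not pw:                                     # SSO session: no password known
        raise PasswordRequired("For this action a password is required.")
    try:
        return uldap_access(session["user_dn"], pw)
    except authFail:
        session.pop("module_password", None)       # never cache a wrong password
        raise PasswordRequired("Authentication failed.")

def run_action(session, entered=None):
    """A module action: 'ok' on success, 'ask-password' to open the dialog."""
    try:
        get_user_connection(session, entered)
        return "ok"
    except PasswordRequired:
        return "ask-password"
```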
Comment 13 Erik Damrose univentionstaff 2015-11-02 13:54:16 CET
Reopen: See screenshot: If a password is required, the validation of the password field is immediately shown as if it contains an error - but I did not enter anything yet. Maybe just set the focus to the password field?

And I think it would look better with less vertical white space between the input field and the button.
Comment 14 Erik Damrose univentionstaff 2015-11-02 13:54:39 CET
Created attachment 7241 [details]
password dialog
Comment 15 Florian Best univentionstaff 2015-11-03 13:09:53 CET
done.
Comment 16 Erik Damrose univentionstaff 2015-11-04 11:34:02 CET
Looks really good. Changelog OK as well.
-> Verified
Comment 17 Stefan Gohmann univentionstaff 2015-11-17 12:11:44 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".