Univention Bugzilla – Bug 39181
Expired password change not demanded during SAML login
Last modified: 2015-11-17 12:12:49 CET
During testing I discovered that an expired password change is not requested when the user logs on to a SSO service. As SimpleSAMLphp is integrated in UCS, I expected a password expiration check. Reference: http://docs.univention.de/manual-3.1.html#users:passwords http://wiki.univention.de/index.php?title=SAML_Identity_Provider
I would implement this using the simplesamlphp module "expirycheck": https://simplesamlphp.org/docs/1.9/expirycheck:expirycheck

This module requires a (pseudo)LDAP-Attribute which can be parsed by the PHP Date() function. The user password expiry is currently set in the LDAP attributes krb5PasswordEnd, sambaPwdLastSet, shadowLastChange, shadowMax. We probably also need to check the account deactivation. That would be the LDAP attributes: krb5ValidEnd, sambaKickoffTime, shadowExpire

Implementation could look like:

1. Add a simplesamlphp module which evaluates the above attributes and creates a unified date-parseable pseudo-LDAP attribute which is evaluated by the expirycheck module. This could be written in PHP or we could make a subprocess in PHP with a python process which uses UDM for that task.

2. An alternative would be to switch from LDAP-bind to PAM by writing a simplesamlphp authentication module. There is a PHP extension for PAM (https://pecl.php.net/package/PAM) which provides the function: bool pam_auth(string $username, string $password [, string &$error [ $checkacctmgmt = true ] ]). I don't know if this is able to interact correctly with our PAM stack. It seems the conversation is only able to transmit username and password: http://svn.php.net/viewvc/pecl/pam/trunk/pam.c?view=markup#l213 Our PAM stack often also asks for PAM_TEXT_INFO and PAM_ERROR_MSG which would end in a PAM conversation error.

I think 1) is the best variant if written in python, as if we change the UDM users/user handler we don't need to adapt this implementation again. PHP must be set up to allow subprocesses then.

Which LDAP attributes must be evaluated? What do you think, Stefan?
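As an added illustration of variant 1 above (example code, not part of the bug report or of univention-saml): the attributes named in the comment are collapsed into one verdict plus a unified date-parseable pseudo-attribute. It assumes the standard shadow(5), Samba and Kerberos meanings of the attributes (days or seconds since the epoch, GeneralizedTime) and an entry shaped like python-ldap returns it, without UDM.

```python
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2015, 11, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the samples below

def _first(entry, name):
    """First value of an LDAP attribute as str (python-ldap returns bytes), or None."""
    values = entry.get(name) or []
    return None if not values else (values[0].decode() if isinstance(values[0], bytes) else str(values[0]))

def _krb5_time(value):
    """krb5PasswordEnd / krb5ValidEnd are GeneralizedTime, e.g. 20160101000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate_expiry(entry, now):
    """Collapse the password and account expiry attributes into one verdict dict.
    `entry` maps attribute name -> list of values."""
    pw_ends, acct_ends, change_required = [], [], False
    if (v := _first(entry, "krb5PasswordEnd")):
        pw_ends.append(_krb5_time(v))
    if (v := _first(entry, "krb5ValidEnd")):
        acct_ends.append(_krb5_time(v))
    # Samba: seconds since epoch; sambaPwdLastSet == 0 means "change at next logon".
    if (v := _first(entry, "sambaPwdLastSet")) and int(v) == 0:
        change_required = True
    if (v := _first(entry, "sambaKickoffTime")) and int(v) > 0:
        acct_ends.append(EPOCH + timedelta(seconds=int(v)))
    # Shadow: days since epoch; shadowLastChange == 0 also means "change now"; shadowMax 99999 or missing = never ages out.
    last, smax = _first(entry, "shadowLastChange"), _first(entry, "shadowMax")
    if last is not None and int(last) == 0:
        change_required = True
    elif last is not None and smax is not None and int(smax) < 99999:
        pw_ends.append(EPOCH + timedelta(days=int(last) + int(smax)))
    if (v := _first(entry, "shadowExpire")) and int(v) > 0:
        acct_ends.append(EPOCH + timedelta(days=int(v)))
    pw_end = min(pw_ends) if pw_ends else None      # the earliest deadline wins
    acct_end = min(acct_ends) if acct_ends else None
    return {
        "password_end": pw_end,
        "account_end": acct_end,
        "change_required": change_required or (pw_end is not None and pw_end <= now),
        "account_expired": acct_end is not None and acct_end <= now,
        # unified pseudo-attribute in a form PHP's date parser accepts
        "pseudo_attribute": pw_end.strftime("%Y-%m-%d %H:%M:%S") if pw_end else None,
    }

# Constructed sample entries (not real directory data), one per case discussed in the bug.
SAMPLES = {
    "pw_expired": {"shadowLastChange": [b"16000"], "shadowMax": [b"90"]},
    "kicked_off": {"sambaKickoffTime": [b"1446336000"], "shadowMax": [b"99999"]},
    "pw_future": {"krb5PasswordEnd": [b"20160101000000Z"], "shadowLastChange": [b"16700"], "shadowMax": [b"99999"]},
    "change_next_login": {"sambaPwdLastSet": [b"0"], "shadowLastChange": [b"0"], "shadowMax": [b"1"]},
}
```

A real module would also need to map each verdict to its own user-facing message, which is the limitation of expirycheck noted in the next comment.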
The expirycheck module unfortunately only has one message that is displayed for the user, which is something like 'permission denied'. I implemented an adapted uLDAP class which mimics the LDAP Auth behavior, and has additional checks for expired passwords, required password changes and locked / disabled accounts. Appropriate error messages will be given to the user.

r64732 univention-saml 3.0.24-5.78.201510221159
r64734 changelog
Hi Erik, Good to hear that this is implemented! When will it be available in the repository? Kind regards, Remko
Hi Remko, this is a planned feature for UCS 4.1, which is scheduled to be released in November. See [1] for the release schedule and information about testing our milestone and release candidate [1] http://wiki.univention.de/index.php?title=UCS_4.1_Development
Account disabled: OK
Account locked: OK
Account expired: OK
Password change at next login: OK
Password change in the future: OK
Password change in the past: OK

We should add automatic tests for it. I've created a bug for ucs-test: Bug #39694.
UCS 4.1 has been released: https://docs.software-univention.de/release-notes-4.1-0-en.html https://docs.software-univention.de/release-notes-4.1-0-de.html If this error occurs again, please use "Clone This Bug".