Bug 52062 - SAML password change & Let's Encrypt with differing FQDN: broken message if password change if password doesn't meet complexity rules
Status: RESOLVED MOVED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Assigned To: Florian Best
UCS maintainers
https://git.knut.univention.de/univen...
Reported: 2020-09-18 16:08 CEST by Ingo Steuwer
Modified: 2021-11-12 13:14 CET (History)
Flags: best: Patch_Available+


Attachments
patch (git:fbest/52062-saml-password-change-errorhandling) (1.06 KB, patch)
2020-09-30 12:27 CEST, Florian Best

Description Ingo Steuwer univentionstaff 2020-09-18 16:08:27 CEST
Steps to reproduce:

* environment with broken Samba4/Kerberos setup (currently not debugged)
* set the "password change on next login" flag for an account
* log in using SAML with this account
* SAML asks to set a new password
* use the current password as new password
* password change fails, error message is:

"Passwort ändern fehlgeschlagen.
not translated (%s)"


Expected behaviour: A message with translation and without string replacement failures
Comment 1 Ingo Steuwer univentionstaff 2020-09-18 16:10:35 CEST
System is UCS 4.4-5 Errata 750 with Portal Preview App

Reason for failure during password change was: password too similar

Changing the password for this account in a shell session:

Administrator@ucs-ma:~$ su - fiona
Passwort: 
Sie müssen Ihr Passwort sofort ändern (Passwortablauf).
Current Kerberos password: 
Your password will expire at Thu Jan  1 01:00:00 1970

Geben Sie ein neues Passwort ein: 
Schlechtes Passwort: ist dem alten zu ähnlich
su: Fehler beim Ändern des Authentifizierungstoken
Comment 2 Ingo Steuwer univentionstaff 2020-09-18 16:14:36 CEST
broken error message appears at least for "password already used" and "password is too similar to last password"
Comment 3 Florian Best univentionstaff 2020-09-18 16:43:44 CEST
I cannot reproduce this with UCS 4.4-6-750 + Samba4.
Comment 4 Florian Best univentionstaff 2020-09-30 12:00:05 CEST
The logs contain:

Error: SSL: no alternative certificate subject name matches target host name 'ucs-ma.ucs-demopoint.intranet'
Password changing response: array (#012  0 => 0,#012  1 => false,#012)

This is a different hostname than the one which is used externally.
The following default UCR-Variables are set:
self-service/backend-server: ucs-ma.ucs-demopoint.intranet
ucs/server/saml-idp-server/ucs-ma.ucs-demopoint.intranet: ucs-ma.ucs-demopoint.intranet

a regular curl also fails:
# curl https://ucs-ma.ucs-demopoint.intranet/
curl: (51) SSL: no alternative certificate subject name matches target host name 'ucs-ma.ucs-demopoint.intranet'
Comment 5 Florian Best univentionstaff 2020-09-30 12:27:03 CEST
Created attachment 10505 [details]
patch (git:fbest/52062-saml-password-change-errorhandling)

Patch which adds correct error handling for curl errors.
Comment 6 Florian Best univentionstaff 2020-09-30 12:30:54 CEST
I could fix the error on your machine by setting 'hostfqdn' in the simplesamlphpconfig.
You probably should fix your SSL certificate handling.
The hostfqdn is hardcoded in the UCR template:
/etc/univention/templates/files/etc/simplesamlphp/config.php:
print(" 'hostfqdn'      => '%s.%s'," % (configRegistry.get('hostname', ''),configRegistry.get('domainname', '')))
Comment 7 Ingo Steuwer univentionstaff 2020-10-01 09:11:32 CEST
(In reply to Florian Best from comment #6)
> I could fix the error on your machine by setting 'hostfqdn' in the
> simplesamlphpconfig.
> You probably should fix your SSL certificate handling.
> The hostfqdn is hardcoded in the UCR template:
> /etc/univention/templates/files/etc/simplesamlphp/config.php:
> print(" 'hostfqdn'      => '%s.%s'," % (configRegistry.get('hostname',
> ''),configRegistry.get('domainname', '')))

The host is a typical Let's Encrypt setup: the UCS FQDN is "internal" / for a private IP, the FQDN in the SSL certificate is "external" / for a public IP which does a port forwarding to the private IP.

Can we move the communication to localhost?
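The mismatch described in comments 4, 6 and 7 can be checked before it surfaces as a broken "not translated (%s)" message. The following is an added example, not Univention code: it matches a configured hostfqdn against the DNS subjectAltName entries of the certificate the backend serves, reporting the same condition curl reports as error 51. The hostfqdn and SAN values in the main block are constructed, and fetch_dns_sans is a hypothetical live-probe helper that is not needed for the offline check.

```python
import socket
import ssl

def _normalize(name):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.rstrip(".").lower()

def san_matches(hostname, san_list):
    """Match hostname against DNS subjectAltName entries (RFC 6125 style).
    Only a whole leftmost label may be a wildcard ('*.example.org') and it
    covers exactly one label, which is how Let's Encrypt issues them."""
    host = _normalize(hostname)
    host_labels = host.split(".")
    for san in san_list:
        san = _normalize(san)
        if san == host:
            return True
        san_labels = san.split(".")
        if (san_labels[0] == "*" and len(san_labels) >= 3
                and len(san_labels) == len(host_labels)
                and san_labels[1:] == host_labels[1:]):
            return True
    return False

def diagnose(hostfqdn, san_list):
    """Return a curl-style verdict for the configured backend name."""
    if san_matches(hostfqdn, san_list):
        return "ok: %r is covered by the certificate" % hostfqdn
    return ("SSL: no alternative certificate subject name matches target "
            "host name %r (SANs: %s)" % (hostfqdn, ", ".join(san_list)))

def fetch_dns_sans(host, port=443):
    """Hypothetical live probe: validate the chain but not the name, so the
    certificate is returned even when its SANs do not cover host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    # Constructed sample: internal UCR hostfqdn vs. a public Let's Encrypt cert
    internal_fqdn = "ucs-ma.ucs-demopoint.intranet"
    public_sans = ["portal.example.org", "*.example.org"]
    print(diagnose(internal_fqdn, public_sans))  # mismatch, like curl (51)
```

With a live backend, `diagnose(hostfqdn, fetch_dns_sans(hostfqdn))` gives the verdict for the name actually configured in simplesamlphp's config.php.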
Comment 8 Florian Best univentionstaff 2021-11-12 13:14:34 CET
(In reply to Ingo Steuwer from comment #7)
> (In reply to Florian Best from comment #6)
> > I could fix the error on your machine by setting 'hostfqdn' in the
> > simplesamlphpconfig.
> > You probably should fix your SSL certificate handling.
> > The hostfqdn is hardcoded in the UCR template:
> > /etc/univention/templates/files/etc/simplesamlphp/config.php:
> > print(" 'hostfqdn'      => '%s.%s'," % (configRegistry.get('hostname',
> > ''),configRegistry.get('domainname', '')))
> 
> The host is a typical Let's encrypt setup: the UCS FQDN is "internal" / for
> a private IP, the FQDN in the SSL certificate is "external" / for a public
> IP which does a port forwarding to the private IP.
> 
> Can we move the communication to localhost?

In theory yes, at least make it configurable.
But this would break e.g. when HSTS is configured.