Comments (5)
It's not currently possible to lock a field. But you might be interested in this issue created today: #570
It'll have to wait until after #67 though, to benefit from the field-level control and modularity.
from lldap.
I'm a bit curious about your threat model: who are your users? Usually LLDAP is meant for a self-hosted case where users are lovingly hand-created by the admin, with a certain amount of trust. At least, that's been the working model so far, without issues. The security features that involve non-user behavior have always been taken seriously, but so far not so much the ones involving user behavior.
(There is one exception to that, something I want to address: since any user can change their email to the email of someone else, they can get admin access to a system that identifies by email. But I'll make emails unique to prevent this)
Notes for future implementers: the email-reset flow is probably too complex, and I don't want to implement rate-limits in LLDAP (you can always do that at the proxy level in front), so if we implement something, it'd be a setting to disable changing your email without admin rights.
Yes, it's really the exception you mentioned that is the serious practical problem:
Currently a user can change their email address to the same address as an app's admin account. Then when they log in to the app using their own account, they'll be identified as the admin and have admin access.
You're right that requiring emails to be unique would solve this security issue, that's probably a better fix!
(Note that it's a breaking change, so the server will not start if you have duplicate emails)
I understand this issue has been closed already. But we ran into a similar potential security issue.
Requiring emails to be unique within LLDAP definitely solves the issue here, but only if LLDAP is the only source for user authentication. But in our case, we are using ID federation (via Dex), which usually connects multiple ID providers. If I know the email of a user that uses Google for login, and I have an account on LLDAP, it is possible for me to "impersonate" the email of that user by just changing my email on LLDAP. And the solution we use relies on email for identifying users uniquely, regardless of whether they log in via Google, or AD, or in this case LLDAP: same email means same user.
so if we implement something, it'd be a setting to disable changing your email without admin rights.
Is this already possible? Could not find anything in the config. That would at least reduce the risk above.
Another idea: Forced email verification (can be turned on/off via config).
This would apply to new users, as well as to changing the email of existing users. In order to become "active", meaning a login via LDAP can succeed, the new email must always be confirmed by the email owner first (a similar flow to the password reset). Otherwise, login should fail as if the credentials were wrong.
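The three situations in this thread side by side, as an added illustration that is not lldap or Dex code: a user changing their email to an admin's address in a directory that allows duplicates, the same change refused once emails are unique, and the federation case where uniqueness inside one directory cannot see an address owned at another provider. The `Directory` class, role tables and user names are constructed stand-ins; the hardened `role_by_subject` mapping keys the downstream app's roles on (issuer, uid) instead of the user-editable email.

```python
from dataclasses import dataclass, field

class DuplicateEmailError(ValueError):
    """Raised when uniqueness is enforced and another user already owns the address."""

@dataclass
class Directory:
    """Constructed in-memory stand-in for one identity provider (LLDAP, or Google behind Dex)."""
    issuer: str
    unique_emails: bool = False                 # the "make emails unique" fix from the thread
    emails: dict = field(default_factory=dict)  # uid -> e-mail

    def set_email(self, uid: str, new_email: str) -> None:
        # Normalise case so Alice@Example.com and alice@example.com count as one address.
        addr = new_email.strip().lower()
        if self.unique_emails and any(e == addr for u, e in self.emails.items() if u != uid):
            raise DuplicateEmailError(f"{addr} already belongs to another user")
        self.emails[uid] = addr

def role_by_email(app_roles: dict, directory: Directory, uid: str) -> str:
    """Vulnerable mapping: the app keys roles on the user-editable e-mail address."""
    return app_roles.get(directory.emails[uid], "user")

def role_by_subject(app_roles: dict, directory: Directory, uid: str) -> str:
    """Hardened mapping: roles keyed on (issuer, uid), which the user cannot change."""
    return app_roles.get((directory.issuer, uid), "user")

def demo() -> dict:
    by_email = {"alice@example.com": "admin"}          # constructed app role table
    by_subject = {("google", "alice"): "admin"}        # same roles, keyed on issuer + uid
    # 1. Duplicates allowed: mallory changes her e-mail to alice's and the app promotes her.
    lax = Directory("lldap")
    lax.set_email("alice", "alice@example.com")
    lax.set_email("mallory", "Alice@Example.com")
    out = {"dup_allowed": role_by_email(by_email, lax, "mallory")}
    # 2. Uniqueness enforced inside the same directory: the change is refused.
    strict = Directory("lldap", unique_emails=True)
    strict.set_email("alice", "alice@example.com")
    try:
        strict.set_email("mallory", "alice@example.com")
        out["unique_blocked"] = False
    except DuplicateEmailError:
        out["unique_blocked"] = True
    # 3. Federation: alice only exists at Google, so lldap's check cannot see her address.
    federated = Directory("lldap", unique_emails=True)
    federated.set_email("mallory", "alice@example.com")
    out["federated_by_email"] = role_by_email(by_email, federated, "mallory")
    out["federated_by_subject"] = role_by_subject(by_subject, federated, "mallory")
    return out
```

Case 3 is why the downstream application, not only the directory, has to stop treating email as the identity key when more than one provider is federated.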