Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

providers/ldap: set password_change_date in check_pwd_last_set to avoid loop ending user sessions #11913

Open
wants to merge 6 commits into
base: main
Choose a base branch
from

Conversation

tograss
Copy link
Contributor

@tograss tograss commented Nov 4, 2024

Details

closes #11436
Explanation:
In (ms_)check_pwd_last_set the line
if created or pwd_last_set > user.password_change_date:
test if the pw in the ldap store is newer than the authentik one. If so
user.set_unusable_password() user.save()
Is executed. Changing the user password (correctly) ends all user sessions. See https://docs.djangoproject.com/en/5.1/topics/auth/default/#:~:text=Django%20also%20provides%20views%20and,log%20out%20all%20their%20sessions.
However, since user.password_change_date is not set the next ldap_sync will lockout the user again.
I think this wasn't a problem when during login the user pw was always saved to the authentik database. Since this changed a while ago this is now a bug.

The fix is to simply set the password_change_date to the ldap date. One might argue it should be the time the ldap sync run, but I think it is easier to understand for an administrator if the ldap date and the authentik date are the same.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@tograss tograss requested a review from a team as a code owner November 4, 2024 21:09
Copy link

netlify bot commented Nov 4, 2024

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 701f85d
🔍 Latest deploy log https://app.netlify.com/sites/authentik-storybook/deploys/67325a48aa0067000876da49
😎 Deploy Preview https://deploy-preview-11913--authentik-storybook.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Copy link

netlify bot commented Nov 4, 2024

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 701f85d
🔍 Latest deploy log https://app.netlify.com/sites/authentik-docs/deploys/67325a487fa9210008c7f0a4
😎 Deploy Preview https://deploy-preview-11913--authentik-docs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

Copy link

codecov bot commented Nov 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.49%. Comparing base (0f8d497) to head (701f85d).
Report is 31 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11913      +/-   ##
==========================================
- Coverage   92.57%   92.49%   -0.09%     
==========================================
  Files         761      761              
  Lines       37813    37821       +8     
==========================================
- Hits        35004    34981      -23     
- Misses       2809     2840      +31     
Flag Coverage Δ
e2e 48.80% <84.61%> (-0.31%) ⬇️
integration 24.93% <38.46%> (+0.01%) ⬆️
unit 90.17% <73.07%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Our version always updates the user.password_change_date either to now or a given value
@tograss tograss requested a review from BeryJu November 11, 2024 20:26
@tograss
Copy link
Contributor Author

tograss commented Nov 18, 2024

@BeryJu
Hi Bery, can you provide an estimate when you can review / merge this pull request. The related issues will effect more and more users as time progresses.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Users have to login multiple times a day
2 participants