
LDAP Password History Issue


Solved by Luke

ados8000

I've recently changed from FreeIPA, which was completely unreliable, to Windows Active Directory.

Setup works and filters out users from the "Emby" group.

I have no issues with login, but I noticed something when using a test account.

If you change the user's password in AD, the user can log in with that password and any previous one.

Rebooted the server, enabled/disabled the user, set authentication in Emby to default and then back to LDAP, but same issue.

If the password is "Apples" and is then changed to "Oranges", they can still log in with "Apples", even when the LDAP server is online and the password doesn't match.

If you try a password the user has never had, then it fails; if you delete the user account in Emby, then the password must be correct.

Seems the plugin is keeping the password hashes in a cache, not good.

Anyone able to provide insight into this?

Also, I had FreeIPA working with password writeback, i.e. the user can change their password in Emby and it updates, but this doesn't work with Windows AD.
Anyone know the solution to that too? 😊


Hi, passwords are not remembered, so perhaps one of the following is true:

  • The user was already logged in. Normally changing a password in Emby Server will sign out existing sessions, but for LDAP there's no way to know that you changed the password on the LDAP side.
  • Or perhaps the LDAP server is still accepting the old password for some reason.

ados8000

Sorry, but that doesn't match the findings from my testing above.

The plugin has to be the issue; test steps explained:

1. No test user in Emby; log in and the account is created with the current password, Apples.

2. Log the user out and change the password in AD to Grapes.

3. Login works with the new password Grapes, but after logging out and in again, so does Apples.

4. Try a never-used password, Fruit, and it's denied.

5. Log out and delete the user from Emby.

6. Try to log in with Apples and it fails; try to log in with Grapes and it works.

It is keeping a record of hashes or some authentication until the account is recreated.


ados8000

I used the Emby web portal to sign in and out for password testing.

I created the account for testing; it was only signed in in a single browser.


  • 1 month later...
ados8000

Could we possibly get the plugin developer's opinion on the matter?
I would like Emby (LDAP plugin) to not allow sign-ins with past passwords, as it has obvious security risks.


11 hours ago, ados8000 said:

Could we possibly get the plugin developer's opinion on the matter?
I would like Emby (LDAP plugin) to not allow sign-ins with past passwords, as it has obvious security risks.

For the scenario you described, can you temporarily enable debug logging in the server logs section, then repeat the problem, and then attach the server log? thanks.


ados8000

@Luke thanks for following up. I've been away for the past few weeks with email-only access. I won't be able to test until the end of next week.

 


  • 2 weeks later...
  • 3 months later...
ados8000

@Luke yep, I had forgotten about this <facepalm>.

I still haven't been able to get the Emby LDAP plugin to use SSL, and I know my server works because I have Authentik using SSL.
I've sunk a bit of time into it and I think the plugin doesn't work for new AD servers; it's still using SHA-1, for example.


4 hours ago, ados8000 said:

@Luke yep, I had forgotten about this <facepalm>.

I still haven't been able to get the Emby LDAP plugin to use SSL, and I know my server works because I have Authentik using SSL.
I've sunk a bit of time into it and I think the plugin doesn't work for new AD servers; it's still using SHA-1, for example.

Hi, what exactly is the SSL problem?


ados8000

If I use these settings with 389 and no SSL, it works.

[screenshot of the LDAP plugin settings]

As soon as I use 636 and SSL, it fails (see log).
It just thinks the password is wrong, but switch back to 389 without SSL and it works.
It's annoying that the plugin doesn't have a test button, so I have to log in every time to test whether it works, and that doesn't confirm whether the connection is working.
However, I have Authentik and Organizr working with the same Windows Server AD system over SSL without issue.

SSL.txt

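Two things in this thread can be settled without Emby in the path: Luke's second suggestion, that the LDAP server itself may still be accepting the old password, and the bind that fails on 636 with SSL but succeeds on 389. The script below is an added example written for this page, not code from the Emby LDAP plugin or from Emby; it performs a simple bind straight against the domain controller with System.DirectoryServices.Protocols, and separately opens a TLS session to 636 to report which certificate the DC presents. The DC hostname, the bind DN and the passwords Apples/Grapes are placeholders standing in for the poster's test account.

```powershell
# Added diagnostic for the thread above; not part of the Emby LDAP plugin.
# Binds directly to the domain controller so any caching in Emby is out of the picture.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,    # assumed: dc01.example.local
        [Parameter(Mandatory)] [int]    $Port,      # 389 plain, 636 LDAPS
        [Parameter(Mandatory)] [string] $BindDn,    # DN or UPN of the test user
        [Parameter(Mandatory)] [string] $Password,
        [switch] $UseSsl
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $conn.SessionOptions.ProtocolVersion    = 3
    $conn.SessionOptions.SecureSocketLayer  = [bool]$UseSsl
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    # Simple bind: the password is checked by the DC on every call, nothing is cached here.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    try {
        $conn.Bind()
        return 'bind OK'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalidCredentials: the DC saw the password and rejected it.
        # 81 = server down: connection or TLS handshake failed before any password was checked.
        return "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

function Get-LdapsCertificate {
    # Shows which certificate the DC presents on 636 and whether this host trusts it.
    param([Parameter(Mandatory)] [string] $Server, [int] $Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)   # throws if the chain or the name does not validate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
        }
    } finally {
        $tcp.Close()
    }
}

# Placeholders for the poster's environment (assumed values).
$dc   = 'dc01.example.local'
$user = 'CN=Test User,OU=Emby,DC=example,DC=local'
$old  = 'Apples'   # password before the change in AD
$new  = 'Grapes'   # password after the change in AD

$cases = @(
    @{ Label = 'old password, plain 389'; Port = 389; Ssl = $false; Pass = $old },
    @{ Label = 'new password, plain 389'; Port = 389; Ssl = $false; Pass = $new },
    @{ Label = 'old password, LDAPS 636'; Port = 636; Ssl = $true;  Pass = $old },
    @{ Label = 'new password, LDAPS 636'; Port = 636; Ssl = $true;  Pass = $new }
)
foreach ($c in $cases) {
    $r = Test-LdapBind -Server $dc -Port $c.Port -BindDn $user -Password $c.Pass -UseSsl:$c.Ssl
    '{0,-26} -> {1}' -f $c.Label, $r
}

'--- certificate presented on 636 ---'
try { Get-LdapsCertificate -Server $dc | Format-List } catch { "TLS validation failed: $($_.Exception.Message)" }
```

Reading the output: if the DC returns error 49 for Apples while Emby still accepts it, the old password is being honoured somewhere in the Emby path, which is the evidence the thread was missing; if the DC returns "bind OK" for Apples, the server is the one still accepting it, as Luke suggested. For the 636 problem, error 81 on every LDAPS case together with a failure in Get-LdapsCertificate points at the certificate chain (typically an internal CA the Emby host does not trust, or a name mismatch) rather than at the password; the fix is to trust that CA on the host running Emby, not to disable verification.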

Hi, can you please attach the complete Emby server log? I don't see any LDAP activity in that one. Thanks.

