LDAP users cannot remove devices #1131

Open
opened 2025-10-20 01:25:12 +00:00 by Clubs · 0 comments

When attempting to use a client to delete no-longer-used devices, LDAP users will be prompted for a password. From my understanding, the password that is expected is one that the user cannot easily provide, as LDAP accounts have generated passwords that are otherwise bypassed by the LDAP login process.

Example setup:

  • A server running Authentik, which connects to Continuwuity to provide LDAP services
  • A Continuwuity server running with these LDAP configurations:

    ```toml
    [global.ldap]
    enable = true
    ldap_only = true
    uri = "ldap://<address and port>"
    base_dn = "dc=ldap,dc=goauthentik,dc=io"
    bind_dn = "cn=<ldap user>,ou=users,dc=ldap,dc=goauthentik,dc=io"
    bind_password_file = "<password path>"
    uid_attribute = "name"
    name_attribute = "displayName"
    ```
  • An unmodified version of the Cinny client

With this setup, the user is prompted with the password box when attempting to remove devices, and will find their LDAP password is routinely denied.

From my understanding this is because it's using the local matrix account to verify, instead of the LDAP account, so the user would need to provide the generated password (or have the password changed). Attempting to use curl to make the request using the LDAP name in place of the matrix account's username will also not work, due to "M_FORBIDDEN: User ID and access token mismatch", which would make sense as I believe this request does not make it to the LDAP server. This cannot be bypassed by manually resetting the matrix user password, as changing matrix user passwords that are tied to LDAP accounts is unsupported using admin commands.

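To make the failure mode above concrete, here is the user-interactive auth (UIA) round-trip that a client performs for `POST /_matrix/client/v3/delete_devices`, together with a constructed in-memory stand-in for the homeserver that behaves the way the report describes: the password stage is checked against the local Matrix account password, and an `identifier` that does not match the access token's user is answered with `M_FORBIDDEN: User ID and access token mismatch`. This is an added example, not code from the reporter, Continuwuity, Cinny or Authentik; the user `@alice:example.org`, the device IDs, the access token string, the `StubHomeserver` class and its SHA-256 "local password hash" are all assumptions made for the illustration.

```python
"""UIA round-trip for POST /_matrix/client/v3/delete_devices, with a constructed
homeserver stub. Added example; the stub is NOT Continuwuity's implementation."""
import hashlib
import secrets
from typing import Any, Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, Any]]
# (path, json body, access token) -> (HTTP status, json body)
Poster = Callable[[str, Dict[str, Any], str], Response]

DELETE_DEVICES = "/_matrix/client/v3/delete_devices"


def build_password_auth(challenge: Dict[str, Any], user_id: str, password: str) -> Dict[str, Any]:
    """Turn a 401 UIA challenge into the `auth` object for the retry.

    Only the m.login.password stage is handled (the one Cinny prompts for).
    """
    stages = {s for flow in challenge.get("flows", []) for s in flow.get("stages", [])}
    if "m.login.password" not in stages:
        raise ValueError(f"no m.login.password flow offered: {sorted(stages)}")
    return {
        "type": "m.login.password",
        "identifier": {"type": "m.id.user", "user": user_id},
        "password": password,
        "session": challenge["session"],
    }


def delete_devices(post: Poster, token: str, user_id: str, password: str,
                   devices: List[str]) -> Response:
    """Two-step UIA: the bare request yields 401 + session, the retry carries `auth`."""
    status, body = post(DELETE_DEVICES, {"devices": devices}, token)
    if status != 401 or "session" not in body:
        return status, body
    auth = build_password_auth(body, user_id, password)
    return post(DELETE_DEVICES, {"devices": devices, "auth": auth}, token)


def local_hash(password: str) -> str:
    """Toy stand-in for the homeserver's stored local password hash (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


class StubHomeserver:
    """Constructed model of the server side, mirroring the behaviour in the report."""

    FLOWS = [{"stages": ["m.login.password"]}]

    def __init__(self, token_owner: str, local_password_hash: str):
        self.token_owner = token_owner          # user the access token belongs to
        self.local_password_hash = local_password_hash
        self.sessions: set = set()
        self.devices = {"DEVICEA", "DEVICEB"}    # constructed device IDs

    def post(self, path: str, body: Dict[str, Any], token: str) -> Response:
        assert path == DELETE_DEVICES, "stub only models delete_devices"
        auth = body.get("auth")
        if auth is None:  # first leg: hand out a UIA session
            session = secrets.token_hex(8)
            self.sessions.add(session)
            return 401, {"session": session, "flows": self.FLOWS, "params": {}}
        if auth.get("session") not in self.sessions:
            return 400, {"errcode": "M_UNKNOWN", "error": "unknown UIA session"}
        # The identifier must name the token's owner; putting the LDAP name
        # here instead of the Matrix localpart triggers this error.
        if auth.get("identifier", {}).get("user") != self.token_owner:
            return 403, {"errcode": "M_FORBIDDEN",
                         "error": "User ID and access token mismatch"}
        # The password stage is verified against the LOCAL account only;
        # the LDAP password never reaches the LDAP server on this path.
        if local_hash(auth.get("password", "")) != self.local_password_hash:
            return 401, {"errcode": "M_FORBIDDEN", "error": "Invalid password",
                         "session": auth["session"], "flows": self.FLOWS, "completed": []}
        self.devices -= set(body.get("devices", []))
        return 200, {}
```

Run against the stub, supplying the LDAP password yields a second 401 with `M_FORBIDDEN` and the device stays; supplying a non-matching identifier yields the 403 mismatch error; only the locally stored password (which an `ldap_only` user never sees) completes the flow.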
Reference
continuwuation/continuwuity#1131