LDAP user authentication

In Progress

Comments

7 comments

  • Anton Babinov

    Hello Chi Wai Hui,

    Question.
    1. Regarding a), can I force Nx Witness to authenticate the user every time the user logs in?

    The Nx server caches the user's password in memory and uses this cache for user re-authentication. As a separate process, Nx validates the cached data every 5 minutes to ensure that the user's credentials are still up to date.

    2. Regarding b), what is the purpose of checking the LDAP user?

    Nx checks that the LDAP server is online and the user's credentials are still valid. Check the following example:

    1. User enters credentials in Nx GUI.

    2. The Nx server validates the received credentials with the LDAP server.

    3. The user provided valid credentials, and permission to connect is granted.

    4. At some point after the user's session is established, someone disables the user on the LDAP server or changes the user's password.

    5. The Nx server needs to stop the user's session.


    3. Regarding c), can I configure a shorter duration, e.g. 10 seconds instead of 5 minutes?

    In theory we use a shorter duration for testing purposes, but I wouldn't recommend this for a production system. As I mentioned above, Nx validates the user's credentials every 5 minutes; reducing this parameter to 10 seconds will significantly increase the number of requests between Nx and the LDAP server. Is there any specific reason you want to decrease this value?


    4. Regarding d), can I configure it to terminate users only if there is no user activity?

    At the moment it isn't possible, but we're considering adding this feature in the future.

  • Chi Wai Hui

    >The Nx server caches the user's password in memory and uses this cache for user re-authentication. As a separate process, Nx validates the cached data every 5 minutes to ensure that the user's credentials are still up to date.
    [Chi Wai] Probably you are referring to local user authentication. My observation is that "user re-authentication" does not happen. There is no LDAP authentication request with the saved password. This is a security problem, as I view it as a way to bypass authentication. How do I configure the Nx server to enforce LDAP user re-authentication?

    >5. The Nx server needs to stop the user's session.

    [Chi Wai] This is not happening on the instance hosted by my partner.
    How do I configure it to make that happen?

  • Anton Babinov

    >My observation is that "user re-authentication" does not happen. There is no LDAP authentication request with the saved password. This is a security problem, as I view it as a way to bypass authentication. How do I configure the Nx server to enforce LDAP user re-authentication?

    Could you please provide steps on how to reproduce this issue and tell me the version and build number of your Nx server? Check my example below:

    1. The user authenticates to the Nx GUI.

    2. Two minutes later, you change the password for the user on the LDAP server.

    3. Can the user continue the session authenticated with the old password for 5+ minutes?

    4. Can the user log in to the Nx GUI again with the old password?

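To make the cached-credential re-validation loop described earlier in the thread concrete, and to show what Anton's four reproduction steps should observe if that loop works, here is an added Python model. It is not Nx code: the 5-minute interval and the step sequence come from the thread, while the in-memory directory, the user name and the passwords are constructed stand-ins.

```python
from dataclasses import dataclass

REVALIDATE_INTERVAL = 300  # seconds: the thread states Nx re-checks every 5 minutes

def make_ldap_bind(passwords):
    """Constructed stand-in for the LDAP server: a bind succeeds only with the current password."""
    return lambda user, password: passwords.get(user) == password

@dataclass
class Session:
    user: str
    password: str      # cached in memory for the periodic re-bind, as the thread describes
    last_check: float
    active: bool = True

class SessionManager:
    def __init__(self, bind, now):
        self.bind, self.now, self.sessions = bind, now, {}

    def login(self, user, password):
        if not self.bind(user, password):
            return False
        self.sessions[user] = Session(user, password, self.now())
        return True

    def revalidate(self):
        """Every REVALIDATE_INTERVAL seconds re-bind with the cached password; end sessions that fail."""
        ended = []
        for s in self.sessions.values():
            if s.active and self.now() - s.last_check >= REVALIDATE_INTERVAL:
                s.last_check = self.now()
                if not self.bind(s.user, s.password):
                    s.active = False   # step 5 in the thread: the session must stop here
                    ended.append(s.user)
        return ended

def reproduce():
    """Anton's reproduction steps: login, change the password at 2 min, observe at 5 min, relogin."""
    clock = [0.0]
    passwords = {"alice": "old-pw"}                 # constructed directory contents
    mgr = SessionManager(make_ldap_bind(passwords), lambda: clock[0])
    mgr.login("alice", "old-pw")
    clock[0] = 120; passwords["alice"] = "new-pw"   # step 2: password changed after 2 minutes
    clock[0] = 299; early = mgr.revalidate()        # still inside the interval: no check yet
    clock[0] = 300; ended = mgr.revalidate()        # step 3: the 5-minute re-bind fails
    return {"early": early, "ended": ended, "active_after": mgr.sessions["alice"].active,
            "relogin_old_pw": mgr.login("alice", "old-pw")}   # step 4
```

If a real server behaves as Chi Wai reports (session continues after the re-bind fails), the equivalent of `active_after` would stay true, which is the condition to look for in the Wireshark capture and server logs.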
  • Chi Wai Hui

    The current version is 4.2.0.32658.

    The LDAP server that we provide offers secure 2FA login, which does not require users to enter a password.

    1. The server is configured to authenticate users via LDAP.
    2. Users are synced and activated.
    3. Wireshark is started to monitor the Nx server's communication with the LDAP server.
    4. A user logs in to the Nx GUI successfully by accepting the 2FA.
    5. The user stays in the session for 5 minutes.
    6. According to the Wireshark log, the Nx server authenticates the user via LDAP.
    7. The user rejects the login; the LDAP server replies "user authentication fails".
    8. The Nx server allows the user to stay in the session without any interruption.
    9. Another 5 minutes later, step 6 above happens again; otherwise the user proceeds to step 10.
    10. The user logs out of the Nx GUI.
    11. The user logs in to the Nx GUI successfully by accepting the 2FA. Step 5 above repeats.
  • Anton Babinov

    Thanks for the detailed description. Could you please set the server logLevel to DEBUG, reproduce the issue and send me the server logs and Wireshark capture? Here is the article explaining how to set the log level.

  • Norman Graafsma

    Hi Chi Wai Hui,

    Just checking in to make sure you received our response as it has been a while since we have heard from you. Please let us know if you still need help by responding to this message.

  • Chi Wai Hui

    My customer is busy. I will wait for the log.
