
LDAP user authentication

Answered

Comments

8 comments

  • Anton Babinov
    • Network Optix team

    Hello Chi Wai Hui,

    Question.
    1. Regarding a), can I force Nx Witness to authenticate the user every time the user logs in?

    The Nx server caches the user's password in memory and uses this cache for user re-authentication. As a separate process, Nx validates the cached data every 5 minutes to ensure that the user's credentials are still up to date.

    2. Regarding b), what is the purpose of checking the LDAP user?

    Nx checks that the LDAP server is online and that the user's credentials are still valid. Check the following example:

    1. User enters credentials in the Nx GUI.

    2. Nx servers validate the received credentials with the LDAP server.

    3. The user provided valid credentials and permission to connect is granted.

    4. At some point after the user session is established, someone disables the user in the LDAP server or changes the user's password.

    5. The Nx server needs to stop the user's session.

    3. Regarding c), can I configure a shorter duration, e.g. 10 seconds instead of 5 minutes?

    In theory we use a shorter duration for testing purposes, but I wouldn't recommend this for a production system. As I mentioned above, Nx validates the user's credentials every 5 minutes; reducing this parameter to 10 seconds will significantly increase the number of requests between Nx and the LDAP server. Is there any specific reason you want to decrease this value?

    4. Regarding d), can I configure it to terminate the users only if there is no user activity?

    At the moment it isn't possible, but we're considering adding this feature in the future.

  • Permanently deleted user

    > NX server caches user password in memory and uses this cache for user re-authentication. As a separate process, Nx validates cached data every 5 minutes to ensure that user's credentials are still up to date

    [Chi Wai] Probably you are referring to the local user authentication. My observation is that "user re-authentication" does not happen. There is no LDAP authentication request with the saved password. This is a security problem, as I view it as a way to bypass authentication. How do I configure the NX server to enforce LDAP user re-authentication?

    > 5. Nx server needs to stop user's session.

    [Chi Wai] This is not happening on the instance hosted by my partner.
    How do I configure it to make this happen?

  • Anton Babinov
    • Network Optix team

    > My observation is that "user re-authentication" does not happen. There is no LDAP authentication request with the saved password. This is a security problem as I view it as a way to bypass authentication. How to configure NX server to enforce LDAP user re-authentication?

    Could you please provide steps on how to reproduce this issue and tell me the version and build number of your NX server? Check my example below:

    1. User authenticates to the NX GUI.

    2. Two minutes later, you change the password for the user on the LDAP server.

    3. Can the user continue their session, authenticated with the old password, for 5+ minutes?

    4. Can the user re-login to the NX GUI with the old password?

  • Permanently deleted user

    The current version is 4.2.0.32658.

    The LDAP server that we provide offers secure 2FA login which does not require users to enter a password.

    1. The server is configured to authenticate users via LDAP.
    2. Users are synced and activated.
    3. Wireshark is started to monitor the Nx server's communication with the LDAP server.
    4. A user logs in to the Nx GUI successfully by accepting the 2FA.
    5. The user continues to stay in the session for 5 minutes.
    6. According to the Wireshark log, the Nx server authenticates the user via LDAP.
    7. The user rejects the login; the LDAP server replies "user authentication fails".
    8. The Nx server allows the user to continue to stay in the session without any interruption.
    9. Another 5 minutes later, step 6) above happens again; otherwise the user proceeds to step 10).
    10. The user logs out of the Nx GUI.
    11. The user logs in to the Nx GUI successfully by accepting the 2FA. Step 5) above repeats.
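The cache-and-revalidate behaviour Anton describes (cached credential re-bound against LDAP every 5 minutes, session dropped on failure), and the failing case from the reproduction steps above (re-bind rejected but session kept), as an added Python model. This is not Network Optix code; the in-memory directory and the `ldap_bind` callback are constructed stand-ins for the real LDAP server, and the interval is driven by an explicit clock so the test runs instantly.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

REVALIDATE_INTERVAL = 300  # seconds: the 5-minute period discussed in the thread


@dataclass
class Session:
    user: str
    password: str          # cached credential reused for the periodic re-bind
    last_validated: float  # clock value of the last successful LDAP check


class SessionStore:
    """Sessions are re-bound against LDAP every `interval` seconds; a failed
    re-bind terminates the session (the expected behaviour from the thread).
    With drop_on_failure=False it reproduces the reported bug instead."""

    def __init__(self, ldap_bind: Callable[[str, str], bool],
                 interval: float = REVALIDATE_INTERVAL, drop_on_failure: bool = True):
        self.ldap_bind = ldap_bind
        self.interval = interval
        self.drop_on_failure = drop_on_failure
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str, now: float) -> bool:
        if not self.ldap_bind(user, password):
            return False
        self.sessions[user] = Session(user, password, now)
        return True

    def revalidate(self, now: float) -> List[str]:
        """Periodic check; returns the users whose sessions were terminated."""
        dropped = []
        for user, s in list(self.sessions.items()):
            if now - s.last_validated < self.interval:
                continue                     # not due yet
            if self.ldap_bind(user, s.password):
                s.last_validated = now
            elif self.drop_on_failure:
                del self.sessions[user]      # step 5 in Anton's example
                dropped.append(user)
        return dropped

    def is_active(self, user: str) -> bool:
        return user in self.sessions


def simulate(drop_on_failure: bool) -> dict:
    directory = {"alice": "s3cret"}          # constructed stand-in for the LDAP server
    store = SessionStore(lambda u, p: directory.get(u) == p, drop_on_failure=drop_on_failure)
    ok = store.login("alice", "s3cret", now=0)
    directory["alice"] = "newpass"           # password changed 2 minutes later (step 4)
    early = store.revalidate(now=120)        # within the interval: nothing checked
    due = store.revalidate(now=300)          # re-bind with cached password now fails
    relogin = store.login("alice", "s3cret", now=301)  # old password rejected at login
    return {"login": ok, "early": early, "dropped": due,
            "active": store.is_active("alice"), "relogin_old_pw": relogin}
```

`simulate(True)` shows the documented behaviour (session dropped at the 5-minute check); `simulate(False)` shows the reported symptom, where the session survives a failed re-bind even though a fresh login with the old password is refused.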
  • Anton Babinov
    • Network Optix team

    Thanks for the detailed description. Could you please set the server logLevel to DEBUG, reproduce the issue and send me the server logs and Wireshark capture? Here is the article explaining how to set the log level.

  • Norman
    • Network Optix team

    Hi @...,

    Just checking in to make sure you received our response as it has been a while since we have heard from you. Please let us know if you still need help by responding to this message.

  • Permanently deleted user

    My customer is busy. I will wait for the log.

  • Permanently deleted user

    I set up the environment using server 4.2.0.32840.

    The server is able to disconnect the user session when LDAP authentication fails.

    The behavior is reasonable.
