LDAP Authentication Issue
Added by Kendell Welch over 8 years ago
Hi All,
To preface, I’m not sure that this is an OpenProject issue, but I’m running out of ideas and there may be some correlation, maybe.
I am a happy admin of OpenProject. My IT department uses it heavily and loves it. However, I have one user, who only in the last few months has started participating, as an invited member, in projects relating to them, and they are having an issue that I can’t quite figure out.
My OpenProject installation is local (on Debian Jessie) and uses LDAP against my Windows 2008 R2 Active Directory. Auto-account creation works great, and everybody is happy. However, I did (I am a member of IT and am not yet forced to update my password regularly) change my password a while back. I noticed that my new password did not propagate to OpenProject, and ended up having to set my account to Internal Authentication. I really didn’t think about it at the time more than “I’ll look into that when I think about it.” I never looked into it.
Now (just in the last couple of weeks), the one user I have that actually looks at the OpenProject interface, rather than relying just on email updates, had to change his password due to an Active Directory GPO rule (every 90 days). All of a sudden, his account started locking. After a few days of trying things, scratching our heads, and trying more things to resolve the issue, we thought we’d solved the problem: I changed the password on his phone email client, and for several days the problem went away (nothing in OP has been changed yet). Then, after a few days, their account locked in AD again.
I have no evidence of this yet, as I have just asked my user, but I wonder if they were attempting to log in to the OP interface (unsuccessfully) and didn’t tell me. Further, I’m guessing, when an OP user account is created, it actually creates an Internal account that has the same password as entered for Internal account creation. That is, when an invalid login/password is provided, OP queries the LDAP server (in my case Active Directory) using the Internal credentials NOT THE PROVIDED CREDENTIALS, thus producing a failed authentication attempt on AD, three in a row of which LOCK the AD account. More likely, this particular user has a Shortcut/Favorite/Bookmark/Whatever in their browser directly to a specific Work Package, and is not prompted for credentials. Rather, they are denied.
Here’s my theory: something in the URL that the user saves as a Shortcut/Favorite/Bookmark/Whatever is associated with the user’s session/authentication rights. When the user changes their LDAP password, the LDAP server receives a failed authentication request, but OP still allows the user access due to Internal authentication, completely oblivious to the user.
I’m completely grasping at straws here, and definitely not pointing fingers, but is something like this the possible cause of my user’s AD account getting locked out?
Thanks,
Kendell
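The lockout itself is recorded on the Active Directory side, so the quickest way to test the theory above is to ask the domain controllers where the bad passwords are coming from rather than guessing from the OpenProject side. The script below is an added diagnostic example; it is not code from the original post, from OpenProject, or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on the PDC emulator (which receives every bad-password and lockout notification in the domain), and the account name `jsmith` is a placeholder. It reports the per-DC bad-password counters (these are not replicated, so each DC is asked), the 4740 lockout events with the "Caller Computer Name" that submitted the final bad password, and every failed credential validation (4776 NTLM, 4771 Kerberos pre-auth, 4625 logon failure) grouped by source. My understanding, which you should verify against your own DC, is that a failed LDAP simple bind is validated by the DC itself and surfaces as a 4625 with the LDAP client's address; if the OpenProject host shows up there with a count that matches the lockouts, OpenProject is the source.

```powershell
<#
  Added diagnostic example (not from the original post or from OpenProject).
  Assumptions: RSAT ActiveDirectory module installed; Security log readable
  on the PDC emulator; 'jsmith' is a placeholder sAMAccountName.
  Usage: .\Find-LockoutSource.ps1 -SamAccountName jsmith -Hours 48
#>
param(
    [string] $SamAccountName = 'jsmith',   # placeholder account to investigate
    [int]    $Hours          = 48          # how far back to search the Security log
)

Import-Module ActiveDirectory

$pdc    = (Get-ADDomain).PDCEmulator          # all DCs forward bad-password/lockout info here
$since  = (Get-Date).AddHours(-$Hours)
$userRx = [regex]::Escape($SamAccountName)

# 1. Per-DC counters. badPwdCount / badPasswordTime / lockoutTime are stored as
#    FILETIME integers and are NOT replicated, so every DC is queried directly.
Write-Host "== Bad-password counters for $SamAccountName =="
foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
             -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
    [pscustomobject]@{
        DC              = $dc.HostName
        BadPwdCount     = $u.badPwdCount
        LastBadPassword = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) })
        LockedOut       = $u.LockedOut
        LockoutTime     = $(if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) })
    }
}

# 2. Lockout events. 4740 on the PDC emulator carries the "Caller Computer Name"
#    of the machine that submitted the bad password which tripped the threshold.
Write-Host "== Lockout events (4740) on $pdc since $since =="
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
             -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { $_.Message -match "Account Name:\s+$userRx\b" } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            CallerComputer = $(if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { '(blank)' })
        }
    }

# 3. Every failed credential check for the account, grouped by source.
#    4776 = NTLM validation (Source Workstation), 4771 = Kerberos pre-auth
#    failure (Client Address), 4625 = logon failure (Source Network Address +
#    Logon Type). Successful 4776 entries are dropped via the Audit Failure keyword.
Write-Host "== Failed credential checks for $SamAccountName on $pdc since $since =="
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
             -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4771, 4625; StartTime = $since } |
    Where-Object {
        $_.KeywordsDisplayNames -contains 'Audit Failure' -and
        $_.Message -match "(Account Name|Logon Account):\s+$userRx\b"
    } |
    ForEach-Object {
        $src = if ($_.Message -match '(Source Workstation|Client Address|Source Network Address):\s*(\S+)') { $Matches[2] } else { '(none)' }
        $lt  = if ($_.Message -match 'Logon Type:\s*(\d+)') { $Matches[1] } else { '-' }
        [pscustomobject]@{ Id = $_.Id; Source = $src; LogonType = $lt; Time = $_.TimeCreated }
    } |
    Group-Object Id, Source, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'LastSeen';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } }
```

Run it from a domain controller or from an admin workstation with RSAT; reading the remote Security log needs the Event Log Readers right (or admin) on the PDC emulator and the Remote Event Log Management firewall rule. A source that appears in the 4625/4776 table at a steady cadence after the user's password change, but not in any interactive logon, is the stale credential; whether that turns out to be the phone, a mapped drive, or the OpenProject host is what the Source column tells you.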