[Users] ***UNCHECKED*** Re: Reset password from Zimbra when using Active Directory
Barry De Graaff
barrydg at zetalliance.org
Sun Apr 3 11:28:37 CEST 2016
Most likely OpenLDAP can be configured to allow the password change.
It will take me some time before I have time to look into it.
----- Original Message -----
From: "David Sommerseth" <dazo at eurephia.org>
To: "Barry De Graaff" <barrydg at zetalliance.org>
Cc: "Jorge de la Cruz" <jdelacruz at zetalliance.org>, "Adam Cody" <ajcody at zetalliance.org>, users at lists.zetalliance.org
Sent: Sunday, April 3, 2016 11:15:22 AM
Subject: Re: ***UNCHECKED*** Re: [Users] Reset password from Zimbra when using Active Directory
On 03/04/16 07:12, Barry De Graaff wrote:
> Hello David,
>
> Sounds like you have a nice SSO solution there, looking back on AD
> Password extension, even if it had kerberos support (it is not likely to
> have that any time soon) there still would be use cases for the user
> wanting to change the user' password.
>
> Even with kerberos at least the new password would go `over the wire` as
> it does now. I agree sending the password over the wire for each session
> is less secure... but seems that cannot be avoided for a password
> change.
That's correct.
> Then the only thing left for the extension is to support OpenLDAP
> (assuming that is what you use in FreeIPA) and I am planning on testing
> that soon.
FreeIPA uses LDAP, but it uses the 389 Directory Server (originally
the Netscape Directory Server, which Red Hat "grabbed" and open sourced).
I don't believe FreeIPA (or AD for that matter) allows password changes over
LDAP, but I might be wrong. The reason is that even though the passwords
may technically be stored in LDAP, I believe they are stored as Kerberos KDC
objects. But I haven't dug too deep into how FreeIPA works internally.
And if you (or anyone else for that matter) haven't tried setting up
FreeIPA, it is not a very difficult task. The ipa-server-install script
which is included does all the magic for you very easily. And running an IPA
server doesn't require loads of resources either, at least not for a small site.
David S.
> ----- Original Message ----- From: "David Sommerseth"
> <dazo at eurephia.org> To: "Barry De Graaff" <barrydg at zetalliance.org> Cc:
> "Jorge de la Cruz" <jdelacruz at zetalliance.org>, "Adam Cody"
> <ajcody at zetalliance.org>, users at lists.zetalliance.org Sent: Saturday,
> April 2, 2016 8:03:12 PM Subject: Re: [Users] Reset password from Zimbra
> when using Active Directory
>
> On 02/04/16 15:59, Barry De Graaff wrote:
>> Hello David,
>
>> What would be the benefits from using kerberos?
>
> The key concepts for Kerberos is single-sign-on (SSO). I do not have
> the details on the Windows side, but it should not differ that much from
> the Linux world I live in - as Kerberos is a well defined standard.
>
> It is probably easier to explain this using real life examples.
>
> I have SL7 laptop, which is enrolled into a IPA domain (using FreeIPA).
> So when I log into my laptop with my username/password, once my laptop
> gets a network connection I get a kerberos ticket automatically based on
> my login credentials (SSSD provides caching for off-line situations and
> does the 'kinit' process once the Kerberos server - the KDC - is
> reachable).
>
> I have also enabled Kerberos on my Zimbra server, which means that when
> I access the webmail (or the admin webUI) - I am automatically logged in.
> The same if I use IMAP. POP3 and SMTP are also supported.
>
> With that said, there are a few bugs in Heimdal which Zimbra builds
> with, which breaks Kerberos for SMTP and if IMAP/POP3 goes via a nginx
> proxy (using GSSAPI) - but that's details in this context (Quanah and I
> have done some debugging on this already, and it is slowly moving
> forward, and it seems related to RHEL platforms). SPNEGO support is also
> lacking on the webdav interface. Once all of these issues are solved,
> Zimbra will provide a fairly well integrated SSO experience.
>
> But the key user experience is: Once you're logged in, you don't type
> your password any more.
>
> The security side of Kerberos is that the password is almost never
> transferred over the wire. Kerberos is actually designed to be used
> over insecure networks. There are basically two scenarios where the
> password goes over the wire. 1) When you change the password (the KDC
> needs to have a copy of your password), and 2) when you don't have a
> possibility to obtain a Kerberos ticket and the service you access can do
> the Kerberos authentication on behalf of you (Zimbra supports this too).
>
> Further on the security side, when you do have a Kerberos ticket and
> that has been provided to a service using GSSAPI (IMAP/POP3/SMTP) or
> SPNEGO over HTTP/HTTPS, the service also has no clue what the password
> might be. It only knows that you are authenticated by the same KDC the
> service is configured to trust. (Each service needs a separate
> service ticket granted by the KDC.)
>
> If GSSAPI or SPNEGO is not used, the password is only temporarily
> available on the Zimbra platform. Otherwise the Zimbra platform does not
> have any password hashes stored locally.
>
> On top of this, you can also enable a KDC Proxy, which allows the
> Kerberos authentication to be done over an HTTPS connection over an
> insecure Internet connection; which again provides SSO capabilities even
> when the KDC is not directly available [1]. In fact the KDC can be put
> inside a very strict and well controlled network with only specific
> hosts/networks being allowed to initiate contact directly with it.
>
>
> [1] For this to work, you need krb5 libraries on your client which
> support KDC proxy. RHEL7 and newer Fedora releases have at least
> support for that out of the box. KDC Proxy is also a standard designed
> by Microsoft, so I take it for granted that Windows supports this as
> well. More info: <http://www.freeipa.org/page/V4/KDC_Proxy>
> <https://msdn.microsoft.com/en-us/library/hh553774.aspx>
>
>
>> There are some known flaws in the Kerberos implementation for windows
>> http://www.theregister.co.uk/2015/12/15/devastating_flaw_in_windows_authentication/
>
>> The Extension uses an LDAP Bind DN AND uses the existing user's
>> credentials to change the password. It requires the use of LDAP over
>> SSL (TLS).
>
>> For a secure implementation one can create a service account in
>> Windows that can act as bind dn, with limited access rights (and
>> read-only access on the ldap)
>
>> So... Kerberos, would not add much in terms of security, but would add
>> a lot of complexity to the code.
>
>> Anyways, maybe I am missing something, so please explain your comment
>> further.
>
> I beg to differ. With Kerberos you get proper SSO, and the reason for
> wanting support for changing the Kerberos password is for those
> scenarios where you are using the webmail from a computer where Kerberos
> tickets are not possible to establish. The Kerberos server (in practice
> the KDC) manages password history, expiry dates, attempt counters and so
> on. So if your password has expired, you should ideally get the "change
> password" dialogue instead of a failed login.
>
> If you're on a computer enrolled in a Kerberos domain, you'll get a
> change password dialogue during the normal login. But that isn't always
> the case. And if a Zimbra user is travelling without his Kerberos
> enrolled computer, there's no possibility to change the password until he
> can access the KDC again from a computer enrolled to that KDC. Otherwise
> you need side-channel solutions with different login-portals to change
> the password. But if the Kerberos password is expired and you try to log in
> via the webmail, AFAIR you just get a login failed error.
>
> With that said, it isn't ideal to pass any Kerberos passwords over the
> Internet. But sometimes you need to do a pragmatic compromise between
> practical solutions and security. For any setups involving more than a
> few computers, having Kerberos available simplifies a lot of things
> while enhancing the overall security. I am also not saying this Kerberos
> password change should be enforced enabled, but having this possibility
> would benefit many sites.
>
> At the same time, I must confess I do not know much about weaknesses in
> the Windows AD/Kerberos implementation. I just know that Kerberos is
> fairly well supported on a lot of platforms and is a de-facto standard
> for SSO. Which can also have a lot of other authentication schemes on top
> of that (ipsilon, SAML, shibboleth, to mention a few). Newer FreeIPA
> versions also support TOTP/HOTP for Kerberos passwords too, it would
> surprise me a lot if the AD/Kerberos implementation does/will not support
> this as well.
>
> If the Kerberos implementation has weaknesses and that is isolated to the
> implementation Microsoft has done - that problem should not
> concern us that much. That is something Microsoft needs to take care of
> in Windows. And it should not make Kerberos a less regarded solution.
>
> And a quick note regarding LDAP authentication (which is possible with
> Zimbra too). This is a SSO solution. It is just reusing the password
> database stored somewhere else. But it requires the password to be
> passed over the wire each time a user must be authenticated. When a
> Kerberos ticket is available, the password is never transferred over the
> wire.
>
> I hope this made it clearer.
>
>
> David S.
>
>
>
>> ----- Original Message ----- From: "David Sommerseth"
>> <dazo at eurephia.org> To: "Jorge de la Cruz"
>> <jdelacruz at zetalliance.org>, "Adam Cody" <ajcody at zetalliance.org> Cc:
>> users at lists.zetalliance.org Sent: Saturday, April 2, 2016 2:28:00 PM
>> Subject: Re: [Users] Reset password from Zimbra when using Active
>> Directory
>
>> On 02/04/16 10:10, Jorge de la Cruz wrote:
>>> I will create couple of Blog Posts and a Wiki around it :)
>
>>> Why is this not natively in Zimbra?
>
>> You're probably in a better position to ask the proper persons about
>> that ;-) But nevermind my snarky comment, not blaming anyone :)
>
>> I just wanted to say that I would really appreciate that the Change
>> Password feature would work using the Kerberos/kpasswd protocol. I
>> have no chance to really check if that works against AD servers, I just
>> think it would be odd if it doesn't as AD otherwise depends on Kerberos
>> for authentication and SSO.
>
>
>> David S.
>
>
>>> ----- Original Message ----- From: "Adam Cody"
>>> <ajcody at zetalliance.org> To: "Barry De Graaff"
>>> <barrydg at zetalliance.org> Cc: users at lists.zetalliance.org Sent:
>>> Saturday, April 2, 2016 2:05:55 AM Subject: Re: [Users] Reset
>>> password from Zimbra when using Active Directory
>
>>> Awesome job. It will be interesting to see how much activity this
>>> creates in the next couple of months.
>
>>> -Ajcody
>
>>> ----- Original Message ----- From: "Barry De Graaff"
>>> <barrydg at zetalliance.org> To: users at lists.zetalliance.org Sent:
>>> Friday, April 1, 2016 12:33:38 PM Subject: [Users] Reset password
>>> from Zimbra when using Active Directory
>
>>> Hello All,
>
>>> Today I have confirmed that the ADPassword Zimbra server extension to
>>> change Active Directory passwords from the Zimbra web client by
>>> Antonio Messina works with Zimbra 8.6 and Windows 2012 R2 Active
>>> Directory.
>
>>> I have sent a pull request with updated documentation to Antonio.
>
>>> https://github.com/Zimbra-Community/ADPassword
>
>>> See the readme:
>>> https://github.com/Zimbra-Community/ADPassword/blob/master/README.md
>
>>> Also I created a video that demonstrates the readme:
>>> https://www.youtube.com/watch?v=AYmsdw3tHoU
>
>>> Also Antonio indicated he is willing to transfer his repository to
>>> the Zimbra-Community Github, allowing us to work closely together and
>>> also keeping things bundled together nicely for our users.
>
>>> Best regards,
>
>>> Barry
>
>
>>> Related: https://bugzilla.zimbra.com/show_bug.cgi?id=6697
>
>
>
>> -- kind regards,
>
>> David Sommerseth
>
>
> -- kind regards,
>
> David Sommerseth
>
--
kind regards,
David Sommerseth
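As an added example (not code from the ADPassword project, David or Barry), here is the shape of the LDAP password-change operation the thread discusses: the AD-specific unicodePwd encoding, the delete+add form used when the user's own credentials perform the change versus the replace form a privileged bind DN would use, and a guard that refuses anything but an ldaps:// URL. The ldap3 constant names and dict layout are assumed; nothing is sent to a server.

```python
"""Build the LDAP modify operation for an Active Directory password change.

Added example, not code from the ADPassword extension or the thread above.
Assumptions: AD stores the password in the unicodePwd attribute, expects it
as the UTF-16LE encoding of the password wrapped in double quotes, and only
accepts the write over a TLS-protected connection.  A user-initiated change
is a delete(old)+add(new) pair; an administrative reset is a single replace.
The dict layout mirrors what ldap3's Connection.modify() takes (assumed).
"""
from urllib.parse import urlsplit

# ldap3 exposes its modify operations as these string constants (assumed).
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def require_ldaps(url: str) -> str:
    """Refuse plain ldap://: the clear-text password is inside the modify
    request, so it must only ever travel inside TLS (the README requires it)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps" or not parts.hostname:
        raise ValueError(f"password changes require an ldaps:// URL, got {url!r}")
    return url


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants the clear-text password in double quotes, encoded UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def user_change_ops(old_password: str, new_password: str) -> dict:
    """Change performed with the user's own credentials: AD verifies the old
    value and applies the domain's history/complexity policy.  This is the
    operation a read-only service account (used only to find the user's DN)
    does not need any extra rights for."""
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


def admin_reset_ops(new_password: str) -> dict:
    """Reset by a privileged bind DN: no old value is checked, which is why
    the bind account for a self-service change feature should not hold reset
    rights; shown here for contrast only."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}
```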