sources/ldap: add ability to disable password write on login #8377
authentik PR installation instructions

Instructions for docker-compose: add the following block:

```env
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ccaaf97850ca75be0f762b704d4bc5e739be42d8
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

For arm64, use these values:

```env
AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ccaaf97850ca75be0f762b704d4bc5e739be42d8-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
```

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes: add the following block:

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ccaaf97850ca75be0f762b704d4bc5e739be42d8
```

For arm64, use these values:

```yaml
authentik:
  outposts:
    container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
  image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ccaaf97850ca75be0f762b704d4bc5e739be42d8-arm64
```

Afterwards, run the upgrade commands from the latest release notes.
Perfect. I have no strong opinion about the variable name. They are not exposed to the user so a more technical name using the phrasing of the source (i.e. bind for ldap) would also be fine for me but keeping it consistent across sources which also will use this could also be appealing.
I know I am in no position to make requests, but I would really like to have my concerns about having this enabled by default regarding usability, pitfalls and security addressed, please...

Yeah, I suppose after going through this again we can probably set it to False for new sources, as there isn't really a strong case for leaving it enabled by default (the only thing being a future built-in scheduled HIBP check, which could just check for this). We should probably also add all of the points from #8377 (comment) to the documentation, so we can update them as they are resolved (especially the first one).
Changed it back again.
I agree in both aspects. For now this should default to false for newly created sources, and the drawbacks of enabling it should be documented such that one can weigh the ups and downs.

Regarding the HIBP check: how would that even work with stored passwords (hashed and salted)? This seems like it would only work upon logging in (when we have access to the raw password) or if the leaked database used exactly the same hash function (including number of rounds etc.) and salt?

Regarding my first point (password update), this should already work for sources which have a

At some point I was thinking whether it would make more sense to drop this from the providers and instead make this into a flow step, i.e. upon successful login one would issue a user update and set the received password. This would likely make the updating more clear, reduce code duplication and offer more customizability (e.g. skip the update of admins, where the redundant password store and delay until a password gets invalidated might be considered a security risk).
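The login-time check discussed in the comment above, as an added illustration that is not authentik's code: the Pwned Passwords range API is queried with only the first five hex characters of the SHA-1 of the raw password, which an identity provider has in hand solely at bind time, never from its own salted, iterated hash store. The range response body and `sample_fetch_range` below are constructed stand-ins for the HTTP call to `https://api.pwnedpasswords.com/range/<prefix>`, so the snippet runs offline.

```python
"""k-anonymity breach check of a raw password (HIBP Pwned Passwords style).

Added example, not authentik's code. Only the SHA-1 prefix leaves the host;
the match against the full suffix happens locally.
"""
import hashlib
from typing import Callable

# Constructed sample of a range response for prefix "5BAA6": one
# "SUFFIX:COUNT" entry per line. The first suffix belongs to
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4C9B93F3F0682250B6CF8331B7EE68FD9:3
00000000000000000000000000000000000:1
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to the
    API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table; tolerate blanks."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the HTTP request; only one prefix is
    'known' to this offline sample, every other prefix yields an empty
    (no matches) body."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the raw password appears in the breach corpus
    (0 = not found). This needs the plaintext, which is why the check can
    only run at login time, not against a stored salted hash."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)
```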
Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Documentation updated to document this feature and associated security risks.
Any outlook on getting this merged soon?
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* main: web: bump API Client version (#9021) sources/ldap: add ability to disable password write on login (#8377) web: bump API Client version (#9020) lifecycle: migrate: ensure template schema exists before migrating (#8952) website/integrations: Update nextcloud Admin Group Expression (#7314) web/flow: general ux improvements (#8558) website: bump @types/react from 18.2.67 to 18.2.69 in /website (#9016) core: bump requests-oauthlib from 1.4.0 to 2.0.0 (#9018) web: bump the sentry group in /web with 2 updates (#9017) web/admin: small fixes (#9002) website: bump webpack-dev-middleware from 5.3.3 to 5.3.4 in /website (#9001) core: bump ruff from 0.3.3 to 0.3.4 (#8998) website/docs: Upgrade nginx reverse porxy config (#8947) website/docs: improve flow inspector docs (#8993) website/deverlop-docs website/integrations: add links to integrations template (#8995)
* main: (27 commits) web: bump API Client version (#9035) website/docs: maintenance, re-add system settings (#9026) core: bump duo-client from 5.2.0 to 5.3.0 (#9029) website: bump express from 4.18.2 to 4.19.2 in /website (#9027) web: bump express from 4.18.3 to 4.19.2 in /web (#9028) web: bump the eslint group in /web with 2 updates (#9030) core: bump goauthentik.io/api/v3 from 3.2024022.3 to 3.2024022.5 (#9031) website: bump @types/react from 18.2.69 to 18.2.70 in /website (#9032) web: bump the eslint group in /tests/wdio with 2 updates (#9033) web: bump katex from 0.16.9 to 0.16.10 in /web (#9025) translate: Updates for file locale/en/LC_MESSAGES/django.po in fr (#9023) website/docs: include OS-specific docker-compose install instructions + minor fixes (#8975) web: bump API Client version (#9021) sources/ldap: add ability to disable password write on login (#8377) web: bump API Client version (#9020) lifecycle: migrate: ensure template schema exists before migrating (#8952) website/integrations: Update nextcloud Admin Group Expression (#7314) web/flow: general ux improvements (#8558) website: bump @types/react from 18.2.67 to 18.2.69 in /website (#9016) core: bump requests-oauthlib from 1.4.0 to 2.0.0 (#9018) ...
Details
Closes #6122
Checklist

- `ak test authentik/`
- `make lint-fix`
- If an API change has been made: `make gen-build`
- If changes to the frontend have been made: `make web`, `make i18n-extract`
- If applicable: `make website`