
O365 IMAP Auth end of life 2022-10-01 #205

Open
mmccarn opened this issue Jul 16, 2022 · 5 comments
Labels
0. Needs triage bug Something isn't working

Comments

@mmccarn

mmccarn commented Jul 16, 2022

IMAP Authentication in user_external uses basic authentication.

As of October 1, 2022 Microsoft will begin disabling basic authentication in Exchange365.

(There is information in the Microsoft link above describing how you can opt out of having Microsoft disable IMAP basic authentication for your tenant.)

Normally it is not possible to set a password in /settings/users for accounts authenticating through user_external. However, if you manually create an entry in oc_users with a uid that matches an entry in oc_users_external, it becomes possible to set a local nextcloud password.

My plan at the moment is to move my existing users from IMAP auth to internal Nextcloud Auth, then require twofactor_email for the migrated users.

The code snippet below works on my system to create entries in oc_users with matching uid values from oc_users_external.

My database settings from config.php:

  'dbtype' => 'pgsql',
  'dbname' => 'nextcloud',
  'dbtableprefix' => 'oc_',

1. Connect to the sql database

    sudo -u postgres psql -t -d nextcloud

2. Manually create an entry in 'oc_users' using the same value for uid and displayname used in oc_users_external:

    insert into oc_users(uid,displayname,uid_lower)
    select uid, displayname,lower(uid) from  oc_users_external where uid like '<uid-from-oc_users_external>';

3. Once there is an entry in "oc_users" with a uid that matches an entry in oc_users_external, the user's password can be set in /settings/users

4. The user now sees the same files & shares if logging in using the original IMAP password or the new locally set password

5. Requiring two factor auth using twofactor_email ensures that security remains tied to the user's email

There is some fine-tuning that could be applied to this procedure:

  • All accounts could be migrated (remove the "where..." clause)
  • All accounts could have a pre-defined password applied
    • Create a bogus user
    • Set the password for the bogus user
    • Get the encrypted password info from oc_users for the bogus user
    • Add the encrypted password to the sql 'insert' command

This code snippet sets the selected user's local password to "badPassword" -

insert into oc_users(uid,displayname,uid_lower,password)
select 
  uid, 
  displayname,
  lower(uid),
  '3|$argon2id$v=19$m=65536,t=4,p=1$aWZKcTZsV08yczguSHlNWA$3Tdbsc4hVuiM4o6zLtsR1xxhL9T27HzE2cM1umYl7nI' 
from  oc_users_external where uid like '<uid-from-oc_users_external>';
@mmccarn mmccarn added bug Something isn't working 0. Needs triage labels Jul 16, 2022
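The "migrate all accounts" variant from the fine-tuning list, written out as an added example (not code from the issue author or from the user_external project). It assumes the same PostgreSQL tables and columns the post names (oc_users with uid, displayname, uid_lower, password; oc_users_external with uid, displayname) and the pgsql setup from the quoted config.php. It differs from the last snippet above in two ways: it skips uids that already have a local row, so re-running it is safe, and it leaves the password column unset, as in the author's first snippet, so each user gets an individual password through /settings/users instead of every migrated account sharing one known value.

```sql
-- Added example, not part of the original issue: migrate every user_external
-- account into oc_users inside one transaction, with checks before COMMIT.
-- Table and column names are taken from the issue; the database is the
-- PostgreSQL instance named in the quoted config.php.
BEGIN;

-- 1. Preview which external accounts have no local oc_users row yet.
SELECT e.uid, e.displayname
FROM oc_users_external e
WHERE NOT EXISTS (SELECT 1 FROM oc_users u WHERE u.uid = e.uid);

-- 2. Case-collision check: two external uids differing only in case would
--    map to the same uid_lower; resolve these by hand before inserting.
SELECT lower(uid) AS uid_lower, count(*) AS n
FROM oc_users_external
GROUP BY lower(uid)
HAVING count(*) > 1;

-- 3. Insert the missing rows. The password column is deliberately left
--    unset so that no migrated account has a shared, pre-known password;
--    the admin (or the user) sets one in /settings/users afterwards.
INSERT INTO oc_users (uid, displayname, uid_lower)
SELECT e.uid, e.displayname, lower(e.uid)
FROM oc_users_external e
WHERE NOT EXISTS (SELECT 1 FROM oc_users u WHERE u.uid = e.uid);

-- 4. Verify: expected 0 once every external uid has a local row.
SELECT count(*) AS still_missing
FROM oc_users_external e
WHERE NOT EXISTS (SELECT 1 FROM oc_users u WHERE u.uid = e.uid);

-- 5. Commit only if steps 2 and 4 looked right; otherwise ROLLBACK.
COMMIT;
```

Run it with the same `sudo -u postgres psql -d nextcloud` session shown in the post, after a database backup; the BEGIN/COMMIT pair lets you issue ROLLBACK instead of COMMIT if the preview or the collision check shows something unexpected.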
@simonbuehler

got hit by this issue last week, is this the only migration path possible?

@mmccarn
Author

mmccarn commented Nov 11, 2022

It may be possible to re-factor the IMAP code to use SMTP instead (which may continue to work?)

I have also in the past customized the social-login app to use the email address as the UID, which also worked.

@Aquariu

Aquariu commented Nov 23, 2022

got hit by this issue last week, is this the only migration path possible?

Obvious path out of this is using an IMAP-conformant email provider, but in many corporate cases, getting out of that jail looks like a daunting task.

@violoncelloCH
Member

Hey, thanks for raising this. However, I feel that there is not much we can do if companies drop support for standard protocols. Your migration approach sounds reasonable; other options might be using other types of authentication such as LDAP/AD or possibly OAuth. Writing a user_external module capable of doing authentication over SMTP could work too, but for me personally it's out of scope. If anyone is up for doing this, contributions are obviously always welcome :)

@simonbuehler

could nextcloud/mail#7722 help here also in any way?

4 participants