This repository has been archived by the owner on Jun 2, 2023. It is now read-only.

Passcore does not recognize RestrictedADGroups/AllowedADGroups #286

Closed
samtun opened this issue Jul 11, 2019 · 7 comments
Labels
bug Something doesn't work! help wanted Usually used alongside a bug / enhancement / shouldfix

Comments

@samtun

samtun commented Jul 11, 2019

PassCore Server

  • OS: Windows
  • Provider: Active Directory
  • Settings file (without sensitive information):
{
  "Logging": {
    "IncludeScopes": false,
    "LogLevel": {
      "Default": "Debug",
      "System": "Information",
      "Microsoft": "Information"
    }
  },
  "WebSettings": {
    "EnableHttpsRedirect": true
  },
  "AppSettings": {
    // The following options for AD Provider (remove if you don't use this Provider)
    "UseAutomaticContext": false, // Set true to allow PassCore to reset password using the same credentials, or false if you will fill the credentials below
    "CheckRestrictedAdGroups": true,
    "RestrictedADGroups": [
      "Administrators",
      "Domain Admins",
      "Enterprise Admins"
    ], // Set the AD groups to restrict the use of PassCore
    "AllowedADGroups": [ 
        "GroupA" 
    ], // Set the AD Groups to allow PassCore, if the array is empty all the groups no-restricted above are allowed
    "IdTypeForUser": "UPN", // Possible values are "DN", "GUID", "Name", "SAM", "SID" and "UPN" (Default UPN)
    "UpdateLastPassword": true, // Set true to allow PassCore to update the last password timestamp
    // The following options are for LDAP Provider (remove if you don't use this Provider)
    "LdapSearchBase": "ou=My_Users,dc=mydomain",
    "LdapSecureSocketLayer": false, // Default for AD is true when using LDAPS 636
    "LdapStartTls": true, // Default for AD is true when using LDAP 389
    "LdapChangePasswordWithDelAdd": true,
    "LdapSearchFilter": "(sAMAccountName={Username})", // Another value: "(&(objectClass=person)(cn={Username}))"
    // General options (valid for both providers)
    "LdapHostnames": [ "<mydomain>" ], // Set your hostname(s)
    "LdapPort": 389, // Default for AD is 389, for LDAPS 636
    "LdapUsername": "<MyAdmin>", // Set the username or distinguished name (DN) to bind the LDAP server
    "LdapPassword": "<adminPW>", // Set the password for the username
    "DefaultDomain": "<mydomain>" // Set your default AD domain here, or non "@" logins will not work! Use empty value to allow user to set the domain. This option is ONLY available with UPN.
  },
  <Rest should be irrelevant>
}

Describe the bug
Users that are not members of the defined AllowedADGroups can still change their password.

To Reproduce
Steps to reproduce the behavior:

  1. Configure Passcore as shown with AD
  2. Test PW-reset with users that belong to GroupA and those who do not

Expected behavior
Users that are not members of GroupA should not be allowed to change their password.

Desktop (please complete the following information):

  • OS: Windows
  • Browser firefox
  • Version 67.0.4

Additional context
I am trying to configure PassCore so only Users in GroupA can change their password.
This should be possible with the AllowedADGroups option. But none of the Groups I tried changed the behaviour of PassCore.

I also tried inserting the full LDAP path as the group name, but that did not change the described behaviour either.

I also read about the option CheckRestrictedAdGroups (which seems to be missing in the default appsettings.json), but that did not fix it either.

I saw v3.6.3 states "Fix issues with Groups" which I hoped to fix this issue but it apparently does not. (btw: the mainpage of PassCore still says 3.6.2 in the footer)

samtun changed the title from "Passcore does not" to "Passcore does not recognize RestrictedADGroups/AllowedADGroups" Jul 11, 2019
geoperez (Member) commented

The CheckRestrictedAdGroups is not a valid setting, I need to update the README file.

And yes, we did a fix in the group validation. Can you check your logs and find a possible exception from source ValidateGroups? Sometimes AD is not returning properly the groups and then the validation is skipped.

@geoperez geoperez added the help wanted Usually used alongside a bug / enhancement / shouldfix label Jul 11, 2019
@samtun
Author

samtun commented Jul 12, 2019

Each time a user in a restricted group changes his password the log shows the following fail and dbug messages. But the password still is changed successfully.

fail: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[888]
      ValidateGroups
Unosquare.PassCore.Common.ApiErrorException: Error Code: ChangeNotPermitted
The User principal is listed as restricted
   at Unosquare.PassCore.PasswordProvider.PasswordChangeProvider.ValidateGroups(UserPrincipal userPrincipal) in C:\Unosquare\passcore\src\Unosquare.PassCore.PasswordProvider\PasswordChangeProvider.cs:line 144
dbug: Unosquare.PassCore.PasswordProvider.PasswordChangeProvider[0]
      The User principal password updated with setPassword

Changing the password of users that are in an allowed group shows only the dbug message without the fail. Looks like it is correctly evaluated but still executes the password change no matter what?

Edit:
I checked line 144 in PasswordChangeProvider.cs and it looks like userPrincipal.UserCannotChangePassword is never set to true. So the check in line 60 might always come out false and skip the error? Then again I'm no C# expert and unsure how the exception from line 144 is handled.
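The two failure modes discussed in this thread, a validation exception that is logged but does not stop the password write, and a directory lookup failure that silently skips the group check, are illustrated below in an added example. This is not PassCore's code: the names GroupPolicy, GroupValidator.EvaluateGroups, PasswordChanger.ChangePasswordFailOpen and ChangePasswordFailClosed are hypothetical, and the membership table is constructed inline so the example runs without a directory. It shows the evaluation order the settings comments describe (any restricted group denies; a non-empty AllowedADGroups then requires membership in at least one of them) and places the fail-open and fail-closed variants side by side.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical policy object mirroring the RestrictedADGroups / AllowedADGroups settings.
public sealed class GroupPolicy
{
    public IReadOnlyList<string> RestrictedGroups { get; set; } = Array.Empty<string>();
    public IReadOnlyList<string> AllowedGroups { get; set; } = Array.Empty<string>();
}

public sealed class ChangeNotPermittedException : Exception
{
    public ChangeNotPermittedException(string message) : base(message) { }
}

public static class GroupValidator
{
    // Returns normally when the user may change the password; throws otherwise.
    // getGroups is expected to throw when the directory cannot return the membership list.
    public static void EvaluateGroups(GroupPolicy policy, string user,
        Func<string, IEnumerable<string>> getGroups)
    {
        List<string> groups;
        try
        {
            groups = getGroups(user).ToList();
        }
        catch (Exception ex)
        {
            // Fail closed: an unreadable membership list must never grant access.
            throw new ChangeNotPermittedException(
                $"Group membership for '{user}' could not be read: {ex.Message}");
        }

        var cmp = StringComparer.OrdinalIgnoreCase;

        // Restricted groups win over everything else.
        if (groups.Any(g => policy.RestrictedGroups.Contains(g, cmp)))
            throw new ChangeNotPermittedException($"User '{user}' is a member of a restricted group.");

        // An empty allow-list means "everyone not restricted"; a non-empty one is an allow-list.
        if (policy.AllowedGroups.Count > 0 && !groups.Any(g => policy.AllowedGroups.Contains(g, cmp)))
            throw new ChangeNotPermittedException($"User '{user}' is not in any allowed group.");
    }
}

public static class PasswordChanger
{
    // Buggy shape: the validation failure is logged, then the write happens anyway.
    public static bool ChangePasswordFailOpen(GroupPolicy policy, string user,
        Func<string, IEnumerable<string>> getGroups, Action<string> log, Action setPassword)
    {
        try { GroupValidator.EvaluateGroups(policy, user, getGroups); }
        catch (ChangeNotPermittedException ex) { log("fail: ValidateGroups " + ex.Message); }
        setPassword();                       // executed regardless of the outcome above
        return true;
    }

    // Corrected shape: the validation outcome gates the write.
    public static bool ChangePasswordFailClosed(GroupPolicy policy, string user,
        Func<string, IEnumerable<string>> getGroups, Action<string> log, Action setPassword)
    {
        try { GroupValidator.EvaluateGroups(policy, user, getGroups); }
        catch (ChangeNotPermittedException ex) { log("fail: ValidateGroups " + ex.Message); return false; }
        setPassword();
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new GroupPolicy
        {
            RestrictedGroups = new[] { "Administrators", "Domain Admins", "Enterprise Admins" },
            AllowedGroups = new[] { "GroupA" },
        };

        // Constructed membership data standing in for the directory.
        var membership = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new[] { "Domain Users", "GroupA" },          // allowed
            ["bob"]   = new[] { "Domain Users" },                    // not in GroupA
            ["carol"] = new[] { "GroupA", "Domain Admins" },         // restricted wins
        };
        IEnumerable<string> Lookup(string u) => membership.TryGetValue(u, out var g)
            ? g : throw new InvalidOperationException("directory returned no groups");   // "dave"

        foreach (var u in new[] { "alice", "bob", "carol", "dave" })
        {
            bool open = PasswordChanger.ChangePasswordFailOpen(policy, u, Lookup, Console.WriteLine, () => { });
            bool closed = PasswordChanger.ChangePasswordFailClosed(policy, u, Lookup, Console.WriteLine, () => { });
            Console.WriteLine($"{u}: fail-open changed={open}, fail-closed changed={closed}");
        }
    }
}
```

With this policy the fail-open variant reports a change for all four users while still emitting the "fail: ValidateGroups" line for bob, carol and dave, which is exactly the log pattern reported above; the fail-closed variant changes only alice's password. The point to check in any password self-service tool is the second one: a lookup error or a thrown validation exception must end the request, not merely be logged.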

geoperez (Member) commented

I found the issue! Are you using a custom build, or do you need me to publish a new release?

geoperez added a commit that referenced this issue Jul 12, 2019
@geoperez geoperez added the bug Something doesn't work! label Jul 12, 2019
@geoperez geoperez self-assigned this Jul 12, 2019
@samtun
Author

samtun commented Jul 15, 2019

A new release would be nice, thank you very much.

geoperez (Member) commented

Done, let me know if it is working fine.

@samtun
Author

samtun commented Jul 16, 2019

Working like a charm. Thanks again!

@samtun samtun closed this as completed Jul 16, 2019
jameelboonzaaier commented

Hi guys,

I need some help.

When I change IdTypeForUser to DN I get an error: "we can not find user account".

The reason I want to change to DN is that the AD sync tool looking at AD uses the DN to sync users.

Is there any way to get DN to work on PassCore?

Please help.
