Community

Cannot modify 'admin' user's empty password in LifeTime-managed on-prem environment

New Post
Apologies if I have posted this in the incorrect forum.

I have an issue with an on-premises OutSystems environment managed by LifeTime running on version 9.0.1.50 (9.0.1.50 (build 56481: tags/v9_0_1_50 @ 2016-01-06 10:49:55).

In short, the 'admin' user in LifeTime and in ServiceCenter for my dev/test/prod environments has a blank password and I am unable to change it. When I login to LifeTime with this blank password and attempt to edit the 'admin' user's password via Administrator -> My Settings, only the email address text field is editable. I cannot enter any text into the password fields.

Curiously, if I access the Users application on my LifeTime host and login as 'admin', it does not accept an empty password and instead requires the password I configured at install time, which seems like the correct and expected behavior.

If I query the ossys_user database table in my LifeTime or other environments, I can see that I have two 'admin' user accounts: the first with ID=1 and TENANT_ID=1, the second with ID=2 and TENANT_ID=13 (which corresponds to the Users app). Both of these 'admin' accounts have the exact same crypted data in the PASSWORD column in LifeTime's database; yet the Users application requires a password and the LifeTime application does not.

I would like to have the 'admin' user in LifeTime and ServiceCenter require a password as otherwise this appears extremely insecure. Can anybody offer any guidance?

Thanks!
Dislike(0)
Like(1)
Dislike(0)
Like(1)

Hi Brian,


Pretty sure it shouldn't let you enter without a password. Did you configure any external authentication providers like LDAP? (not sure if those were added in 9.0.1 or 9.1)


If you continue with the problem I recommend you to open a support ticket and get it thoubleshooted.


Regards,

João Rosado

Dislike(0)
Like(0)
Dislike(0)
Like(0)
Thank you João, I agree that it should not work like this.  I do have LDAP authentication enabled against our Active Directory system, but we have no user named 'admin' in Active Directory that it could be authenticating against. The LDAP authentication appears to be working correctly for other user accounts.

I will follow up with a support ticket. 

Cheers,
-Brian
Dislike(0)
Like(0)
Dislike(0)
Like(0)
We have same issue (9.0.1.35).  If I try to change the password for admin, I can't; the fields are read-only.  I can change other user passwords.  I can't log into Lifetime with Admin because the password is unknown.  I tried admin/admin but that didn't work. 

Brian, did you find anything out?

Thanks!
Dislike(0)
Like(0)
Dislike(0)
Like(0)
Hi David,

I filed a support case yesterday, at low priority, but I have not yet received any response. I will follow up here when I have any new information. The issue you are seeing sounds similar, with the difference that in my case I (correctly) cannot edit other users' passwords as we are authenticating them against an external auth provider.

-Brian
 
Dislike(0)
Like(0)
Dislike(0)
Like(0)
Brian Pardy wrote:
Hi David,

I filed a support case yesterday, at low priority, but I have not yet received any response. I will follow up here when I have any new information. The issue you are seeing sounds similar, with the difference that in my case I (correctly) cannot edit other users' passwords as we are authenticating them against an external auth provider.

-Brian
 
Hi Brian. 

We are not using any external providers and I don't think I've ever used the admin account.  We are in the middle of a migration and one of the steps is to ensure I can log in to LT as the admin.  Which I can't.  I look forward to hearing back when you get some news.

Thank you for your help,
Dave

Dislike(0)
Like(0)
Dislike(0)
Like(0)
Hi Dave,

After filing a support ticket, my issue is now resolved. Support provided an updated version of the LDAPAuthProvider that eliminated the ability to login as 'admin' with an empty password. They also pointed out that in my situation I needed to have my LDAPAuthProvider configured to fall back to internal OutSystems authentication when LDAP authentication failed in order to be able to login to the 'admin' user.  After checking the box in the LDAPAuthProvider configuration screen to enable fallback authentication, my 'admin' user password now works correctly.

In your case, I would suggest filing a support ticket for assistance resetting the admin user's password in LT. You (or your database administrator) may be able to directly update the admin user's hashed password in LT's ossys_users table by copying the hash from an account that you do know, but it is probably safest to pursue that with guidance from support.

Cheers,
-Brian
Dislike(0)
Like(0)
Dislike(0)
Like(0)
Hi Brian - Thank you for updating me on this and I'm glad to hear you got your issue resolved.  We hope to be using LDAP in the near future so this will come in handy. 

I'll see about opening a ticket and trying to get my issue resolved. 

Thank you again,
Dave
Dislike(0)
Like(0)
Dislike(0)
Like(0)
Solution

Hello everyone,

As João Rosado stated, the behavior originally reported here is not the intended behavior. The OutSystems Platform should not allow you to authenticate using an empty password.

What happened was that Brian (unwittingly) uncovered a security flaw in the OutSystems Platform. Please refer to this Knowledge Base article for further details, and a fix for the issue.

Best regards,

Ricardo Silva

Solution
Dislike(0)
Like(1)
Dislike(0)
Like(1)

Thank you for the follow up and communication to users, Ricardo.  It's great to see things like this fixed so quickly. Had I realized this was an issue that didn't stem from a simple misconfiguration on my side, I would have reported it in a more private setting. Please offer the team my apologies for the unintended public disclosure!


Cheers!

-Brian

Dislike(0)
Like(0)
Dislike(0)
Like(0)

Hi Brian or Ricardo, 


Where can I find the checkbox you've mentioned "After checking the box in the LDAPAuthProvider configuration screen to enable fallback authentication"?

Cheers, 

Gabriel


Dislike(0)
Like(1)
Dislike(0)
Like(1)

Hi Gabriel,


To get to that checkbox, first login to your OutSystems LifeTime environment, then select "Users & Roles" from the top of the page.  After that, select "Authentication", and it should bring up a screen allowing you to choose between the built-in OutSystems authentication provider and an external authentication provider. Make sure the "external authentication provider" radio button is selected, and select LDAPAuthProvider from the selection list. Look at the "Configure plugin in environment" drop down list and select the environment you want to work with, then click "Configure". You may then get prompted to login as the admin user for that environment, but you will probably just be sent straight to the "LDAP Authentication Configuration" page. On that page, where you specify the LDAP host/port and base DN, you should see the "Fallback to built-in authentication" checkbox.


Cheers!

-Brian

Dislike(0)
Like(1)
Dislike(0)
Like(1)
Login to reply
Company
Corporate Site
Contacts
Cookie Policy
Support
Technical Support
Community Forums
 OutSystems© All rights reserved. Custom built with (h) and (o)