50 Replies Latest reply on Nov 24, 2017 7:06 AM by milan.hulik

    Web Help Desk® 12.5.1 Hotfix 1

    rodegard

      Hi Twack Community.

       

I'm confused about 12.5.1 Hotfix 1. The release notes state the correction will prevent Techs from signing on via LDAP authentication. I ran the first script in the Hotfix and it identified all of our active Techs. Does this vulnerability mean I have to have all Techs use a separate password? Or does it mean I have to prevent clients from using LDAP? Asking clients to provide a password to use WHD will not be an acceptable solution for our company.

       

Any and all advice is welcome!!

       

      Thanks.

       

      Rick

        • Re: Web Help Desk® 12.5.1 Hotfix 1
          typhoon87

          I agree that the language in the description is confusing.

          • Re: Web Help Desk® 12.5.1 Hotfix 1
            mbelcik

            Would also like clarification on this.

            • Re: Web Help Desk® 12.5.1 Hotfix 1
              rodegard

In the SolarWinds Customer Portal, under Downloads, click on the What's New in this Hot Fix for details.

              1 of 1 people found this helpful
                • Re: Web Help Desk® 12.5.1 Hotfix 1
                  pabely

The way this was described to me by support was that in doing this routine (which only applies to LDAP-enabled Techs), should the LDAP server go down, the newly recorded password in the DB can be used as a fallback; it is correctly stored with an MD5 hash in the DB.

Thus your Techs can still log in without you having to manually change the LDAP-enabled setting per Tech in the TECH table. Previously we advised any Tech Admins not to use LDAP so they had a backdoor; with this change they can have an LDAP login as well.

                  2 of 2 people found this helpful
                    • Re: Web Help Desk® 12.5.1 Hotfix 1
                      johndcciu

If this is the case, why does the script clear the LDAP flag? Why not just generate a new local password, but leave the LDAP flag in place? This hotfix is very badly explained/documented. It says nothing official about "two or more LDAP connections" and there doesn't seem to be any reason to disable LDAP in the script if the issue is just to generate a new fallback password.

                       

                      Can someone official from SolarWinds weigh in on this?  And whoever does that should also tell whoever wrote the documentation for this HotFix to rewrite it to be complete and make some sense.

                        • Re: Web Help Desk® 12.5.1 Hotfix 1
                          milan.hulik

It clears it to get you ready for the upcoming release, where there will be no LDAP flag for techs (even if you have only 1 LDAP connection). So the best thing you can do now is to set a WHD password for all your techs, link all tech accounts with their respective client accounts, and have LDAP enabled for clients (where you use the full email address to log in to WHD).

                    • Re: Web Help Desk® 12.5.1 Hotfix 1
                      rodegard

I'm not sure, but it appears this may be an authentication issue with your MySQL database? The Tech table is core. I ran the SQL against our MS SQL table and it worked. I have to run the SQL using an ID that has access to the tables.

                      • Re: Web Help Desk® 12.5.1 Hotfix 1
                        milan.hulik

This HotFix is optional. The vulnerability exists only if you use 2 or more LDAP connections.

                         

The 1st script will return a list of all tech accounts that are vulnerable.

The 2nd script will then prevent affected Techs from logging in with their LDAP password, but will force all techs to use their WHD password to log in.

                         

You can then link the Tech account with the tech's Client account (create one if you do not have one for each tech); this will enable the tech to use his client account's LDAP credentials to connect to the Tech view.

                          • Re: Web Help Desk® 12.5.1 Hotfix 1
                            ddevore9

Quick question: currently all of my tech accounts are linked to client accounts. On my own tech account I removed the LDAP authentication and set a password manually. I verified there is a client account associated with my account, but now I can't log in using my LDAP password. I have not applied this patch yet; will the patch correct this? If so, since all of my techs are linked to their client accounts, will our guys need to change anything if I don't want them to have the local non-LDAP password?

                              • Re: Web Help Desk® 12.5.1 Hotfix 1
                                mbelcik

I'm able to confirm this as well. I am unable to log in with the client account via LDAP after disabling LDAP on my tech account.

                                  • Re: Web Help Desk® 12.5.1 Hotfix 1
                                    milan.hulik

Are you guys using the full email address as a username? You need to log in with the client account and, once you are logged in, switch to the tech account by clicking the blue icon in the top right corner.

                                      • Re: Web Help Desk® 12.5.1 Hotfix 1
                                        johndcciu

                                        Yes, I can confirm the same issue:

• Logged into my Tech (Admin) account with username "JohnD"
• Unchecked LDAP on my Tech account
• Set a password (different from my LDAP password) for my Tech account
• Confirmed that my Tech account was linked to my LDAP Client account
• Logged out
• Attempted to log in as "JohnD@mydomain.org" with my LDAP password. Login failed with an "invalid user name or password" message.
• Still able to log in to my Tech account with the new manually-set non-LDAP password.

                                         

                                        Note that all of my users have always logged in with their plain username (the part before the "@" in their email address), not their full email address.  That's the way it has been since we set up WHD, which has always been linked/synced to our Active Directory.

                                          • Re: Web Help Desk® 12.5.1 Hotfix 1
                                            ddevore9

This is exactly what we are seeing.

                                             

How is making our technicians log in with a non-LDAP password, or as a client and then switching every time, more secure? Pretty much every other service we use manages to work securely using LDAP connections. This leaves more passwords to manage and depends on the users picking a secure password and changing it on a regular basis.

                                             

                                            Having the techs login as a client then switch is really a very cheesy approach.

                                              • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                mbelcik

Agreed. This is completely unacceptable. LDAP authentication for techs is a necessity in our implementation. I can't believe such a core feature would be removed.

                                                • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                  milan.hulik

Dennis, WHD remembers what view (tech or client) you logged out from. If you log out from the tech view and then use your client account's LDAP credentials, you'll be automatically logged in to your tech view.

                                                   

I am not going to explain how to reproduce the vulnerability (I don't want to give advice to malicious users). If you want to know more about the vulnerability, send me a private message with your availability and I'll give you a call.

                                                • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                  milan.hulik

                                                  Hi John,

So you use User Name as the client login attribute. I assumed that you use email, as that is the default setting.

So when you link the tech and client account:

1. Log in using your client user name and the client's LDAP password (the HF is not touching client LDAP functionality, so your clients should be able to log in as usual).
2. When you're logged in, switch to your tech account.
3. Log out.
4. Log in again using your client's credentials.
5. You should end up in the tech view for the tech account (WHD remembers what view you logged out from).

                                                   

Let me know if that worked.

                                                  Milan

                                                    • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                      ddevore9

I really do appreciate that you're following up with our questions; if the product will use our client LDAP passwords and remember the tech view, we will be good to go.

                                                       

I am on 12.5.1 without the hotfix; if applying the hotfix will fix the logins for linked tech accounts, I can apply it this weekend. I just really don't want to come in Monday to a bunch of grumpy techs that can't get to their workloads.

                                                        • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                          milan.hulik

                                                          ddevore9, johndcciu

We'll retest it to make sure that the HF works in the scenario where clients use User Name as the primary login attribute.

If engineering is not able to reproduce this issue, I'll have to ask you to open a support ticket.

If engineering is able to reproduce the issue, we'll ship HotFix2.

                                                          Stay tuned.

                                                            • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                              milan.hulik

                                                              ddevore9, johndcciu,

                                                               

We cannot reproduce this issue internally. Even with the client login attribute set to username, everything works fine after applying the HotFix.

If you have issues and cannot connect to your Client accounts using LDAP credentials, please open a support ticket with SolarWinds and our support team will be more than happy to help you.

                                                               

                                                              Milan

                                                                • Re: Web Help Desk® 12.5.1 Hotfix 1
                                                                  johndcciu

Just coincidentally, we were thinking about switching to Email Address authentication instead of User Name anyway, because we originally matched WHD to our old email system that used User Name, but now we're on O365, which uses Email Address.

                                                                   

So I did a test and changed WHD over to Email Address authentication and suddenly the whole thing works: I can log in with my LDAP Email Address and my LDAP password and switch between Client and Tech accounts, and it remembers which mode I left it in. I switched back to User Name (until I can prepare my users for the change) and the bug came back: I can't log in with my User Name and my LDAP password; I have to use the manual WHD Tech password.

                                                                   

So that seems to confirm that there's a bug with User Name authentication and the new Client-linked Tech login, but I'll leave it to those that want to stick with User Name to work with Support to track down the issue.