docs(auth): update LDAP config description with admin account security warning

adamoutler · adamoutler · commit 363b6384cac1 · 2026-04-21T12:11:35.000-04:00
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -67,6 +67,21 @@ services:
       GRAPHQL_PORT: ${GRAPHQL_PORT:-20212}                      # GraphQL API port
       ALWAYS_FRESH_INSTALL: ${ALWAYS_FRESH_INSTALL:-false}      # Set to true to reset your config and database on each container start
       NETALERTX_DEBUG: ${NETALERTX_DEBUG:-0}                    # 0=kill all services and restart if any dies. 1 keeps running dead services.
+      # LDAP Authentication Variables
+      LDAP_ENABLED: ${LDAP_ENABLED:-}
+      LDAP_SERVER: ${LDAP_SERVER:-}                             # LDAP server hostname or IP
+      LDAP_PORT: ${LDAP_PORT:-389}
+      LDAP_USE_SSL: ${LDAP_USE_SSL:-false}
+      LDAP_USE_START_TLS: ${LDAP_USE_START_TLS:-false}
+      LDAP_TLS_VERIFY_CERT: ${LDAP_TLS_VERIFY_CERT:-true}
+      LDAP_CA_CERT_PATH: ${LDAP_CA_CERT_PATH:-}
+      LDAP_DISABLE_LOCAL_ADMIN: ${LDAP_DISABLE_LOCAL_ADMIN:-false}
+      LDAP_DIRECT_BIND_FORMAT: ${LDAP_DIRECT_BIND_FORMAT:-}
+      LDAP_BIND_DN: ${LDAP_BIND_DN:-}
+      LDAP_BIND_PASSWORD: ${LDAP_BIND_PASSWORD:-}               # Service account password for LDAP
+      LDAP_BASE_DN: ${LDAP_BASE_DN:-}
+      LDAP_USER_FILTER: ${LDAP_USER_FILTER:-(uid={username})}
+      LDAP_USERNAME_ATTRIBUTE: ${LDAP_USERNAME_ATTRIBUTE:-uid}
 
     # Resource limits to prevent resource exhaustion
     mem_limit: 2048m            # Maximum memory usage
diff --git a/front/php/templates/security.php b/front/php/templates/security.php
@@ -26,12 +26,9 @@ function getConfigLine($pattern, $config_lines) {
     return !empty($matches) ? explode("=", array_values($matches)[0]) : null;
 }
 
-function getConfigValue($pattern, $config_lines) {
+function getConfigValue($pattern, $config_lines, $delimiter = "'") {
     $line = preg_grep($pattern, $config_lines);
-    if (empty($line)) return '';
-    $val = explode('=', array_values($line)[0], 2);
-    if (!isset($val[1])) return '';
-    return trim(trim($val[1]), "\"'");
+    return !empty($line) ? explode($delimiter, array_values($line)[0])[1] : '';
 }
 
 function redirect($url) {
@@ -96,7 +93,7 @@ function redirect($url) {
     $nax_WebProtection = 'true';
 }
 $nax_Password = getConfigValue('/^SETPWD_password\s*=/', $configLines);
-$api_token = getConfigValue('/^API_TOKEN\s*=/', $configLines);
+$api_token = getConfigValue('/^API_TOKEN\s*=/', $configLines, "'");
 if (empty($api_token)) {
     $api_token = getenv('API_TOKEN') ?: '';
 }
diff --git a/front/plugins/auth_ldap/config.json b/front/plugins/auth_ldap/config.json
@@ -202,7 +202,7 @@
       "description": [
         {
           "language_code": "en_us",
-          "string": "Upgrade a plain-text LDAP connection to TLS using the STARTTLS command. Typically used with port 389. Mutually exclusive with LDAPS.<br><br><b>Recommended: set to true (or use LDAP_USE_SSL=true with port 636) before production.</b>"
+          "string": "Upgrade a plain-text LDAP connection to TLS using the STARTTLS command.  Typically used with port 389.  Mutually exclusive with LDAPS."
         }
       ]
     },
@@ -304,7 +304,7 @@
       "description": [
         {
           "language_code": "en_us",
-          "string": "When enabled, local admin login is completely disabled — only LDAP users can authenticate. <b>Recommended</b> for strict LDAP enforcement. <br><br><span style='color: #cc0000;'>Warning: If disabled (default), a compromised or unreachable LDAP server may allow attackers to fall back to the local password. However, enabling this risks lockout if the LDAP server goes down.</span>"
+          "string": "When enabled, local admin login is completely disabled — only LDAP users can authenticate. <b>Recommended</b> for strict LDAP enforcement. <br><br><span style='color: #cc0000;'>Warning: If disabled (default), the local admin account with username \"admin\" (default password \"123456\", configurable via \"Set Password->SETPWD_password\") remains active and accessible via the LDAP login form. This can be used as a fallback during LDAP setup, but it also creates a significant security risk if the default password is not changed or if a compromised/unreachable LDAP server allows attackers to fall back to this local account. Enabling this feature overrides the `SETPWD_enable_password` setting.</span>"
         }
       ]
     },
diff --git a/server/api_server/api_server_start.py b/server/api_server/api_server_start.py
@@ -1991,16 +1991,15 @@ def _get_client_ip():
 def api_auth_login(payload=None):
     """Authenticate a user and return provider + username on success."""
     data = payload
-    # For internal admin, there is no username on the login page, so we default to 'admin'
-    username = data.username if data and data.username else "admin"
+    username = data.username if data else ""
     password = data.password if data else ""
     client_ip = _get_client_ip()
 
-    if not password:
+    if not username or not password:
         return jsonify({
             "success": False,
             "message": "Missing credentials",
-            "error": "password is required",
+            "error": "username and password are required",
         }), 400
 
     # Rate limiting check (thread-safe)
@@ -2018,6 +2017,7 @@ def api_auth_login(payload=None):
             attempts, last_attempt = FAILED_LOGINS[client_ip]
             if attempts >= max_attempts:
                 if now - last_attempt < lockout_time:
+                    from auth.ldap_provider import _sanitize_for_log
                     write_notification(
                         f"[auth] Rate limit exceeded for IP {client_ip} trying to log in as '{_sanitize_for_log(username)}'",
                         "alert",
diff --git a/server/auth/manager.py b/server/auth/manager.py
@@ -52,9 +52,10 @@ def authenticate(self, username: str, password: str) -> AuthResult:
                 # If the user doesn't exist in LDAP, we can fallback to local auth
                 if ldap_result.error == LdapProvider.USER_NOT_FOUND:
                     if not disable_local:
-                        # Fallback decision is delegated to the LocalProvider policy
-                        if not LocalProvider.is_fallback_allowed(username):
-                            mylog("verbose", [f"[auth.manager] Local fallback denied for non-recovery user '{_sanitize_for_log(username)}'"])
+                        # Only the built-in local admin is a recovery account;
+                        # all other identities must exist in LDAP.
+                        if username != "admin":
+                            mylog("verbose", [f"[auth.manager] Local fallback denied for non-admin user '{_sanitize_for_log(username)}'"])
                             return ldap_result
                         mylog("warning", ["[auth.manager] User not found in LDAP, falling back to local provider"])
                         local_result = LocalProvider().authenticate(username, password)

Original file line number	Diff line number	Diff line change
`@@ -26,12 +26,9 @@ function getConfigLine($pattern, $config_lines) {`
`26`	`26`	`return !empty($matches) ? explode("=", array_values($matches)[0]) : null;`
`27`	`27`	`}`
`28`	`28`
`29`		`-function getConfigValue($pattern, $config_lines) {`
	`29`	`+function getConfigValue($pattern, $config_lines, $delimiter = "'") {`
`30`	`30`	`$line = preg_grep($pattern, $config_lines);`
`31`		`- if (empty($line)) return '';`
`32`		`- $val = explode('=', array_values($line)[0], 2);`
`33`		`- if (!isset($val[1])) return '';`
`34`		`- return trim(trim($val[1]), "\"'");`
	`31`	`+ return !empty($line) ? explode($delimiter, array_values($line)[0])[1] : '';`
`35`	`32`	`}`
`36`	`33`
`37`	`34`	`function redirect($url) {`
`@@ -96,7 +93,7 @@ function redirect($url) {`
`96`	`93`	`$nax_WebProtection = 'true';`
`97`	`94`	`}`
`98`	`95`	`$nax_Password = getConfigValue('/^SETPWD_password\s*=/', $configLines);`
`99`		`-$api_token = getConfigValue('/^API_TOKEN\s*=/', $configLines);`
	`96`	`+$api_token = getConfigValue('/^API_TOKEN\s*=/', $configLines, "'");`
`100`	`97`	`if (empty($api_token)) {`
`101`	`98`	`$api_token = getenv('API_TOKEN') ?: '';`
`102`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@`
`202`	`202`	`"description": [`
`203`	`203`	`{`
`204`	`204`	`"language_code": "en_us",`
`205`		`- "string": "Upgrade a plain-text LDAP connection to TLS using the STARTTLS command. Typically used with port 389. Mutually exclusive with LDAPS.<br><br><b>Recommended: set to true (or use LDAP_USE_SSL=true with port 636) before production.</b>"`
	`205`	`+ "string": "Upgrade a plain-text LDAP connection to TLS using the STARTTLS command. Typically used with port 389. Mutually exclusive with LDAPS."`
`206`	`206`	`}`
`207`	`207`	`]`
`208`	`208`	`},`
`@@ -304,7 +304,7 @@`
`304`	`304`	`"description": [`
`305`	`305`	`{`
`306`	`306`	`"language_code": "en_us",`
`307`		`- "string": "When enabled, local admin login is completely disabled — only LDAP users can authenticate. <b>Recommended</b> for strict LDAP enforcement. <br><br><span style='color: #cc0000;'>Warning: If disabled (default), a compromised or unreachable LDAP server may allow attackers to fall back to the local password. However, enabling this risks lockout if the LDAP server goes down.</span>"`
	`307`	+ "string": "When enabled, local admin login is completely disabled — only LDAP users can authenticate. <b>Recommended</b> for strict LDAP enforcement. <br><br><span style='color: #cc0000;'>Warning: If disabled (default), the local admin account with username \"admin\" (default password \"123456\", configurable via \"Set Password->SETPWD_password\") remains active and accessible via the LDAP login form. This can be used as a fallback during LDAP setup, but it also creates a significant security risk if the default password is not changed or if a compromised/unreachable LDAP server allows attackers to fall back to this local account. Enabling this feature overrides the `SETPWD_enable_password` setting.</span>"
`308`	`308`	`}`
`309`	`309`	`]`
`310`	`310`	`},`