2FA Setup with Domain-Users #349

Open
Speed7811 opened this issue Aug 4, 2022 · 1 comment
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@Speed7811

Dear all,

Our Nextcloud is attached to our Windows Domain and the users will be created automatically. I read some issues here about the first setup/first login of 2FA-Email and I had the same problems as, e.g., in issue #83.

I know and understand that this app is limited and does not really implement this feature, but maybe somebody can give me a workaround.

My goal:

I want to enforce 2FA-Mail OR I want to check that every user has 2FA activated (both can be done by a script from my side, e.g. Bash, SQL, PHP, etc.)

  1. Possible solution: If I enforce 2FA, nobody can log in because 2FA is not enabled and set up by any user. How can I, as admin, set up 2FA (maybe directly in the database, and so on) in the background for each user?
  2. Possible solution: If I do not enforce 2FA, I want to check (e.g. every hour) that every user has 2FA enabled. How can I do this?

Does anybody have a tip for me on where to find this information?

Best regards

Rainer

@nursoda
Owner

nursoda commented Aug 23, 2022

Sorry that I did not react yet. If you want to implement a feature, I'm happy to discuss with you how. If you want to work around it, your "possible solution 1" (to enforce 2FA) is the way intended by Nextcloud. #83 will solve that. Unfortunately, the PR is stalled.

Concerning your "possible solution 2", were you looking for the user and 2FA occ commands?

occ user:list
occ user:setting <USER>
occ twofactorauth:state <USER>

I also checked on my instances which 2FA is activated for which users, using this script:

# For each user, print the state line and the enabled providers only
for u in $(php occ user:list | sed 's/^  - \(.*\):.*$/\1/')
do
    php occ twofactorauth:state "$u" | perl -p0e 's/Disabled providers:\n(- [^\n]*\n)+//se' | perl -p0e 's/\nEnabled providers:\n//se' | sed '/not enabled/d' | sed '/^$/d'
done

And another script to check who hasn't (should probably be optimized since it seems to do nothing for a long time if you have many users):

# Print the IDs of users for whom 2FA is not enabled
php occ user:list | sed -E 's/^  - ([^:]*):.*$/\1/' | while read -r i; do php occ twofactorauth:state "$i"; done | grep "is not ena" | sed -E 's/^.* user (.*)$/\1/'

Apart from the workarounds, I rethink that there are use cases that should be implemented, like "IF email is present for every user, allow admin to enforce twofactor_email independently of user settings (and forcing the admin-provided email address to be used)". This MIGHT be a separate app though…or a SERVER PR.

@nursoda nursoda added enhancement New feature or request help wanted Extra attention is needed labels Nov 6, 2023
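
Added example, not part of the original thread or the project's code: a POSIX shell audit for "possible solution 2" that prints one line per user as each is checked and returns non-zero when any user has no enabled provider or lacks a required one. It assumes the `occ` output shape that the scripts above parse; the `OCC` variable, the function names and the status labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the occ output shape the
# scripts above rely on: "  - uid: Name" and "Enabled providers:" / "- id".
OCC=${OCC:-"php occ"}   # assumption: how occ is invoked on your host

# User IDs from `occ user:list`.
list_uids() {
    $OCC user:list | sed -n -E 's/^[[:space:]]*- ([^:]*):.*$/\1/p'
}

# stdin: output of `occ twofactorauth:state <uid>`; stdout: enabled provider ids.
enabled_providers() {
    awk '/^Enabled providers:/  { en = 1; next }
         /^Disabled providers:/ { en = 0; next }
         en && /^- /            { print substr($0, 3) }'
}

# audit_2fa [required_provider_id]
# Prints "uid<TAB>state<TAB>providers" per user as each is checked.
# Returns 0 if all users pass, 1 if any fails, 2 if no users were listed.
audit_2fa() {
    required=${1:-}
    rc=0
    uids=$(list_uids)
    [ -n "$uids" ] || return 2   # occ failed or printed nothing: never report success
    while IFS= read -r uid; do
        # </dev/null keeps occ from consuming the loop's input
        providers=$($OCC twofactorauth:state "$uid" </dev/null |
                    enabled_providers | paste -sd, -)
        state=OK
        if [ -z "$providers" ]; then
            state=NO_2FA
        elif [ -n "$required" ]; then
            case ",$providers," in
                *",$required,"*) ;;
                *) state=MISSING_REQUIRED ;;
            esac
        fi
        [ "$state" = OK ] || rc=1
        printf '%s\t%s\t%s\n' "$uid" "$state" "${providers:--}"
    done <<EOF
$uids
EOF
    return $rc
}
```

Append a call to `audit_2fa` (optionally with a provider id as shown by `occ twofactorauth:state` on your instance) and run the script hourly from cron as the web server user. A non-zero exit status means at least one user failed the check or the user list could not be read.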