[GH-ISSUE #583] lldap_admin users cannot modify passwords for other users unless they are also in the lldap_admin #211

Closed
opened 2026-02-27 08:15:54 +03:00 by kerem · 1 comment

Originally created by @ksladowski on GitHub (May 16, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/583

Here are logs from when I tried to change the password of user2 when logged in as myself. My user was a member of lldap_admin and lldap_password_manager. User2 was just a member of lldap_password_manager.

I get a 401 denied error here, but if I make user2 an admin, I can then change user2's password from my account.

```
2023-05-16T01:28:11.473007648+00:00  INFO     HTTP request [ 255µs | 15.86% / 100.00% ]
2023-05-16T01:28:11.473011596+00:00  INFO     ┝━ i [info]:  | uri: /auth/opaque/register/start
2023-05-16T01:28:11.473041342+00:00  DEBUG    ┝━ opaque_register_start [ 214µs | 11.21% / 84.14% ]
2023-05-16T01:28:11.473043200+00:00  DEBUG    │  ┝━ check_if_token_is_valid [ 16.6µs | 6.51% ]
2023-05-16T01:28:11.473059613+00:00  DEBUG    │  │  ┕━ 🐛 [debug]:  | return: ValidationResults { user: UserId("kevin"), permission: Regular }
2023-05-16T01:28:11.473077646+00:00  DEBUG    │  ┕━ get_user_groups [ 169µs | 66.42% ]
2023-05-16T01:28:11.473079447+00:00  DEBUG    │     ┝━ 🐛 [debug]:  | user_id: UserId("user2")
2023-05-16T01:28:11.473709090+00:00  DEBUG    │     ┕━ 🐛 [debug]:  | return: {GroupDetails { group_id: GroupId(2), display_name: "lldap_password_manager", creation_date: 2023-05-14T18:26:07.656991, uuid: Uuid("a22d977f-fc9e-3541-8f2c-6eae3eb6a319") }, GroupDetails { group_id: GroupId(4), display_name: "jellyfin", creation_date: 2023-05-15T22:18:53.055041, uuid: Uuid("e1f8d9b8-b711-3f1a-b34b-dfa5e7238f94") }}
2023-05-16T01:28:11.473726538+00:00  INFO     ┕━ i [info]:  | status_code: 401
```
kerem 2026-02-27 08:15:54 +03:00 · closed this issue · added the invalid label

@nitnelave commented on GitHub (May 16, 2023):

I see a non-admin user `user: UserId("kevin"), permission: Regular` trying to change another user's password `user_id: UserId("user2")`, which is not allowed.

Maybe the current user was added to the admin group while still logged in and the permissions were not refreshed?

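The "permissions were not refreshed" explanation above is easy to reproduce in a small model. The following Rust example is added here as an illustration and is not lldap's own code: it assumes (hypothetically, modelled on the `ValidationResults { user, permission }` shape in the log) that the caller's permission level is snapshotted into the session token at login, and it assumes a simplified authorization rule (`Admin` may reset anyone, `PasswordManager` may reset non-admins, `Regular` only themselves). The group names `lldap_admin` and `lldap_password_manager` and the users `kevin` and `user2` come from the report; the `Directory`, `issue_token` and `may_change_password` helpers are constructed for the example.

```rust
// Added example (not lldap's code): a permission captured in a session token at
// login lags behind later group changes, so a user who is now in lldap_admin can
// still present a token that says `permission: Regular`, as in the reported log.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Permission {
    Regular,
    PasswordManager,
    Admin,
}

/// Shape of the `ValidationResults` line in the log: what the server learned
/// from the caller's token, not what the directory says right now.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ValidationResults {
    pub user: String,
    pub permission: Permission,
}

/// Assumed rule: the permission level is derived from group membership.
pub fn permission_from_groups(groups: &HashSet<String>) -> Permission {
    if groups.contains("lldap_admin") {
        Permission::Admin
    } else if groups.contains("lldap_password_manager") {
        Permission::PasswordManager
    } else {
        Permission::Regular
    }
}

/// Hypothetical directory state: user -> set of group names.
#[derive(Default)]
pub struct Directory {
    pub groups: HashMap<String, HashSet<String>>,
}

impl Directory {
    pub fn new() -> Self {
        Directory::default()
    }

    pub fn add_to_group(&mut self, user: &str, group: &str) {
        self.groups
            .entry(user.to_string())
            .or_default()
            .insert(group.to_string());
    }

    /// Simulates login: the permission is baked into the token at this moment
    /// and is not re-read from the directory on later requests.
    pub fn issue_token(&self, user: &str) -> ValidationResults {
        let empty = HashSet::new();
        let groups = self.groups.get(user).unwrap_or(&empty);
        ValidationResults {
            user: user.to_string(),
            permission: permission_from_groups(groups),
        }
    }

    pub fn is_admin(&self, user: &str) -> bool {
        self.groups
            .get(user)
            .map_or(false, |g| g.contains("lldap_admin"))
    }
}

/// Assumed authorization rule (constructed for the example): admins may reset
/// anyone, password managers may reset non-admins, everyone may reset themselves.
pub fn may_change_password(caller: &ValidationResults, target: &str, dir: &Directory) -> bool {
    if caller.user == target {
        return true;
    }
    match caller.permission {
        Permission::Admin => true,
        Permission::PasswordManager => !dir.is_admin(target),
        Permission::Regular => false,
    }
}

/// Replays the report: kevin logs in before being granted anything, is then
/// added to both groups, and tries to reset user2 first with the old token and
/// then with a token obtained by logging in again.
pub fn stale_token_scenario() -> (bool, bool) {
    let mut dir = Directory::new();
    dir.add_to_group("user2", "lldap_password_manager");
    let old_token = dir.issue_token("kevin"); // permission: Regular
    dir.add_to_group("kevin", "lldap_admin");
    dir.add_to_group("kevin", "lldap_password_manager");
    let with_old = may_change_password(&old_token, "user2", &dir);
    let fresh_token = dir.issue_token("kevin"); // permission: Admin
    let with_fresh = may_change_password(&fresh_token, "user2", &dir);
    (with_old, with_fresh)
}

fn main() {
    let (stale, fresh) = stale_token_scenario();
    println!("old token allowed: {stale}, after re-login allowed: {fresh}");
}
```

The stale token is denied (the 401 in the log) while a token issued after the group change is accepted, which is why logging out and back in is the first thing to check when a freshly granted role does not seem to apply.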