Opened 14 years ago

Closed 14 years ago

Last modified 14 years ago

#573 closed task (fixed)

Grant access to QGIS VM

Reported by: wildintellect
Owned by: warmerdam
Priority: major
Milestone:
Component: SysAdmin
Keywords: infrastructure migration
Cc: macho, timlinux, gsherman, jef, dassau

Description

QGIS admin team needs access to their new Virtual Machine, qgis.osgeo.osuosl.org. OSGeo IDs: macho, timlinux, gsherman, jef, dassau

Does this need to be configured in LDAP somehow?

Marked as major since this is significant in moving services off of osgeo2

Change History (6)

comment:1 by warmerdam, 14 years ago

Cc: macho timlinux gsherman jef dassau added
Owner: changed from sac@… to warmerdam

I'll take a crack at this.

I see that qgis.osgeo.osuosl.org already supports LDAP logins using the sac shell group based on the config in /etc/ldap/ldap.conf. Those with sudo access are explicitly listed in /etc/group.

I could alter this so that anyone in the qgis commit group can log in and the above listed users have sudo. Does that do the trick? I'd hate to have to create a new LDAP group just for qgis-admin's but I could also do that if needed.

Alternatively, we could disable ldap logins, and let qgis folks create local accounts on the VM to meet their needs.

As a first step, I have added the listed IDs to the sudo list in /etc/group.

comment:2 by warmerdam, 14 years ago

Resolution: fixed
Status: new → closed

Based on discussion in #qgis, I'm setting it up to use the qgis commit group for logins.

The change is in place (in /etc/ldap/ldap.conf).

As noted, the listed admins are also now in the sudoers group in /etc/group.

Closing ticket - it seems to work.

comment:3 by warmerdam, 14 years ago

Resolution: fixed
Status: closed → reopened

Reopening, it isn't working right...

comment:4 by warmerdam, 14 years ago

OK, now I seem to have hosed the VM.

After a reboot it is no longer accessible, though several previous reboots were fine. It may be due to changes I made in /etc/pam.d/common-auth.

Grr. I sought assistance on #osuosl, but none was immediately forthcoming. I think I'm going to call it a day and try again tomorrow.

comment:5 by warmerdam, 14 years ago

Resolution: fixed
Status: reopened → closed

OK, I have fiddled around a bunch based on various slightly related reports on the net, and now I seem to have the desired behavior. The key change appears to have been adding a pam_env entry in /etc/pam.d/common-auth so it now looks like this:

auth    required        pam_env.so
auth    required        pam_ldap.so
#auth   sufficient      pam_unix.so nullok_secure use_first_pass

This appears to ensure that the pam_groupdn line in /etc/ldap/ldap.conf actually has an effect though I don't understand it at all well.

Those already in the qgis shell group can now visit this url to add more people:

https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=qgis
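
A check that can be run against the files named in this comment before rebooting, added here as an example and not part of the ticket or of OSGeo's setup: it parses an auth stack and the pam_ldap settings and flags conditions that lock out local accounts or leave LDAP logins unrestricted. The ldap.conf value and the finding names are constructed for illustration.

```python
import re

# Constructed inputs: the PAM lines mirror the comment above; the ldap.conf
# value is a placeholder, not the real OSGeo setting.
COMMON_AUTH = """\
auth    required        pam_env.so
auth    required        pam_ldap.so
#auth   sufficient      pam_unix.so nullok_secure use_first_pass
"""
LDAP_CONF = """\
pam_groupdn cn=example-shell,ou=groups,dc=example,dc=org
"""
# type, control (keyword or [bracketed] form), module, optional arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return active (type, control, module, args) entries, skipping comments."""
    entries = []
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            ptype, control, module, args = m.groups()
            entries.append((ptype, control, module, args.split()))
    return entries

def parse_ldap_conf(text):
    """Return lower-cased keyword -> value for each active ldap.conf line."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(pam_text, ldap_text):
    """Return finding codes (hypothetical names) for an auth stack + ldap.conf."""
    auth = [e for e in parse_pam(pam_text) if e[0] == "auth"]
    modules = [module for _, _, module, _ in auth]
    findings = []
    if "pam_ldap.so" in modules and "pam_unix.so" not in modules:
        # Local-only accounts (root included) cannot pass this stack by password.
        findings.append("no-local-fallback")
    if not parse_ldap_conf(ldap_text).get("pam_groupdn"):
        # pam_ldap applies no group membership restriction.
        findings.append("no-group-restriction")
    for _, _, module, args in auth:
        if module == "pam_unix.so" and any(a.startswith("nullok") for a in args):
            # nullok / nullok_secure let accounts with empty passwords log in.
            findings.append("empty-passwords-allowed")
    return findings
```

For the stack as posted, `audit(COMMON_AUTH, LDAP_CONF)` reports only the missing local fallback, which is worth confirming through a console or a second open root session before the next reboot.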

comment:6 by warmerdam, 14 years ago

Note, on further review it is actually the /etc/nsswitch.conf file that needed changing as documented in #578.
