Opened 9 years ago

Last modified 4 months ago

#1668 new task

Provide instructions to block LDAP users

Reported by: strk
Owned by: sac@…
Priority: normal
Milestone:
Component: SysAdmin/LDAP
Keywords:
Cc:

Description

There are thousands of fake OSGeo users just waiting to start spam storms; it is useful, as soon as they become active (or are otherwise found spammy), to quickly put those accounts on hold/block. As I couldn't find information about doing that in https://wiki.osgeo.org/wiki/SAC:LDAP, this ticket is to provide such info.

I know Martin and Alex recently both did some disabling, it would be useful to make more SAC members capable of doing so.

Another option would be to make the blacklist service-specific, but I personally hadn't found a way to do that for Trac, for example.

Attachments (1)

regBydata.png (6.0 KB ) - added by wildintellect 9 years ago.

Change History (4)

by wildintellect, 9 years ago

Attachment: regBydata.png added

comment:1 by wildintellect, 9 years ago

I managed to dump what I think is the last month's worth of user registrations, with creation times. IP is not a stored attribute from what I can see. There does seem to be a spike in the last few days, and I can easily make a list of the accounts (though no way to tell which are spam accounts). See attached plot of the trend over time (will share R code later if people want it).

ldapsearch -H ldaps://ldap.osgeo.org/ -b dc=osgeo,dc=org -x "(&(createTimestamp>=20160401100000Z))" + > osgeoldapsince040116.ldif

comment:2 by strk, 9 years ago

I've added your query to the example queries at https://wiki.osgeo.org/wiki/SAC:LDAP (and restructured that page a little bit).

Now I think we need to add, in that page, a command line to disable (or drop) those accounts. Maybe by moving them from osgeo.org dc to something else like "spammers" organization?

comment:3 by strk, 4 months ago

Component: SysAdmin → SysAdmin/LDAP

For the record: dropping an account is now supported by a script and is documented in https://wiki.osgeo.org/wiki/SAC:LDAP#Command_line_interface

Only thing left is _BLOCKING_ an account. That is, keep the name "taken" while not allowing that user to authenticate. It may be as simple as setting an unguessable password, but I'm not an expert. On Unix systems you'd use an impossible password to lock (what passwd -l does).
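One way to do the blocking described in comment 3, as an added example that is not part of the ticket or of OSGeo's scripts: it builds an LDIF for ldapmodify that replaces userPassword with the {SSHA} hash of a random secret that is never stored, so the entry (and the name) stays but no password can match. It assumes a server that accepts pre-hashed {SSHA} values in userPassword (OpenLDAP does); the sample DNs and the ou=People branch are constructed.

```python
import base64
import hashlib
import re
import secrets

# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, not starting with space, ':' or '<'.
# Anything else (and any value ending in a space) must be base64-encoded.
_SAFE = re.compile(
    r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_line(attr, value):
    """Return 'attr: value', or 'attr:: <base64>' when LDIF requires encoding."""
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def unusable_ssha():
    """{SSHA} hash of 32 random bytes. The secret is discarded, so nobody,
    admins included, holds a password that verifies against this value."""
    secret, salt = secrets.token_bytes(32), secrets.token_bytes(8)
    digest = hashlib.sha1(secret + salt).digest()  # SSHA = b64(sha1(pw+salt)+salt)
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def block_ldif(dns):
    """Build ldapmodify change records: one userPassword replace per DN,
    each with its own random hash."""
    records = []
    for dn in dns:
        records.append("\n".join([
            ldif_line("dn", dn),
            "changetype: modify",
            "replace: userPassword",
            ldif_line("userPassword", unusable_ssha()),
            "-",
        ]))
    return "\n\n".join(records) + "\n"


# Constructed sample DNs (not real accounts); ou=People is an assumption.
SAMPLE_DNS = [
    "uid=spam_example1,ou=People,dc=osgeo,dc=org",
    "uid=sp\u00e4mmer,ou=People,dc=osgeo,dc=org",  # non-ASCII: dn must be base64
]

if __name__ == "__main__":
    print(block_ldif(SAMPLE_DNS), end="")
```

The output can be reviewed and then fed to `ldapmodify -H ldaps://ldap.osgeo.org/ -x -D <admin DN> -W`. This only stops password binds: sessions already open in a service are unaffected, and a self-service password reset, if one exists, would undo the block.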
