Opened 8 years ago

Last modified 5 months ago

#1786 new task

ldap_shell.py does not let revoking shell access

Reported by: strk
Owned by: sac@…
Priority: normal
Milestone: Sysadmin Contract 2024-I
Component: SysAdmin/LDAP
Keywords: ldap
Cc:

Description

I noticed that ldap_shell.py allows granting shell access (posixAccount) but doesn't allow *dropping* it.

All you can drop is the membership in the "telascience" group, but shell access remains. I had to completely delete my test account to remove shell access.

NOTE: this was also true before unification of ldap_shell.py and ldap_group.py (see #1785)

Change History (9)

comment:1 by strk, 2 years ago

I just removed the https://id.osgeo.org/ldap/search?query=h4ck3rm1k3 user from the "shell" group after waiting 1.5 months for an email reply from the email associated with that account. It should be verified if the LDAP account still has access to shell (i.e. is part of the "posixAccount" group), as this ticket suggests it would still be...

comment:2 by strk, 2 years ago

I confirm the h4ck4rm1k3 account still has the posixAccount objectClass in its LDAP record. This should be fixed in the shell script.

comment:3 by strk, 2 years ago

I stubbed a shell script to revoke shell access, should be improved: https://git.osgeo.org/gitea/sac/web-tools/commit/395432516d5b045b5f760de42340cb385f55ec74
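The gap this ticket describes (shell group membership removed, posixAccount left on the entry) can be audited and turned into an LDIF change as in the following added example, which is not the ldap_shell.py or web-tools code. The DNs, the entry layout and the list of shell-group uids are constructed assumptions; the attribute list follows the RFC 2307 posixAccount schema.

```python
"""Added example; not the OSGeo ldap_shell.py. Sample entries are constructed."""

# Attributes that only posixAccount (RFC 2307) permits. Assumption: cn, uid,
# userPassword and description stay legal via the entry's other object classes.
POSIX_ONLY_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos")


def has_posix(entry):
    return any(v.lower() == "posixaccount" for v in entry.get("objectClass", []))


def revoke_shell_ldif(dn, entry):
    """LDIF modify record that drops posixAccount; '' if there is nothing to do."""
    if not has_posix(entry):
        return ""
    stored = next(v for v in entry["objectClass"] if v.lower() == "posixaccount")
    lines = [f"dn: {dn}", "changetype: modify",
             "delete: objectClass", f"objectClass: {stored}", "-"]
    names = {k.lower(): k for k in entry}
    # The class cannot be removed while attributes only it allows remain.
    for attr in POSIX_ONLY_ATTRS:
        if attr.lower() in names:
            lines += [f"delete: {names[attr.lower()]}", "-"]
    return "\n".join(lines) + "\n"


def stale_shell_accounts(entries, shell_uids):
    """DNs no longer in the shell group that still carry posixAccount."""
    allowed = {u.lower() for u in shell_uids}
    return sorted(dn for dn, e in entries.items()
                  if has_posix(e) and e.get("uid", [""])[0].lower() not in allowed)


SAMPLE = {  # constructed entries, ASCII DNs assumed
    "uid=alice,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"],
        "uidNumber": ["10001"], "gidNumber": ["10001"],
        "homeDirectory": ["/home/alice"], "loginShell": ["/bin/bash"]},
    "uid=bob,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"],
        "uidNumber": ["10002"], "gidNumber": ["10002"],
        "homeDirectory": ["/home/bob"]},
    "uid=carol,ou=People,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson"], "uid": ["carol"]},
}

if __name__ == "__main__":
    for dn in stale_shell_accounts(SAMPLE, shell_uids={"alice"}):
        print(revoke_shell_ldif(dn, SAMPLE[dn]))
```

The generated record is meant to be reviewed before it is applied with a tool such as ldapmodify.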

comment:4 by strk, 21 months ago

Milestone: Sysadmin Contract 2022-II

comment:5 by strk, 21 months ago

Related ticket (same script): #2804

comment:6 by robe, 17 months ago

Milestone: Sysadmin Contract 2022-II → Sysadmin Contract 2023-I

pushing to next milestone since my contract funds have been used.

comment:7 by strk, 7 months ago

Component: SysAdmin → SysAdmin/Postfix

comment:8 by strk, 7 months ago

Component: SysAdmin/Postfix → SysAdmin/LDAP

comment:9 by robe, 5 months ago

Milestone: Sysadmin Contract 2023-I → Sysadmin Contract 2024-I

Moving my prior still open items to the next proposed Milestone
