Opened 8 years ago
Last modified 11 months ago
#1786 new task
ldap_shell.py does not let revoking shell access
| Reported by: | strk | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Sysadmin Contract 2024-I |
| Component: | SysAdmin/LDAP | Keywords: | ldap |
| Cc: |
Description
I noticed that ldap_shell.py allows granting shell access (posixAccount) but doesn't allow *dropping* it.
All you can drop is the membership in the "telascience" group, but shell access remains. I had to completely delete my test account to remove shell access.
NOTE: this was also true before unification of ldap_shell.py and ldap_group.py (see #1785)
Change History (9)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
I confirm the h4ck4rm1k3 account still has the posixAccount objectClass in its LDAP record. This should be fixed in the shell script
comment:3 by , 3 years ago
I stubbed a shell script to revoke shell access, should be improved: https://git.osgeo.org/gitea/sac/web-tools/commit/395432516d5b045b5f760de42340cb385f55ec74
comment:4 by , 2 years ago
| Milestone: | → Sysadmin Contract 2022-II |
|---|
comment:6 by , 23 months ago
| Milestone: | Sysadmin Contract 2022-II → Sysadmin Contract 2023-I |
|---|
pushing to next milestone since my contract funds have been used.
comment:7 by , 13 months ago
| Component: | SysAdmin → SysAdmin/Postfix |
|---|
comment:8 by , 13 months ago
| Component: | SysAdmin/Postfix → SysAdmin/LDAP |
|---|
comment:9 by , 11 months ago
| Milestone: | Sysadmin Contract 2023-I → Sysadmin Contract 2024-I |
|---|
Moving my prior still open items to the next proposed Milestone
I just removed https://id.osgeo.org/ldap/search?query=h4ck3rm1k3 user from the "shell" group after waiting 1.5 months for an email reply from the email associated with that account. It should be verified if the LDAP account still have access to shell (ie: is part of the "posixAccount" group) as this ticket suggest it would still be...