Opened 14 years ago

Closed 14 years ago

#578 closed task (fixed)

LDAP authentication not properly strict on OSU VMs

Reported by: warmerdam Owned by: warmerdam
Priority: normal Milestone:
Component: SysAdmin Keywords: ldap
Cc:

Description

The normal configuration of the VMs at OSU OSL is supposed to be that they only allow shell logins from those in the "sac" shell group from LDAP. However, I have discovered that anyone with the shell attributes in LDAP can in fact log in, though a message is reported:

warmerda@gdal64[33]% ssh backup.osgeo.org -l osgeotest123
osgeotest123@backup.osgeo.org's password: 
You must be a uniquemember of cn=sac,ou=Shell,dc=osgeo,dc=org to login.
Creating directory '/home/osgeotest123'.

Note that osgeotest123 is not in the "sac" group:

https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=sac

Change History (7)

comment:1 by warmerdam, 14 years ago

Keywords: ldap added
Status: new → assigned

On the qgis VM, changing /etc/pam.d/common-auth to look like this seemed to do the trick:

auth    required        pam_env.so
auth    required        pam_ldap.so
#auth   sufficient      pam_unix.so nullok_secure use_first_pass

Testing the same approach on backup.osgeo.org now...

comment:2 by warmerdam, 14 years ago

This does not seem to have done the trick on backup.osgeo.org - I shall have to return to this later.

comment:3 by wildintellect, 14 years ago

I believe this page may have the answers: http://wiki.debian.org/LDAP/PAM. Specifically, that we want to use the pam_ldap method and use either "Allowing logins on a per-group basis" or "Allowing logins on a per-host basis".

comment:4 by warmerdam, 14 years ago

I've looked over the LDAP/PAM page but it does not seem to address use of the pam_groupdn attribute in the ldap.conf file.

Hmm, I don't know how I messed this up, but it seems the qgis VM is not secured properly. I can still login to it with the osgeotest123 account even though that account is not in the qgis group.

So - back to basics - we don't really have group limiting working at all yet.

comment:5 by warmerdam, 14 years ago

Based on:

http://old.nabble.com/pam_groupdn-test-fails,-authentication-allowed-anyway--td21320915.html

I tried removing ldap from the shadow entry in /etc/nsswitch.conf and this seemed to enforce the desired behavior! The updated line should look like:

shadow: files

The change has been confirmed, and I have established that the VM does not need to be rebooted after the change to nsswitch.conf file.

So far I have updated the qgis and backup VMs.
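The two settings this ticket ends up touching are the shadow line in /etc/nsswitch.conf (comment:5) and the auth stack in /etc/pam.d/common-auth (comment:1). The following is an added audit helper, not OSGeo SysAdmin code, that parses both files and reports the configurations under which a failed pam_groupdn check does not deny the login. The sample configuration strings are constructed for the example; the audit function names and finding texts are this example's own.

```python
"""Audit nsswitch.conf and PAM common-auth for the LDAP group-restriction
bypass discussed in ticket #578 (added example, not OSGeo's own tooling)."""
import os

# Constructed sample configs: the state before and after the ticket's fix.
WEAK_NSSWITCH = (
    "passwd:         files ldap\n"
    "group:          files ldap\n"
    "shadow:         files ldap\n"   # LDAP-backed shadow: the bypass path
    "hosts:          files dns\n"
)
FIXED_NSSWITCH = WEAK_NSSWITCH.replace("shadow:         files ldap", "shadow:         files")

# A typical libpam-ldap style stack where pam_unix can still grant access.
STOCK_COMMON_AUTH = (
    "auth    sufficient      pam_ldap.so\n"
    "auth    required        pam_unix.so nullok_secure use_first_pass\n"
)
# The stack from comment:1 of the ticket.
TICKET_COMMON_AUTH = (
    "auth    required        pam_env.so\n"
    "auth    required        pam_ldap.so\n"
    "#auth   sufficient      pam_unix.so nullok_secure use_first_pass\n"
)


def _strip(raw):
    """Remove a trailing comment and surrounding whitespace."""
    return raw.split("#", 1)[0].strip()


def shadow_sources(nsswitch_text):
    """Return the source list of the 'shadow' database, or [] if absent."""
    for raw in nsswitch_text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        db, sep, sources = line.partition(":")
        if sep and db.strip() == "shadow":
            return sources.split()
    return []


def pam_auth_entries(pam_text):
    """Return (control, module, args) for every active 'auth' line."""
    entries = []
    for raw in pam_text.splitlines():
        parts = _strip(raw).split()
        if len(parts) >= 3 and parts[0] == "auth":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries


def audit(nsswitch_text, common_auth_text):
    """Return a list of findings; an empty list means pam_ldap's group
    decision is binding and pam_unix cannot re-verify an LDAP password."""
    findings = []
    if "ldap" in shadow_sources(nsswitch_text):
        findings.append("nsswitch.conf: 'shadow' includes ldap, so pam_unix can "
                        "verify LDAP passwords and a failed pam_groupdn check "
                        "does not deny the login")
    auth = pam_auth_entries(common_auth_text)
    ldap = [(control, args) for control, module, args in auth if module == "pam_ldap.so"]
    if not ldap:
        findings.append("common-auth: pam_ldap.so is not in the auth stack, "
                        "so pam_groupdn is never evaluated")
    elif ldap[0][0] not in ("required", "requisite"):
        # 'sufficient'/'optional' failures are ignored and a later module may grant access.
        findings.append(f"common-auth: pam_ldap.so is '{ldap[0][0]}', so its "
                        "rejection is not binding on its own")
    return findings


def audit_host(nsswitch_path="/etc/nsswitch.conf",
               common_auth_path="/etc/pam.d/common-auth"):
    """Audit the live files on this host (returns [] if either is missing)."""
    if not (os.path.exists(nsswitch_path) and os.path.exists(common_auth_path)):
        return []
    with open(nsswitch_path) as n, open(common_auth_path) as c:
        return audit(n.read(), c.read())


if __name__ == "__main__":
    for label, nss, pam in [("before", WEAK_NSSWITCH, STOCK_COMMON_AUTH),
                            ("after", FIXED_NSSWITCH, TICKET_COMMON_AUTH)]:
        print(label, audit(nss, pam) or "no findings")
    print("this host:", audit_host() or "no findings / files not present")
```

Run it as root on a VM to see the live verdict; the weak sample yields two findings (LDAP-backed shadow, non-binding pam_ldap) and the combination from comment:1 plus comment:5 yields none.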

comment:6 by warmerdam, 14 years ago

Also updated Web, tracsvn, wiki, and webextra.

Still need to update the template VM.

comment:7 by warmerdam, 14 years ago

Resolution: fixed
Status: assigned → closed

base.osgeo.osuosl.org has been booted, updated, and shutdown.
