Opened 15 years ago
Closed 15 years ago
#578 closed task (fixed)
LDAP authentication not properly strict on OSU VMs
Reported by: | warmerdam | Owned by: | warmerdam |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | SysAdmin | Keywords: | ldap |
Cc: | | | |
Description
The normal configuration of the VMs at OSU OSL is supposed to be that they only allow shell logins from those in the "sac" shell group from LDAP. However, I have discovered that anyone with the shell attributes in LDAP can in fact log in, though a message is reported:

```
warmerda@gdal64[33]% ssh backup.osgeo.org -l osgeotest123
osgeotest123@backup.osgeo.org's password:
You must be a uniquemember of cn=sac,ou=Shell,dc=osgeo,dc=org to login.
Creating directory '/home/osgeotest123'.
```
Note that osgeotest123 is not in the "sac" group:
Change History (7)
comment:1 by , 15 years ago
Keywords: | ldap added |
---|---|
Status: | new → assigned |
comment:2 by , 15 years ago
This does not seem to have done the trick on backup.osgeo.org - I shall have to return to this later.
comment:3 by , 15 years ago
I believe this page may have the answers http://wiki.debian.org/LDAP/PAM Specifically that we want to use the pam_ldap method and use either "Allowing logins on a per-group basis" or "Allowing logins on a per-host basis"
comment:4 by , 15 years ago
I've looked over the LDAP/PAM page but it does not seem to address use of the pam_groupdn attribute in the ldap.conf file.
Hmm, I don't know how I messed this up, but it seems the qgis VM is not secured properly. I can still log in to it with the osgeotest123 account even though that account is not in the qgis group.
So - back to basics - we don't really have group limiting working at all yet.
comment:5 by , 15 years ago
Based on:
http://old.nabble.com/pam_groupdn-test-fails,-authentication-allowed-anyway--td21320915.html
I tried removing ldap from the shadow entry in /etc/nsswitch.conf and this seemed to enforce the desired behavior! The updated line should look like:
```
shadow: files
```
The change has been confirmed, and I have established that the VM does not need to be rebooted after the change to nsswitch.conf file.
So far I have updated the qgis and backup VMs.
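The two settings the ticket turns on in comment 4 and comment 5 are the `pam_groupdn` line in the pam_ldap `ldap.conf` and the `shadow:` line in `/etc/nsswitch.conf`. The audit below is an added example, not code from the ticket or from the OSGeo SAC; it parses both files and reports a host that still has `ldap` on the `shadow:` line (the state the ticket found lets users outside the group log in despite the denial message) or that has no `pam_groupdn` at all. It assumes `/etc/ldap.conf` is the pam_ldap configuration file and `/etc/nsswitch.conf` the NSS configuration; the file contents embedded below are constructed samples, and the LDAP URI in them is a placeholder.

```python
"""Audit the pam_ldap group-restriction settings discussed in the ticket.

Added example, not the ticket's own code. Assumes pam_ldap reads
/etc/ldap.conf (for pam_groupdn) and NSS reads /etc/nsswitch.conf.
"""
import re
import sys

# Constructed sample: the weak state the ticket found on the VMs
NSSWITCH_WEAK = """\
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
"""

# Constructed sample: the shadow line as comment 5 says it should look
NSSWITCH_FIXED = """\
passwd:         files ldap
group:          files ldap
shadow:         files
hosts:          files dns
"""

# Constructed sample pam_ldap config; the uri is a placeholder
LDAP_CONF = """\
base dc=osgeo,dc=org
uri ldap://ldap.example.invalid/
pam_groupdn cn=sac,ou=Shell,dc=osgeo,dc=org
"""


def nss_sources(nsswitch_text, database):
    """Return the list of sources configured for one NSS database.

    Comments are stripped and action specs such as [NOTFOUND=return]
    are ignored, so only the source names (files, ldap, ...) remain.
    """
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            rest = re.sub(r"\[[^\]]*\]", " ", rest)
            return rest.split()
    return []


def pam_groupdn(ldap_conf_text):
    """Return the pam_groupdn value from a pam_ldap ldap.conf, or None."""
    for line in ldap_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pam_groupdn":
            return parts[1].strip()
    return None


def audit(nsswitch_text, ldap_conf_text):
    """Return a list of findings; empty means both settings match the
    configuration the ticket arrived at."""
    findings = []
    if pam_groupdn(ldap_conf_text) is None:
        findings.append(
            "pam_groupdn is not set: pam_ldap does not restrict logins to a group")
    if "ldap" in nss_sources(nsswitch_text, "shadow"):
        findings.append(
            "shadow: is served from ldap in nsswitch.conf; the ticket found this "
            "allowed logins from accounts outside the pam_groupdn group")
    return findings


def audit_files(nsswitch_path="/etc/nsswitch.conf", ldap_conf_path="/etc/ldap.conf"):
    """Run the audit against files on the local host."""
    with open(nsswitch_path) as f, open(ldap_conf_path) as g:
        return audit(f.read(), g.read())


if __name__ == "__main__":
    # With no arguments, show the constructed weak and fixed samples;
    # with two paths, audit those files instead.
    if len(sys.argv) == 3:
        results = audit_files(sys.argv[1], sys.argv[2])
        print("\n".join(results) or "OK: group restriction settings in place")
    else:
        for label, text in (("weak", NSSWITCH_WEAK), ("fixed", NSSWITCH_FIXED)):
            print(label + ":", audit(text, LDAP_CONF) or "OK")
```

Run it with no arguments to see the constructed weak and fixed samples side by side, or with `nsswitch.conf` and `ldap.conf` paths to check a host. Note the audit only confirms the two settings the ticket settled on; it does not exercise a login, so a host that enforces the group some other way (for example the per-host attribute mentioned in comment 3) would still be reported.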
comment:6 by , 15 years ago
Also updated Web, tracsvn, wiki, and webextra.
Still need to update the template VM.
comment:7 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
base.osgeo.osuosl.org has been booted, updated, and shutdown.
On the qgis VM, changing /etc/pam.d/common-auth to look like this seemed to do the trick:
Testing the same approach on backup.osgeo.org now...