Nethserver-delegation needs testers

Awesome! I can confirm that it works on 2 of my Nethservers. :+1: But it only works in one direction: enabling sudo changes the user's shell to /bin/bash, but disabling does not change it back. A user who was sudo-enabled once has SSH access forever, even after disabling sudo. So I think what’s missing is the possibility to change SSH access in “Users and Groups”. The delegate module would then be able to revert to the default setting in “Users and Groups” but could override it when the user is delegated. Just an idea…

1 Like

Yeah, it is the official behaviour: if shell access is allowed to a user, you cannot remove it when you use the Samba AD account provider, or you must delete the user and recreate it.

It makes me think that it is something not finished @dev_team

Indeed I could remove the bash access myself in the module, or wait to see if a PR is needed in the core

1 Like

This would be the fastest solution and ok for me, but when I really think about it the best approach would be to change it in “Users and Groups” module, because it is not logical or intuitive to say: “When creating a user you are able to set SSH access once, but for disabling you have to install another module.”
Another approach would be to have the ability to change SSH access only in your delegation module…so a newly created user has no SSH access per default. Again just ideas…

It’s the desired behavior, since we do not want to directly edit the AD using any LDAP client.
Actually it is a limitation of samba-tool.

By the way, I just added a card to the NethServer project, but we need to review it and decide if it is worth implementing.

3 Likes

Please, more tests are needed, also with openldap (nethserver-directory).

1 Like

Did another test with Samba AD (LDAP will follow) and noticed just 2 points:

  • A user who is not sudo-delegated gets a “403 - Forbidden” error window when entering the NetworkAdapter page. I had to close the error window; clicking OK shows the error again.
  • If you log out a delegated user, the URL is kept, and if you afterwards log in with a user not delegated for that specific page, you get an empty “403 - Forbidden” page. Maybe redirect users to the profile page by default?
1 Like

Good catch, the ‘Admin todo messages’ panel must be delegated too; probably I need to delegate it by default. When you delegate all panels you don’t have this bug (because ‘Admin todo messages’ is delegated).

1 Like

A post was moved to a new topic: Redirect the user logout to the Dashboard

New version of nethserver-delegation:

yum install http://mirror.de-labrusse.fr/NethDev/nethserver-delegation/nethserver-delegation-0.1.8-1.ns7.sdl.noarch.rpm

changelog:

* Mon Sep 18 2017 stephane de LAbrusse <stephdl@de-labrusse.fr> 0.1.8-1.ns7
- Allow Admin todo by default
1 Like

Works as expected! :ok_hand:
Maybe remove the admin todo messages checkbox from the module user settings, because it has no function anymore…
Another thought: some admin todo messages may include a link (e.g. Check Firewall rules) to a non-delegated module -> 403 forbidden error

1 Like

Do you have an example that I can reproduce, please?

I deactivated the firewall to produce an admin todo message:

When I now click on “Check firewall rules” I get a 403 error, because it links to /FirewallRules/CheckRules:

1 Like

Update:

When having delegation to Firewall Rules, you won’t get the 403 error, so there are delegations that depend on others.

[root@testserver ~]# cat /etc/nethserver/todos.d/* | grep url
            "url": '/NetworkAdapter?renameInterface'
            "url": '/NetworkAdapter'
            "url": '/Account'
    msg = {"action": {"label": _('Change password strength'), "url": '/Password'}, "text": _('Password policy is too weak'), "icon": "warning"}
            "url": "/BackupData"
    msg = {"action": {"label": _('Check firewall rules'), "url": '/FirewallRules/CheckRules'}, "text": _('The firewall is NOT running'), "icon": "exclamation-triangle"}
    msg = {"action": {"label": _('Deep Packet Inspection (DPI) module is not available'), "url": '/Shutdown'}, "text": _('Restart the system and select a Linux kernel with DPI module support'), "icon": "refresh"}
            "url": '/BackupConfig#!BackupConfig_Reinstall'
            "url": '/BackupData'

So Admin Todo, NetworkAdapter, Account, Password, BackupConfig, BackupData, FirewallRules and Shutdown are a “delegation group”.

I changed on my testserver from AD to LDAP, gave new passwords and delegations are working as good as with AD.
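As an added illustration of the “delegation group” observed above (not part of the original posts or of the nethserver-delegation module), this script extracts the action URLs from the quoted todos.d output, maps each to its server-manager panel, and reports which panels a given delegation set is missing, i.e. which todo links would return a 403 for that user. The sample input is the grep output from the post; the granted set is constructed.

```python
import re

# Constructed sample: the "url" lines quoted from /etc/nethserver/todos.d/*
# in the post above (a mix of single- and double-quoted Python fragments).
TODO_LINES = """
            "url": '/NetworkAdapter?renameInterface'
            "url": '/NetworkAdapter'
            "url": '/Account'
    msg = {"action": {"label": _('Change password strength'), "url": '/Password'}, "text": _('Password policy is too weak'), "icon": "warning"}
            "url": "/BackupData"
    msg = {"action": {"label": _('Check firewall rules'), "url": '/FirewallRules/CheckRules'}, "text": _('The firewall is NOT running'), "icon": "exclamation-triangle"}
    msg = {"action": {"label": _('Deep Packet Inspection (DPI) module is not available'), "url": '/Shutdown'}, "text": _('Restart the system and select a Linux kernel with DPI module support'), "icon": "refresh"}
            "url": '/BackupConfig#!BackupConfig_Reinstall'
            "url": '/BackupData'
"""

# Matches "url": '/...' or "url": "/..." and captures the path.
URL_RE = re.compile(r'''"url"\s*:\s*(['"])(/[^'"]*)\1''')


def panel_of(url):
    """Map a todo action URL to the panel that serves it.

    The panel is the first path segment; a query string (?...), a fragment
    (#...) or a sub-action (/CheckRules) still belongs to that panel.
    """
    return re.split(r"[/?#]", url.lstrip("/"), maxsplit=1)[0]


def todo_panels(text):
    """Sorted set of panels referenced by todo action URLs in text."""
    return sorted({panel_of(m.group(2)) for m in URL_RE.finditer(text)})


def missing_delegations(text, delegated):
    """Panels that todo messages link to but that are not delegated.

    A delegated user following one of these links gets the 403 described
    in the thread, so these are the panels to grant or to accept as forbidden.
    """
    granted = set(delegated)
    return [p for p in todo_panels(text) if p not in granted]


if __name__ == "__main__":
    granted = {"NetworkAdapter", "Account", "Password"}  # constructed example
    print("todo panels:", todo_panels(TODO_LINES))
    print("not delegated:", missing_delegations(TODO_LINES, granted))
```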

These RPMs are on Steph’s repositories, so I’d like to set up a process to

  • define them “stable” enough
  • close a topic like this
  • announce that NethServer has a delegation module :slight_smile:

What do you think guys?

3 Likes

Agree!

If possible, I’d also add the paypal button for Stephane inside the announcement. :wink:

2 Likes

Hi @mrmarkuz, I’m not sure I catch you. I understand that some URLs won’t be allowed to a user, but I cannot delegate them by default. From my point of view it is a choice of the sysadmin.

For example the todo message displays a warning related to a weak password and of course if this panel is not delegated then a 403 message is displayed.

It means that the sysadmin needs to grant each needed panel. That said, we could also imagine some preconfigured delegation groups.

I agree with you. I wanted to get rid of the errors, but in this case it’s just ok to have a forbidden error.

I think grouping or roles would make sense because there are many checkboxes, but it’s a nice-to-have.
From my point of view the delegation module is working properly with AD and LDAP.

Well, the nethserver-delegation version for NS7 is now available in my repo, thanks to @dnutan, @mrmarkuz and all people involved here.

Time to close this thread; every NFR needs another thread.

@alefattorini you can go

2 Likes

Your PR is now in the core, in 7.4.1708/updates:

nethserver-dc-1.4.0-1.ns7.x86_64.rpm
nethserver-dc-debuginfo-1.4.0-1.ns7.x86_64.rpm
nethserver-sssd-1.3.4-1.ns7.noarch.rpm
5 Likes