Special account for applications with simple LDAP bind

stephdl (Stéphane de Labrusse) 2017-10-29 16:36:19 UTC #1

looking for this @dev_team , I’m not sure but I fear a time bomb for all web applications with ldap bind…in a really short time. what did you suggest, create a dedicated user and use it to bind the ldap, manual actions are not good (from my point of view)

actually with ns7.4 i can see new install with sogod services crashes, and probably soon some fun with webtop.

Release of NethServer 7.4.1708 Final

davidep (Davide Principi) 2017-10-29 22:19:52 UTC #2

How can we improve it?

I agree! Wherever possible we ought to automate the configuration steps.

giacomo (Giacomo Sanchietti) 2017-10-30 14:14:33 UTC #3

WebTop should be already fixed, but I agree with you we could encounter some troubles.

I have a suggestion to workaround the problem at least for Samba AD, but I didn’t have time to write it down on a new thread for discussion.

stephdl (Stéphane de Labrusse) 2017-10-30 15:55:09 UTC #4

I’m not expert here…I have one but i (really) don’t like it, write the password in /var/lib/nethserver/secrets in a human readable format.

Just for our curiosity, what is your solution @davidep and @giacomo

davidep (Davide Principi) 2017-10-30 15:58:27 UTC #5

By now, we are fixing broken apps… The password is generated by Samba, we cannot decide it.

The idea is a dedicated account, being it created automatically or manually. We can see it how…

stephdl (Stéphane de Labrusse) 2017-10-30 20:55:27 UTC #6

Ok, this might be fixed in sogo with two db properties and eventually with a panel in nethgui.

davidep (Davide Principi) 2017-10-30 22:08:35 UTC #7

I was thinking about a unique identity, shared by all applications. Something like the “admins” key in config DB or the already existing sssd props BindUser/BindPassword.

stephdl (Stéphane de Labrusse) 2017-10-31 05:05:39 UTC #8

yes, it could be documented and well known by everybody

davidep (Davide Principi) 2017-10-31 08:58:40 UTC #9

I think it shouldn’t need end-user documentation.

For a remote accounts provider we already have the UI fields and docs. Nothing changes for it, I guess.

On a local accounts provider installation we can replace the existing machine credentials with a new dedicated identity which is created automatically once, during RPM install/update. I’d choose a random user name and a random password. If possible set it hidden in Users&Groups page. The credentials should be visible in the UI, like the LDAP provider do, to cut/paste them to a remote host.

stephdl (Stéphane de Labrusse) 2017-10-31 10:08:41 UTC #10

seems good for me…this credentials could be saved somewhere to be accessible by the template system file ?

giacomo (Giacomo Sanchietti) 2017-10-31 10:27:41 UTC #11

I was thinking to create new credentials for each services, like we did in NS 6.

But I really like much more @davidep approach: simple and backward-compatible.

Totally agree!

Credentials will be accessible using NethServer::SSSD library, but in the end, I think we will save it under /var/lib/nethserver/secrets.

davidep (Davide Principi) 2017-10-31 10:30:25 UTC #12

…furthermore, existing applications should not be changed if they rely on NethServer::SSSD!

stephdl (Stéphane de Labrusse) 2017-10-31 10:37:05 UTC #13

YES YES YES

giacomo (Giacomo Sanchietti) 2017-11-03 08:19:47 UTC #14

Added to the roadmap, I hope we will work on it next week

davidep (Davide Principi) 2017-11-16 17:29:38 UTC #15

I’m experimenting with “userWorkstations” LDAP attribute:

By setting the attribute to “,” the resulting account can do simple LDAP binds with AD, but still having denied access when logging in on workstations and connecting SMB shares.

What do you think? Could it be a viable implementation? /cc @quality_team @dev_team

giacomo (Giacomo Sanchietti) 2017-11-17 09:15:32 UTC #16

I like it. By the way, event if the special crafted user could be used to login into workstations, it doesn’t sounds like a problem to me

davidep (Davide Principi) 2017-12-14 16:19:01 UTC #17

This feature is on testing! /cc @quality_team

https://github.com/NethServer/dev/issues/5396

The ldapservice user will be available from AD accounts provider like OpenLDAP already does.

davidep (Davide Principi) 2018-01-10 15:15:10 UTC #18

Feature released in

nethserver-dc-1.4.1-1.ns7.x86_64.rpm
nethserver-sssd-1.3.5-1.ns7.noarch.rpm