3 Commits

Author SHA1 Message Date
Veiko Aasa
67b6c0f9e8
users: Inactivate users in LDAP user database
Previously, users were inactivated only in plinth users database. This change
adds ability to inactivate users in LDAP database.

Changes:
- Inactive users in plinth users database are also inactivated in LDAP
  during app upgrade.
- Inactivated users can't login using LDAP password.
- Apache2 single-sign-on module now requires LDAP connection. SSO
  sessions are now invalidated when users are inactivated.
- PAM/nslcd now performs authorization checks against LDAP, which means
  inactivated users can't do passwordless ssh logins and running their
  crontabs are blocked.
- When inactivating a user, all user's processes are killed.

Also, update LDAP diagnostics:
 - Fix LDAP checks returned always passed results.
 - Fix `ou=people` entry doesn't exist in LDAP.
 - Add diagnostics checks for `ou=policies` and `cn=DefaultPPolicy`.

Tests performed:
 - App upgrade works.
 - App upgrade with previously disabled user works, user is inactivated
   also in LDAP.
 - App upgrade with disabled user that doesn't exists in LDAP database works.
 - Increment app version again, to 7, app upgrade works second time.
 - Inactivate user and test logins:
   - can't login using direct LDAP (nextcloud, ejabberd, matrixsynapse)
   - can't login using Apache2 LDAP module (gitweb, ikiwiki, rssbridge,
     transmission)
   - can't login using apache sso module (featherwiki, gitweb, rssbridge,
     sharing, syncthing, tiddlywiki, transmission, wordpress).
   - can't login using ssh with password or passwordless
- Inactivate user and test exsisting sessions:
   - ssh, cockpit and samba sessions are killed.
   - Configure crontab, configured crontab is failing to run after user
     is inactivated.
- All the users app tests pass.

Notes:
- Only Apache2 SSO sessions are disabled. Apps that create their own
  sessions keep working, like nextcloud, ejabberd, matrix-synapse,
  ikiwiki. In the future, we could add a feature that apps can implement
  their own users locking functions.
- When testing inactivated users, users and IP-s can be banned by the system,
  banned IP-s/users can be viewed with commands `fail2ban-client banned` and
  `pam_abl`.
- Existing sessions keep working when deleting a user or removing
  a user from an access group.
- I didn't test e-mail app.

Signed-off-by: Veiko Aasa <veiko17@disroot.org>
2024-09-24 13:27:13 -07:00
Sunil Mohan Adapa
f3bad4a880
sso: Use drop-in config component for /etc files
Tests:

- Config files are all symlinks in /etc/
- Single-sing-on for searx works

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-06-05 20:29:49 -04:00
Sunil Mohan Adapa
40eecb6446
*: Move modules-enabled files to /usr/share
- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.

- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.

- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.

Tests:

- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.

- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.

- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.

- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.

- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.

- All affected modules are loaded.

- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.

- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.

- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.

Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-05-13 07:08:43 -04:00