nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/plinth/modules/sso
History
Veiko Aasa 67b6c0f9e8
users: Inactivate users in LDAP user database 
Previously, users were inactivated only in plinth users database. This change
adds ability to inactivate users in LDAP database.

Changes:
- Inactive users in plinth users database are also inactivated in LDAP
  during app upgrade.
- Inactivated users can't login using LDAP password.
- Apache2 single-sign-on module now requires LDAP connection. SSO
  sessions are now invalidated when users are inactivated.
- PAM/nslcd now performs authorization checks against LDAP, which means
  inactivated users can't do passwordless ssh logins and running their
  crontabs are blocked.
- When inactivating a user, all user's processes are killed.

Also, update LDAP diagnostics:
 - Fix LDAP checks returned always passed results.
 - Fix `ou=people` entry doesn't exist in LDAP.
 - Add diagnostics checks for `ou=policies` and `cn=DefaultPPolicy`.

Tests performed:
 - App upgrade works.
 - App upgrade with previously disabled user works, user is inactivated
   also in LDAP.
 - App upgrade with disabled user that doesn't exists in LDAP database works.
 - Increment app version again, to 7, app upgrade works second time.
 - Inactivate user and test logins:
   - can't login using direct LDAP (nextcloud, ejabberd, matrixsynapse)
   - can't login using Apache2 LDAP module (gitweb, ikiwiki, rssbridge,
     transmission)
   - can't login using apache sso module (featherwiki, gitweb, rssbridge,
     sharing, syncthing, tiddlywiki, transmission, wordpress).
   - can't login using ssh with password or passwordless
- Inactivate user and test exsisting sessions:
   - ssh, cockpit and samba sessions are killed.
   - Configure crontab, configured crontab is failing to run after user
     is inactivated.
- All the users app tests pass.

Notes:
- Only Apache2 SSO sessions are disabled. Apps that create their own
  sessions keep working, like nextcloud, ejabberd, matrix-synapse,
  ikiwiki. In the future, we could add a feature that apps can implement
  their own users locking functions.
- When testing inactivated users, users and IP-s can be banned by the system,
  banned IP-s/users can be viewed with commands `fail2ban-client banned` and
  `pam_abl`.
- Existing sessions keep working when deleting a user or removing
  a user from an access group.
- I didn't test e-mail app.

Signed-off-by: Veiko Aasa <veiko17@disroot.org>
2024-09-24 13:27:13 -07:00
..
data/usr/share/freedombox
users: Inactivate users in LDAP user database
2024-09-24 13:27:13 -07:00
templates
sso: Switch to django-axes >= 5.0
2023-08-23 21:47:39 -04:00
tests
sso: Use privileged decorator for actions
2022-10-08 18:53:18 -04:00
__init__.py
*: Add type hints for app init methods
2024-03-09 14:22:14 -05:00
forms.py
sso: Switch to django-axes >= 5.0
2023-08-23 21:47:39 -04:00
privileged.py
sso: Use privileged decorator for actions
2022-10-08 18:53:18 -04:00
urls.py
sso: Switch to django-axes >= 5.0
2023-08-23 21:47:39 -04:00
views.py
sso: Switch to django-axes >= 5.0
2023-08-23 21:47:39 -04:00