LDAP users should only be able to change their own password #128
Reference: kosmos/chef#128
No description provided.
I found out about this while researching groups and roles. Right now a user can search for users and get data including their email address. We do not want that.
Example:
Needs something similar to https://www.zytrax.com/books/ldap/ch5/step2.html#step2-access but for 389 Directory Server (the link is for OpenLDAP)
We want users to not be able to search, only change their own mail or password.
They shouldn't see any data from other users really. Not just the email address.
Title changed from "LDAP users should not be able to list other users' email address" to "LDAP users should only be able to change their own password and email"
Setting ACIs is what we need.
This example denies everything (reading, search, writing, etc.) for all users (except for the admin account, since its dn is not under dc=kosmos,dc=org) but a user can change their password. We should also create read-only accounts that can perform the LDAP searches for the different services, probably using groups to set the ACIs.
I don't think akkounts-api should have credentials to a master admin account. But it does need to write to the directory.
If there are ACLs for reading, then there are probably also ACLs for writing, no?
By the way, shouldn't we also restrict access to the entire LDAP server by IP address? Why does a user have to be able to connect to it directly?
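The ACI layout sketched in the comments above (everything denied by default, a self-service password change, group-based read-only service accounts and a limited account for akkounts-api), written out as an added example in 389 Directory Server LDIF; this is not the kosmos/chef cookbook's own code, and the ou=users, ou=groups and ou=services containers, the cn=service-readers group and the uid=akkounts-api DN are assumptions, not values from the issue.

```ldif
# Added example (not the kosmos/chef cookbook's own code): 389 DS ACIs for the
# scheme discussed in this issue. ACIs live in the "aci" attribute of the suffix
# entry; "replace: aci" drops the default ACIs (which let anonymous users read
# and search everything), so 389 DS's implicit default deny covers everything
# that is not explicitly allowed below. Explicit "deny" rules are avoided on
# purpose: in 389 DS a deny always overrides an allow, so a blanket "deny (all)"
# would also block the self-service password change.
# cn=Directory Manager is not under dc=kosmos,dc=org and bypasses ACIs entirely.
# Assumed (not from the issue): ou=users, ou=groups, ou=services and the DNs below.
dn: dc=kosmos,dc=org
changetype: modify
replace: aci
# Regular users: write their own userPassword, nothing else (no read, no search,
# so other users' entries and mail addresses stay invisible to them).
aci: (targetattr = "userPassword")
 (version 3.0; acl "Users may change only their own password";
  allow (write) userdn = "ldap:///self";)
# Read-only service accounts (discourse, gitea, ...) are members of one group and
# may only search user entries and read the listed attributes.
aci: (target = "ldap:///ou=users,dc=kosmos,dc=org")
 (targetattr = "uid || cn || mail || memberOf")
 (targetfilter = "(objectClass=inetOrgPerson)")
 (version 3.0; acl "Service readers may look up users";
  allow (read, search, compare)
  groupdn = "ldap:///cn=service-readers,ou=groups,dc=kosmos,dc=org";)
# akkounts-api: create user entries and look them up, without Directory Manager
# credentials. "add" needs every attribute of the new entry, hence targetattr "*".
aci: (target = "ldap:///uid=*,ou=users,dc=kosmos,dc=org")
 (targetattr = "*")
 (version 3.0; acl "akkounts-api may create and query users";
  allow (add, read, search, compare)
  userdn = "ldap:///uid=akkounts-api,ou=services,dc=kosmos,dc=org";)
# akkounts-api additionally updates mail and password on the user's behalf,
# so users themselves never need write access to mail.
aci: (target = "ldap:///uid=*,ou=users,dc=kosmos,dc=org")
 (targetattr = "mail || userPassword")
 (version 3.0; acl "akkounts-api may update mail and password";
  allow (write)
  userdn = "ldap:///uid=akkounts-api,ou=services,dc=kosmos,dc=org";)
```

After applying it with ldapmodify as Directory Manager, a bind as a regular user followed by a subtree search for mail under dc=kosmos,dc=org should return zero entries, while a bind as a service-readers member returns uid, cn and mail only.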
Yes, there are ACIs for everything. We can create an account for akkounts-api that can create users and nothing else.
I think you mean create and query users.
The title of this issue is still misleading. LDAP users shouldn't be able to directly change anything in the directory. They should always go through akkounts, and I think we should enforce 2FA there for everyone as well.
I agree that everything should be locked down (and the LDAP server should only be accessible by servers that need access) once we have added these features to akkounts. However, I think the changes for akkounts should go in another issue. For now we need users to be able to change their passwords.
OK, but then they still don't need to be able to change their email address.
Makes sense, I'm fixing the title.
Title changed from "LDAP users should only be able to change their own password and email" to "LDAP users should only be able to change their own password"