Univention Bugzilla – Full Text Bug Listing

Field | Value | Field | Value
---|---|---|---
Summary | Support monitoring of last successful LDAP bind to simplify identifying inactive accounts | |
Product | UCS | Reporter | Arvid Requate <requate>
Component | LDAP | Assignee | Johannes Keiser <keiser>
Status | CLOSED FIXED | QA Contact | Erik Damrose <damrose>
Severity | normal | |
Priority | P5 | CC | ahrnke, best, botner, bremer, grandjean, hpeter, keiser, michelsmidt, steuwer
Version | UCS 4.4 | |
Target Milestone | UCS 4.4-3-errata | |
Hardware | Other | |
OS | Linux | |
What kind of report is it? | Feature Request | What type of bug is this? | ---
Who will be affected by this bug? | --- | How will those affected feel about the bug? | ---
User Pain | | Enterprise Customer affected? | Yes
School Customer affected? | Yes | ISV affected? |
Waiting Support | | Flags outvoted (downgraded) after PO Review | 
Ticket number | 2019062021000216 | Bug group (optional) | 
Max CVSS v3 score | | |
Description
Arvid Requate
2019-06-20 17:55:51 CEST
Can't we create an LDAP ACL which disallows read access to the attribute for servers not having the overlay activated? (instead of adjusting replication.py)

```
access to attrs="authTimestamp" by filter="(&(objectType=DC_computer)(!(univentionService=slapo_lastbind)))" none stop by * +0 break
```

Good additional layer of protection, thanks for proposing this. But see point 1: slapd hangs after schema replication if replication.py doesn't filter the attribute out of the schema. What I described in detail in the list is a standard procedure, as you can see by checking out e.g. the handling of memberof in replication.py. Also I think that each system is responsible for protecting itself.

FYI: If Samba/AD is installed the customer may refer to the lastLogonTimeStamp attribute, see https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx. Sites like https://www.epochconverter.com/ldap may be helpful to convert Windows FILETIME to something readable.

Just FYI, the consulting point of view: Samba/AD "lastLogonTimeStamp" is usually the way to go for customers in PS projects. Unfortunately this only works in environments where all users authenticate primarily against Samba/AD. In environments without Samba/AD, the most used workaround is to implement password policies where users are forced to renew their password regularly. Users who didn't renew their expired password in a certain time interval are considered inactive. This is not very practical, and the overlay slapo-lastbind sounds like the "correct" approach to solve such requirements. It may be a good idea to e.g. create a CLI tool then, that can be used to query the max of lastLogonTimeStamp and authTimestamp, if present.

Requested by another customer who is using the S4-based workaround atm. Since this customer is using Linux/LDAP-based clients, it may happen that no lastLogonTimeStamp is available. PCI-DSS regulations may apply to this customer with the requirement to disable accounts that haven't been used for some time.

- 7d1ae69d4f Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
- d1023a2ddb Bug #49700: yaml
- 34ddd880e6 Bug #49700: debian changelog
- e4868a7e52 Bug #49700: tests
- bf9ccce3c7 Bug #49700: univention-lastbind script
- a1d8eb4b47 Bug #49700: filter out authTimestamp from ldap schema
- 0933293824 Bug #49700: slapo-lastbind config

- Successful build Package: univention-directory-replication Version: 12.0.0-4A~4.4.0.202002241532
- Successful build Package: univention-ldap Version: 15.0.0-35A~4.4.0.202002241534
- Successful build Package: ucs-test Version: 9.0.3-158A~4.4.0.202002241534

-----------

Added ldap/overlay/lastbind and ldap/overlay/lastbind/precision UCR variables. If ldap/overlay/lastbind is activated then the timestamp of a successful LDAP bind is stored in the 'authTimestamp' attribute on the user (on that LDAP server; not replicated). Added the script /usr/share/univention-ldap/univention_lastbind.py. The script can be executed for one or all users and it will collect all 'authTimestamp' values from all reachable LDAP servers and store the youngest of them into the newly added 'lastbind' extended attribute on the user.

- OK: schema extension
- OK: UCRv ldap/overlay/lastbind; ldap/overlay/lastbind/precision + templates
- OK: authTimestamp gets written on every LDAP bind
- OK: authTimestamp is not replicated
- OK: /usr/share/univention-ldap/univention_lastbind.py {--user,--allusers} writing to UDM attribute lastbind, LDAP attribute univentionAuthTimestamp
- ~~: authTimestamp is written for every account that does a bind, e.g. cn=admin, computer objects, etc. The lastbind overlay has no option to limit the accounts by a filter. To avoid too many LDAP modifications ldap/overlay/lastbind/precision should be defined - the overlay example configures an example of 1 week (604800).

I guess the test tests/10_ldap/110_univention_lastbind.py broke the Jenkins tests, e.g. slave:

```
*** BEGIN *** [u'/usr/bin/py.test', '110_univention_lastbind.py'] ***
*** 10_ldap/110_univention_lastbind.py ***
Test the management/univention-ldap/scripts/univention_lastbind.py script
*** START TIME: 2020-02-25 01:04:48 ***
============================= test session starts ==============================
platform linux2 -- Python 2.7.13, pytest-3.0.6, py-1.4.32, pluggy-0.4.0
rootdir: /usr/share/ucs-test/10_ldap, inifile:
collected 6 items

110_univention_lastbind.py ......

========================== 6 passed in 51.60 seconds ===========================
*** END TIME: 2020-02-25 01:05:41 ***
*** TEST DURATION (H:MM:SS.ms): 0:00:52.993215 ***
*** END *** 0 ***
```

After that LDAP replication seems to be broken:

```
25.02.20 01:05:54.441 LISTENER ( WARN ) : replication: Can't contact LDAP server: retrying
25.02.20 01:05:54.444 LISTENER ( ERROR ) : replication: Undefined attribute type; dn="cn=slave094,cn=dc,cn=computers,dc=autotest094,dc=local": Error
25.02.20 01:05:54.444 LISTENER ( ERROR ) : additional info: entry update failed
25.02.20 01:05:54.445 LISTENER ( PROCESS ) : Exporting /etc/krb5.keytab on domaincontroller_slave
25.02.20 01:05:54.528 LISTENER ( ERROR ) : 'failed.ldif' exists. Check for /var/lib/univention-directory-replication/failed.ldif
```

I will disable the test!

(In reply to Felix Botner from comment #9)
> I will disable the test!

Done, restarted the test, let's see if this helps.

QA feedback

- fbf0e1df5d Bug #49700: yaml
- 18ae51a511 Bug #49700: yaml
- 1daff19713 Bug #49700: debian changelog
- 6192d44d6c Bug #49700: install script only on master/backup in new binary package.

gt/lt filtering for lastbind extended attribute

- Successful build Package: univention-ldap Version: 15.0.0-36A~4.4.0.202002261432
- Successful build Package: univention-server Version: 14.0.0-12A~4.4.0.202002261435

Documentation in jkeiser/4.4-3/lastbind:
http://jenkins.knut.univention.de:8080/view/Doku/job/BuildDocBookBranch/192/artifact/webroot/handbuch-4.4.html#users:lastbind-overlay-module
http://jenkins.knut.univention.de:8080/view/Doku/job/BuildDocBookBranch/192/artifact/webroot/manual-4.4.html#users:lastbind-overlay-module

SDB article (unlisted): https://help.univention.com/t/activating-the-lastbind-overlay-module/14404

- 7e586515c1 Bug #49700: yaml
- 4375d3b2c7 Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
- a15502b2bd Bug #49700: debian changelog
- dc7dff3762 Bug #49700: adjust 10_ldap/110_univention_lastbind.py
- 8a822c9e7a Bug #49700: adjust configuration of lastbind precision default
- 3cbf171905 Bug #49700: doc for ucs manual and sdb article

- Successful build Package: univention-ldap Version: 15.0.0-37A~4.4.0.202002281212
- Successful build Package: ucs-test Version: 9.0.3-161A~4.4.0.202002281215

- d1448fb1e0 Bug #49700: yaml
- 234fb751cd Bug #49700: Merge branch 'jkeiser/4.4-3/lastbind' into 4.4-3
- 12750924d7 Bug #49700: debian changelog
- fa15028c31 Bug #49700: increase default for ldap/overlay/lastbind/precision
- 6f01e7551b Bug #49700: lastbind docs

- OK: univention-ldap -- UCR template for lastbind module, UCRVs ldap/overlay/lastbind, ldap/overlay/lastbind/precision in package univention-ldap-server
- OK: NEW package univention-ldap-config-master (gets installed on DC Master + Backup) with script /usr/share/univention-ldap/univention_lastbind.py
  univention_lastbind.py:
  - collect authTimestamp from all users with --allusers, or only one with --user
  - written to UDM attribute lastbind, LDAP attribute univentionAuthTimestamp
- OK: ldapsearch for univentionAuthTimestamp with ">=" and "<=" comparison is possible
- OK: docs, I added a small change in commit e585026d64
- OK: SDB article https://help.univention.com/t/14404
- OK: univention-ldap.yaml, univention-server.yaml
- todo: tests 10_ldap.110_univention_lastbind failed in AD Member Mode setups, see https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/ADMemberMultiEnv/lastCompletedBuild/testReport/ and on s4 backup in the errata tests https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-3/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=backup/testReport/

I fixed the test in 232ba22a: Explicitly use port number with -h in ldapsearch

- f7ef0efd5f Bug #49700: debian changelog
- cdce8fa501 Bug #49700: 110_univention_lastbind.py cleanup + test tracebacks

Successful build Package: ucs-test Version: 9.0.3-169A~4.4.0.202003051705

----

Added warning about deactivating the lastbind overlay module to SDB article https://help.univention.com/t/activating-the-lastbind-overlay-module/14404

- OK: Tests
- OK: SDB article
- OK: yaml

Verified

Test still fails in ad-member mode. I guess the reason is the fixed binddn and bindpwd in the test. Please use the value of tests/domainadmin/account as binddn and the filename in tests/domainadmin/pwdfile as bindpwdfile.

Let's see if my fix works: ce788281, ucs-test 9.0.3-177A~4.4.0.202003121752

I found no scenario where the test failed in the last test run. Setting bug back to verified.
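The logic the thread describes (take the youngest authTimestamp across all servers because the attribute is not replicated, fold in an AD lastLogonTimeStamp where one exists, and flag accounts with no bind inside a given window), as an added, self-contained illustration that is not code from the bug, from UCS or from univention_lastbind.py. All DNs, timestamps and function names are constructed for the example; real use would feed it the values collected from each LDAP server.

```python
"""Constructed illustration: youngest bind across servers and inactive-account check.
authTimestamp (slapo-lastbind) is a GeneralizedTime kept per LDAP server and not
replicated, so the youngest value across all servers is the real last bind.
lastLogonTimeStamp (Samba/AD) is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
that AD refreshes only when the stored value is older than about 14 days (coarse)."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20200225010448Z' (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_filetime(value):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(value) // 10)


def last_bind(auth_timestamps, last_logon_timestamp=None):
    """Youngest of the per-server authTimestamp values and lastLogonTimeStamp, or None."""
    candidates = [parse_generalized_time(ts) for ts in auth_timestamps]
    if last_logon_timestamp:
        candidates.append(parse_filetime(last_logon_timestamp))
    return max(candidates) if candidates else None


def inactive_accounts(users, max_age_days, now=None):
    """Return sorted DNs whose youngest bind is older than max_age_days or unknown.

    users: {dn: {"authTimestamp": [per-server values], "lastLogonTimeStamp": str|None}}
    now: datetime, GeneralizedTime string, or None for the current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_generalized_time(now)
    cutoff = now - timedelta(days=max_age_days)
    flagged = []
    for dn, attrs in users.items():
        seen = last_bind(attrs.get("authTimestamp", []), attrs.get("lastLogonTimeStamp"))
        if seen is None or seen < cutoff:  # never seen on any server counts as inactive
            flagged.append(dn)
    return sorted(flagged)


# Constructed sample: authTimestamp values as collected from master, backup and slave.
SAMPLE_USERS = {
    "uid=alice,cn=users,dc=example,dc=com": {
        "authTimestamp": ["20200101120000Z", "20200225010448Z"], "lastLogonTimeStamp": None},
    "uid=bob,cn=users,dc=example,dc=com": {
        "authTimestamp": ["20191001080000Z"], "lastLogonTimeStamp": "132259392000000000"},
    "uid=carol,cn=users,dc=example,dc=com": {"authTimestamp": [], "lastLogonTimeStamp": None},
}
```

Accounts that have never bound anywhere come back as inactive too, which is the case a password-expiry workaround cannot distinguish from a merely idle one.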