
users: Inactivate users in LDAP user database

Veiko Aasa requested to merge vexch/freedombox:ldap-lock-account into main

Previously, users were inactivated only in the plinth users database. This change adds the ability to inactivate users in the LDAP database.

Changes:

  • Inactive users in plinth users database are also inactivated in LDAP during app upgrade.
  • Inactivated users can't login using LDAP password.
  • Apache2 single-sign-on module now requires LDAP connection. SSO sessions are now invalidated when users are inactivated.
  • PAM/nslcd now performs authorization checks against LDAP, which means inactivated users can't do passwordless ssh logins and running their crontabs is blocked.
  • When inactivating a user, all user's processes are killed.

Also, update LDAP diagnostics:

  • Fix LDAP checks that always returned passed results.
  • Fix the case where the ou=people entry doesn't exist in LDAP.
  • Add diagnostics checks for ou=policies and cn=DefaultPPolicy.

Tests performed:

  • App upgrade works.
  • App upgrade with a previously disabled user works, the user is also inactivated in LDAP.
  • App upgrade with a disabled user that doesn't exist in the LDAP database works.
  • Increment app version again, to 7, app upgrade works second time.
  • Inactivate user and test logins:
    • can't login using direct LDAP (nextcloud, ejabberd, matrixsynapse)
    • can't login using Apache2 LDAP module (gitweb, ikiwiki, rssbridge, transmission)
    • can't login using apache sso module (featherwiki, gitweb, rssbridge, sharing, syncthing, tiddlywiki, transmission, wordpress).
    • can't login using ssh with password or passwordless
  • Inactivate user and test existing sessions:
    • ssh, cockpit and samba sessions are killed.
    • Configure a crontab; the configured crontab fails to run after the user is inactivated.
  • All the users app tests pass.

Notes:

  • Only Apache2 SSO sessions are disabled. Apps that create their own sessions keep working, like nextcloud, ejabberd, matrix-synapse, ikiwiki. In the future, we could add a feature so that apps can implement their own user-locking functions.
  • When testing inactivated users, users and IPs can be banned by the system; banned IPs/users can be viewed with the commands fail2ban-client banned and pam_abl.
  • Existing sessions keep working when deleting a user or removing a user from an access group.
  • I didn't test the e-mail app.

Closes #1661 (closed).

Signed-off-by: Veiko Aasa veiko17@disroot.org

Edited by Veiko Aasa
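The merge request above describes two mechanisms without showing them: locking an account in LDAP so that binds fail and nslcd's authorization check rejects the user, and diagnostics that verify the ou=people, ou=policies and cn=DefaultPPolicy entries exist. The following is an added example written for this page, not plinth or FreedomBox code. It assumes a base DN of dc=thisbox, users under ou=people, the OpenLDAP ppolicy overlay with its policy entry at cn=DefaultPPolicy,ou=policies, and that a locked account carries pwdAccountLockedTime=000001010000Z (the overlay's "locked until an administrator unlocks it" value); the sample ldapsearch output is constructed. How FreedomBox itself marks an account inactive is not stated on the page.

```python
"""Added example (not FreedomBox code): build the LDIF that locks/unlocks an
account under the ppolicy overlay, the nslcd filter that refuses locked
accounts for authorization, and a check for the entries the diagnostics
expect. All DNs below are assumptions, not taken from the merge request."""
import re

BASE_DN = 'dc=thisbox'                 # assumed directory base
PEOPLE_OU = f'ou=people,{BASE_DN}'     # assumed user container
PERMANENT_LOCK = '000001010000Z'       # slapo-ppolicy: locked until admin unlocks

# nslcd.conf line (assumed): only accounts without pwdAccountLockedTime may
# pass PAM account authorization, so key-based ssh and cron are refused too.
NSLCD_AUTHZ_LINE = ('pam_authz_search (&(objectClass=posixAccount)'
                    '(uid=$username)(!(pwdAccountLockedTime=*)))')

# Entries the (assumed) diagnostics require, in report order.
REQUIRED_ENTRIES = (PEOPLE_OU, f'ou=policies,{BASE_DN}',
                    f'cn=DefaultPPolicy,ou=policies,{BASE_DN}')


def _escape_rdn_value(value):
    """RFC 4514 escaping so a hostile username cannot inject extra RDNs."""
    special = ',+"\\<>;='
    out = ''.join('\\' + c if c in special else c for c in value)
    if out.startswith(('#', ' ')):
        out = '\\' + out
    if out.endswith(' '):
        out = out[:-1] + '\\ '
    return out


def user_dn(username):
    return f'uid={_escape_rdn_value(username)},{PEOPLE_OU}'


def lock_ldif(username):
    """LDIF for `ldapmodify`: set the permanent-lock marker on the account."""
    return (f'dn: {user_dn(username)}\n'
            'changetype: modify\n'
            'replace: pwdAccountLockedTime\n'
            f'pwdAccountLockedTime: {PERMANENT_LOCK}\n')


def unlock_ldif(username):
    """LDIF for `ldapmodify`: remove the lock marker again."""
    return (f'dn: {user_dn(username)}\n'
            'changetype: modify\n'
            'delete: pwdAccountLockedTime\n')


def parse_ldif_dns(ldif_text):
    """DNs present in `ldapsearch -LLL` output, with folded lines rejoined.
    Base64 'dn::' lines are not handled; ASCII DNs are assumed."""
    unfolded = re.sub(r'\n ', '', ldif_text)
    return {line[4:].strip().lower() for line in unfolded.splitlines()
            if line.lower().startswith('dn: ')}


def missing_entries(ldif_text):
    """Required entries absent from a directory dump; empty list means pass."""
    present = parse_ldif_dns(ldif_text)
    return [dn for dn in REQUIRED_ENTRIES if dn.lower() not in present]


# Constructed sample output of `ldapsearch -LLL -b dc=thisbox dn`.
SAMPLE_OK = (
    'dn: dc=thisbox\n\n'
    'dn: ou=people,dc=thisbox\n\n'
    'dn: ou=policies,dc=thisbox\n\n'
    'dn: cn=DefaultPPolicy,ou=policies,dc=thisbox\n'
)
# Same, but without the ppolicy entries and with a folded dn line.
SAMPLE_NO_POLICY = (
    'dn: dc=thisbox\n\n'
    'dn: ou=peopl\n e,dc=thisbox\n'
)

if __name__ == '__main__':
    print(lock_ldif('alice'))
    print(NSLCD_AUTHZ_LINE)
    print('missing:', missing_entries(SAMPLE_NO_POLICY))
```

Feed `lock_ldif()` to `ldapmodify` with a privileged bind; pwdAccountLockedTime is an operational attribute, so an ordinary user bind cannot set or clear it. After the `pam_authz_search` line is in nslcd.conf, locked users fail both password binds and PAM account checks, which matches the behaviour the merge request reports for ssh and cron.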
