Enhancement #2063

Directory: backup service accounts passwords

Added by Davide Principi about 8 years ago. Updated over 7 years ago.

Status: CLOSED
Start date: 11/21/2013
Priority: Normal
Due date: 11/21/2013
Assignee: -
% Done: 100%
Category: nethserver-directory
Target version: v6.5-beta3
Resolution: (none)
NEEDINFO: No

Description

Passwords for "service" accounts are currently stored under the /etc/openldap/ directory, which is not automatically included in the backup list.

See http://dev.nethserver.org/issues/2043#note-7 for a rationale on this.


Related issues

Related to NethServer 6 - Enhancement #2043: Backup: implement and document full restore CLOSED

Associated revisions

Revision b8822945
Added by Davide Principi over 7 years ago

New NethServer::Password module implementation. Refs #2063

Replaces and obsoletes esmith::util::genRandomPassword() and
esmith::util::genRandomHash(). Digest::SHA1 module is no longer
required. The default path to store passwords is

/var/lib/nethserver/secrets/

Revision 6db95263
Added by Davide Principi over 7 years ago

Use NethServer::Password module to store NSS password. Refs #2063

Revision c6f6994a
Added by Davide Principi over 7 years ago

Moved /etc/pam_ldap.secret metadata settings to nethserver-directory. Refs #2063

Revision 52623be1
Added by Davide Principi over 7 years ago

Password characters restricted to [A-Za-z0-9_]. Refs #2063

Revision 7c628b91
Added by Davide Principi over 7 years ago

Use NethServer::Password module to store secrets. Refs #2063

The default path is /var/lib/nethserver/secrets, which is already
included in the backup rules.

Added /etc/pam_ldap.secret template to cope with the special case of
"pam" service account in a standard way.

Revision 7417c992
Added by Davide Principi over 7 years ago

Configure LDAP before starting samba daemons. Refs #2063

Revision efd1b71d
Added by Davide Principi over 7 years ago

Use NethServer::Password module. Refs #2063

Replaces NethServer::Directory::getUserPassword() call.

Revision 24274591
Added by Davide Principi over 7 years ago

Use NethServer::Password module to store sogo password. Refs #2063

History

#1 Updated by Davide Principi about 8 years ago

  • Description updated

#2 Updated by Davide Principi about 8 years ago

  • Target version set to v6.4-beta2

#3 Updated by Giacomo Sanchietti about 8 years ago

  • Target version changed from v6.4-beta2 to ~FUTURE

This is not needed at the moment, because the backup works right (even for nethserver-sogo).

But it's a really useful improvement.

#4 Updated by Filippo Carletti almost 8 years ago

  • Target version changed from ~FUTURE to v6.5-beta3

#6 Updated by Davide Principi over 7 years ago

  • Due date set to 11/21/2013
  • Status changed from NEW to TRIAGED
  • Start date set to 11/21/2013
  • % Done changed from 0 to 20
  • Estimated time set to 6.00

#7 Updated by Davide Principi over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#8 Updated by Davide Principi over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

MODIFIED

  • Modified packages nethserver-{lib,base,directory,samba,mail-server}
  • Password generation and persistence is provided by NethServer::Password module
  • Functions genRandomPassword(), genRandomHash() from esmith::utils and getUserPassword(), configServiceAccount() from NethServer::Directory now rely on NethServer::Password and are backward-compatible
  • Default directory to store secrets is /var/lib/nethserver/secrets

Release notes

There are two ways to upgrade to the modified version. You are free to choose one of the following:
  1. Before upgrade (faster). Migrate secrets to new directory:
        # mkdir /var/lib/nethserver/secrets
        # for F in /etc/openldap/.*.pw; do N=`basename ${F} .pw`; D=/var/lib/nethserver/secrets/${N#.}; cp -v $F $D; done;
        # cp -v /etc/pam_ldap.secret /var/lib/nethserver/secrets/pam
    
  2. After upgrade (slower). Reconfigure all, generating new passwords:
        # /etc/e-smith/events/actions/system-adjust
    

Whatever procedure you choose, at the end you can remove the old files /etc/openldap/.*.pw.

Test case

Execute one of the upgrade procedures described above.

Get the list of LDAP service accounts:

    # ldapsearch -Y EXTERNAL -LLL objectClass=simpleSecurityObject dn 2>/dev/null

Password in LDAP must be aligned with the contents of /var/lib/nethserver/secrets:

    # for F in /var/lib/nethserver/secrets/*; do echo -n "$F: "; ldapwhoami -D cn=`basename $F`,dc=directory,dc=nh -x -y $F || echo $F has FAILED; done
...

Some of the above tests can fail if the file name does not correspond to an LDAP service account.

The following identities are registered on a system with all nethserver-* packages installed. This is a list of identity/test to execute after the upgrade:

  • ejabberd
    check user login
  • samba
        # net -d 10 sam list users
    ...
    ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as "cn=samba,dc=directory,dc=nh" 
    ldap_connect_system: successful connection to the LDAP server
    ldap_connect_system: LDAP server does support paged results
    The LDAP server is successfully connected
    
  • sogo
    check user login
  • vmail (not an LDAP service account)
    read master user <PASSWORD> from /etc/dovecot/master-users. The password must be equal to /var/lib/nethserver/secrets/vmail contents. Replace it in the command below:
        # (sleep 1; echo "A LOGIN admin*vmail <PASSWORD>"; sleep 1; echo "B SELECT INBOX"; sleep 2) | nc -C localhost 143
    ...
    B OK [READ-WRITE] Select completed.
    
  • libuser
        # id nsstest
    uid=501(nsstest) gid=501(nsstest) groups=501(nsstest)
    
  • pam
    change user password with passwd command
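
The "before upgrade" migration from the release notes above, worked into a checked version as an added example (this is not NethServer's own code). It keeps the same layout the issue describes, /etc/openldap/.NAME.pw and /etc/pam_ldap.secret copied to /var/lib/nethserver/secrets/NAME and /var/lib/nethserver/secrets/pam, but takes the three paths as parameters so it can be run against a constructed scratch tree; the 0700/0600 modes set with install(1) are a choice made here, the issue does not state a mode. The verify step compares every copy byte-for-byte, which is the check worth running before the old /etc/openldap/.*.pw files are removed.

```shell
#!/bin/sh
# Added example, not NethServer's own code: copy the "service" account secrets
# from SRC/.NAME.pw (plus the pam secret file) into DST/NAME, the directory
# already covered by the backup rules, then verify every copy before the old
# files are deleted. Paths are parameters so the functions also run against
# the constructed scratch tree at the bottom.

# name_from_pw_file /etc/openldap/.samba.pw  ->  samba
name_from_pw_file() {
    n=$(basename "$1" .pw)
    printf '%s\n' "${n#.}"
}

# migrate_secrets SRC PAM_FILE DST
# Creates DST owner-only (0700) and each copy 0600; that mode is this
# example's choice, the issue itself does not state one.
migrate_secrets() {
    src="$1"; pam="$2"; dst="$3"
    install -d -m 0700 "$dst" || return 1
    for f in "$src"/.*.pw; do
        [ -f "$f" ] || continue            # unmatched glob stays literal: skip it
        install -m 0600 "$f" "$dst/$(name_from_pw_file "$f")" || return 1
    done
    if [ -f "$pam" ]; then
        install -m 0600 "$pam" "$dst/pam" || return 1
    fi
}

# verify_secrets SRC PAM_FILE DST
# Exit status 0 only when every source secret has a byte-identical copy in DST;
# the first mismatch is printed. Run this before removing the old files.
verify_secrets() {
    src="$1"; pam="$2"; dst="$3"
    for f in "$src"/.*.pw; do
        [ -f "$f" ] || continue
        c="$dst/$(name_from_pw_file "$f")"
        cmp -s "$f" "$c" || { echo "MISMATCH: $f vs $c"; return 1; }
    done
    if [ -f "$pam" ]; then
        cmp -s "$pam" "$dst/pam" || { echo "MISMATCH: $pam vs $dst/pam"; return 1; }
    fi
}

# Constructed scratch tree standing in for /etc/openldap, /etc/pam_ldap.secret
# and /var/lib/nethserver/secrets (the secret values are made up for the demo).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/openldap"
printf 'samba-demo-secret\n' > "$DEMO/openldap/.samba.pw"
printf 'sogo-demo-secret\n'  > "$DEMO/openldap/.sogo.pw"
printf 'pam-demo-secret\n'   > "$DEMO/pam_ldap.secret"

migrate_secrets "$DEMO/openldap" "$DEMO/pam_ldap.secret" "$DEMO/secrets" &&
verify_secrets  "$DEMO/openldap" "$DEMO/pam_ldap.secret" "$DEMO/secrets" &&
echo "all secrets migrated and verified under $DEMO/secrets"
```

On a real system the call would be `migrate_secrets /etc/openldap /etc/pam_ldap.secret /var/lib/nethserver/secrets` as root, followed by `verify_secrets` with the same arguments; only when that returns 0 is it safe to delete the /etc/openldap/.*.pw files, and the ldapwhoami loop from the test case above then confirms the copied values still match what is stored in LDAP.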

#9 Updated by Davide Principi over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-lib-1.3.2-18.0gitff4d2640.ns6.noarch.rpm
nethserver-base-1.4.3-11.0gitc6f6994a.ns6.noarch.rpm
nethserver-directory-1.2.3-8.0git7c628b91.ns6.noarch.rpm
nethserver-samba-1.3.6-3.0git7417c992.ns6.noarch.rpm
nethserver-mail-server-1.4.6-7.0gitefd1b71d.ns6.noarch.rpm

#10 Updated by Giacomo Sanchietti over 7 years ago

  • Assignee set to Giacomo Sanchietti

#11 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

All tested services work fine.

Marking as VERIFIED.

#12 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm
