Enhancement #2063
Directory: backup service accounts passwords
| Status: | CLOSED | Start date: | 11/21/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | 11/21/2013 |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-directory | | |
| Target version: | v6.5-beta3 | | |
| Resolution: | | NEEDINFO: | No |
Description
Passwords for "service" accounts are currently stored under the /etc/openldap/ directory, which is not automatically included in the backup list.
See http://dev.nethserver.org/issues/2043#note-7 for a rationale on this.
Related issues
Associated revisions
New NethServer::Password module implementation. Refs #2063
Replaces and obsoletes esmith::util::genRandomPassword() and
esmith::util::genRandomHash(). Digest::SHA1 module is no longer
required. The default path to store passwords is
/var/lib/nethserver/secrets/
Use NethServer::Password module to store NSS password. Refs #2063
Moved /etc/pam_ldap.secret metadata settings to nethserver-directory. Refs #2063
Password characters restricted to [A-Za-z0-9_]. Refs #2063
Use NethServer::Password module to store secrets. Refs #2063
The default path is /var/lib/nethserver/secrets, which is already
included in the backup rules.
Added /etc/pam_ldap.secret template to cope with the special case of
"pam" service account in a standard way.
Configure LDAP before starting samba daemons. Refs #2063
Use NethServer::Password module. Refs #2063
Replaces NethServer::Directory::getUserPassword() call.
Use NethServer::Password module to store sogo password. Refs #2063
History
#1 Updated by Davide Principi about 8 years ago
- Description updated (diff)
#2 Updated by Davide Principi about 8 years ago
- Target version set to v6.4-beta2
#3 Updated by Giacomo Sanchietti about 8 years ago
- Target version changed from v6.4-beta2 to ~FUTURE
This is not needed at the moment, because the backup works right (even for nethserver-sogo).
But it's a really useful improvement.
#4 Updated by Filippo Carletti almost 8 years ago
- Target version changed from ~FUTURE to v6.5-beta3
#6 Updated by Davide Principi over 7 years ago
- Due date set to 11/21/2013
- Status changed from NEW to TRIAGED
- Start date set to 11/21/2013
- % Done changed from 0 to 20
- Estimated time set to 6.00
#7 Updated by Davide Principi over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#8 Updated by Davide Principi over 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
MODIFIED
- Modified packages: nethserver-{lib,base,directory,samba,mail-server}
- Password generation and persistence is provided by the NethServer::Password module
- Functions genRandomPassword(), genRandomHash() from esmith::utils and getUserPassword(), configServiceAccount() from NethServer::Directory now rely on NethServer::Password and are backward-compatible
- Default directory to store secrets is /var/lib/nethserver/secrets
Release notes
There are two ways to upgrade to the modified version. You are free to choose one of the following:
- Before upgrade (faster). Migrate secrets to the new directory:
```
# mkdir /var/lib/nethserver/secrets
# for F in /etc/openldap/.*.pw; do N=`basename ${F} .pw`; D=/var/lib/nethserver/secrets/${N#.}; cp -v $F $D; done
# cp -v /etc/pam_ldap.secret /var/lib/nethserver/secrets/pam
```
- After upgrade (slower). Reconfigure all, generating new passwords:
```
# /etc/e-smith/events/actions/system-adjust
```
Whatever procedure you chose, at the end you can remove the old files /etc/openldap/.*.pw.
Test case
Execute one of the upgrade procedures described above.
Get the list of LDAP service accounts:
```
# ldapsearch -Y EXTERNAL -LLL objectClass=simpleSecurityObject dn 2>/dev/null
```
Password in LDAP must be aligned with the contents of /var/lib/nethserver/secrets:
```
# for F in /var/lib/nethserver/secrets/*; do echo -n "$F: "; ldapwhoami -D cn=`basename $F`,dc=directory,dc=nh -x -y $F || echo $F has FAILED; done
...
```
Some of the above tests can fail, if the file name does not correspond to an LDAP service account.
The following identities are registered on a system with all nethserver-* packages installed. This is a list of identity/test to execute after the upgrade:
- ejabberd: check user login
- samba:
```
# net -d 10 sam list users
...
ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as "cn=samba,dc=directory,dc=nh"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
```
- sogo: check user login
- vmail (not an LDAP service account): read the master user <PASSWORD> from /etc/dovecot/master-users. The password must be equal to the /var/lib/nethserver/secrets/vmail contents. Replace it in the command below:
```
# (sleep 1; echo "A LOGIN admin*vmail <PASSWORD>"; sleep 1; echo "B SELECT INBOX"; sleep 2) | nc -C localhost 143
...
B OK [READ-WRITE] Select completed.
```
- libuser:
```
# id nsstest
uid=501(nsstest) gid=501(nsstest) groups=501(nsstest)
```
- pam: change a user password with the passwd command
#9 Updated by Davide Principi over 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-lib-1.3.2-18.0gitff4d2640.ns6.noarch.rpm
nethserver-base-1.4.3-11.0gitc6f6994a.ns6.noarch.rpm
nethserver-directory-1.2.3-8.0git7c628b91.ns6.noarch.rpm
nethserver-samba-1.3.6-3.0git7417c992.ns6.noarch.rpm
nethserver-mail-server-1.4.6-7.0gitefd1b71d.ns6.noarch.rpm
#10 Updated by Giacomo Sanchietti over 7 years ago
- Assignee set to Giacomo Sanchietti
#11 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 70 to 90
All tested services work fine.
Marking as VERIFIED.
#12 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-samba-1.4.0-1.ns6.noarch.rpm
nethserver-directory-1.3.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.0-1.ns6.noarch.rpm
nethserver-shorewall-1.0.3-1.ns6.noarch.rpm
nethserver-mail-server-1.5.0-1.ns6.noarch.rpm
nethserver-mail-filter-1.1.4-1.ns6.noarch.rpm
nethserver-nethgui-1.3.0-1.ns6.noarch.rpm
nethserver-base-1.5.0-1.ns6.noarch.rpm
nethserver-lib-1.4.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.1.0-1.ns6.noarch.rpm
nethserver-yum-1.2.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.0-1.ns6.noarch.rpm