[om-infra] sso - custom username support is working now
Robert Xu
robxu9 at gmail.com
Fri Jan 22 12:48:14 EST 2016
Umm... So I just checked - I think we're only checking if we're
authenticated, and if so, we're allowing everyone access to the
manager.
I think we should probably set some rule or something..
On 22 January 2016 at 12:34, Jean-Claude Vanier <jclvanier at gmail.com> wrote:
> I'm not sure we can do it with lemonldap as a general rule. But it's
> easy with phpldapadmin.
> Btw, I have reorganized the bbw pages about SSO stuff.
>
> 2016-01-22 17:56 GMT+01:00 Robert Xu <robxu9 at gmail.com>:
>> I forget how lemonldap determines who is an admin and who isn't..
>>
>> On 22 Jan 2016 10:35, "Jean-Claude Vanier" <jclvanier at gmail.com> wrote:
>>>
>>> On one hand, even if manager has a dns set, a non logged user
>>> attempting to open it is redirected to auth and a logged user without
>>> admin permission gets a frightening black page.
>>> On the other hand, manager will be seldom used, so a simple record in
>>> one's /etc/host can be enough.
>>> I have no strong opinion on this matter.
>>>
>>> 2016-01-22 15:27 GMT+01:00 Robert Xu <robxu9 at gmail.com>:
>>> > Careful - we don't want anyone accessing the manager; only those who are
>>> > proxied into Jasper or Ruby.
>>> >
>>> > On 22 Jan 2016 07:23, "Raphaël Jadot" <rj at hodo.fr> wrote:
>>> >>
>>> >> Gandi (cloudflare in fact) is badly configured then :)
>>> >>
>>> >> --
>>> >> Sent from Yandex.Mail for mobile
>>> >>
>>> >> 22.01.2016, 12:58, "Jean-Claude Vanier" <jclvanier at gmail.com>:
>>> >>
>>> >>
>>> >> I'm not sure I understand everything:
>>> >> Gandi shows that auth points to 212.83.163.187 (jade) but if I ping to
>>> >> auth, the answer comes from 212.129.32.94 (jasper).
>>> >> If I make manager pointing to jasper, in my /etc/host, lemonldap
>>> >> displays correctly.
>>> >>
>>> >> 2016-01-22 12:38 GMT+01:00 Jean-Claude Vanier <jclvanier at gmail.com>:
>>> >>
>>> >> Ah, I forgot you told me that yesterday.
>>> >> Actually, manager points to jade ... at least this morning.
>>> >>
>>> >> 2016-01-22 12:21 GMT+01:00 Raphaël Jadot <rj at hodo.fr>:
>>> >>
>>> >> Yesterday it was ok but I had to make manager.op… point to jasper ip
>>> >>
>>> >> --
>>> >> Sent from Yandex.Mail for mobile
>>> >>
>>> >> 22.01.2016, 10:53, "Jean-Claude Vanier" <jclvanier at gmail.com>:
>>> >>
>>> >>
>>> >> Big thanks Raphaël.
>>> >> Is anyone experiencing this: manager gives a blank page?
>>> >>
>>> >> 2016-01-21 21:59 GMT+01:00 Raphaël Jadot <rj at hodo.fr>:
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> https://secure.waynesallee.com/openmandriva/infrawiki/index.php?title=Ruby#Step_for_adding_password_encrypting_policy
>>> >>
>>> >> I had to create a password for cn=admin,cn=config
>>> >>
>>> >>
>>> >>
>>> >> https://secure.waynesallee.com/openmandriva/infrawiki/index.php?title=Ruby#Admin_users_and_password
>>> >>
>>> >> 20.01.2016, 19:53, "Robert Xu" <robxu9 at gmail.com>:
>>> >>
>>> >> Actually, I see it now - it's default. Great! All the passwords are
>>> >> being hashed.
>>> >>
>>> >> Raphael, you may want to change your password so that it gets hashed.
>>> >> Other than that, I believe we should start hooking up systems!
>>> >>
>>> >> On 20 January 2016 at 12:41, Robert Xu <robxu9 at gmail.com> wrote:
>>> >>
>>> >> Is it default? i.e. all password changes will be automatically hashed?
>>> >>
>>> >> On 20 Jan 2016 7:25 a.m., "Jean-Claude Vanier" <jclvanier at gmail.com> wrote:
>>> >>
>>> >> ppolicy is installed and active. It is possible to encrypt the password
>>> >> using phpldapadmin.
>>> >> See "uid=jvanier,ou=People,dc=openmandriva,dc=org" and export this entry.
>>> >>
>>> >> 2016-01-19 19:44 GMT+01:00 Robert Xu <robxu9 at gmail.com>:
>>> >> >
>>> >> > On 19 Jan 2016 13:19, "Anurag Bhandari" <ab at anuragbhandari.com> wrote:
>>> >> >>
>>> >> >>
>>> >> >> On 19-Jan-2016 1:26 pm, "Robert Xu" <robxu9 at gmail.com> wrote:
>>> >> >> >
>>> >> >> > Okay, so it's a good thing I caught this - LDAP is storing passwords
>>> >> >> > in clear text. That is unacceptable.
>>> >> >>
>>> >> >> Whoops! That's outrageous. Totally unacceptable.
>>> >> >>
>>> >> >> >
>>> >> >> > Can someone figure out a way to make LDAP store them hashed? We cannot
>>> >> >> > proceed with passwords in clear text.
>>> >> >>
>>> >> >> I can check into this. Where's the data store for LDAP? Also, did you
>>> >> >> check if there's a setting in lemonldap to enable encrypted passwords?
>>> >> >> At any rate, such a setting should be default.
>>> >> >
>>> >> > In Ruby. There's no setting in LemonLDAP, so we probably forgot to enable
>>> >> > some sort of setting in LDAP itself - ppolicy maybe?
>>> >> >
>>> >> >
>>> >> > _______________________________________________
>>> >> > OM-Infra mailing list
>>> >> > OM-Infra at ml.openmandriva.org
>>> >> >
>>> >>
>>> >> http://ml.openmandriva.org/mailman/listinfo/om-infra_ml.openmandriva.org
>>> >> >
>>> >>
>>> >> --
>>> >> cheers, Robert :: github.com/robxu9
>>> >> Raphaël Jadot
--
cheers, Robert :: github.com/robxu9
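
Added example, not part of the original thread: a check for the clear-text password problem discussed above, run over an LDIF export of the directory. It decodes base64 (`::`) values and folded lines first, because an exported `userPassword` can look encoded while still being clear text underneath. The sample entries, DNs and values are constructed, and the script assumes plain (non-base64) DNs.

```python
import base64
import re

SCHEME = re.compile(r"^\{([A-Za-z0-9_-]+)\}")
# Scheme tags that mark a reversible (non-hashed) stored value.
NOT_HASHED = {"CLEARTEXT"}

def unfold(ldif):
    """Join LDIF continuation lines (newline followed by one space)."""
    return re.sub(r"\r?\n ", "", ldif)

def audit_ldif(ldif):
    """Return {dn: verdict} for every entry carrying userPassword."""
    findings, dn = {}, None
    for line in unfold(ldif).splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
        elif line.lower().startswith("userpassword:"):
            raw = line[len("userPassword:"):]
            if raw.startswith(":"):  # "::" means the value is base64
                data = base64.b64decode(raw[1:].strip())
                value = data.decode("utf-8", "replace")
            else:
                value = raw.strip()
            m = SCHEME.match(value)
            if m and m.group(1).upper() not in NOT_HASHED:
                findings[dn] = "hashed:" + m.group(1).upper()
            else:
                findings[dn] = "cleartext"
    return findings

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample export: hashed, base64-wrapped clear text, folded hash.
_hashed = "{SSHA}" + _b64("constructed-digest-and-salt")
_folded = _b64(_hashed)
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=org",
    "userPassword: " + _hashed, "",
    "dn: uid=bob,ou=People,dc=example,dc=org",
    "userPassword:: " + _b64("constructed-password"), "",
    "dn: uid=carol,ou=People,dc=example,dc=org",
    "userPassword:: " + _folded[:24],
    " " + _folded[24:], "",
])

if __name__ == "__main__":
    for entry, verdict in audit_ldif(SAMPLE_LDIF).items():
        print(verdict, entry)
```

Entries reported as `cleartext` are the ones whose owners need to change their password after hashing is enabled, as suggested earlier in the thread.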