Mailinglist Archive: opensuse-buildservice (137 mails)

[opensuse-buildservice] [api] add LDAP_OBSDB_FILTER feature??
https://github.com/openSUSE/open-build-service/pull/9


The default LDAP authentication lets users access OBS as long as the user
has an LDAP username/password.
Most enterprises don't want this.
We want only some of the users from LDAP to access OBS.

In "src/api/config/environments/production.rb",
it suggests using "LDAP_USER_FILTER" to achieve this goal (letting only some
of the users from LDAP access OBS).
However,
in a large enterprise,
the LDAP server is normally maintained by IT people,
but the OBS server is normally maintained by the CM group.
It's always inconvenient to ask IT to add/remove people from LDAP membership to
control access rights.
As an OBS admin,
therefore, we don't want to use "LDAP_USER_FILTER".

Hence,
while we still want to use LDAP authentication,
we need to have a new mechanism to block users from accessing OBS even if they
have an LDAP username/password,
and this new mechanism can be controlled by the OBS admin.

Instead of taking a "black list" approach (specifying who shouldn't access OBS),
we take a "white list" approach (only a user who has an account in the OBS
database can access),
which is similar to the authentication when LDAP_MODE is :off.

The difference would be that when LDAP_MODE is :off,
end users need to keep 2 different sets of passwords (one for OBS and one for
LDAP)
because IT normally requires end users to change their LDAP password every 90 days.


Workflow:
Before querying the LDAP server for the username/password,
the program would first search for the username in the OBS database.
If the username doesn't exist in the OBS database,
the program would block the user.
Only if the username exists in the OBS database does the program continue
the authentication by querying the LDAP server for the username/password.



Rick
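An added example (not code from the mail or from the pull request) that models the whitelist gate described in the workflow above in plain Ruby: LDAP_MODE and the proposed LDAP_OBSDB_FILTER are modelled as keyword arguments, while the OBS user table and the LDAP bind are constructed stand-ins.

```ruby
# Constructed stand-in for the OBS database: only accounts the OBS admin created.
OBS_USERS = { "alice" => { login: "alice", state: "confirmed" } }.freeze

# Constructed stand-in for the corporate LDAP directory (username => password).
LDAP_DIRECTORY = { "alice" => "s3cret", "bob" => "hunter2" }.freeze

# Simulated LDAP bind: succeeds only if the directory holds that username/password.
LDAP_BIND = lambda do |login, password|
  LDAP_DIRECTORY.key?(login) && LDAP_DIRECTORY[login] == password
end

# ldap_mode mirrors LDAP_MODE; obsdb_filter models the proposed LDAP_OBSDB_FILTER
# (hypothetical name here). With the filter :on, a login must already exist in
# the OBS database before the LDAP server is contacted at all.
def authenticate(login, password, ldap_mode: :on, obsdb_filter: :off, bind: LDAP_BIND)
  return [:denied, "ldap disabled"] if ldap_mode != :on

  # Whitelist gate: the OBS admin decides who may log in by creating accounts.
  if obsdb_filter == :on && !OBS_USERS.key?(login)
    # Refuse before any bind: no LDAP round trip and no account auto-creation.
    warn "login denied: #{login} not in OBS database"
    return [:denied, "not in obs database"]
  end

  # Only now is the LDAP server asked to verify the password.
  return [:denied, "ldap bind failed"] unless bind.call(login, password)

  [:ok, login]
end
```

With the filter :off any valid LDAP account (here "bob") gets in; with it :on, "bob" is refused before LDAP is queried while "alice" still authenticates against LDAP.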


