[SAC] LDAP in Drupal

Committees SAC mailing list
1

With our recent Drupal upgrade and it's related ldap integration module, I've done some more tests with increasing the integration between Drupal and LDAP. The earlier versions of the module were not ready for more than simple authentication.

By giving the module access to the LDAP manager role, it can now allows users to reset their passwords and edit their own attributes. There is always concern about using the manager role in the application, but largely because we didn't really understand how it gets used in Drupal. Now, the password itself does not appear in cleartext in any form in drupal, though it is stored in the database.

How can we build confidence in the use of this module and approach?

Is it possible to have LDAP users edit their own attributes? Previously this was not an option, but it would also help reduce the use of the manager role.

Tyler

2

On Wed, Dec 19, 2007 at 11:19:40AM -0800, Tyler Mitchell (OSGeo) wrote:

How can we build confidence in the use of this module and approach?

Is it possible to have LDAP users edit their own attributes?

Yes, LDAP server ACL's should allow setting the user PW without binding
as Manager.
Note, this ACL is currently not active on 'osgeo1', someone has
deactivated this rule because some 'buggy' LDAP client got confused.
Maybe Trac ?

See "Martin's suggestions" in /etc/openldap/slapd.conf

Cheerio,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

3

Tyler Mitchell (OSGeo) wrote:

With our recent Drupal upgrade and it's related ldap integration module, I've done some more tests with increasing the integration between Drupal and LDAP. The earlier versions of the module were not ready for more than simple authentication.

By giving the module access to the LDAP manager role, it can now allows users to reset their passwords and edit their own attributes. There is always concern about using the manager role in the application, but largely because we didn't really understand how it gets used in Drupal. Now, the password itself does not appear in cleartext in any form in drupal, though it is stored in the database.

Tyler,

I think this is great news (despite some early concern). As discussed
in IRC I think we need to be careful who has PHP editing permission in
Drupal since that is a backdoor to querying the database and/or doing
other unpriveledged operations on the server.

What is the url for a user to update their email, password and other
LDAP info? Can we point the appropriate portion of the page:

   http://www.osgeo.org/osgeo_userid

to that?

Likewise, is there a mechanism for searching for an ldap userid and
for creating new ones? If Drupal can handle these functions, lets
move to it instead of using the custom python scripts, and update
the osgeo_userid page accordingly. With luck, the "ldap group
management" will be the last of the custom python scripts we need to
use.

How can we build confidence in the use of this module and approach?

Is it possible to have LDAP users edit their own attributes? Previously this was not an option, but it would also help reduce the use of the manager role.

If Drupal already has the manager account, I'm not sure that it would
be any better to make some changes self-authenticating.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org

4

On 19.12.2007 21:59, Frank Warmerdam wrote:

I think this is great news (despite some early concern). As discussed
in IRC I think we need to be careful who has PHP editing permission in
Drupal since that is a backdoor to querying the database and/or doing
other unpriveledged operations on the server.

Agreed. Inline PHP scripting should be handled with care.

What is the url for a user to update their email, password and other
LDAP info? Can we point the appropriate portion of the page:

  http://www.osgeo.org/osgeo_userid

to that?

http://www.osgeo.org/user/<userid>/edit, or point to
http://www.osgeo.org/user and tell people to edit their profile.

There is a link in the main below the language content labeled 'My
account' which points to the account page, from where the user can
choose the edit link.

Likewise, is there a mechanism for searching for an ldap userid and
for creating new ones? If Drupal can handle these functions, lets
move to it instead of using the custom python scripts, and update
the osgeo_userid page accordingly. With luck, the "ldap group
management" will be the last of the custom python scripts we need to
use.

There is http://www.osgeo.org/search/user but that only searched by
userid :frowning: I'll have to check if I can find a module which could expand
on this or indeed use the ldap to search for a user... Tyler perhaps the
ldap_provisioning module can do this?

--Wolf

--

<:3 )---- Wolf Bergenheim ----( 8:>

5

On 19-Dec-07, at 12:20 PM, Wolf Bergenheim wrote:

On 19.12.2007 21:59, Frank Warmerdam wrote:

I think this is great news (despite some early concern). As discussed
in IRC I think we need to be careful who has PHP editing permission in
Drupal since that is a backdoor to querying the database and/or doing
other unpriveledged operations on the server.

Agreed. Inline PHP scripting should be handled with care.

I just changed it and made sure that only Drupal admins can use PHP code anywhere in page content. The service provider directory is the only place where it has been previously used, and that should all work fine now.

6

Frank wrote:
-----------------
I think this is great news (despite some early concern).
-----------------

I have to say, I still have some concerns. Is running the entire Drupal
auth under a manager role really worth allowing users to reset their own
passwords via Drupal (which is, as I understand it, the only additional
benefit?) Regardless, I think that whatever role Drupal is running
under should have the least possible priveleges required to perform the
necessary functions. Not being an LDAP guru, I don't know what that is,
but we should definitely avoid giving Drupal what amounts to Domain
Administrator role in AD. That's just asking for trouble when/if a
Drupal exploit emerges.

Apart from this concern, I have ongoing lack-of-sleep about
allowing/defaulting-to standard http for authentication of both Drupal
and Trac instances. If there are any mods available to ensure that
logins are only accessed under SSL, I would be feeling a little more
comfortable.

Jason

7

Hi SAC,

On Wed, Dec 19, 2007 at 11:19:40AM -0800, Tyler Mitchell (OSGeo) wrote:

By giving the module access to the LDAP manager role, it can now
allows users to reset their passwords and edit their own attributes.
There is always concern about using the manager role in the
application, but largely because we didn't really understand how it
gets used in Drupal. Now, the password itself does not appear in
cleartext in any form in drupal, though it is stored in the database.

I still have serious concerns about doing so, I consider this as a
design flaw that could be avoided (see below).

A complex content management system running in PHP translates into some
of the most prominent components which make an invitation to hacking
the site. This is considered to be well-known consensus, not only since
Stefan Esser started the "Month of PHP Bugs" initiative which made the
whole issue even more popular.
This means, that everyone who gains access to the OSGeo web service
(Apache) permissions via some PHP flaw or, not to forget, a possible
Drupal security bug and who has a certain knowledge about the LDAP
module which we are using here, has the ability to get unlimited
access to the _complete_ OSGeo user management.

This is really scaring !!!

I find this even more irritating because we're putting the whole LDAP
directory at risk for a reason that could be avoided because you
definitely do _not_ need LDAP Manager access to change the first name
or the password of your already existing entry in an LDAP directory.
You just need to set proper LDAP ACL's and bind to the directory as the
respective user.

In fact, the core problem is a totally different one. For some reason
that I mostly have forgotten, we still don't apply LDAP ACL's to our
directory. As far as my memory serves we had some Trac authentication
issues when ACL's were in place - Trac's LDAP authentication probably
was incapable of binding to the directry server as a regular user.

So, this is my simplified proposal about how to make the OSGeo LDAP
service a bit safer:

1.) Remove the LDAP Manager permissions from Drupal first;
2.) enable reasonable LDAP ACL's and, just in case this still proves to
    be necessary:
3.) fix broken LDAP clients;
4.) make the Drupal LDAP module bind to the directory as regular user
    only;
5.) while we are at it: completely disable unencrypted access to the
    LDAP directory;
6.) disable unencrypted HTTP logins on _all_ sites that authenticate
    against the OSGeo LDAP service;
7.) add an appropriate field in the LDAP user entry, request all Wiki
    users to create an OSGeo login and to enter their current Wiki user
    name .... this could relieve us from the need to manually
    correllate Wiki to OSGeo user accounts :slight_smile:

Well, 2.) and 3.) could be swapped ....

I know that this EMail might sound a bit harsh. Yet I think this is
unavoidable to make it clear to which risk our LDAP service is
currently exposed. As long as we consider this LDAP service at the core
OSGeo user authentication, this significantly diverges from the rather
conservative maintenance conventions that usually apply to OSGeo's
other core services.

Concerns, opinions ?

Best regards,
  Martin.
P.S.: Did you know that 'osgeo1' shares a DNS entry '66.223.95.245' with
      'webmail.danvillestation.com' ? :wink:
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

8

On 25-Dec-07, at 10:10 AM, Martin Spott wrote:

So, this is my simplified proposal about how to make the OSGeo LDAP
service a bit safer:

1.) Remove the LDAP Manager permissions from Drupal first;
2.) enable reasonable LDAP ACL's and, just in case this still proves to
    be necessary:
3.) fix broken LDAP clients;
4.) make the Drupal LDAP module bind to the directory as regular user
    only;
5.) while we are at it: completely disable unencrypted access to the
    LDAP directory;
6.) disable unencrypted HTTP logins on _all_ sites that authenticate
    against the OSGeo LDAP service;
7.) add an appropriate field in the LDAP user entry, request all Wiki
    users to create an OSGeo login and to enter their current Wiki user
    name .... this could relieve us from the need to manually
    correllate Wiki to OSGeo user accounts :slight_smile:

I have no concern about this approach, but don't know enough to help do more than just #1. If these items can be handled by SAC, then I think we will make some significant progress.

The only item that this does not address is that I would like to be able to use Drupal to create new accounts as well, that was the other reason for using Manager. This is so that we can register in a single spot (i.e. a drupal page) that also collects various attributes during registration (i.e. user country, "want to be osgeo member", etc). Is there is a way through LDAP to allow a special user to only create new accounts? If we can do this, I'd be really happy :slight_smile:

Tyler