On Wed, Sep 07, 2022 at 06:22:20PM -0400, Regina Obe wrote:
> > I don't find "msmitherdc" on that list (shell?group=sac) but I found
> > you on the other list, supposedly related to telascience which I
> > think we're not using anymore.
> > I've removed you from there.
> >
> > See https://trac.osgeo.org/osgeo/ticket/2804 for the confusion.
>
> You sure telascience is not used anymore?
No, I'm not sure.
Okay I might have only seen it on that page, and assumed that was what shell
is called.
So perhaps it's not used anymore.
We are talking about shell, so I wonder:
which host machines do we have?
Supposedly this page should tell us:
https://wiki.osgeo.org/wiki/SAC_Service_Status
And it tells us Telascience machines are not used:
https://wiki.osgeo.org/wiki/SAC_Service_Status#Historical_servers_.28not_more_in_use.29
How do current machines decide whether or not to allow shell access? Was
there a wiki page describing that?
The Sac_Service_Status mentions in a couple of places:
"You need to be in the shell group"
"You must be a member of the OSGeo shell group"
But there's no such thing as a "shell group", rather we have a "sac" group
and a "telascience" group, both being "common names" (cn) in the "shell"
organizational unit. I don't know how to extract other common names in
that organizational unit (if it makes any sense).
The Sac_Service_Status page also links to https://id.osgeo.org/ldap/shell
when referring to "the shell group" and that's the "telascience" group.
How are machines allowing shell access via LDAP configured?
This is what I have as the setup for the instance images I've been using to
build out the new instances. This is in the /etc/nslcd.conf, which I had
originally copied I think from the old download server.
base passwd ou=People,dc=osgeo,dc=org
base shadow ou=People,dc=osgeo,dc=org
base group ou=Group,dc=osgeo,dc=org
filter group (&(objectClass=posixGroup)(cn=sac,ou=Shell,dc=osgeo,dc=org))
This page seems to mention something and also reveal there's another group
"qgis" in the "shell" organizational unit:
https://wiki.osgeo.org/wiki/SAC:Standard_System_Setup#Enable_LDAP
That "cn" (qgis) is indeed existing and described as:
Shell Access for QGIS VM
QGIS project manages their own servers on Hetzner and we have whitelist rules
in place to allow their servers to authenticate with LDAP. So that all
makes sense.
I found these other wiki pages which may (or may not) be relevant:
https://wiki.osgeo.org/wiki/SAC:Security_Groups_Policy
We need to bring all these pages up to date with the new infrastructure, I
suppose.
--strk;
Agree needs to be cleaned up.
-- Regina Obe
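As an added illustration (not from this thread and not OSGeo's own configuration), a small Python sketch of the group lookup discussed above: a minimal RFC 4515 filter evaluator run over constructed posixGroup entries under ou=Shell mirroring the three groups the thread names (sac, telascience, qgis), plus a helper that lists the cn values in that OU. The entries, memberUid values and helper names are assumptions made for the example. Evaluated as a plain equality assertion on cn, the posted filter value `sac,ou=Shell,dc=osgeo,dc=org` matches none of these entries, whereas `(cn=sac)` searched under ou=Shell does.

```python
# Constructed directory entries modelled on the groups the thread names under
# ou=Shell (sac, telascience, qgis); memberUid values are placeholders.
SHELL_OU = "ou=Shell,dc=osgeo,dc=org"
ENTRIES = [
    {"dn": f"cn=sac,{SHELL_OU}", "objectClass": ["posixGroup"], "cn": ["sac"],
     "memberUid": ["user-a", "user-b"]},
    {"dn": f"cn=telascience,{SHELL_OU}", "objectClass": ["posixGroup"],
     "cn": ["telascience"], "memberUid": ["user-a"]},
    {"dn": f"cn=qgis,{SHELL_OU}", "objectClass": ["posixGroup"], "cn": ["qgis"],
     "description": ["Shell Access for QGIS VM"], "memberUid": ["user-c"]},
]

def parse_filter(s):
    """Parse an RFC 4515 filter string into a nested tuple (subset: & | ! =)."""
    def node(i):
        assert s[i] == "(", f"expected '(' at offset {i}"
        i += 1
        if s[i] in "&|!":
            op, kids = s[i], []
            i += 1
            while s[i] != ")":          # children until the closing paren
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1
        end = s.index(")", i)           # simple item: attr=value
        attr, val = s[i:end].split("=", 1)
        return ("=", attr, val), end + 1
    tree, pos = node(0)
    assert pos == len(s), "trailing characters after filter"
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "=":
        _, attr, val = tree
        return any(v.lower() == val.lower() for v in entry.get(attr, []))
    kids = tree[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # "!" takes exactly one child

def cns_under(base, entries):
    """List the cn of every entry directly under an OU (the question in the thread)."""
    return sorted(e["cn"][0] for e in entries if e["dn"].endswith("," + base))

def search(base, filter_str, entries):
    """Return the DNs under `base` that satisfy `filter_str`, like a one-level search."""
    tree = parse_filter(filter_str)
    return [e["dn"] for e in entries
            if e["dn"].endswith("," + base) and matches(tree, e)]
```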