Page MenuHomePhabricator

Disable LDAP and enable admin puppet module on labstore100[12]
Closed, DuplicatePublic

Details

Related Gerrit Patches:

Event Timeline

coren created this task.Apr 9 2015, 3:11 PM
coren claimed this task.
coren raised the priority of this task from to High.
coren updated the task description. (Show Details)
coren added subscribers: Andrew, yuvipanda, coren.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 9 2015, 3:11 PM
yuvipanda set Security to None.
coren added a comment.Apr 16 2015, 9:00 PM

This will have to be done otherwise as many users are members of more than eight groups and NFS needs to be able to check group membership for permissions. Investigating alternatives.

Change 207514 had a related patch set uploaded (by coren):
Labs: reconfigure LDAP to be sane on labstores

https://gerrit.wikimedia.org/r/207514

coren added a comment.Apr 30 2015, 1:42 PM

A good summary of the issue:

NFS's protocol places a hard limit on the number of supplemental groups that can be sent along a transaction for permission checks (8, 12 or 16 depending on a number of negociated things at mount such as version of server and client, packet size, etc). As we use group membership for membership to projects, service groups, and a number of other things, pretty much all users have more than 8 groups and most have more than 12 or 16.

This breaks NFS permission checks.

The NFS server provides another mechanism to check for group permissions to entirely circumvent that protocol limitation: check for what groups a user is a member of on the server side. That does, however, require that the server has access to the group list and the users that are member of those groups.

Short story: the NFS server must "see" the groups and users from LDAP.

The attached patch includes the absolute minimum nslcd config to have both ldap users and groups visible via get*ent() without (a) interfering with puppet managing named accounts, and (b) without having an impact on server security and authorization.

(a) is done by renaming the accounts to their numeric ids. So that the account 'marc' coming from ldap is named '2138' on labstore*, for instance (likewise with the groups). Because nsswitch.conf is configured to use files before ldap, puppet is free to manage an account named 'marc' in /etc/passwd without interference.

(b) is done by:

  • not getting the shadow table from ldap at all;
  • forcibly setting the shell of ldap accounts to /dev/null; and
  • not enabing PAM logins for LDAP accounts
faidon added a subscriber: faidon.May 5 2015, 3:45 PM

I don't have any comments on the issue at hand yet, but a couple of meta-issues:

  • This description should be in the commit message (and should have been in the first place, as the commit was very confusing by itself)
  • I don't understand why this is a separate task from T87870. Given that this wasn't created as a subtask either and I wasn't manually added to Cc, I totally missed the summary until now where I accidentally bumped into this :(
coren moved this task from To Do to Doing on the Labs-Sprint-100 board.Jun 5 2015, 12:39 AM
Restricted Application removed a subscriber: Liuxinyu970226. · View Herald TranscriptJul 22 2015, 8:11 AM
coren removed a project: Labs-Sprint-109.

Change 207514 abandoned by coren:
Labs: Reduce labstore* LDAP config to the minimum

Reason:
A better way to do this was concocted by Faidon.

https://gerrit.wikimedia.org/r/207514