[SAC] [MOTION] refresh SAC LDAP group: vote to remain !

Regina Obe lr at pcorp.us
Wed Sep 7 16:23:17 PDT 2022


> On Wed, Sep 07, 2022 at 06:22:20PM -0400, Regina Obe wrote:
> > > I don't find "msmitherdc" on that list (shell?group=sac) but I found
> > > you on the other list, supposedly related to telascience which I
> > > think we're not using anymore.
> > > I've removed you from there.
> > >
> > > See https://trac.osgeo.org/osgeo/ticket/2804 for the confusion..
> >
> > You sure telascience is not used anymore?
> 
> No, I'm not sure.
> 
Okay, I might have only seen it on that page, and assumed that was what shell
is called. So perhaps it's not used anymore.

> We are talking about shell, so I wonder:
> which host machines do we have?
> 
> Supposedly this page should tell us:
> https://wiki.osgeo.org/wiki/SAC_Service_Status
> And it tells us Telascience machines are not used:
> https://wiki.osgeo.org/wiki/SAC_Service_Status#Historical_servers_.28not_more_in_use.29
> 
> How do current machines decide whether or not to allow shell access? Was
> there a wiki page describing that?
> The Sac_Service_Status mentions in a couple of places:
> 
>   "You need to be in the shell group"
>   "You must be a member of the OSGeo shell group"
> 
> But there's no such thing as a "shell group", rather we have a "sac" group and
> a "telascience" group, both being "common names" (cn) in the "shell"
> organizational unit. I don't know how to extract other common names in that
> organizational unit (if it makes any sense).
> 
> The Sac_Service_Status page also links to https://id.osgeo.org/ldap/shell
> when referring to "the shell group" and that's the "telascience" group.
> 
> How are machines allowing shell access via LDAP configured?

This is what I have as the setup for the instance images I've been using to
build out the new instances. This is in /etc/nslcd.conf, which I had
originally copied I think from the old download server.

      base passwd ou=People,dc=osgeo,dc=org
      base shadow ou=People,dc=osgeo,dc=org
      base group  ou=Group,dc=osgeo,dc=org
      filter group (&(objectClass=posixGroup)(cn=sac,ou=Shell,dc=osgeo,dc=org))

> This page seems to mention something and also reveal there's another group
> "qgis" in the "shell" organizational unit:
> 
>   https://wiki.osgeo.org/wiki/SAC:Standard_System_Setup#Enable_LDAP
> 
> That "cn" (qgis) is indeed existing and described as:
> 
>   Shell Access for QGIS VM
> 

The QGIS project manages their own servers on Hetzner and we have whitelist rules
in place to allow their servers to authenticate with LDAP. So that all
makes sense.

> I found these other wiki pages which may (or may not) be relevant:
> 
>   https://wiki.osgeo.org/wiki/SAC:Security_Groups_Policy
> 
> We need to bring all these pages up to date with the new infrastructure, I
> suppose.
> 
> --strk;

Agree, needs to be cleaned up.
-- Regina Obe
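Added example (editor's note, not OSGeo's configuration and not code from nss-pam-ldapd): a small offline model of what nslcd's `base group` plus `filter group` select, run over a constructed sample directory shaped after the groups named in this thread. It answers the question above of how to list the cn values under ou=Shell (a subtree search for `(objectClass=posixGroup)`), and it shows what the quoted filter actually matches. In RFC 4515 filter syntax `(cn=sac,ou=Shell,dc=osgeo,dc=org)` is an equality test of the cn attribute against the literal string "sac,ou=Shell,dc=osgeo,dc=org" (commas are not special inside a filter), so it does not match a group whose cn is "sac"; and with `base group ou=Group,dc=osgeo,dc=org` the entries under ou=Shell are outside the search scope anyway. The "assumed fix" base/filter pair in the block is my assumption of what was intended, not something stated in the thread; the sample entries, uids and gidNumbers are made up.

```python
"""Offline check of what nslcd's `base group` + `filter group` would select.

Added example for the SAC thread, not OSGeo's configuration and not code from
nss-pam-ldapd.  DIRECTORY is CONSTRUCTED sample data shaped after the groups
named in the thread; the live check is an ldapsearch against the real server.
"""


def parse_filter(text: str):
    """Parse the RFC 4515 subset nslcd filters use: (&..)(|..)(!..) and (attr=value).

    Returns ('&'|'|'|'!', [children]) or ('=', attr, value).  A value containing
    commas or '=' is still just a value: '(cn=a,ou=b)' compares cn with 'a,ou=b'.
    """
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            if op == "!" and len(kids) != 1:
                raise ValueError("'!' takes exactly one filter")
            return (op, kids)
        end = text.index(")", pos)  # ')' cannot appear unescaped in a value
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, attrs) -> bool:
    """Evaluate a parsed filter against one entry's attributes.  Comparison is
    case-insensitive, as the caseIgnore matching rules of cn/objectClass are."""
    op = tree[0]
    if op == "&":
        return all(matches(k, attrs) for k in tree[1])
    if op == "|":
        return any(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    present = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    if value == "*":  # presence filter, e.g. (memberUid=*)
        return bool(present)
    return value.lower() in present


def search(directory, base: str, flt: str):
    """Subtree search from `base`: sorted DNs of entries matching `flt`.
    Scope is decided by DN suffix, which is enough for these normalised DNs."""
    tree = parse_filter(flt)
    base_l = base.lower()
    return sorted(dn for dn, attrs in directory.items()
                  if (dn.lower() == base_l or dn.lower().endswith("," + base_l))
                  and matches(tree, attrs))


# Constructed sample directory (DN -> attributes).  Group names follow the
# thread; the uids and gidNumbers are made up.
DIRECTORY = {
    "cn=sac,ou=Shell,dc=osgeo,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["sac"], "gidNumber": ["10000"],
        "memberUid": ["strk", "robe"]},
    "cn=telascience,ou=Shell,dc=osgeo,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["telascience"], "gidNumber": ["10001"],
        "memberUid": ["msmitherdc"]},
    "cn=qgis,ou=Shell,dc=osgeo,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["qgis"], "gidNumber": ["10002"],
        "description": ["Shell Access for QGIS VM"], "memberUid": ["qgisadmin"]},
    "cn=osgeo,ou=Group,dc=osgeo,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["osgeo"], "gidNumber": ["20000"],
        "memberUid": ["strk", "robe", "msmitherdc"]},
}

# The base/filter pair quoted from the nslcd.conf in this thread.
POSTED = ("ou=Group,dc=osgeo,dc=org",
          "(&(objectClass=posixGroup)(cn=sac,ou=Shell,dc=osgeo,dc=org))")
# ASSUMED correction, not stated in the thread: search where the group lives
# and compare cn with the bare RDN value.
ASSUMED_FIX = ("ou=Shell,dc=osgeo,dc=org", "(&(objectClass=posixGroup)(cn=sac))")


def visible_groups(directory, base, flt):
    """Group cn values nslcd would expose with this base/filter pair."""
    return [directory[dn]["cn"][0] for dn in search(directory, base, flt)]


def shell_group_names(directory):
    """'How to list the other cn values in the Shell OU': one subtree search."""
    return visible_groups(directory, "ou=Shell,dc=osgeo,dc=org", "(objectClass=posixGroup)")


def group_members(directory, base, flt, group):
    """memberUid values of `group` as seen through the given base/filter."""
    for dn in search(directory, base, flt):
        if directory[dn]["cn"][0] == group:
            return list(directory[dn].get("memberUid", []))
    return []


if __name__ == "__main__":
    print("groups under ou=Shell:", shell_group_names(DIRECTORY))
    print("posted filter exposes:", visible_groups(DIRECTORY, *POSTED))
    print("assumed fix exposes:  ", visible_groups(DIRECTORY, *ASSUMED_FIX))
    print("sac members via fix:  ", group_members(DIRECTORY, *ASSUMED_FIX, "sac"))
    # Live equivalent (assumed host, adjust to the real LDAP endpoint):
    #   ldapsearch -x -H ldaps://id.osgeo.org -b ou=Shell,dc=osgeo,dc=org \
    #       '(objectClass=posixGroup)' cn memberUid
```

Two caveats for whoever cleans up the wiki pages: the live check is the commented ldapsearch at the end (against whatever the real LDAP endpoint is), not this model; and `filter group` only controls which group entries NSS resolves on the box, it does not by itself refuse a login to a user outside that group. A "you must be a member of the sac group" rule is normally expressed with nslcd's `pam_authz_search` or with pam_access/pam_listfile, so that is the directive to look for on the machines that actually enforce it.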