Closed Bug 902553 Opened 11 years ago Closed 11 years ago

restrict access to tinderbox.m.o to members of the bzr_bugzilla ldap group (AGAIN)

Categories

(Infrastructure & Operations Graveyard :: WebOps: Product Delivery, task)

Product:
Infrastructure & Operations Graveyard
Component:
WebOps: Product Delivery
Type:
task
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: Callek, Assigned: cturra)

References

Details

+++ This bug was initially created as a clone of Bug #862665 +++ So Bug 862665 (esp c#24) seems to indicate that tinderbox.m.o should be locked down. It doesn't seem to be. Data Points: Me (Callek@gmail.com community ldap) - LDAP prompted - was logged in and see results :mcsmurf (mcsmurf@mcsmurf.de I think) - LDAP prompted, able to login and see results :mshal (mshal@mozilla.com) - Not ldap prompted, able to see results [he claims he may have been logged in elsewhere, but I don't know how he would have legitimately gotten a Tinderbox login session] Either way this should ONLY be to a small set of people!
Assignee: server-ops-devservices → server-ops-webops
Component: Server Operations: Developer Services → Server Operations: Web Operations
the ldap-group settings were in place, but there was an additional user check for the nagios monitors, which looks to have been the cause of this being a little more wide open that intended. i have restricted the nagios user account further, which appears to have resolved this for our initial tests. :Callek, as discussed on irc, can you please have other folks test this to confirm your findings are the same across the board? additionally, tho you mentioned you didn't need to, testing should be done on a fresh browser session since basic auth credentials are cached in the browser for the life it's open.
Assignee: server-ops-webops → cturra
Status: NEW → RESOLVED
Closed: 11 years ago
Component: Server Operations: Web Operations → WebOps: Product Delivery
Product: mozilla.org → Infrastructure & Operations
Resolution: --- → FIXED
i'm not able to access tinderbox anymore.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I couldn't access Tinderbox a few tens of seconds ago, and now I can access it without any credentials.
(In reply to Frédéric Buclin from comment #4) > I couldn't access Tinderbox a few tens of seconds ago, and now I can access > it without any credentials. I also was able to access tinderbox.m.o from not-my-usual-browser, with no profile... and was not prompted for LDAP. Looks like the LDAP restriction on this server got dropped somehow...
alright. i totally re-hashed the way we were handling ldap+file based auth. some of the solution was an order of operations thing with apache directives, while the other was a difference in how the two groups indicated group membership (member=dn vs. memberuid=mail). this should all be sorted now and user authentication strictly enforced. since we have the ability to allow users access via file based auth in addition to ldap, anything that requires access (like nagios) can be added to an htpasswd file. should all be sorted now. pls hit me up on irc if i have missed anything.
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Sorry, but my credentials are rejected. Still doesn't work.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Frédéric Buclin from comment #7) > Sorry, but my credentials are rejected. Still doesn't work. i have strictly enforced access to ONLY the bzr_bugzilla ldap group. are you a member of the bzr_bugzilla ldap group? if so, what's the userid you're using to login? feel free to hit me up in #it to chat about this further if you have additional questions or need clarification.
(In reply to Frédéric Buclin from comment #7) > Sorry, but my credentials are rejected. Still doesn't work. go ahead and ignore my last comment. i just tested a theory with :glob and i believe i know why you're unable to authenticate. apache basic auth+mod_ldap_auth* is case sensitive and in ldap your user id is: lpsolit@gmail.com whereas your login attempts were with: LpSolit@gmail.com. this resulted in the following errors: [Wed Aug 07 13:30:30 2013] [error] access to /showbuilds.cgi failed, reason: user 'LpSolit@gmail.com' does not meet 'require'ments for user/valid-user to be allowed access could you please give it another test with all lower case? i am investigating if there is a way to enforce NoCase, similar to RewriteRules, but haven't found anything obvious quite yet.
Flags: needinfo?(LpSolit)
I don't see why I should test with my login lowercase when it always worked as LpSolit.
Flags: needinfo?(LpSolit)
it worked before because of a valid-user directive that allowed all users in -- even ones that were not supposed to have access. once we removed that, the result was a lower case requirement (from what i can tell anyway). i haven't found away around it -- tho, if you want to ping me on irc, i would be happy to share the mod_auth_ldap directives with you.
good news everyone! i believe i have sorted out the issue - i was actually missing an order deny,allow and subsequently a properly functioning satisfy any directive. this is all in place now and /should/ allow case insensitivity. please let me know if it's still not working - i would be truly confused if that was the case ;)
Flags: needinfo?(LpSolit)
Still doesn't work.
Flags: needinfo?(LpSolit)
i'd like to close this bug off. Frédéric, using an all lower case username, are you able to login successfully?
Flags: needinfo?(LpSolit)
(In reply to Chris Turra [:cturra] from comment #14) > i'd like to close this bug off. Frédéric, using an all lower case username, > are you able to login successfully? Yes
Flags: needinfo?(LpSolit)
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.