We have a PR https://github.com/apache/incubator-trafficcontrol/pull/627 to change Traffic Ops to only allow LDAP users _not_ in the Traffic Ops database to view non-sensitive information, like graphs and total CDN bandwidth.
To be clear, users will still be able to authenticate with LDAP, as long as their user name is in the database. This only prevents access for LDAP users whose name is not in the database. If you have LDAP-only users who need access, you can simply add their user name to the Traffic Ops database to allow continued access. They don't even need a password; simply inserting the username is sufficient.

LDAP is a security risk, especially for large organizations. Allowing all non-CDN personnel in the organization full information access, even read-only, means an attacker has only to compromise a single account in the organization, and they can see the full list of CDN server IPs and FQDNs, as well as the specific ATS and CentOS versions, in order to take advantage of known exploits against those versions.

Does anyone have any issues with that? Is anyone using LDAP without usernames in the database, who needs continued access? We just want to make sure we're not breaking anyone before we merge this, and figure out a solution if we are.

Thanks,
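The gating rule described in the message (LDAP authentication succeeds only for names already present in the local user table, with or without a local password), as an added illustration that is not Traffic Ops code; the user table, the `ldap_bind` callable, the toy password hash and all sample names are constructed assumptions:

```python
"""Added example (not Traffic Ops code): gate LDAP logins on local user presence.

Assumptions: a local user table keyed by username with an optional password
hash and a role, and an LDAP bind callable; all names and sample data below
are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class LocalUser:
    username: str
    role: str
    password_hash: Optional[str] = None  # None: name-only row, LDAP-only account


def toy_hash(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real store would use a
    # password KDF such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample table: 'ops-admin' has a local password, 'ldap-reader'
# was inserted by name only so that their LDAP login keeps working.
LOCAL_USERS: Dict[str, LocalUser] = {
    "ops-admin": LocalUser("ops-admin", "admin", toy_hash("hunter2")),
    "ldap-reader": LocalUser("ldap-reader", "read-only"),
}


def login(username: str, password: str,
          ldap_bind: Callable[[str, str], bool],
          users: Dict[str, LocalUser] = LOCAL_USERS) -> Optional[str]:
    """Return the granted role, or None when access is denied.

    The table lookup runs before any LDAP bind: an LDAP identity unknown to
    the database is rejected without consulting the directory at all, so it
    never reaches even the read-only views.
    """
    user = users.get(username)
    if user is None:
        return None  # LDAP-only identity not in the database: denied
    if user.password_hash is not None and hmac.compare_digest(
            user.password_hash, toy_hash(password)):
        return user.role  # local password accepted
    if ldap_bind(username, password):
        return user.role  # LDAP accepted, and the name is in the table
    return None
```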
