Is there an option to entirely block someone from even basic TO access despite 
authenticating with LDAP?


> On May 31, 2017, at 11:24 AM, Robert Butts <[email protected]> wrote:
> 
> We have a PR https://github.com/apache/incubator-trafficcontrol/pull/627 to
> change Traffic Ops to only allow LDAP users _not_ in the Traffic Ops
> database to view non-sensitive information, like graphs and total CDN
> bandwidth.
> 
> To be clear, users will still be able to authenticate with LDAP, as long as
> their user name is in the database. This only prevents access for LDAP
> users whose name is not in the database.
> 
> If you have LDAP-only users who need access, you can simply add their user
> name to the Traffic Ops database to allow continued access. They don't even
> need a password, simply inserting the username is sufficient.
> 
> LDAP is a security risk, especially for large organizations. Allowing all
> non-CDN personnel in the organization full information access, even
> read-only, means an attacker has only to compromise a single account in the
> organization, and they can see the full list of CDN server IPs and FQDNs,
> as well as the specific ATS and CentOS versions, in order to take advantage
> of known exploits against those versions.
> 
> Does anyone have any issues with that? Is anyone using LDAP without
> usernames in the database, who needs continued access? We just want to make
> sure we're not breaking anyone before we merge this, and figure out a
> solution if we are. Thanks,
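
The gate the quoted PR describes, as an added illustration rather than code from the Traffic Control project or the PR itself: LDAP answers "is this person who they claim to be", and the Traffic Ops user table then answers "how much may they see". The route prefixes, the `dbUsers` map standing in for the user table, and the user names are constructed placeholders, not real Traffic Ops routes or accounts.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessLevel is what the gate grants once the LDAP bind has been checked.
type AccessLevel int

const (
	Denied               AccessLevel = iota // LDAP bind failed
	ReadOnlyNonSensitive                    // LDAP user with no row in the TO user table
	Full                                    // user name present in the TO database
)

// nonSensitivePrefixes is a constructed allow-list standing in for the
// "graphs and total CDN bandwidth" views mentioned in the mail; the real
// Traffic Ops routes differ.
var nonSensitivePrefixes = []string{"/graphs", "/cdn-bandwidth"}

// Authorize maps an authentication result to an access level. ldapOK is the
// outcome of the LDAP bind; dbUsers models the Traffic Ops user table keyed
// by user name (only the name matters, no password row is needed).
func Authorize(ldapOK bool, username string, dbUsers map[string]bool) AccessLevel {
	if !ldapOK {
		return Denied
	}
	if dbUsers[username] {
		return Full
	}
	return ReadOnlyNonSensitive
}

// Allowed reports whether a request may proceed at the given level. The
// non-sensitive tier is read-only (GET) and limited to the allow-list, so it
// never reaches server inventory such as IPs, FQDNs or software versions.
func Allowed(level AccessLevel, method, path string) bool {
	switch level {
	case Full:
		return true
	case ReadOnlyNonSensitive:
		if method != "GET" {
			return false
		}
		for _, p := range nonSensitivePrefixes {
			if strings.HasPrefix(path, p) {
				return true
			}
		}
		return false
	default:
		return false
	}
}

func main() {
	db := map[string]bool{"alice": true} // constructed user table: alice is in TO, bob is LDAP-only
	cases := []struct {
		ldapOK       bool
		user, method string
		path         string
	}{
		{true, "alice", "GET", "/servers"},
		{true, "bob", "GET", "/servers"},
		{true, "bob", "GET", "/graphs"},
		{true, "bob", "POST", "/graphs"},
		{false, "bob", "GET", "/graphs"},
	}
	for _, c := range cases {
		lvl := Authorize(c.ldapOK, c.user, db)
		fmt.Printf("ldap=%-5v user=%-5s %-4s %-14s allowed=%v\n",
			c.ldapOK, c.user, c.method, c.path, Allowed(lvl, c.method, c.path))
	}
}
```

In this model the only knob is whether a user name exists in the database: present means full access, absent means the read-only allow-list. There is no per-user deny in the scheme as the mail describes it, which is what the question at the top of this reply is probing.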
