I have a question in a similar vein, how often do we really use LDAP?  My
understanding is we created LDAP access to allow external users in to see
our TO Graphs.  Now that graphs are in Grafana, is LDAP still
needed?  If we require anyone using TO or the TO API to be in the database
it would alleviate this LDAP security issue entirely.

I also wonder if we shouldn't try to leverage transitioning our user
management to Postgres.  Postgres has many options for authentication (as I
mentioned at the Summit), which would allow for more flexibility at TO
installations.

-Dewayne

On Wed, May 31, 2017 at 9:24 AM, Robert Butts <[email protected]>
wrote:

> We have a PR https://github.com/apache/incubator-trafficcontrol/pull/627
> to
> change Traffic Ops to only allow LDAP users _not_ in the Traffic Ops
> database to view non-sensitive information, like graphs and total CDN
> bandwidth.
>
> To be clear, users will still be able to authenticate with LDAP, as long as
> their user name is in the database. This only prevents access for LDAP
> users whose name is not in the database.
>
> If you have LDAP-only users who need access, you can simply add their user
> name to the Traffic Ops database to allow continued access. They don't even
> need a password, simply inserting the username is sufficient.
>
> LDAP is a security risk, especially for large organizations. Allowing all
> non-CDN personnel in the organization full information access, even
> read-only, means an attacker has only to compromise a single account in the
> organization, and they can see the full list of CDN server IPs and FQDNs,
> as well as the specific ATS and CentOS versions, in order to take advantage
> of known exploits against those versions.
>
> Does anyone have any issues with that? Is anyone using LDAP without
> usernames in the database, who needs continued access? We just want to make
> sure we're not breaking anyone before we merge this, and figure out a
> solution if we are. Thanks,
>

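The login gate the quoted PR describes, as an added illustration that is not code from the PR or from Traffic Ops: an LDAP bind only proves the password, and a session is issued only if the username also exists in the local users table, so an LDAP-only user is admitted by inserting a row with no local credential. The type and function names (LocalUser, Directory, Authenticator, Login, LoginLegacy) and the sample accounts are assumptions constructed for the example; the SHA-256 password hash is a stand-in for a proper slow, salted hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// LocalUser stands in for a row in the Traffic Ops users table (assumed
// shape). An empty Hash is an "LDAP-only" user: the row exists so the
// account is authorized, but it carries no local credential, so the user
// can only log in through an LDAP bind.
type LocalUser struct {
	Name string
	Hash []byte
	Role string
}

// Directory stands in for an LDAP server; Bind models a simple bind.
type Directory map[string]string

// Bind reports whether the directory accepts name/password. An empty
// password is refused up front: on a real LDAP server a simple bind with
// an empty password is an unauthenticated bind (RFC 4513 section 5.1.2)
// that succeeds for any DN, which would admit anyone as any directory user.
func (d Directory) Bind(name, password string) bool {
	if password == "" {
		return false
	}
	stored, ok := d[name]
	return ok && subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1
}

// hashPassword / checkPassword use plain SHA-256 only to keep the example
// dependency-free; use bcrypt, scrypt or argon2 for real password storage.
func hashPassword(p string) []byte {
	h := sha256.Sum256([]byte(p))
	return h[:]
}

func checkPassword(hash []byte, p string) bool {
	if len(hash) == 0 { // LDAP-only row: no local credential to match
		return false
	}
	got := sha256.Sum256([]byte(p))
	return subtle.ConstantTimeCompare(hash, got[:]) == 1
}

var ErrUnauthorized = errors.New("unauthorized")

// Authenticator holds the local users table and the directory.
type Authenticator struct {
	Users map[string]LocalUser
	LDAP  Directory
}

// LoginLegacy models the behaviour the PR removes: any successful LDAP bind
// yields a session, and a directory user absent from the table is given a
// synthesized read-only identity.
func (a *Authenticator) LoginLegacy(name, password string) (LocalUser, error) {
	if u, ok := a.Users[name]; ok && checkPassword(u.Hash, password) {
		return u, nil
	}
	if a.LDAP.Bind(name, password) {
		if u, ok := a.Users[name]; ok {
			return u, nil
		}
		return LocalUser{Name: name, Role: "read-only"}, nil
	}
	return LocalUser{}, ErrUnauthorized
}

// Login models the behaviour after the PR: the username must exist in the
// local table, either credential source may prove the password, and the
// role always comes from the table. Both sources are evaluated before the
// decision so an unknown username costs the same as a known one and cannot
// be enumerated by timing.
func (a *Authenticator) Login(name, password string) (LocalUser, error) {
	u, known := a.Users[name]
	localOK := known && checkPassword(u.Hash, password)
	ldapOK := a.LDAP.Bind(name, password)
	if known && (localOK || ldapOK) {
		return u, nil
	}
	return LocalUser{}, ErrUnauthorized
}

// NewExample builds constructed sample data: bob has a local password and no
// LDAP account; alice is an LDAP user whose name was inserted into the table
// with no password, as the PR suggests; mallory exists only in LDAP.
func NewExample() *Authenticator {
	return &Authenticator{
		Users: map[string]LocalUser{
			"bob":   {Name: "bob", Hash: hashPassword("b-local"), Role: "admin"},
			"alice": {Name: "alice", Role: "operations"},
		},
		LDAP: Directory{"alice": "a-pass", "mallory": "m-pass"},
	}
}

func main() {
	a := NewExample()
	for _, c := range [][2]string{{"bob", "b-local"}, {"alice", "a-pass"}, {"mallory", "m-pass"}, {"alice", ""}} {
		_, legacyErr := a.LoginLegacy(c[0], c[1])
		u, err := a.Login(c[0], c[1])
		fmt.Printf("%-8s legacy=%v gated=%v role=%q\n", c[0], legacyErr == nil, err == nil, u.Role)
	}
}
```

Running it shows mallory admitted by the legacy path but refused by the gated one, alice admitted with the role from the table rather than a synthesized one, and the empty-password bind rejected on both paths.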