Using ldapsetpasswd when changing a password may
fail due to required password security standards.
The current error message is vague and provides
no information about the error causing the password
change to fail. This fix provides a clearer
error message which informs the user about the
security requirements for a new password.
Test Plan:
PASS: In a simplex system, create an ldap user named
test and then run "sudo ldapsetpasswd test" and
provide a password that fails the security
requirements, such as "linux99", retype the
provided password and the system should present
an error message comprising the system's security
requirements for user passwords.
PASS: Using the same user created in the previous test
plan, run the command "sudo ldapsetpasswd test
<pwd>", changing <pwd> for a bad password, and
the system should present an error message
comprising the system's security requirements
for user passwords.
Closes-Bug: 2008838
Change-Id: Ibe942d87bee402e43c42f33e26276f0e078213cb
Signed-off-by: Alan Bandeira <Alan.PortelaBandeira@windriver.com>
The Debian packaging has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning, using the first commit as the start point for
Debian package builds.
This commit adds GITREVCOUNT and removes PKG_GITREVCOUNT from the packages
to calculate git revisions relative to the package's source git repository,
instead of counting git revisions relative only to the package's debian
folder. This ensures that any new code submissions under those
directories will increment the versions.
The commit SHA 9b545c5e19 was chosen to be the BASE_SRCREV of the
base-passwd's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained base-passwd version .stx.8)
The commit SHA 698c14ccef was chosen to be the BASE_SRCREV of the
puppet-ldap's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained puppet-ldap version .stx.2)
The commit SHA 39bc6c35f1 was chosen to be the BASE_SRCREV of the
ldapscripts's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained ldapscripts version .stx.4)
The commit SHA 2821680c8b was chosen to be the BASE_SRCREV of the
openldap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openldap version .stx.9)
The commit SHA f043585c65 was chosen to be the BASE_SRCREV of the
openscap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openscap version .stx.3)
The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
keyrings.alt's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained keyrings.alt version .stx.4)
The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
python-keyring's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained python-keyring version .stx.4)
Test Plan:
PASS: Verify package versions are updated as expected.
PASS: build-pkgs -c -p base-passwd
PASS: build-pkgs -c -p puppet-ldap
PASS: build-pkgs -c -p ldapscripts
PASS: build-pkgs -c -p openldap
PASS: build-pkgs -c -p openscap
PASS: build-pkgs -c -p keyrings.alt
PASS: build-pkgs -c -p python-keyrings
Story: 2010550
Task: 47496
Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I32b47348ece39ea88b3c5aeb0d1e64c6d3e7a6b5
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.
This change removed nss-pam-ldapd (nslcd, libpam-slapd,
libnss-slapd) on Debian based stx system.
nscd is removed in
https://review.opendev.org/c/starlingx/tools/+/854217
Test Plan on Debian:
PASS: Package build, image build
PASS: System deployment
PASS: Verify nslcd, libpam-slapd, libnss-slapd are not installed.
PASS: ldap functions work properly (ldap user creation, user login
on console and by ssh etc).
Story: 2009834
Task: 46069
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I87de211876a00c0b0a0d629dde70e13c0feb3df0
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.
This change patched ldapscripts (ldapadduser) to reset the password
right after the ldap user is created on Debian. With its password
reset, the ldap user will be forced to change its password at
first login, similar to the behavior on CentOS.
Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: ldap user added by ldapadduser or ldapusersetup will be asked
to change password at first login (either on console or by
ssh)
PASS: Change checked by shellcheck, warnings investigated.
Story: 2009834
Task: 46068
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I13f098c6053816bb3b0450c039caccf94c04d55d
Checksums are currently not being checked upon download. This commit
corrects them with the intent for us to turn on checking soon.
I am not sure what causes the checksums to be incorrect. I am aware that
someone complained on GitHub that the checksums of some tarballs were
changed without any update. We also can't guarantee that developers always
fill in correct checksums. Once we turn on checksum verification upon
download, we can catch it in time.
Test Plan:
Pass: downloader -s
Story: 2009303
Task: 46029
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I89f0db6086641062048b52270ffc585887cb8acf
It was detected that networking.service is marked as failing after reboot.
This happens because "ifup -a" is executed by the service.
It starts to run the scripts in /etc/network/interfaces.d/.
But several scripts in ifupdown-extra are not prepared to handle "--all".
In the case of nss-pam-ldapd, the script /etc/network/if-up.d/nslcd
is failing when there are loopback interfaces with a label (lo:X), as the
script only tests the interface "lo".
Test Plan (Debian only - AIO-SX and AIO-DX):
PASS Check systemctl status networking.service after unlock
Closes-Bug: #1983503
Change-Id: I1fd9e2ea75233d987d6f1f2aa5a3395ab2885e2b
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
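The interface test that the commit above says the nslcd hook lacks, as an added example (this is not the ifupdown-extra/nss-pam-ldapd hook, nor the StarlingX fix): ifupdown runs every /etc/network/if-up.d/ script once per interface with IFACE and MODE exported, so "ifup -a" also invokes the hook for labelled loopback aliases such as lo:1, and a hook that only compares IFACE against "lo" treats "lo:1" as a real uplink. The MODE check, the nslcd_hook_action helper and the invoke-rc.d call are assumptions about what such a hook should do, not something the commit states.

```shell
#!/bin/sh
# Added example; not the ifupdown-extra/nss-pam-ldapd hook and not the
# StarlingX fix. Shows the interface test an /etc/network/if-up.d/ hook
# needs so that "ifup -a" does not make it act on labelled loopback aliases.

# True when $1 is the loopback device or one of its labels (lo:0, lo:1, ...).
# Matching only the literal "lo" is the defect described in the commit.
is_loopback_iface() {
    case "$1" in
        lo|lo:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Policy decision for one hook invocation: prints "skip" or "restart".
# Arguments: interface name, ifupdown MODE ("start" for ifup, "stop" for
# ifdown). The MODE check is an assumption for this example.
nslcd_hook_action() {
    if is_loopback_iface "$1"; then
        echo skip       # loopback aliases do not change LDAP reachability
    elif [ "$2" != start ]; then
        echo skip       # only act when an interface comes up
    else
        echo restart
    fi
}

# When invoked by ifupdown (IFACE is set), apply the decision. A failed
# restart must not propagate, or networking.service itself is marked failed.
if [ -n "${IFACE:-}" ]; then
    if [ "$(nslcd_hook_action "$IFACE" "${MODE:-}")" = restart ]; then
        invoke-rc.d nslcd restart >/dev/null 2>&1 || true
    fi
fi
```

Dropping the script into /etc/network/if-up.d/ with IFACE=lo:1 exported reproduces the "ifup -a" case without touching a live LDAP client; the `|| true` on the restart is the part that keeps a transient nslcd failure from failing the whole networking unit.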
The Debian packaging for openldap by default initializes the ldap DB
unless debconf tells it otherwise. This patch sets the default value of
the debconf entry so that the installation doesn't trigger this
initialization and generate garbage in the database (entries related to
an admin user on dc=nodomain).
TEST PLAN
PASS Build new ISO and install, verify slapcat for entries on DB
PASS Bootstrap with no errors
PASS Restore backup
Story: 2009303
Task: 45752
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I60786a6b9f46619b328cf00d6bdbdf0cc95c9c35
Upgrade the openldap version to 2.4.57+dfsg-3+deb11u1 to fix the
CVE-2022-29155 issue.
References:
https://security-tracker.debian.org/tracker/CVE-2022-29155
TestPlan:
PASS: build-pkgs -c -p openldap
PASS: build-image --std
Closes-Bug: 1982723
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I1ac30da3e4597035ef4f816ca7ab95aa9adcaa7c
OSTree structure requires /usr to be readonly as OSTree's dracut
hook creates a read-only bind mount over /usr.
1. deploy validate_postgresql_connection.sh directly to
/usr/local/bin. It was copied to the location after
installation.
2. move /usr/local/etc/ldapscripts to /etc/ldapscripts, as the files
need to be writable.
3. move /usr/libexec/cni to /opt/cni/bin. Plugins are installed
at runtime.
TCs:
provision aio-dx centos with /usr mount to readonly fs.
unlocked host
provision aio-sx debian and unlocked host.
upgrade AIO-DX from 21.12
upgrade AIO-SX from 21.12
successfully apply cert-manager and nginx-ingress-controller
Story: 2009101
Task: 44314
Change-Id: I99231f3f7db3d2d8eaceba137e13dea650370f71
Signed-off-by: Bin Qian <bin.qian@windriver.com>
This change added ppolicy-check-password package from
https://github.com/cedric-dufour/ppolicy-check-password
This package contains check_password.so that is used by ldap
to enforce password complexity for ldap users.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, controller unlock
PASS: after controller unlock, log in as the "admin" user on the
console, and su to "admin" in an ssh session.
PASS: failure path with incompliant passwords for ldap user
password change (eg, change password when first login)
Story: 2009101
Task: 44864
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If5a1e5c6784c7354c0a4903e1d1c4abb21d8a01f
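An added example that serves both the ldapsetpasswd error-message change at the top of this log and the ppolicy module above: a client-side pre-check that names each complexity rule a candidate LDAP password breaks, which is the kind of message a wrapper around ldapsetpasswd can print before the server-side check_password.so rejects the change. This is not StarlingX, ldapscripts or ppolicy-check-password code; the rule set (minimum length, character classes, no account name inside the password) and the thresholds MIN_LENGTH and MIN_CLASSES are assumptions for illustration, and a site's real check_password settings may differ.

```shell
#!/bin/sh
# Added example; not StarlingX, ldapscripts or ppolicy-check-password code.
# Reports every complexity rule a candidate LDAP password violates so the
# user is told what to fix instead of getting a generic failure.
# Thresholds and rule set are assumptions for illustration.

MIN_LENGTH=12
MIN_CLASSES=3   # of the four classes upper/lower/digit/punct

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Sets CLASSES (how many character classes occur in $1) and MISSING
# (space-separated names of the absent classes, for the error message).
classify() {
    CLASSES=0; MISSING=""
    case "$1" in *[[:upper:]]*) CLASSES=$((CLASSES+1));; *) MISSING="$MISSING upper";; esac
    case "$1" in *[[:lower:]]*) CLASSES=$((CLASSES+1));; *) MISSING="$MISSING lower";; esac
    case "$1" in *[[:digit:]]*) CLASSES=$((CLASSES+1));; *) MISSING="$MISSING digit";; esac
    case "$1" in *[[:punct:]]*) CLASSES=$((CLASSES+1));; *) MISSING="$MISSING punct";; esac
}

# check_password PASSWORD USERNAME
# Prints one line per violated rule and returns 1; prints nothing and
# returns 0 when every rule is satisfied.
check_password() {
    pw="$1"; user="$2"; rc=0
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "password must be at least $MIN_LENGTH characters long"; rc=1
    fi
    classify "$pw"
    if [ "$CLASSES" -lt "$MIN_CLASSES" ]; then
        echo "password must use at least $MIN_CLASSES of upper/lower/digit/punct (missing:$MISSING)"; rc=1
    fi
    if [ -n "$user" ]; then
        # Case-insensitive containment check; the pattern is quoted so that
        # glob characters in the user name are taken literally.
        case "$(lower "$pw")" in
            *"$(lower "$user")"*) echo "password must not contain the account name '$user'"; rc=1;;
        esac
    fi
    return $rc
}

# Usage: sh check_password.sh PASSWORD [USERNAME]
# e.g. the bad password from the ldapsetpasswd test plan:
#   sh check_password.sh linux99 test
if [ $# -ge 1 ]; then
    if check_password "$1" "${2:-}"; then
        echo "password meets the complexity requirements"
    else
        exit 1
    fi
fi
```

The pre-check is advisory only: the server-side ppolicy overlay with check_password.so remains the enforcement point, and a wrapper that runs this before ldapsetpasswd should still surface the server's verdict, since the local rule set can drift from what slapd actually enforces.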
Change openldap pid and args file location from /var/run/slapd
to /run so it's aligned with CentOS. This will enable openldap
to be managed by SM.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap
PASS: controller unlock, open-ldap service state in SM is
enabled-active enabled-active
Story: 2009101
Task: 44664
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I108a63d5b829b66ef24516f9e2c33fde0288f9a8
Porting all CentOS patches, and also aligning the file permissions
with CentOS.
Test Plan: Verify the building, installing and booting test
PASS: Verify package build
PASS: Verify system install
PASS: Verify system boot
Story: 2009221
Task: 43415
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7766d4aa26420c6f701a0dffaa7e9bf6b77e0c75
Ported all patches from CentOS.
Ported patch rootdn-should-not-bypass-ppolicy.patch + deleted unit test for it.
meta_data patches were not needed as they were only modifying the rpm spec.
Disabled unit tests part of debian build.
Ran the unit tests once before disabling and they pass.
Story: 2009221
Task: 43407
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Ia0b640c5cd2594daae5722b1c9743a3a800485ab
This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.
Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.
Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
The openldap-spec-file.patch contains some modifications to the
default configure command line.
After evaluation by Saul in task 27731, we should be able to remove
the configure-option changes in this patch.
However, it seems some other changes in this patch still could not be
removed, so the patch could not be reverted so far.
Deployment test pass and slapd service works.
Story: 2004216
Task: 28015
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Change-Id: I55e4961bf2ceb69bb0592f3fb34b4fded3a2e8fd
The change to the 3 meta patches refers to the %post section in the spec file.
The comment in the patch mentions that we don't want to change our custom
binddn and bindpw in nslcd.conf.
However, in the spec file, the "source" variable could not be assigned a valid
file name, as we could not find these *.conf files in the /etc/ folder.

    if test -s /etc/nss-ldapd.conf ; then
        source=/etc/nss-ldapd.conf
    elif test -s /etc/nss_ldap.conf ; then
        source=/etc/nss_ldap.conf
    elif test -s /etc/pam_ldap.conf ; then
        source=/etc/pam_ldap.conf
    else
        source=/etc/ldap.conf
    fi

So it will not change nslcd.conf even if we do not remove
the code below.

    if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then
        # Comment out the packaged default base and replace it.
        sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target
        grep -E '^base[[:blank:]]' $source >> $target
    fi
    grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' \
        $source 2> /dev/null >> $target

We can use the RPM instead of the SRPM for the nss-pam-ldapd package,
since the related patches are not used anymore.
Deployment test pass.
Story: 2003768
Task: 28045
Depends-on: https://review.openstack.org/#/c/619976/
Change-Id: Ia4fa723d1a6ff9a7a8059fc2db1afec640ea41b1
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Package openldap-config is added to provide the customized config files
of openldap.
Here is the customized change in slapd.service:
"
-After=syslog.target network-online.target
+Before=rsyncd.service
+After=network.target syslog-ng.target
-PIDFile=/var/run/openldap/slapd.pid
+PIDFile=/var/run/slapd.pid
-ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+ExecStart=/etc/init.d/openldap start
+ExecStop=/etc/init.d/openldap stop
+ExecReload=/etc/init.d/openldap restart
+RemainAfterExit=yes
"
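Review bot: the service hunk swaps the direct `-ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS` for `+ExecStart=/etc/init.d/openldap start` and adds `+RemainAfterExit=yes`, but shows no Type= line. Without Type=forking, systemd does not wait for slapd to write `+PIDFile=/var/run/slapd.pid` before marking the unit started, and RemainAfterExit=yes keeps the unit reporting active even after the slapd process is gone, so a crash of slapd is invisible to systemctl and to anything that polls it; if the goal is for systemd (and SM through it) to watch slapd, add Type=forking next to PIDFile, or keep the direct ExecStart and drop RemainAfterExit. Also `+ExecReload=/etc/init.d/openldap restart` turns `systemctl reload` into a full stop/start that drops client connections; either point it at a true reload or omit ExecReload so reload is reported as unsupported. Finally, `+After=network.target syslog-ng.target` replaces network-online.target with network.target, so slapd may be started before addresses are configured; that is fine only if SLAPD_URLS does not bind a specific interface address.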
Here is the customized change in slapd.sysconfig:
"
-#SLAPD_OPTIONS=""
+SLAPD_OPTIONS=""
"
Test:
Build and multi-node deploy tests pass. Confirmed the related config
file is the same as before on the deployed node.
Story: 2003768
Task: 26462
Depends-On: https://review.openstack.org/618440
Change-Id: I2559a8e43619449d6179ed913181052d653fa91d
Signed-off-by: slin14 <shuicheng.lin@intel.com>
There is a security-related issue with lshell, and it is not
maintained now. So remove it from our system to avoid the
security issue.
To remove lshell:
1. Package sudo-config is created for wrs.sudo configure file
following the refactor process.
2. ldapusersetup in ldapscripts is modified to use bash only.
lshell support is removed.
ldapusersetup related patches are merged into 1 for easy
maintenance.
Tests done:
Build and deploy tests are done, and the unit tests for ldap are
executed and pass, except the lshell-related test.
Closes-Bug: 1795451
Change-Id: Ia5de1bc94d22eb6c9bea6d9a96e92564ad848b19
Signed-off-by: slin14 <shuicheng.lin@intel.com>
Problem:
- CentOS 7.5 upgraded nss-pam-ldapd.
- Porting of the nss-pam-ldapd patches did not resolve any 'fuzz' in the line
numbers of the patches.
- If nss-pam-ldapd is built by rpm 4.11, or the default version of rpm
until 4.14 is compiled, a fuzzy patch results in the creation
of an .orig file.
- Packaging of nss-pam-ldapd fails due to the unexpected, and
unpackaged, .orig file.
Solution:
The safest solution is to de-fuzz our nss-pam-ldapd patches.
Story: 2003389
Task: 26755
Change-Id: I82092c3ff4d7cf711d0e1542e61bccb491bd8388
Signed-off-by: Sun Austin <austin.sun@intel.com>
Decouple NSLCD from the open-ldap SM service and manage it by PMOND
instead. This is needed because in the Shared LDAP case, we deprovision
the open-ldap service on the Secondary Region which renders NSLCD
unmanaged.
Additionally, we allow the Secondary Region or Sub Clouds to bind
anonymously, but still need to support LDAP read operations in these
regions such as ldapfinger or lsldap. For this purpose, the ldapscripts
runtime library has been modified to allow anonymous binds during LDAP
search operations.
Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6
Signed-off-by: Jack Ding <jack.ding@windriver.com>
Signed-off-by: Scott Little <scott.little@windriver.com>