[tor-bugs] #32519 [Internal Services/Tor Sysadmin Team]: improve user onboard/offboarding procedures
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 16 20:53:47 UTC 2020
#32519: improve user onboard/offboarding procedures
-------------------------------------------------+---------------------
Reporter: anarcat | Owner: tpa
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+---------------------
Comment (by anarcat):
I started working on a fabric script to audit LDAP. I needed to implement
something to talk with LDAP anyways, so it made sense to start there.
This, for example, will check the `EXAMPLE` user:
{{{
fab -H db.torproject.org user.audit-ldap --user=EXAMPLE
}}}
A real-world example:
{{{
$ fab -H db.torproject.org user.audit-ldap --user=anarcat
ldaps://db.torproject.org LDAP password for
uid=anarcat,ou=users,dc=torproject,dc=org:
uid flags groups
anarcat ldap-admin,login-everywhere adm,torproject
WARNING:root:ldap-admin: has root and LDAP admin (adm group)
WARNING:root:login-everywhere: has SSH access everywhere (torproject
group)
}}}
Those two `WARNING` lines are "flags" that are hardcoded in the code,
which currently warns about certain special groups or abnormal
conditions. The idea is to have various audit tools that would raise
certain "flags" like this. Those, in turn, could become "actions" (like
remove someone from a group or reset a password), specific to those flags.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32519#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
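An added example of the flag/action split described in the comment above (this is not anarcat's fabric script nor code from the Tor sysadmin repositories): a user's LDAP group list is checked against a table of special groups, each match raises a named flag, and flags map to dry-run actions. The in-memory `DIRECTORY` dict stands in for the LDAP search, and the `locked` attribute and the action strings are assumptions.

```python
import logging
from typing import NamedTuple

log = logging.getLogger(__name__)


class Flag(NamedTuple):
    name: str
    message: str


# Special groups and the flags they raise; messages mirror the two
# WARNING lines quoted in the ticket comment.
SPECIAL_GROUPS = {
    "adm": Flag("ldap-admin", "has root and LDAP admin (adm group)"),
    "torproject": Flag("login-everywhere",
                       "has SSH access everywhere (torproject group)"),
}

# Hypothetical dry-run actions per flag: returned as text, never executed.
ACTIONS = {
    "ldap-admin": "remove from adm group",
    "login-everywhere": "remove from torproject group",
    "locked-privileged": "remove special groups from locked account",
}

# Constructed stand-in for an LDAP search over ou=users: uid -> attributes.
# "locked" is an assumed attribute, not the real directory schema.
DIRECTORY = {
    "anarcat": {"groups": ["adm", "torproject"], "locked": False},
    "alice": {"groups": ["torproject"], "locked": True},
    "bob": {"groups": [], "locked": False},
}


def audit_user(uid, directory=DIRECTORY):
    """Return the list of flags raised for uid (empty if nothing is special)."""
    entry = directory.get(uid)
    if entry is None:
        return [Flag("unknown-user", "no such uid in LDAP")]
    flags = [SPECIAL_GROUPS[g] for g in entry["groups"] if g in SPECIAL_GROUPS]
    # Abnormal condition: a locked account that still holds special groups.
    if entry["locked"] and flags:
        flags.append(Flag("locked-privileged",
                          "account is locked but still in special groups"))
    for f in flags:
        log.warning("%s: %s", f.name, f.message)  # WARNING:root:<flag>: <msg>
    return flags


def proposed_actions(uid, directory=DIRECTORY):
    """Map the raised flags to the dry-run actions an offboarding run could take."""
    return [ACTIONS[f.name] for f in audit_user(uid, directory) if f.name in ACTIONS]
```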