Possibility to block an account (different than locking) #125

Closed
coudot opened this issue Jun 28, 2024 · 12 comments · Fixed by #169
Comments

@coudot (Member) commented Jun 28, 2024

We would like to manage two different statuses for an account:

  • Lock: the password is locked, but the user can still reset their password (for OpenLDAP, it is linked to pwdAccountLockedTime)
  • Block: the account is no longer usable, even if the password is still valid (for OpenLDAP, it is linked to pwdEndTime)
@coudot coudot added enhancement New feature or request sponsor Developpement sponsorized by customers labels Jun 28, 2024
@coudot coudot added this to the 0.6 milestone Jun 28, 2024
@davidcoutadeur commented

+1

I think we should also find a way to implement pwdStartTime / pwdEndTime fields in addition to this button.

@coudot (Member, Author) commented Jul 2, 2024

I will do a first proposal of UI and we will discuss in the PR.

@coudot (Member, Author) commented Jul 26, 2024

Implementing pwdStartDate / pwdEndDate will solve a part of #57

With AD support (#156) I implemented the enable/disable account feature, which is specific to AD. AD also has an account expiration date (accountExpires) which is close to pwdEndTime.

So to be accurate, we could "expire" an account by updating pwdEndTime/accountExpires, and we can disable an account in AD (a specific bit in userAccountControl).

We need to agree on what blocking means, is it an account expiration (different from password expiration), or an account which is disabled (but we don't have a standard way to do this in OpenLDAP).

@davidcoutadeur commented

AFAIK:

  • a blocked account is just a generic term meaning that an account can't bind any more. The bind must return an error.
  • an expired account is a special case of blocked account where the account has been locked by a period of validity of the account (pwdStartTime / pwdEndTime for OpenLDAP)
  • an expired password is a special case of blocked account where the account has been locked by an expired password. (pwdAccountLockedTime for OpenLDAP)

OpenLDAP is defining a special value for pwdAccountLockedTime to implement the generic block account feature.

If we need a completely independent blocking account feature (other than expired account or expired password), today we don't have it and we would have to implement it by ourselves. For example:

  • by moving the user entry into a trash branch
  • by assigning the user to a password policy that immediately expires the password
  • by adding a new "blockedaccount" feature in openldap

The first two points would add constraints on the LDAP directory, which we shouldn't impose for a software like service-desk. The last one would require some work. So IMO we should try without this independent blocking feature.

@coudot (Member, Author) commented Aug 19, 2024

Some organizations use a specific attribute in OpenLDAP, like accountDisable, which is used in ACL to block the authentication (and sometimes to hide this account from searches).

As we don't have in OpenLDAP the same feature as in AD, I propose for now to not implement it for OpenLDAP.

But we could add a feature for AD/OpenLDAP that will modify the account end time (accountExpires/pwdEndTime) to current date.

@coudot (Member, Author) commented Sep 26, 2024

@davidcoutadeur try to find an attribute in OpenLDAP that can be used for this

@davidcoutadeur commented

I have proposed an evolution of the ppolicy draft here: https://bugs.openldap.org/show_bug.cgi?id=10261

@davidcoutadeur commented Oct 16, 2024

Until the evolution is accepted, the feature could be implemented by:

  • adding the custom attribute into the schema:

        ( 1.3.6.1.4.1.42.2.27.8.1.34
          NAME 'pwdAccountDisabled'
          DESC 'The time a user account was disabled'
          EQUALITY generalizedTimeMatch
          ORDERING generalizedTimeOrderingMatch
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
          SINGLE-VALUE )

    and adding this attribute to the desired object classes

  • adding a custom ACL in front of all ACLs in the main database section:

        olcAccess: to attrs=userPassword  by set="this/pwdAccountDisabled" none  by * break
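The thread distinguishes four account states (locked via pwdAccountLockedTime, expired via pwdStartTime/pwdEndTime or accountExpires, disabled via the AD userAccountControl bit or the custom pwdAccountDisabled attribute proposed above, and active) and proposes "expiring now" by writing the current date into pwdEndTime/accountExpires. The following Python is an added example, not code from service-desk or from the commenters, that classifies constructed sample entries for both backends and builds the expire-now modification. It assumes the non-standard pwdAccountDisabled attribute from the comment above, treats the OpenLDAP permanent-lock value of pwdAccountLockedTime as the "special value" mentioned earlier in the thread, and uses a constructed reference time `NOW`; the entries are dicts of single-valued string attributes as a search would return them.

```python
from datetime import datetime, timedelta, timezone

# OpenLDAP ppolicy: this pwdAccountLockedTime value means the account was locked
# permanently by an administrator rather than by failed binds.
PERMANENT_LOCK = "000001010000Z"
# Active Directory: ACCOUNTDISABLE bit of userAccountControl.
ACCOUNTDISABLE = 0x0002
# Active Directory: accountExpires values meaning "never expires".
AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
# accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed reference time for the sample entries (assumption, not from the thread).
NOW = datetime(2024, 10, 16, 12, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20240628120000Z (seconds optional, fraction ignored)."""
    v = value.rstrip("Z").split(".")[0]
    fmt = "%Y%m%d%H%M%S" if len(v) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(v, fmt).replace(tzinfo=timezone.utc)


def to_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def openldap_status(entry, now=NOW, lockout_duration=0):
    """Classify an OpenLDAP entry; order matters: disabled > validity window > lock.

    pwdAccountDisabled is the custom attribute proposed in the thread (assumed, not
    part of the standard ppolicy schema). lockout_duration is the policy's
    pwdLockoutDuration in seconds; 0 means locked until an administrator unlocks."""
    if "pwdAccountDisabled" in entry:
        return "disabled"
    start = entry.get("pwdStartTime")
    if start and parse_generalized_time(start) > now:
        return "not_yet_valid"
    end = entry.get("pwdEndTime")
    if end and parse_generalized_time(end) <= now:
        return "expired"
    locked = entry.get("pwdAccountLockedTime")
    if locked:
        if locked == PERMANENT_LOCK or lockout_duration == 0:
            return "locked"
        if parse_generalized_time(locked) + timedelta(seconds=lockout_duration) > now:
            return "locked"
    return "active"


def ad_status(entry, now=NOW):
    """Classify an AD entry from userAccountControl and accountExpires."""
    uac = int(entry.get("userAccountControl", "0"))
    if uac & ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", "0"))
    if expires not in AD_NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        return "expired"
    return "active"


def expire_now_modification(backend, now=NOW):
    """(attribute, value) to write so that the account expires as of `now`."""
    if backend == "openldap":
        return ("pwdEndTime", to_generalized_time(now))
    if backend == "ad":
        return ("accountExpires", str(datetime_to_filetime(now)))
    raise ValueError(f"unknown backend: {backend}")


if __name__ == "__main__":
    # Constructed sample entries covering each state discussed in the thread.
    samples = [
        ("openldap", {"pwdEndTime": "20240701000000Z"}),
        ("openldap", {"pwdAccountLockedTime": PERMANENT_LOCK}),
        ("openldap", {"pwdAccountDisabled": "20241016100000Z"}),
        ("ad", {"userAccountControl": "514"}),
        ("ad", {"userAccountControl": "512", "accountExpires": "0"}),
    ]
    for backend, entry in samples:
        status = openldap_status(entry) if backend == "openldap" else ad_status(entry)
        print(backend, entry, "->", status)
    print(expire_now_modification("openldap"), expire_now_modification("ad"))
```

The precedence in `openldap_status` mirrors the definitions given earlier in the thread: a disabled or expired account is reported as such even if the password is also locked, because the bind would fail for the broader reason first. The FILETIME helpers are what make the AD and OpenLDAP "expire now" writes comparable, since the two directories store the same instant in different encodings.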

@davidcoutadeur commented

To discuss: add also the possibility to add a comment while enabling / disabling an account

@davidcoutadeur commented

We also need to add a new menu for displaying blocked accounts

@davidcoutadeur commented Oct 25, 2024

The two previous tasks are finished:

  • add also the possibility to fill a comment while enabling / disabling account
  • add a new menu for displaying disabled accounts

TODO:

  • add doc for new comment parameters

Note: adding the comment modal everywhere would be done in #127

@davidcoutadeur commented

This feature seems ready now. Merging.
