| << Back to previous view |
|
[QB-2749] allow embedding scripts on LDAP user filter
|
|
| Status: | Resolved |
| Project: | QuickBuild |
| Component/s: | None |
| Affects Version/s: | 6.1.12 |
| Fix Version/s: | 7.0.0 |
| Type: | Improvement | Priority: | Minor |
| Reporter: | Tim Earle | Assigned To: | Unassigned |
| Resolution: | Fixed | Votes: | 0 |
| Remaining Estimate: | Unknown | Time Spent: | Unknown |
| Original Estimate: | Unknown | ||
| Description |
|
Most LDAP services provide the option to set an attribute for the password/account expiration date. Being able to embed a script into the User Search Filter field would allow the administrator to deny access to QB based on this field. An example using freeIPA for DS:
This: (&(uid={0})(objectclass=inetorgperson)) Could Be: (&(uid={0})(objectclass=inetorgperson)(krbPasswordExpiration>${util.formatDate(new Date(),"%Y%m%d%H%M%SZ")})) An alternative approach would be to set the account or password expiration date via a helper field, similar to "User full name attribute" and "User email attribute." Add a new field called "Password Expiration Date Attribute" that would receive "krbPasswordExpiration" in this case or a boolean attribute indicating if the account is locked or not. |
| Comments |
| Comment by Robin Shen [ 28/Jun/16 02:24 AM ] |
| I guess your concern is not to allow QB user to login when the password is expired at LDAP side? If so, LDAP will prevent this as QB will forward the login request to LDAP. |
| Comment by Tim Earle [ 28/Jun/16 12:12 PM ] |
| Primarily, yes. Some LDAP providers (OpenLDAP, 389 Directory Services) do not always enforce a password expiration for binding purposes, this is particularly the case when facilitating self-service password reset/update functionality. Most secure implementation will not bind as an admin user, instead allow the user to modify specific attributes on their own DN. |
| Comment by Tim Earle [ 14/Jul/16 06:44 PM ] |
| RedHat's enterprise LDAP/directory services solutions discussion around the issue. Upstream advises using LDAP filters to limit logins with expired passwords: https://fedorahosted.org/freeipa/ticket/1539 |