[BlueOnyx:20437] Re: External Authentication

Michael Stauber mstauber at blueonyx.it
Wed Dec 28 15:46:31 -05 2016


Hi Chris,

> This is my favorite of the methods you suggested.  The idea is that at
> the GUI, our tech is able to enter his username or username at domain.local
> along with his Active Directory password and he gets access into
> BlueOnyx as "admin".   If we activate or de-activate a user in AD or
> change that user's password, the BlueOnyx or Aventurin{e} GUI login will
> reflect that.

I see. Part of the problem with this is the way CCEd uses PAM and
depends on an existing User object. To get a valid SessionId we need the
password of the account we're using. So logging in as tech at virtbiz.com
and authenticating against LDAP cannot yield a successful login as
"admin" without changing admin's password in the process of it. And
eventually changing it back to what it was before once the tech is done.
While that is doable, it would be undesirable, as it has the implication
that it locks the box owner out while your tech is in. Which can have
benefits, as both you and I know. Yet he might not appreciate it as much
as you and I would. ;-)

But this gives me another good idea: If the LDAP auth against the GUI
succeeds, we can create a temporary admin-account with equal privileges
as "admin" and your tech is logged in automatically into that account.
Which would serve the same purpose. So yeah, this is doable.

I'll have to look into how we allow the tech to use SSH. I know SSH can
do LDAP-auth, but the last time I messed with that was ages ago. I
recall it required messing with PAM, /etc/passwd, /etc/groups and what
not. It might be easier to let him login to the GUI first with his LDAP
credentials and then present him a page that tells him which
username/password/port to use for SSH. If password auth is off for SSH,
it could also provide him with the PEM cert or public key he needs for
SSH. To make things easier there could also be a simple link (or a
button) like ...

<a href="ssh://user@example.com">Shell</a>

... to spare him the copy and paste for all but the password. But like I
said: I'll check again which provisions SSH has these days for LDAP.

>> WHMCS:
>
> In practice, as I understand it, this would require the tech to get
> into WHMCS, activate a function there via the API, receive an email with
> credentials & SSH keys, then go to log into the server.  Oh, and that
> info would be emailed to... an individual?  A role account?

Role account or ticket system maybe? But I agree that this is more
cumbersome and might not be practical or fit into your usual workflow.

> It's entirely possible that AD or LDAP integration onto Aventurin{e} and
> BlueOnyx isn't worth the hassle.   Maybe what we have now is good enough.

I think it has some potential and will give it a look. I'm still busy
with our other side project, but once I have that wrapped up I'll set up
an LDAP server and will do some prototyping to see how that goes.

It's not such a big chunk of work once I have recalled about half of the
things I already forgot about LDAP from not using it for more than a decade.

-- 
With best regards

Michael Stauber
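A sketch of the temporary-admin idea from the message above (LDAP check succeeds, a short-lived account with admin rights is created, and it is removed again afterwards), as an added example that is not BlueOnyx or CCEd code: the LDAP bind is replaced by a constructed in-memory directory, and the account record, TTL and reaper are assumptions about how such a scheme could be built.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed stand-in for the directory: user -> (salt, sha256(salt + password)).
# A real deployment would perform an LDAP simple bind here instead.
_DIRECTORY = {}


def _register(user, password):
    salt = secrets.token_bytes(16)
    _DIRECTORY[user] = (salt, hashlib.sha256(salt + password.encode()).digest())


_register("tech@example.local", "correct horse")  # constructed test account


def ldap_bind_ok(user, password):
    """Stand-in for an LDAP bind: constant-time compare of the salted hash."""
    entry = _DIRECTORY.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.sha256(salt + password.encode()).digest()
    return hmac.compare_digest(digest, candidate)


@dataclass
class TempAdmin:
    name: str          # hypothetical GUI account name, never the real "admin"
    password: str      # random, shown to the tech once, never mailed
    expires_at: float  # epoch seconds after which the reaper removes it
    created_for: str   # directory identity that authenticated, for the audit log


_TEMP_ADMINS = {}


def login_tech(user, password, ttl_seconds=3600, now=None):
    """Return a fresh temporary admin account on a successful bind, else None."""
    now = time.time() if now is None else now
    if not ldap_bind_ok(user, password):
        return None
    name = "tmpadmin-" + secrets.token_hex(4)
    acct = TempAdmin(name, secrets.token_urlsafe(24), now + ttl_seconds, user)
    _TEMP_ADMINS[name] = acct
    return acct


def reap_expired(now=None):
    """Remove every temporary admin past its TTL; return the names removed."""
    now = time.time() if now is None else now
    expired = [n for n, a in _TEMP_ADMINS.items() if a.expires_at <= now]
    for n in expired:
        del _TEMP_ADMINS[n]
    return expired
```

The real "admin" password is never touched, so the box owner stays logged in, and the reaper gives the tech's access a hard end even if nobody remembers to revoke it.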
