... | ... | @@ -1252,46 +1252,56 @@ TODO: next steps for LDAP: |
|
|
* Are there any in-progress projects? Technical debt cleanup? Migrations? What state are they in? What's the urgency? What's the next steps?
|
|
|
* What urgent things need to be done on this project?
|
|
|
|
|
|
### Possible issues with userdir-ldap
|
|
|
### Major issues with userdir-ldap
|
|
|
|
|
|
* old cryptographic primitives: SHA-1 is used to hash `sudo`
|
|
|
ud-ldap is old, hard to maintain, and possibly has serious security
|
|
|
issues. it is a liability, in the long term, in particular for those
|
|
|
reasons:
|
|
|
|
|
|
* **old cryptographic primitives**: SHA-1 is used to hash `sudo`
|
|
|
passwords, MD5 is used to hash user passwords, those hashes are
|
|
|
communicated over OpenPGP_encrypted email but stored in LDAP in
|
|
|
cleartext. There is a "hack" present in the web interface to
|
|
|
enforce MD5 passwords on logins, and the mail interface also has
|
|
|
MD5 hardcoded for password resets.
|
|
|
|
|
|
* rolls its own crypto: ud-ldap ships its own wrapper around GnuPG,
|
|
|
* **rolls its own crypto**: ud-ldap ships its own wrapper around GnuPG,
|
|
|
implementing the (somewhat arcane) commandline dialect. it has not
|
|
|
been determined if that implementation is either accurate or safe.
|
|
|
|
|
|
* the email interface is notoriously picky: it has trouble with
|
|
|
standard OpenPGP/MIME messages and is hard to use for users
|
|
|
* **email interface hard to use**: it has trouble with standard
|
|
|
OpenPGP/MIME messages and is hard to use for users
|
|
|
|
|
|
* the web interface is showing its age: it's made of old Perl CGI
|
|
|
scripts that uses a custom template format built on top of [WML][]
|
|
|
with custom pattern replacement, without any other framework than
|
|
|
Perl's builtin `CGI` module. it uses in-URL tokens which could be
|
|
|
* **old web interface**: it's made of old Perl CGI scripts that uses
|
|
|
a custom template format built on top of [WML][] with custom
|
|
|
pattern replacement, without any other framework than Perl's
|
|
|
builtin `CGI` module. it uses in-URL tokens which could be
|
|
|
vulnerable to XSS attacks.
|
|
|
|
|
|
[WML]: https://en.wikipedia.org/wiki/Website_Meta_Language
|
|
|
|
|
|
* large technical debt: ud-ldap is written in (old) Python 2, Perl
|
|
|
and shell, which makes it hard to maintain. it will at least need
|
|
|
to be ported to Python 3 in the short term. ud-ldap has no test
|
|
|
suite, linting or CI of any form. opening some files
|
|
|
(e.g. `ud-generate`) yield so many style warnings that my editor
|
|
|
(Emacs with Elpy) disables checks. it is believed to be impossible
|
|
|
or at least impractical to setup a new ud-ldap setup from scratch.
|
|
|
|
|
|
* authentication is overly complex: as detailed in the
|
|
|
* **large technical debt**
|
|
|
|
|
|
* ud-ldap is written in (old) Python 2, Perl and shell. it will at
|
|
|
least need to be ported to Python 3 in the short term.
|
|
|
* code reuse is minimal across the project.
|
|
|
* ud-ldap has no test suite, linting or CI of any form.
|
|
|
* opening some files (e.g. `ud-generate`) yield so many style
|
|
|
warnings that my editor (Emacs with Elpy) disables checks.
|
|
|
* it is believed to be impossible or at least impractical to setup
|
|
|
a new ud-ldap setup from scratch.
|
|
|
|
|
|
* **authentication is overly complex**: as detailed in the
|
|
|
[authentication section](#authentication-mechanisms), with 6 different authentication
|
|
|
methods with the LDAP server.
|
|
|
|
|
|
* rolls its own configuration management: ud-ldap does configuration
|
|
|
* **replicates configuration management**: ud-ldap does configuration
|
|
|
management and file distribution, as root
|
|
|
(`ud-generate`/`ud-replicate`), something which should be reserved
|
|
|
to Puppet
|
|
|
to Puppet. this might have been justified when ud-ldap was written,
|
|
|
in 1999, since configuration management wasn't very popular back
|
|
|
then ([Puppet](https://en.wikipedia.org/wiki/Puppet_(software)) was created in 2005, only [cfengine](https://en.wikipedia.org/wiki/CFEngine) existed
|
|
|
back then, which was created in 1993)
|
|
|
|
|
|
## Goals
|
|
|
<!-- include bugs to be fixed -->
|
... | ... | |
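Review bot: in the **old cryptographic primitives** bullet, `OpenPGP_encrypted` should read `OpenPGP-encrypted`; the underscore looks like a typo and some Markdown renderers will treat it as emphasis markup. In the same bullet, "those hashes are communicated over OpenPGP_encrypted email but stored in LDAP in cleartext" is ambiguous between the hashes being stored unencrypted and the passwords being stored unhashed; since the clause is about the hashes, spell out which is meant (for example "the hashes themselves are stored unencrypted in LDAP"). Grammar in the rewritten bullets: "Perl CGI scripts that uses" should be "that use", "opening some files (e.g. `ud-generate`) yield" should be "yields", and "impractical to setup a new ud-ldap setup" should be "to set up". In the **old web interface** bullet, "it uses in-URL tokens which could be vulnerable to XSS attacks" does not say what the tokens are used for (login sessions, password resets), so a reader cannot judge how exposed they are; a few words on their purpose would make the claim checkable. The **replicates configuration management** bullet now ends without a period after "which was created in 1993)"; add one, and consider folding the Puppet/cfengine dates into a single parenthetical after "in 1999" so the sentence reads in order.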