usnistgov / SpectrumBrowser


We need to remove admin logon information from Config #92

Closed jkubNTIA closed 9 years ago

jkubNTIA commented 9 years ago

We need to remove the following admin logon information from Config.py:

```python
adminFirstName = configuration["ADMIN_USER_FIRST_NAME"]
adminLastName = configuration["ADMIN_USER_LAST_NAME"]
adminPassword = configuration["ADMIN_PASSWORD"]
adminEmailAddress = configuration["ADMIN_EMAIL_ADDRESS"]
```

Julie is creating an ability to add admin accounts on the Account Management page. ITS needs the ability to have each admin user have their own account since our IT security does not want us to share one admin password. For NIST, they can either have one admin account or more, if desired, but they could still create the admin account from Julie's Account Management page.

ranganathanm commented 9 years ago

I suggest we proceed as follows:

The "primary" administrator account should still be in Config. Other users may be granted administrative privilege by the primary administrator.

ranganathanm commented 9 years ago

Julie, please comment on this proposal.

jkubNTIA commented 9 years ago

I just sent an email to our team to discuss during our Thursday meeting. Our ITS IT security wants all of our administrator accounts in LDAP and will not go for a "primary" administrator account in Config. We will need all admin users to be in LDAP.

Here is the email to the team: ITS needs to store all ‘user’ and ‘admin’ level users in an LDAP database and adhere to security rules (such as needing to change passwords every 60 days, account is locked with 3 unsuccessful login attempts, etc.). NIST does not need to do this and can store the admin user in the configuration mongoDB database. How does ITS handle the first admin account creation? Do we use a temporary default admin password for the first admin login like NIST does? Or do we go to the LDAP GUI and manually create the first admin account so that ITS never has to use a temporary admin login account? Should we just use an if/else in the code to allow NIST to get their admin account from the configuration database and ITS get their admin accounts from LDAP?

ranganathanm commented 9 years ago

You can store it in LDAP if you want. You can mirror LDAP information in mongodb, i.e. I do not want any hard dependencies on the existence of LDAP. We will not be running LDAP. What you can do is as follows:

ranganathanm commented 9 years ago

Also, placing the information in Config does not imply it does not go to LDAP. In fact, the config page just places the admin account into the accounts collection. Please comment on this proposal. Thanks.

ranganathanm commented 9 years ago

Continuing on from our phone discussion, if you want to keep the code integrated, import your LDAP dependencies using a global flag, i.e.

```python
if LDAP_Configured:
    import ldap
```

(note that in python, imports are executable statements).

Then whenever you need to update or refer to the accounts collection, proceed as follows:

```python
if LDAP_Configured:
    do_ldap(...)    # update or look up the account via LDAP
else:
    ...             # look in mongodb
```

So this way, the code can stay integrated (no forking required) without my having to import LDAP and use any LDAP features.

Please comment on this proposal.
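The flag-gated import and backend dispatch proposed above, combined with the lockout and password-age rules from jkubNTIA's email, as an added example that is not code from the SpectrumBrowser project. It assumes an environment variable `LDAP_CONFIGURED` as the global flag, a constructed in-memory dict standing in for the MongoDB accounts collection, and placeholder LDAP server URI and DN layout.

```python
import hashlib, hmac, os, time
# Global flag from the deployment config (assumed name); python-ldap is imported
# only when it is set, so an installation without LDAP never needs the package.
LDAP_CONFIGURED = os.environ.get("LDAP_CONFIGURED") == "1"
if LDAP_CONFIGURED:
    import ldap  # python-ldap, required only on LDAP installations
MAX_FAILED_LOGINS = 3            # lock after 3 unsuccessful attempts
PASSWORD_MAX_AGE = 60 * 86400    # passwords expire after 60 days (seconds)
accounts = {}   # constructed in-memory stand-in for the MongoDB accounts collection

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(email, password, is_admin=False, now=None):
    """Create an account in the local store (admins are added here by an existing
    admin rather than read from Config). `now` is a Unix timestamp."""
    salt = os.urandom(16)
    accounts[email] = {"salt": salt, "hash": _hash(password, salt), "admin": is_admin,
                       "failed": 0, "locked": False,
                       "pw_set": time.time() if now is None else now}

def _ldap_authenticate(email, password):
    # Assumed LDAP bind flow; the server URI and DN layout are placeholders.
    conn = ldap.initialize("ldap://LDAP_SERVER_PLACEHOLDER")
    try:
        conn.simple_bind_s("uid=%s,ou=people,dc=example,dc=org" % email, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False

def authenticate(email, password, now=None):
    """Return 'ok', 'locked', 'expired' or 'denied'; dispatches on the LDAP flag."""
    if LDAP_CONFIGURED:
        return "ok" if _ldap_authenticate(email, password) else "denied"
    now = time.time() if now is None else now
    acct = accounts.get(email)
    if acct is None:
        return "denied"
    if acct["locked"]:
        return "locked"
    if not hmac.compare_digest(acct["hash"], _hash(password, acct["salt"])):
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGINS:
            acct["locked"] = True
            return "locked"
        return "denied"
    acct["failed"] = 0
    if now - acct["pw_set"] > PASSWORD_MAX_AGE:
        return "expired"
    return "ok"
```

With the flag unset the LDAP branch is never reached and the `ldap` package is never imported, which is the property the proposal asks for.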

jkubNTIA commented 9 years ago

Great idea. This way we can use LDAP at ITS and NIST does not need to import LDAP into the code. Also we do not need to mirror the login information between LDAP/MongoDB and we do not need to fork the code. I will change the code.