Greg greg
  • Joined on 2018-11-05
greg commented on issue kosmos/chef#140 2020-02-21 12:42:52 +00:00
Every LDAP account should have access to XMPP

I found a good solution. LDAP accounts used to filter users will be moved under cn=applications,dc=kosmos,dc=org, for example cn=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org. Then everything under cn=users,dc=kosmos,dc=org is actual users.

# applications, kosmos.org
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: applications

# kosmos.org, applications, kosmos.org
dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

# 5apps.com, applications, kosmos.org
dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

# xmpp account, used by ejabberd to search for users and change passwords
dn: cn=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: xmpp
userPassword: {SSHA512}snip

# xmpp account, used by ejabberd to search for users and change passwords
dn: cn=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: xmpp
userPassword: {SSHA512}snip

ACIs need to be set on the Organizational Units to allow the application accounts to perform the searches.

# 5apps.com, users, kosmos.org
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn 
greg commented on issue kosmos/chef#140 2020-02-20 18:55:13 +00:00
Every LDAP account should have access to XMPP

This has revealed a flaw in the new directory structure. If we remove the filtering altogether, LDAP read-only accounts for the wiki and xmpp become valid XMPP accounts.

Right now my solution is to turn these accounts from a person into an organizationalPerson. Then the filter would look like this (a person, but not an organizationalPerson). In LDAP an organizationalPerson is also a person since it's "subclassing" it.

(&(objectClass=person)(!(objectClass=organizationalPerson)))

The ACIs will also need to be updated to add the objectClass attribute to the list of allowed attributes for the read-only account, because they are not part of the list for now.

# kosmos.org, users, kosmos.org
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn 
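As an added example (not code from the issue thread or the kosmos/chef cookbooks), a small Python evaluator for the LDAP filter subset used in these two comments, run against constructed entries modelled on the DNs above: it shows why a plain (objectClass=person) search over cn=users also returned the read-only xmpp bind account, how the person-but-not-organizationalPerson filter excludes it, and how moving service accounts under cn=applications makes that filter unnecessary. The user cn=alice and all attribute values are made up, and only the `&`, `|`, `!`, equality and presence forms of RFC 4515 are parsed.

```python
# Added example, not code from the kosmos/chef issue: a tiny evaluator for the
# RFC 4515 filter subset used in the thread, run against constructed entries.
USERS = "cn=users,dc=kosmos,dc=org"
APPS = "cn=applications,dc=kosmos,dc=org"
ALICE = "cn=alice,ou=kosmos.org," + USERS       # a real user (constructed)
XMPP_OLD = "cn=xmpp,ou=kosmos.org," + USERS     # service bind account stored among the users
XMPP_NEW = "cn=xmpp,ou=kosmos.org," + APPS      # the same account after the move
# Old layout: the read-only bind account is a person, re-typed as organizationalPerson.
OLD_LAYOUT = {
    ALICE: {"objectClass": {"top", "person"}, "cn": {"alice"}},
    XMPP_OLD: {"objectClass": {"top", "person", "organizationalPerson"}, "cn": {"xmpp"}},
}
# New layout: service accounts live under cn=applications, as in the later comment.
NEW_LAYOUT = {
    ALICE: OLD_LAYOUT[ALICE],
    XMPP_NEW: {"objectClass": {"top", "simpleSecurityObject", "organizationalRole"}, "cn": {"xmpp"}},
}

def parse(f, i=0):
    """Parse (&...), (|...), (!...), (attr=value) and (attr=*); return (node, next_index)."""
    assert f[i] == "(", "filter must start with '('"
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        assert f[i] == ")", "unbalanced filter"
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter node against one entry (values compared case-insensitively)."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    vals = {v.lower() for v in entry.get(node[1], ())}
    return bool(vals) if node[2] == "*" else node[2].lower() in vals

def search(directory, base, filt):
    """Subtree search: sorted DNs at or below base whose entry matches filt."""
    tree, _ = parse(filt)
    return sorted(dn for dn, entry in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(tree, entry))

FILTER = "(&(objectClass=person)(!(objectClass=organizationalPerson)))"  # person, but not organizationalPerson
```

With the old layout, `search(OLD_LAYOUT, USERS, "(objectClass=person)")` returns both alice and the xmpp bind account, while `search(OLD_LAYOUT, USERS, FILTER)` returns only alice; with the new layout a plain person filter over cn=users already returns only alice.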
greg opened issue kosmos/chef#140 2020-02-20 16:17:58 +00:00
Every LDAP account should have access to XMPP
greg opened issue kosmos/chef#139 2020-02-20 16:02:52 +00:00
Enable LDAP support on Gitea
greg closed issue kosmos/chef#107 2020-02-20 13:39:20 +00:00
Set up LDAP server for central account management
greg commented on issue kosmos/chef#107 2020-02-20 13:39:19 +00:00
Set up LDAP server for central account management

Docs are on the wiki for the new directory structure: https://wiki.kosmos.org/Infrastructure:LDAP

greg commented on issue kosmos/chef#123 2020-02-20 13:38:27 +00:00
Enable LDAP support on ejabberd

Paired with @galfert to perform the migration, closing this one

greg closed issue kosmos/chef#123 2020-02-20 13:38:27 +00:00
Enable LDAP support on ejabberd
greg closed issue kosmos/chef#127 2020-02-20 13:37:32 +00:00
Change LDAP directory structure to accommodate multiple domains
greg commented on issue kosmos/chef#127 2020-02-20 13:37:31 +00:00
Change LDAP directory structure to accommodate multiple domains

Closing this one since we've migrated ejabberd

Docs are on the wiki page: https://wiki.kosmos.org/Infrastructure:LDAP

greg merged pull request kosmos/chef#138 2020-02-20 13:34:18 +00:00
Remove the CleanTalk Antispam extension
greg merged pull request kosmos/chef#138 2020-02-20 13:34:17 +00:00
Remove the CleanTalk Antispam extension
greg pushed to master at kosmos/chef 2020-02-20 13:34:17 +00:00
f34513220e Merge branch 'feature/130-remove_antispam' of kosmos/chef into master
c4fdf1779f Remove the CleanTalk Antispam extension
greg closed issue kosmos/chef#130 2020-02-20 13:34:17 +00:00
Remove CleanTalk from wiki.kosmos.org
greg created pull request kosmos/chef#138 2020-02-20 13:33:57 +00:00
Remove the CleanTalk Antispam extension
greg pushed to feature/130-remove_antispam at kosmos/chef 2020-02-20 13:32:24 +00:00
c4fdf1779f Remove the CleanTalk Antispam extension
greg pushed to master at kosmos/chef 2020-02-20 13:30:44 +00:00
6f7474b4d1 Update the Mediawiki extensions
greg deleted branch feature/127-new_ldap_dir_structure from kosmos/chef 2020-02-20 13:29:20 +00:00
greg merged pull request kosmos/chef#137 2020-02-20 13:29:08 +00:00
Enable LDAP on the XMPP kosmos.org vhost and use the new dir structure in Mediawiki
greg pushed to master at kosmos/chef 2020-02-20 13:29:08 +00:00
c01f5c1038 Merge branch 'feature/127-new_ldap_dir_structure' of kosmos/chef into master
90a0e6be9f Enable LDAP on the kosmos.org vhost
276daf0ed7 Switch the Mediawiki config to the new LDAP dir structure