WIP Add service accounts and ACIs

Add missing env var to example config
Fix LDAP attribute name
2024-03-28 10:57:12 +04:00 · 2024-03-28 10:56:42 +04:00 · 2024-03-19 18:18:06 +01:00
5 changed files with 22 additions and 1 deletions
--- a/.env.example
+++ b/.env.example
@@ -58,6 +58,7 @@
 # LNDHUB_PG_PASSWORD=''
 # MASTODON_PUBLIC_URL='https://kosmos.social'
 # MASTODON_ADDRESS_DOMAIN='https://kosmos.org'
 # MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -57,7 +57,7 @@ class LdapService < ApplicationService
    end
    attributes = %w[
-      dn cn uid mail displayName admin service
+      dn cn uid mail displayName admin serviceEnabled
      mailRoutingAddress mailpassword nostrKey
    ]
    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
--- a/lib/tasks/ldap.rake
+++ b/lib/tasks/ldap.rake
@@ -19,6 +19,18 @@ namespace :ldap do
    }, true
  end
  # TODO
  desc "Add application account to directory"
  task add_application_account: :environment do |t, args|
    # Add uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org with userPassword
  end
  # TODO
  desc "Add application ACI/permissions for OU, i.e. read/search users"
  task add_application_account: :environment do |t, args|
    # (target="ldap:///cn=*,ou=#{ou},cn=users,#{ldap_suffix}")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-#{ou.gsub(".", "-")}-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=#{ou},cn=applications,#{ldap_suffix}";)
  end
  desc "Add custom attributes to schema"
  task add_custom_attributes: :environment do |t, args|
    %w[ admin service_enabled nostr_key ].each do |name|
--- a/schemas/ldap/aci.ldif
+++ b/schemas/ldap/aci.ldif
@@ -0,0 +1,4 @@
 dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 changetype: modify
 add: aci
 aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || serviceEnabled || displayName || jpegPhoto || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
--- a/schemas/ldap/delete-aci.ldif
+++ b/schemas/ldap/delete-aci.ldif
@@ -0,0 +1,4 @@
 dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 changetype: modify
 delete: aci
 aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
Author	SHA1	Message	Date
Râu Cao	0bd77bc37a	WIP Add service accounts and ACIs All checks were successful continuous-integration/drone/push Build is passing Details	2024-03-28 10:57:12 +04:00
Râu Cao	02af69b055	Add missing env var to example config All checks were successful continuous-integration/drone/push Build is passing Details	2024-03-28 10:56:42 +04:00
Râu Cao	5d459e7e7d	Fix LDAP attribute name All checks were successful continuous-integration/drone/push Build is passing Details	2024-03-19 18:18:06 +01:00