Switch the Mediawiki config to the new LDAP dir structure
* Use a new read-only account instead of the admin LDAP account * Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin is still used to authenticate users, but every kosmos.org user has access to the wiki. See https://www.mediawiki.org/wiki/Extension:PluggableAuth for the distinction between authentication and authorization Refs #127
This commit is contained in:
parent
afaff86551
commit
276daf0ed7
@ -1,15 +1,31 @@
|
||||
{
|
||||
"id": "mediawiki",
|
||||
"antispam_key": {
|
||||
"encrypted_data": "0geoVeZ/umKaBCbhDfxkacWt4sWQBHrRxYGTSsaC5gw=\n",
|
||||
"iv": "YxwNvI3HXeMZRHFpv+QLcQ==\n",
|
||||
"version": 1,
|
||||
"cipher": "aes-256-cbc"
|
||||
"encrypted_data": "OD5RrVaQoUFbGV1Xs6i3hqZ024IJsbOC4CAWzrw5jQ==\n",
|
||||
"iv": "8sfvTg7uGe1ofS2C\n",
|
||||
"auth_tag": "hquilck+xxOQqHjE+szPgA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"db_pass": {
|
||||
"encrypted_data": "aQ1soJeRPq9TQuDglkXrl10rIx5RpBNd5HltKVsYgLHedS5zXy8ylBhNdgBW\nb6slPhsbAB9d45aZAac7LUSbMIDIg8P+Zdx/0+IaEuwcpuQ=\n",
|
||||
"iv": "RDS39dqjBPO0CyyANsa+2g==\n",
|
||||
"version": 1,
|
||||
"cipher": "aes-256-cbc"
|
||||
"encrypted_data": "2IntmJdBmfGyHghAXDJnaew58u9dvjKCz/q1Uivs8Q+nH3wVqARkf52BIHhZ\nbIHY3cy50EwcKTxDcr1arQFmb88cKBxt\n",
|
||||
"iv": "pkCrp07s4LJfaPmq\n",
|
||||
"auth_tag": "yBsriBc/X2bP6v25NY3cSg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"ldap_user": {
|
||||
"encrypted_data": "l/Q63Mvm/tANfvZ+1ijjTB1lpirOhAjWDz4k+R1OkzYIXQNwo6VM2saTH2eu\nBNHFLTyUSMqzlAcq6OvH++En05wk\n",
|
||||
"iv": "y+n/Lo8t6O3Ab4/+\n",
|
||||
"auth_tag": "7eHYjF8A0T611Y+JT1GeJg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"ldap_password": {
|
||||
"encrypted_data": "+qYb9F/f9QRRCTsMoRIyWWVQyCSLcQRHSPWD2Nf7z7Kauywh1zIg\n",
|
||||
"iv": "sivNzq6G+mScbRnn\n",
|
||||
"auth_tag": "ybUpDlIOJm0bsqlY5qt1xA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos-mediawiki'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.2.1'
|
||||
version '0.3.0'
|
||||
|
||||
depends "mediawiki"
|
||||
depends "ark"
|
||||
|
@ -39,8 +39,8 @@ node.override['mediawiki']['server_name'] = server_name
|
||||
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
|
||||
protocol = node.chef_environment == "development" ? "http" : "https"
|
||||
node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
|
||||
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
|
||||
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
|
||||
mysql_credentials = data_bag_item('credentials', 'mysql')
|
||||
mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
|
||||
|
||||
node.override['mediawiki']['db']['root_password'] = mysql_credentials["root_password"]
|
||||
node.override['mediawiki']['db']['pass'] = mediawiki_credentials["db_pass"]
|
||||
@ -167,15 +167,6 @@ if node["mediawiki"]["ldap_enabled"]
|
||||
action :dump
|
||||
end
|
||||
|
||||
ark "LDAPAuthorization" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode 0750
|
||||
action :dump
|
||||
end
|
||||
|
||||
ark "LDAPAuthentication2" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
@ -187,10 +178,9 @@ if node["mediawiki"]["ldap_enabled"]
|
||||
|
||||
package "php-ldap"
|
||||
|
||||
ldap_credentials = data_bag_item("credentials", "dirsrv")
|
||||
ldap_domain = node['kosmos-dirsrv']['master_hostname']
|
||||
ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
|
||||
ldap_base = "ou=users,dc=kosmos,dc=org"
|
||||
ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
|
||||
end
|
||||
|
||||
ruby_block "configuration" do
|
||||
@ -260,8 +250,8 @@ $LDAPProviderDomainConfigProvider = function()
|
||||
"connection" => [
|
||||
"server" => "#{ldap_domain}",
|
||||
"enctype" => "#{ldap_encryption_type}",
|
||||
"user" => "cn=Directory Manager",
|
||||
"pass" => "#{ldap_credentials['admin_password']}",
|
||||
"user" => "#{mediawiki_credentials['ldap_user']}",
|
||||
"pass" => "#{mediawiki_credentials['ldap_password']}",
|
||||
"basedn" => "#{ldap_base}",
|
||||
"groupbasedn" => "#{ldap_base}",
|
||||
"userbasedn" => "#{ldap_base}",
|
||||
@ -270,13 +260,6 @@ $LDAPProviderDomainConfigProvider = function()
|
||||
"usernameattribute" => "uid",
|
||||
"realnameattribute" => "cn",
|
||||
"emailattribute" => "mail"
|
||||
],
|
||||
"authorization" => [
|
||||
"rules" => [
|
||||
"attributes" => [
|
||||
"wiki" => "enabled"
|
||||
]
|
||||
]
|
||||
]
|
||||
]
|
||||
];
|
||||
@ -288,7 +271,6 @@ $LDAPProviderDomainConfigProvider = function()
|
||||
$wgPluggableAuth_ButtonLabel = 'Log in';
|
||||
wfLoadExtension( 'LDAPProvider' );
|
||||
wfLoadExtension( 'PluggableAuth' );
|
||||
wfLoadExtension( 'LDAPAuthorization' );
|
||||
wfLoadExtension( 'LDAPAuthentication2' );
|
||||
# Disable account creation page, since this is not possible to create an account
|
||||
# when only LDAP login is enabled
|
||||
|
Loading…
x
Reference in New Issue
Block a user