Switch the Mediawiki config to the new LDAP dir structure

* Use a new read-only account instead of the admin LDAP account
* Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin
is still used to authenticate users, but every kosmos.org user has
access to the wiki. See
https://www.mediawiki.org/wiki/Extension:PluggableAuth for the
distinction between authentication and authorization

Refs #127

site-cookbooks/kosmos-mediawiki/metadata.rb

@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.1'
+version          '0.3.0'
 
 depends "mediawiki"
 depends "ark"

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -39,8 +39,8 @@ node.override['mediawiki']['server_name']     = server_name
 node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
 node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
-mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mysql_credentials = data_bag_item('credentials', 'mysql')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 
 node.override['mediawiki']['db']['root_password'] = mysql_credentials["root_password"]
 node.override['mediawiki']['db']['pass'] = mediawiki_credentials["db_pass"]
@@ -167,15 +167,6 @@ if node["mediawiki"]["ldap_enabled"]
     action :dump
   end
 
-  ark "LDAPAuthorization" do
-    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
-    path "#{node['mediawiki']['webdir']}/extensions"
-    owner node["nginx"]["user"]
-    group node["nginx"]["group"]
-    mode 0750
-    action :dump
-  end
-
   ark "LDAPAuthentication2" do
     url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
     path "#{node['mediawiki']['webdir']}/extensions"
@@ -187,10 +178,9 @@ if node["mediawiki"]["ldap_enabled"]
 
   package "php-ldap"
 
-  ldap_credentials = data_bag_item("credentials", "dirsrv")
   ldap_domain = node['kosmos-dirsrv']['master_hostname']
   ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
-  ldap_base = "ou=users,dc=kosmos,dc=org"
+  ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 end
 
 ruby_block "configuration" do
@@ -260,8 +250,8 @@ $LDAPProviderDomainConfigProvider = function()
             "connection" => [
                 "server" => "#{ldap_domain}",
                 "enctype" => "#{ldap_encryption_type}",
-                "user" => "cn=Directory Manager",
-                "pass" => "#{ldap_credentials['admin_password']}",
+                "user" => "#{mediawiki_credentials['ldap_user']}",
+                "pass" => "#{mediawiki_credentials['ldap_password']}",
                 "basedn" => "#{ldap_base}",
                 "groupbasedn" => "#{ldap_base}",
                 "userbasedn" => "#{ldap_base}",
@@ -270,13 +260,6 @@ $LDAPProviderDomainConfigProvider = function()
                 "usernameattribute" => "uid",
                 "realnameattribute" => "cn",
                 "emailattribute" => "mail"
-            ],
-            "authorization" => [
-                "rules" => [
-                        "attributes" => [
-                                        "wiki" => "enabled"
-                    ]
-                ]
             ]
         ]
     ];
@@ -288,7 +271,6 @@ $LDAPProviderDomainConfigProvider = function()
 $wgPluggableAuth_ButtonLabel = 'Log in';
 wfLoadExtension( 'LDAPProvider' );
 wfLoadExtension( 'PluggableAuth' );
-wfLoadExtension( 'LDAPAuthorization' );
 wfLoadExtension( 'LDAPAuthentication2' );
 # Disable account creation page, since this is not possible to create an account
 # when only LDAP login is enabled