Enable LDAP support on mediawiki
Users can log in using their LDAP account (in the ou=users,dc=kosmos,dc=org group and with the wiki attribute set to enabled). Add an attribute for the LDAP master server, so it can be overridden in the development environment. Refs #107
This commit is contained in:
parent
484f1306da
commit
a69192a863
|
@ -13,6 +13,9 @@
|
|||
"elasticsearch": {
|
||||
"allocated_memory": "128m"
|
||||
}
|
||||
},
|
||||
"kosmos-dirsrv": {
|
||||
"master_hostname": "localhost"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'
|
|
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
|
|||
license 'MIT'
|
||||
description 'Installs/Configures 389 Directory Server'
|
||||
long_description 'Installs/Configures 389 Directory Server'
|
||||
version '0.1.0'
|
||||
version '0.1.1'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
|
|
|
@ -27,7 +27,7 @@
|
|||
credentials = data_bag_item("credentials", "dirsrv")
|
||||
|
||||
dirsrv_instance "master" do
|
||||
hostname "ldap.kosmos.org"
|
||||
hostname node['kosmos-dirsrv']['master_hostname']
|
||||
admin_password credentials['admin_password']
|
||||
suffix "dc=kosmos,dc=org"
|
||||
end
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
node.default["mediawiki"]["url"] = "https://wiki.kosmos.org/"
|
||||
node.default["mediawiki"]["hubot_base_url"] = "http://barnard.kosmos.org:8080"
|
||||
node.default["mediawiki"]["hubot_room"] = "#kosmos"
|
||||
node.default["mediawiki"]["ldap_enabled"] = true
|
||||
|
|
|
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
|
|||
license 'MIT'
|
||||
description 'Installs/Configures kosmos-mediawiki'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.1.0'
|
||||
version '0.2.0'
|
||||
|
||||
depends "mediawiki"
|
||||
depends "ark"
|
||||
|
@ -12,3 +12,4 @@ depends "backup"
|
|||
depends "composer"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-base"
|
||||
depends "kosmos-dirsrv"
|
||||
|
|
|
@ -30,9 +30,6 @@ include_recipe 'composer'
|
|||
|
||||
server_name = 'wiki.kosmos.org'
|
||||
|
||||
# FIXME: For now run the update script manually after updating:
|
||||
#
|
||||
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
|
||||
node.override['mediawiki']['version'] = "1.32.0"
|
||||
node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
|
||||
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
|
||||
|
@ -150,6 +147,52 @@ template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig
|
|||
wiki_url: node['mediawiki']['url']
|
||||
end
|
||||
|
||||
if node["mediawiki"]["ldap_enabled"]
|
||||
# LDAP
|
||||
ark "PluggableAuth" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_33-a69f626.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode 0750
|
||||
action :dump
|
||||
end
|
||||
|
||||
ark "LDAPProvider" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_31-07ab292.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode 0750
|
||||
action :dump
|
||||
end
|
||||
|
||||
ark "LDAPAuthorization" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode 0750
|
||||
action :dump
|
||||
end
|
||||
|
||||
ark "LDAPAuthentication2" do
|
||||
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
|
||||
path "#{node['mediawiki']['webdir']}/extensions"
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode 0750
|
||||
action :dump
|
||||
end
|
||||
|
||||
package "php-ldap"
|
||||
|
||||
ldap_credentials = data_bag_item("credentials", "dirsrv")
|
||||
ldap_domain = node['kosmos-dirsrv']['master_hostname']
|
||||
ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
|
||||
ldap_base = "ou=users,dc=kosmos,dc=org"
|
||||
end
|
||||
|
||||
ruby_block "configuration" do
|
||||
block do
|
||||
file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
|
||||
|
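Review bot: The four `ark` resources from `ark "PluggableAuth"` to `ark "LDAPAuthentication2"` fetch extension tarballs with no `checksum`, so whatever extdist.wmflabs.org returns is unpacked into the extensions directory unverified; pinning a commit in the URL fixes the version but not the integrity of the download. Adding `checksum "<SHA256_OF_TARBALL>"` to each resource makes a substituted or truncated archive fail the converge instead of being deployed into the web root. The four bodies differ only in name and URL, so a single `each` over name/URL pairs would declare owner, group, mode and action once. `ldap_credentials = data_bag_item("credentials", "dirsrv")` reuses the item the dirsrv recipe uses as the instance admin password, so the wiki host ends up holding the directory's administrative secret rather than a bind account scoped to `ou=users`.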
@ -204,7 +247,55 @@ $wgArticlePath = "/$1";
|
|||
file.insert_line_if_no_match(/WikiEditor/,
|
||||
"wfLoadExtension( 'WikiEditor' );")
|
||||
|
||||
file.write_file
|
||||
if node["mediawiki"]["ldap_enabled"]
|
||||
file.insert_line_if_no_match(/# LDAP config/,
|
||||
<<-EOF
|
||||
# LDAP config
|
||||
$LDAPProviderDomainConfigProvider = function()
|
||||
{
|
||||
$config = [
|
||||
"#{server_name}" => [
|
||||
"connection" => [
|
||||
"server" => "#{ldap_domain}",
|
||||
"enctype" => "#{ldap_encryption_type}",
|
||||
"user" => "cn=Directory Manager",
|
||||
"pass" => "#{ldap_credentials['admin_password']}",
|
||||
"basedn" => "#{ldap_base}",
|
||||
"groupbasedn" => "#{ldap_base}",
|
||||
"userbasedn" => "#{ldap_base}",
|
||||
"searchattribute" => "uid",
|
||||
"searchstring" => "cn=USER-NAME,#{ldap_base}",
|
||||
"usernameattribute" => "uid",
|
||||
"realnameattribute" => "cn",
|
||||
"emailattribute" => "mail"
|
||||
],
|
||||
"authorization" => [
|
||||
"rules" => [
|
||||
"attributes" => [
|
||||
"wiki" => "enabled"
|
||||
]
|
||||
]
|
||||
]
|
||||
]
|
||||
];
|
||||
|
||||
return new \\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\InlinePHPArray( $config );
|
||||
};
|
||||
# $wgPluggableAuth_EnableLocalLogin = true; # allow local logins
|
||||
# Override the text for the login button. The default is "Log In With PluggableAuth"
|
||||
$wgPluggableAuth_ButtonLabel = 'Log in';
|
||||
wfLoadExtension( 'LDAPProvider' );
|
||||
wfLoadExtension( 'PluggableAuth' );
|
||||
wfLoadExtension( 'LDAPAuthorization' );
|
||||
wfLoadExtension( 'LDAPAuthentication2' );
|
||||
# Disable account creation page, since this is not possible to create an account
|
||||
# when only LDAP login is enabled
|
||||
$wgGroupPermissions['*']['createaccount'] = false;
|
||||
EOF
|
||||
)
|
||||
|
||||
file.write_file
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
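Review bot: `file.insert_line_if_no_match(/# LDAP config/, …)` only inserts when the marker comment is absent, so after the first converge a changed `ldap_domain`, `ldap_encryption_type` or rotated `admin_password` is never written to LocalSettings.php; rendering the LDAP section from a `template` resource that owns it, or replacing it with `file.search_file_replace_line`, would make later attribute changes take effect. The values are interpolated into PHP double-quoted strings, so a password containing `"`, `\` or `$` breaks the file or is re-interpreted by PHP; emitting them as single-quoted PHP strings with those characters escaped avoids that. `"user" => "cn=Directory Manager"` makes the wiki bind as the directory's root DN with the same password the dirsrv recipe uses for the instance, so anyone who can read LocalSettings.php on the web host gains full write access to the directory; a dedicated read-only bind DN under the suffix would limit that. The enclosing `ruby_block "configuration"` starts outside this hunk.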
@ -230,6 +321,13 @@ composer_project node['mediawiki']['webdir'] do
|
|||
action :install
|
||||
end
|
||||
|
||||
# This does not perform changes when it has already been executed. Needed when
|
||||
# adding a new extension, for example for LDAP support
|
||||
execute "Run the database updater" do
|
||||
cwd node['mediawiki']['webdir']
|
||||
command "./maintenance/update.php --quick"
|
||||
end
|
||||
|
||||
#
|
||||
# Backup
|
||||
#
|
||||
|
|
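Review bot: `execute "Run the database updater"` sets no `user`, so `./maintenance/update.php --quick` runs as root from `cwd node['mediawiki']['webdir']` on every converge, and anything the updater writes under the web directory ends up root-owned while the extensions are installed for `node["nginx"]["user"]`; adding `user node["nginx"]["user"]` and `group node["nginx"]["group"]` keeps ownership consistent. The resource has no `not_if`/`only_if`, so the comment above it should make clear that Chef re-runs it each time and only the script itself is expected to be a no-op, e.g. `# Runs on every converge; update.php is expected to make no changes once applied.`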