Enable LDAP support on mediawiki

Users can log in using their LDAP account (in the ou=users,dc=kosmos,dc=org group and with the wiki attribute set to enabled) Add an attribute for the ldap master server, so it can be overridden in the development environment Refs #107
2019-11-04 19:03:45 +01:00 · 2019-11-04 19:03:45 +01:00 · a69192a863
parent 484f1306da
commit a69192a863
7 changed files with 111 additions and 7 deletions
--- a/environments/development.json
+++ b/environments/development.json
@ -13,6 +13,9 @@
      "elasticsearch": {
        "allocated_memory": "128m"
      }
+    },
+    "kosmos-dirsrv": {
+      "master_hostname": "localhost"
    }
  }
 }
--- a/site-cookbooks/kosmos-dirsrv/attributes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb
@ -0,0 +1 @@
+node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'
--- a/site-cookbooks/kosmos-dirsrv/metadata.rb
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures 389 Directory Server'
 long_description 'Installs/Configures 389 Directory Server'
-version '0.1.0'
+version '0.1.1'
 chef_version '>= 14.0'

 depends "firewall"
--- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb
@ -27,7 +27,7 @@
 credentials = data_bag_item("credentials", "dirsrv")

 dirsrv_instance "master" do
-  hostname "ldap.kosmos.org"
+  hostname node['kosmos-dirsrv']['master_hostname']
  admin_password credentials['admin_password']
  suffix "dc=kosmos,dc=org"
 end
--- a/site-cookbooks/kosmos-mediawiki/attributes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/attributes/default.rb
@ -1,3 +1,4 @@
 node.default["mediawiki"]["url"] = "https://wiki.kosmos.org/"
 node.default["mediawiki"]["hubot_base_url"] = "http://barnard.kosmos.org:8080"
 node.default["mediawiki"]["hubot_room"] = "#kosmos"
+node.default["mediawiki"]["ldap_enabled"] = true
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.0'
+version          '0.2.0'

 depends "mediawiki"
 depends "ark"
@ -12,3 +12,4 @@ depends "backup"
 depends "composer"
 depends "kosmos-nginx"
 depends "kosmos-base"
+depends "kosmos-dirsrv"
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
@ -30,9 +30,6 @@ include_recipe 'composer'

 server_name = 'wiki.kosmos.org'

-# FIXME: For now run the update script manually after updating:
-#
-# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
 node.override['mediawiki']['version']         = "1.32.0"
 node.override['mediawiki']['webdir']          = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
 node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
@ -150,6 +147,52 @@ template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig
            wiki_url: node['mediawiki']['url']
 end

+if node["mediawiki"]["ldap_enabled"]
+  # LDAP
+  ark "PluggableAuth" do
+    url "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_33-a69f626.tar.gz"
+    path "#{node['mediawiki']['webdir']}/extensions"
+    owner node["nginx"]["user"]
+    group node["nginx"]["group"]
+    mode 0750
+    action :dump
+  end
+
+  ark "LDAPProvider" do
+    url "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_31-07ab292.tar.gz"
+    path "#{node['mediawiki']['webdir']}/extensions"
+    owner node["nginx"]["user"]
+    group node["nginx"]["group"]
+    mode 0750
+    action :dump
+  end
+
+  ark "LDAPAuthorization" do
+    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
+    path "#{node['mediawiki']['webdir']}/extensions"
+    owner node["nginx"]["user"]
+    group node["nginx"]["group"]
+    mode 0750
+    action :dump
+  end
+
+  ark "LDAPAuthentication2" do
+    url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
+    path "#{node['mediawiki']['webdir']}/extensions"
+    owner node["nginx"]["user"]
+    group node["nginx"]["group"]
+    mode 0750
+    action :dump
+  end
+
+  package "php-ldap"
+
+  ldap_credentials = data_bag_item("credentials", "dirsrv")
+  ldap_domain = node['kosmos-dirsrv']['master_hostname']
+  ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
+  ldap_base = "ou=users,dc=kosmos,dc=org"
+end
+
 ruby_block "configuration" do
  block do
    file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
@ -204,7 +247,55 @@ $wgArticlePath = "/$1";
    file.insert_line_if_no_match(/WikiEditor/,
                                 "wfLoadExtension( 'WikiEditor' );")

-    file.write_file
+    if node["mediawiki"]["ldap_enabled"]
+      file.insert_line_if_no_match(/# LDAP config/,
+                                 <<-EOF
+# LDAP config
+$LDAPProviderDomainConfigProvider = function()
+{
+    $config = [
+        "#{server_name}" => [
+            "connection" => [
+                "server" => "#{ldap_domain}",
+                "enctype" => "#{ldap_encryption_type}",
+                "user" => "cn=Directory Manager",
+                "pass" => "#{ldap_credentials['admin_password']}",
+                "basedn" => "#{ldap_base}",
+                "groupbasedn" => "#{ldap_base}",
+                "userbasedn" => "#{ldap_base}",
+                "searchattribute" => "uid",
+                "searchstring" => "cn=USER-NAME,#{ldap_base}",
+                "usernameattribute" => "uid",
+                "realnameattribute" => "cn",
+                "emailattribute" => "mail"
+            ],
+            "authorization" => [
+                "rules" => [
+                        "attributes" => [
+                                        "wiki" => "enabled"
+                    ]
+                ]
+            ]
+        ]
+    ];
+
+    return new \\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\InlinePHPArray( $config );
+};
+# $wgPluggableAuth_EnableLocalLogin = true; # allow local logins
+# Override the text for the login button. The default is "Log In With PluggableAuth"
+$wgPluggableAuth_ButtonLabel = 'Log in';
+wfLoadExtension( 'LDAPProvider' );
+wfLoadExtension( 'PluggableAuth' );
+wfLoadExtension( 'LDAPAuthorization' );
+wfLoadExtension( 'LDAPAuthentication2' );
+# Disable account creation page, since this is not possible to create an account
+# when only LDAP login is enabled
+$wgGroupPermissions['*']['createaccount'] = false;
+                                 EOF
+                                 )
+
+      file.write_file
+    end
  end
 end

@ -230,6 +321,13 @@ composer_project node['mediawiki']['webdir'] do
  action :install
 end

+# This does not perform changes when it has already been executed. Needed when
+# adding a new extension, for example for LDAP support
+execute "Run the database updater" do
+  cwd node['mediawiki']['webdir']
+  command "./maintenance/update.php --quick"
+end
+
 #
 # Backup
 #
				`@ -0,0 +1 @@`
				`node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'`