From a69192a863b0c7e35afd2bf9d33906982d0f0060 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 4 Nov 2019 19:03:45 +0100 Subject: [PATCH] Enable LDAP support on mediawiki Users can log in using their LDAP account (in the ou=users,dc=kosmos,dc=org group and with the wiki attribute set to enabled) Add an attribute for the ldap master server, so it can be overridden in the development environment Refs #107 --- environments/development.json | 3 + .../kosmos-dirsrv/attributes/default.rb | 1 + site-cookbooks/kosmos-dirsrv/metadata.rb | 2 +- .../kosmos-dirsrv/recipes/default.rb | 2 +- .../kosmos-mediawiki/attributes/default.rb | 1 + site-cookbooks/kosmos-mediawiki/metadata.rb | 3 +- .../kosmos-mediawiki/recipes/default.rb | 106 +++++++++++++++++- 7 files changed, 111 insertions(+), 7 deletions(-) diff --git a/environments/development.json b/environments/development.json index f2ee94d..a6f79ca 100644 --- a/environments/development.json +++ b/environments/development.json @@ -13,6 +13,9 @@ "elasticsearch": { "allocated_memory": "128m" } + }, + "kosmos-dirsrv": { + "master_hostname": "localhost" } } } diff --git a/site-cookbooks/kosmos-dirsrv/attributes/default.rb b/site-cookbooks/kosmos-dirsrv/attributes/default.rb index e69de29..9da7f6f 100644 --- a/site-cookbooks/kosmos-dirsrv/attributes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb @@ -0,0 +1 @@ +node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org' diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb index 5e7a819..74140a1 100644 --- a/site-cookbooks/kosmos-dirsrv/metadata.rb +++ b/site-cookbooks/kosmos-dirsrv/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org' license 'MIT' description 'Installs/Configures 389 Directory Server' long_description 'Installs/Configures 389 Directory Server' -version '0.1.0' +version '0.1.1' chef_version '>= 14.0' depends "firewall" 
diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb index a11b0d6..2f189df 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb @@ -27,7 +27,7 @@ credentials = data_bag_item("credentials", "dirsrv") dirsrv_instance "master" do - hostname "ldap.kosmos.org" + hostname node['kosmos-dirsrv']['master_hostname'] admin_password credentials['admin_password'] suffix "dc=kosmos,dc=org" end diff --git a/site-cookbooks/kosmos-mediawiki/attributes/default.rb b/site-cookbooks/kosmos-mediawiki/attributes/default.rb index eae4ea2..4f58ee5 100644 --- a/site-cookbooks/kosmos-mediawiki/attributes/default.rb +++ b/site-cookbooks/kosmos-mediawiki/attributes/default.rb @@ -1,3 +1,4 @@ node.default["mediawiki"]["url"] = "https://wiki.kosmos.org/" node.default["mediawiki"]["hubot_base_url"] = "http://barnard.kosmos.org:8080" node.default["mediawiki"]["hubot_room"] = "#kosmos" +node.default["mediawiki"]["ldap_enabled"] = true diff --git a/site-cookbooks/kosmos-mediawiki/metadata.rb b/site-cookbooks/kosmos-mediawiki/metadata.rb index 64835e6..8dddd1c 100644 --- a/site-cookbooks/kosmos-mediawiki/metadata.rb +++ b/site-cookbooks/kosmos-mediawiki/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org' license 'MIT' description 'Installs/Configures kosmos-mediawiki' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.0' +version '0.2.0' depends "mediawiki" depends "ark" @@ -12,3 +12,4 @@ depends "backup" depends "composer" depends "kosmos-nginx" depends "kosmos-base" +depends "kosmos-dirsrv" diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb index 09331c6..6e7be0e 100644 --- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb +++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb 
@@ -30,9 +30,6 @@ include_recipe 'composer' server_name = 'wiki.kosmos.org' -# FIXME: For now run the update script manually after updating: -# -# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php node.override['mediawiki']['version'] = "1.32.0" node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}" node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz" 
@@ -150,6 +147,52 @@ template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig wiki_url: node['mediawiki']['url'] end +if node["mediawiki"]["ldap_enabled"] + # LDAP + ark "PluggableAuth" do + url "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_33-a69f626.tar.gz" + path "#{node['mediawiki']['webdir']}/extensions" + owner node["nginx"]["user"] + group node["nginx"]["group"] + mode 0750 + action :dump + end + + ark "LDAPProvider" do + url "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_31-07ab292.tar.gz" + path "#{node['mediawiki']['webdir']}/extensions" + owner node["nginx"]["user"] + group node["nginx"]["group"] + mode 0750 + action :dump + end + + ark "LDAPAuthorization" do + url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz" + path "#{node['mediawiki']['webdir']}/extensions" + owner node["nginx"]["user"] + group node["nginx"]["group"] + mode 0750 + action :dump + end + + ark "LDAPAuthentication2" do + url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz" + path "#{node['mediawiki']['webdir']}/extensions" + owner node["nginx"]["user"] + group node["nginx"]["group"] + mode 0750 + action :dump + end + + package "php-ldap" + + ldap_credentials = data_bag_item("credentials", "dirsrv") + ldap_domain = node['kosmos-dirsrv']['master_hostname'] + ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls" + ldap_base = "ou=users,dc=kosmos,dc=org" +end + ruby_block "configuration" do block do file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php") 
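Review bot: The four `ark` resources unpack extension tarballs into the web root with no `checksum`, so a changed or tampered archive served under the same URL is installed unnoticed; the commit id in the filename only names the build, it does not verify the bytes. Add `checksum "<sha256 of the downloaded tarball>"` to each of the four resources (ark compares it against the download), with the value recorded alongside the URL so both are updated together. The branches also disagree: PluggableAuth is fetched from REL1_33 while LDAPProvider, LDAPAuthorization and LDAPAuthentication2 come from REL1_31, and the earlier hunk pins MediaWiki 1.32.0 — confirm these branches work with that release, and consider deriving the branch from an attribute so the five versions move together. `ldap_encryption_type` resolves to `"clear"` in development, which sends the bind password in plaintext; that is defensible when `master_hostname` is `localhost`, but a comment such as `# plaintext bind is only acceptable against the local dirsrv in development` would make the intent explicit.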
@@ -204,7 +247,55 @@ $wgArticlePath = "/$1"; file.insert_line_if_no_match(/WikiEditor/, "wfLoadExtension( 'WikiEditor' );") - file.write_file + if node["mediawiki"]["ldap_enabled"] + file.insert_line_if_no_match(/# LDAP config/, + <<-EOF +# LDAP config +$LDAPProviderDomainConfigProvider = function() +{ + $config = [ + "#{server_name}" => [ + "connection" => [ + "server" => "#{ldap_domain}", + "enctype" => "#{ldap_encryption_type}", + "user" => "cn=Directory Manager", + "pass" => "#{ldap_credentials['admin_password']}", + "basedn" => "#{ldap_base}", + "groupbasedn" => "#{ldap_base}", + "userbasedn" => "#{ldap_base}", + "searchattribute" => "uid", + "searchstring" => "cn=USER-NAME,#{ldap_base}", + "usernameattribute" => "uid", + "realnameattribute" => "cn", + "emailattribute" => "mail" + ], + "authorization" => [ + "rules" => [ + "attributes" => [ + "wiki" => "enabled" + ] + ] + ] + ] + ]; + + return new \\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\InlinePHPArray( $config ); +}; +# $wgPluggableAuth_EnableLocalLogin = true; # allow local logins +# Override the text for the login button. The default is "Log In With PluggableAuth" +$wgPluggableAuth_ButtonLabel = 'Log in'; +wfLoadExtension( 'LDAPProvider' ); +wfLoadExtension( 'PluggableAuth' ); +wfLoadExtension( 'LDAPAuthorization' ); +wfLoadExtension( 'LDAPAuthentication2' ); +# Disable account creation page, since this is not possible to create an account +# when only LDAP login is enabled +$wgGroupPermissions['*']['createaccount'] = false; + EOF + ) + + file.write_file + end end end @@ -230,6 +321,13 @@ composer_project node['mediawiki']['webdir'] do action :install end +# This does not perform changes when it has already been executed. Needed when +# adding a new extension, for example for LDAP support +execute "Run the database updater" do + cwd node['mediawiki']['webdir'] + command "./maintenance/update.php --quick" +end + # # Backup #
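Review bot: `file.write_file` was moved inside `if node["mediawiki"]["ldap_enabled"]`, so when LDAP is disabled none of the `insert_line_if_no_match` edits made earlier in this block (the WikiEditor line and everything above it) are written to LocalSettings.php; keep a `file.write_file` after the `end` of the `if` so both paths flush the edits. The generated config binds as `"user" => "cn=Directory Manager"` with the same `admin_password` the dirsrv recipe uses to create the instance, which gives the web application full write access to the whole directory and persists the directory superuser password in a PHP file the web user can read; a dedicated read-only bind account limited to `ou=users,dc=kosmos,dc=org` would bound what a compromised wiki can do. That password is interpolated into a PHP double-quoted string, so a value containing `"`, `$` or `\` would corrupt or silently change the generated config — confirm the data bag value is safe or emit it in PHP single quotes with escaping. `"searchstring" => "cn=USER-NAME,…"` builds DNs on `cn` while `searchattribute` and `usernameattribute` are `uid`; if LDAPProvider uses the template for direct binds this is inconsistent, so verify against the extension's documentation. The enclosing `ruby_block "configuration"` starts outside this hunk.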
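Review bot: `execute "Run the database updater"` has no `user`, `only_if` or notification, so `update.php` runs as root on every converge; anything it writes under `node['mediawiki']['webdir']` would then be root-owned, while the extension directories unpacked earlier are deliberately owned by `node["nginx"]["user"]` (whether update.php writes files there I cannot tell from this diff). Set `user node["nginx"]["user"]` on the resource, and consider `action :nothing` plus `subscribes :run, "ruby_block[configuration]"` so it only runs after the settings change rather than relying on the script being a no-op. The comment on the resource should state that expectation precisely, e.g. `# update.php is expected to be idempotent, so it runs on every converge; needed after adding an extension`.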