Enable LDAP support on mediawiki

Users can log in using their LDAP account (in the
ou=users,dc=kosmos,dc=org group and with the wiki attribute set to
enabled)

Add an attribute for the ldap master server, so it can be overridden in
the development environment

Refs #107
Greg Karékinian 2019-11-04 19:03:45 +01:00
parent 484f1306da
commit a69192a863
7 changed files with 111 additions and 7 deletions


@ -13,6 +13,9 @@
"elasticsearch": { "elasticsearch": {
"allocated_memory": "128m" "allocated_memory": "128m"
} }
},
"kosmos-dirsrv": {
"master_hostname": "localhost"
} }
} }
} }


@ -0,0 +1 @@
node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'
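Review bot: `node.default['kosmos-dirsrv']['master_hostname']` is introduced without any comment, yet in this commit it is both the hostname handed to `dirsrv_instance "master"` and the server address the kosmos-mediawiki recipe binds to with `enctype` set to `tls` outside development. A one-line comment such as `# FQDN of the LDAP master; consumer cookbooks (kosmos-mediawiki) use it as the server to bind to, so outside development it presumably has to match the name on the server's TLS certificate` would make the override contract explicit for whoever sets it in an environment file.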


@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures 389 Directory Server' description 'Installs/Configures 389 Directory Server'
long_description 'Installs/Configures 389 Directory Server' long_description 'Installs/Configures 389 Directory Server'
version '0.1.0' version '0.1.1'
chef_version '>= 14.0' chef_version '>= 14.0'
depends "firewall" depends "firewall"


@ -27,7 +27,7 @@
credentials = data_bag_item("credentials", "dirsrv") credentials = data_bag_item("credentials", "dirsrv")
dirsrv_instance "master" do dirsrv_instance "master" do
hostname "ldap.kosmos.org" hostname node['kosmos-dirsrv']['master_hostname']
admin_password credentials['admin_password'] admin_password credentials['admin_password']
suffix "dc=kosmos,dc=org" suffix "dc=kosmos,dc=org"
end end


@ -1,3 +1,4 @@
node.default["mediawiki"]["url"] = "https://wiki.kosmos.org/" node.default["mediawiki"]["url"] = "https://wiki.kosmos.org/"
node.default["mediawiki"]["hubot_base_url"] = "http://barnard.kosmos.org:8080" node.default["mediawiki"]["hubot_base_url"] = "http://barnard.kosmos.org:8080"
node.default["mediawiki"]["hubot_room"] = "#kosmos" node.default["mediawiki"]["hubot_room"] = "#kosmos"
node.default["mediawiki"]["ldap_enabled"] = true


@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures kosmos-mediawiki' description 'Installs/Configures kosmos-mediawiki'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0' version '0.2.0'
depends "mediawiki" depends "mediawiki"
depends "ark" depends "ark"
@ -12,3 +12,4 @@ depends "backup"
depends "composer" depends "composer"
depends "kosmos-nginx" depends "kosmos-nginx"
depends "kosmos-base" depends "kosmos-base"
depends "kosmos-dirsrv"


@ -30,9 +30,6 @@ include_recipe 'composer'
server_name = 'wiki.kosmos.org' server_name = 'wiki.kosmos.org'
# FIXME: For now run the update script manually after updating:
#
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
node.override['mediawiki']['version'] = "1.32.0" node.override['mediawiki']['version'] = "1.32.0"
node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}" node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz" node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
@ -150,6 +147,52 @@ template "#{node['mediawiki']['webdir']}/extensions/MediawikiHubot/DefaultConfig
wiki_url: node['mediawiki']['url'] wiki_url: node['mediawiki']['url']
end end
if node["mediawiki"]["ldap_enabled"]
# LDAP
ark "PluggableAuth" do
url "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_33-a69f626.tar.gz"
path "#{node['mediawiki']['webdir']}/extensions"
owner node["nginx"]["user"]
group node["nginx"]["group"]
mode 0750
action :dump
end
ark "LDAPProvider" do
url "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-REL1_31-07ab292.tar.gz"
path "#{node['mediawiki']['webdir']}/extensions"
owner node["nginx"]["user"]
group node["nginx"]["group"]
mode 0750
action :dump
end
ark "LDAPAuthorization" do
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
path "#{node['mediawiki']['webdir']}/extensions"
owner node["nginx"]["user"]
group node["nginx"]["group"]
mode 0750
action :dump
end
ark "LDAPAuthentication2" do
url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
path "#{node['mediawiki']['webdir']}/extensions"
owner node["nginx"]["user"]
group node["nginx"]["group"]
mode 0750
action :dump
end
package "php-ldap"
ldap_credentials = data_bag_item("credentials", "dirsrv")
ldap_domain = node['kosmos-dirsrv']['master_hostname']
ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
ldap_base = "ou=users,dc=kosmos,dc=org"
end
ruby_block "configuration" do ruby_block "configuration" do
block do block do
file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php") file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
@ -204,8 +247,56 @@ $wgArticlePath = "/$1";
file.insert_line_if_no_match(/WikiEditor/, file.insert_line_if_no_match(/WikiEditor/,
"wfLoadExtension( 'WikiEditor' );") "wfLoadExtension( 'WikiEditor' );")
if node["mediawiki"]["ldap_enabled"]
file.insert_line_if_no_match(/# LDAP config/,
<<-EOF
# LDAP config
$LDAPProviderDomainConfigProvider = function()
{
$config = [
"#{server_name}" => [
"connection" => [
"server" => "#{ldap_domain}",
"enctype" => "#{ldap_encryption_type}",
"user" => "cn=Directory Manager",
"pass" => "#{ldap_credentials['admin_password']}",
"basedn" => "#{ldap_base}",
"groupbasedn" => "#{ldap_base}",
"userbasedn" => "#{ldap_base}",
"searchattribute" => "uid",
"searchstring" => "cn=USER-NAME,#{ldap_base}",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
],
"authorization" => [
"rules" => [
"attributes" => [
"wiki" => "enabled"
]
]
]
]
];
return new \\MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\InlinePHPArray( $config );
};
# $wgPluggableAuth_EnableLocalLogin = true; # allow local logins
# Override the text for the login button. The default is "Log In With PluggableAuth"
$wgPluggableAuth_ButtonLabel = 'Log in';
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPAuthentication2' );
# Disable account creation page, since this is not possible to create an account
# when only LDAP login is enabled
$wgGroupPermissions['*']['createaccount'] = false;
EOF
)
file.write_file file.write_file
end end
end
end end
# #
@ -230,6 +321,13 @@ composer_project node['mediawiki']['webdir'] do
action :install action :install
end end
# This does not perform changes when it has already been executed. Needed when
# adding a new extension, for example for LDAP support
execute "Run the database updater" do
cwd node['mediawiki']['webdir']
command "./maintenance/update.php --quick"
end
# #
# Backup # Backup
# #
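Review bot: The generated LocalSettings block (the `"user" => "cn=Directory Manager"` and `"pass" => "#{ldap_credentials['admin_password']}"` entries in the heredoc) makes the wiki bind as the directory superuser with the same admin password the server cookbook uses, although the wiki only needs to search `ou=users,dc=kosmos,dc=org` and read the `wiki` attribute. A dedicated read-only bind entry with its own data bag key would keep a disclosure of LocalSettings.php, whose resulting permissions the hunk does not show, from handing out full directory administration. Because the block is added with `file.insert_line_if_no_match(/# LDAP config/, ...)`, it is written once and never updated: a rotated `admin_password` or a changed `master_hostname` leaves stale values in the file, so a `template` resource (or at least a match on the lines that carry the variable values) would let the configuration converge. Two smaller points in the same file: the extension tarballs mix `PluggableAuth-REL1_33` with `REL1_31` builds of the three LDAP extensions while `node.override['mediawiki']['version']` stays at `"1.32.0"`, which deserves a comment confirming the combination was tested, and `execute "Run the database updater"` carries no `not_if`/`only_if`, so `update.php` runs and the resource reports itself updated on every converge.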