From d7ad95fb3fa798146285b0169149be52a2cd8c95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 21 Feb 2020 18:01:19 +0100 Subject: [PATCH] Switch the mediawiki LDAP setup to a new application account Needs the new directory structure: ``` dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: wiki userPassword: [snip] dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] ``` And the new ACIs: ``` dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ``` Refs #140 --- data_bags/credentials/mediawiki.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/data_bags/credentials/mediawiki.json b/data_bags/credentials/mediawiki.json index ab31ef3..24ba630 100644 --- a/data_bags/credentials/mediawiki.json +++ b/data_bags/credentials/mediawiki.json @@ -1,23 +1,23 @@ { "id": "mediawiki", "db_pass": { - "encrypted_data": "KfJnSZ5/8WBYXik5TE1SOZTZMhMObSzZpXX17Mygwx0eGqo29sBIQwbAI0+A\nKfe1N4DuyyQpBjNDpmi+yiIjBuG4RfUj\n", - "iv": "zGkF0xLeyjXA1aUc\n", - "auth_tag": "7U/g32H1SfJHdZSECmgU1A==\n", + "encrypted_data": "bkvlD9N8a2EAoBDRcJ5Yhio7vQPnc5qMxH3Of/A/epieJZXBudkYrDaQZmbu\nSwYseFveqEleys4IbI+zTOaBN5LejDpH\n", + "iv": "OPbDsQjNBP7Yabsx\n", + "auth_tag": "0cl2nkL0V07cWC5SZjNXBA==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_user": { - "encrypted_data": "CerXTmZNO3mbzevNFn/qbtdeOWx37qFOyCuKznRw9I+nSl+hZ3dP6PUJ+iIg\nSAM2ebvwHyXC1Jz+Aah0AFjw+D+7\n", - "iv": "wi5xB/lUm3AQtkTZ\n", - "auth_tag": "WhdFRt/rlkfmBb9pb9tkvw==\n", + "encrypted_data": "+iKtv/pB8rU0kJYlhr/KNUM63uG5RpDUCduW9sakxwaMs7V5JetSdaUmabIk\np8EiF5FDvYLUWqq5SOblTfPELMY3C0j5XwgxDKo=\n", + "iv": "ynjajkZHawmcE81H\n", + "auth_tag": "cxcsojaQW8dFZHR50QnZjw==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_password": { - "encrypted_data": "RZmfQbctKnPGJm97ZMMrtDFGYx8sPzlJIy3saeUXugEEL3HtE39s\n", - "iv": "taEQ/4xRIrQCIkR9\n", - "auth_tag": "2mdevdW0Oh/l/cKCyePW3Q==\n", + "encrypted_data": "Kb5/RiGyXEf0X4KAgprCrZU+lFaWYuu6gjSXanujWxXx5YUdQLzZ\n", + "iv": "U1JBexbrnmJ4HNSZ\n", + "auth_tag": "LDeG8mOM5iLxy/VslTakSg==\n", "version": 3, "cipher": "aes-256-gcm" }