Set up LDAP server for central account management #107
Labels
No Label
service
accounts
service
discourse
service
drone-ci
service
email
service
garage
service
gitea
service
ipfs
service
mastodon
service
postgres
service
remotestorage
service
wiki
service
xmpp
bug
design
dev environment
docs
duplicate
enhancement
feature
good first issue
idea
invalid
kredits-1
kredits-2
kredits-3
on hold
ops
question
release
major
release
minor
release
patch
security
ui/ux
wontfix
No Milestone
No project
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: kosmos/chef#107
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
In order to manage accounts for Kosmos services only once, and have all the services use the same account data/passwords/etc., we're considering to use LDAP, which is supported by all of Mastodon, ejabberd, and Gitea.
Greg and I looked at a bunch of options, and we're now testing 389 Directory Server.
Notes:
This contains interesting information, even when not using GitLab: https://docs.gitlab.com/ee/administration/auth/ldap.html
Docs about LDAP configuration in ejabberd
So a decent integration always supports a custom "filter" config, which can be filled with the desired attributes, in order to select users that are allowed to use that service. Saw that in the GitLab doc as well.
I got ejabberd working with LDAP auth in a VM. ejabberd itself, like GitLab, only has read-only support for LDAP, so you can't create users on LDAP through ejabberdctl. I created an ldif file and used ldapadd to add a group and a user:
My ldif file, imported using
ldapadd -x -W -D "cn=Directory Manager" -f users.ldif
:Interesting for the migration, ejabberd allows you to enable multiple authentication methods, so we can still keep sql for current users but add ldap:
So far I have not figured out how to filter out users belonging to a group, so for now in this config I'm considering every
account
has access to XMPP. I have found out that 389 does not have built-in support for memberOf, which is a way to filter users by groups, however there is a plugin for it (https://directory.fedoraproject.org/docs/389ds/design/memberof-plugin.html) and probably other ways to filter rather than groups, maybe attributes are better for thisOn the subject of groups: https://ldapwiki.com/wiki/Groups%20Are%20Bad
RBAC could be what we want
Not sure what you mean. We can just use attributes to know if a user has access to a certain service or not.
Got it, using
extensibleObject
asobjectClass
we can used arbitrary attributes:Then we can use the attribute as a filter in ejabberd.yml:
I was thinking more like
service=xmpp,service=mastodon
and so on. Later, it will also need extra attributes for which namespace of which service it is.Edit: so actually, it could already be
service=xmpp.kosmos.org
for example, unless dots aren't allowed in values.Good idea, that works.
I got Mastodon to work with LDAP in a VM.
Logging in through the Mastodon web interface with an LDAP user (using the username or email) creates an account in the database. Similar to ejabberd you can set the filter you want to select the accounts. Right now my config is set to:
With my current settings I can log in with a username and password, but not with an emailEdit: Updated the config, now logging in is possible with the username or email
I have added an email field to my test user in the ldif file because Mastodon needs an email.
Great!
Does that mean we can actually use the existing accounts? Or that we can at least migrate the existing accounts easily by adding those users to the LDAP directory?
Existing accounts will work after we enable LDAP in Mastodon. Accounts created by logging in with an LDAP user do not have an
encrypted_password
set in the Mastodon database, the password is checked on the LDAP account and they have theexternal
flag set. Existing accounts that have anencrypted_password
set will still work if they do not exist in LDAP.On log in with an account and password from LDAP it will find or create the user:
a1f04c1e34/app/models/concerns/ldap_authenticable.rb (L16)
The way it is done right now in Mastodon, logins will not work when LDAP is enabled and the LDAP server is down, even if your account has an
encrypted_password
set (exception even if the user is not from LDAP)I'm pretty sure we do not want to create users from Mastodon. It would mean that when you already have an LDAP user for e.g. XMPP or Gitea, you then have an additional one, no?
Yes, of course. Everything else would be weird in my opinion. That's why you can usually have multiple LDAP masters and clients can try an alternative one, if the first one is down (afaics).
I don't understand the question. Mastodon will always create a user in the database after a successful login via LDAP, if the user isn't in the database already. This user is set as external, and has no password, since the one from LDAP is used
If that's the case, then how are accounts the same between Mastodon and other services?
Think of it like a OAuth flow. On successful auth with LDAP from Mastodon, a User object is persisted in the Mastodon database if it does not already exist, and the user is logged in
I think you still don't understand my question. In any case, the point is that Mastodon should never create new accounts, because those accounts then have no information about our other services stored.
That's correct, I still don't understand your question.
Let's start from the beginning. Here is how things would work:
A user donates using akkounts to create an account. After we receive the transaction they get to pick a username and password, we create an LDAP account. Then they can use this username and password to log into Mastodon. Mastodon sees the LDAP account exists, creates an entry for the user in the Mastodon database, with an
external
flag set to true, and noencrypted_password
since the password lives in LDAP. With these same credentials you can log into our wiki and XMPP server tooWhat do you mean by Mastodon creating new accounts? Are you talking about LDAP accounts being created by Mastodon somehow? This is definitely not something that makes any sense
By the way I just got Mediawiki to work with LDAP login in my VM, using https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2
This is exactly how I read what you wrote before. So we're on the same page about it now.
That's great! It'll be much less friction not having to sign up for a wiki account, and every user should have one by default in my opinion.
Making the TLS setup took me longer than I thought (it involved some funky format changes), but I got it to work. I'm going to push a PR later this evening or tomorrow
Here's a snippet to create a hashed + salted SHA512 password that can be used as a userPassword:
The encrypted passwords in the Mastodon database are using bcrypt, and 389-ds does not support it, only MD5, SHA and PBKDF2 (https://pagure.io/389-ds-base/issue/397). To migrate the existing kosmos.social user accounts I think we need to write a Mastodon extension:
We would create a user document in LDAP for every Mastodon user with their username and email, setting their password to a long random string. They can still log in using their existing password. The extension would ask them for a new password, that would be on their LDAP user document, and their
User
in the Mastodon database would have theencrypted_password
attribute set to""
, and they can now log into their Mastodon account using LDAP with the new password they have set, as well as Mediawiki and XMPPWithout making it a Mastodon extension I'm not sure how users could prove they own the username/email. An email would look super fishy/phishy. Does someone have a better idea?
greg referenced this issue2020-01-24 12:56:35 +00:00
greg referenced this issue2020-01-24 15:04:24 +00:00
greg referenced this issue2020-01-24 15:06:18 +00:00
greg referenced this issue2020-01-28 13:15:07 +00:00
raucao referenced this issue2020-01-28 17:27:00 +00:00
I think this one can be closed since we merged #115 and created a new issue for ejabberd support. I will create other issues when needed
Re-opening until the LDAP server is documented. As of now, nobody but us would be able to understand what happened.
We've been discussing ways to support multiple domains in the ops room on XMPP, to support other domains for Kosmos services.
raucao found this post that's interesting and proposes 3 ways of doing it: https://serverfault.com/questions/828490/setting-up-multiple-domain-in-ldap-server#828497
Variant 2 seems like a good way to go. I think we should be able to migrate our current users to this hierarchy before doing anything else
This is what it would look like:
raucao referenced this issue2020-01-30 16:10:36 +00:00
We also need to plan groups as part of the hierarchy, for example for Gitea orgs
greg referenced this issue2020-02-14 09:04:58 +00:00
greg referenced this issue2020-02-14 12:36:18 +00:00
greg referenced this issue2020-02-14 18:09:49 +00:00
greg referenced this issue2020-02-14 18:11:05 +00:00
greg referenced this issue2020-02-14 18:11:30 +00:00
greg referenced this issue2020-02-14 18:12:14 +00:00
Docs are on the wiki for the new directory structure: https://wiki.kosmos.org/Infrastructure:LDAP