WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki #112

greg · 2019-11-04T18:17:19Z

greg commented

2019-11-04 18:17:19 +00:00

The kosmos-dirsrv::default recipe sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP). It also creates a group (ou=users,dc=kosmos,dc=org
) for the users. Mastodon, ejabberd and MediaWiki are configured so that the existing users in the databases still work. For MediaWiki the UI is a bit clunky, there is "Log in" button to log in using the database and "Log in with PluggableAuth" to log in using LDAP. Once we have migrated the existing users to LDAP we can set $wgPluggableAuth_EnableLocalLogin to false to remove the option to login using the database, leaving only the "Log in with PluggableAuth" button

Example user:

# greg.ldif
dn: cn=greg,ou=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: greg
sn: greg
uid: greg
samaccountname: greg
mail: greg@karekinian.com
wiki: enabled
mastodon: enabled
xmpp: enabled
userPassword: {SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=

Hashed password generated with:

$ irb -r base64 -r digest/sha1
>> puts "{SSHA}"+Base64.encode64(Digest::SHA1.digest('lalalala')).chomp!
{SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=

Imported into the server using:

$ ldapadd -x -w ADMINPASSWORD -D "cn=Directory Manager" -f greg.ldif

This is not running on a server yet, it has only been tested in a VM. Before running this we will need to set the DNS entry for ldap.kosmos.org to the IP of the chosen server

Closes #112

The kosmos-dirsrv::default recipe sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP). It also creates a group (ou=users,dc=kosmos,dc=org ) for the users. Mastodon, ejabberd and MediaWiki are configured so that the existing users in the databases still work. For MediaWiki the UI is a bit clunky, there is "Log in" button to log in using the database and "Log in with PluggableAuth" to log in using LDAP. Once we have migrated the existing users to LDAP we can set `$wgPluggableAuth_EnableLocalLogin` to false to remove the option to login using the database, leaving only the "Log in with PluggableAuth" button Example user: ```ldif # greg.ldif dn: cn=greg,ou=users,dc=kosmos,dc=org objectClass: top objectClass: account objectClass: person objectClass: extensibleObject cn: greg sn: greg uid: greg samaccountname: greg mail: greg@karekinian.com wiki: enabled mastodon: enabled xmpp: enabled userPassword: {SSHA}SltbSQ24QFWctfXlygkkXmlpWFk= ``` Hashed password generated with: ``` $ irb -r base64 -r digest/sha1 >> puts "{SSHA}"+Base64.encode64(Digest::SHA1.digest('lalalala')).chomp! {SSHA}SltbSQ24QFWctfXlygkkXmlpWFk= ``` Imported into the server using: ``` $ ldapadd -x -w ADMINPASSWORD -D "cn=Directory Manager" -f greg.ldif ``` This is not running on a server yet, it has only been tested in a VM. Before running this we will need to set the DNS entry for ldap.kosmos.org to the IP of the chosen server Closes #112

greg commented

2019-11-15 13:45:30 +00:00

I'm going to split this up into two PRs, one to create the LDAP server and another one for the config changes for the services

greg changed title from ~~LDAP server and support for Mastodon, ejabberd and MediaWiki~~ to WP: LDAP server and support for Mastodon, ejabberd and MediaWiki

2019-11-15 13:45:44 +00:00

greg changed title from ~~WP: LDAP server and support for Mastodon, ejabberd and MediaWiki~~ to WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki

2019-11-15 13:45:49 +00:00

greg closed this pull request

2019-11-22 13:14:02 +00:00

~~greg referenced this pull request 2019-12-04 16:48:09 +00:00~~

Cookbook to deploy a LDAP server (389 Directory Server) #115

greg referenced this pull request

2019-12-05 14:48:08 +00:00

Cookbook to deploy a LDAP server (389 Directory Server) #115