WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki #112

Closed
greg wants to merge 8 commits from feature/107-ldap into master
Owner

The kosmos-dirsrv::default recipe sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP). It also creates a group (ou=users,dc=kosmos,dc=org) for the users. Mastodon, ejabberd and MediaWiki are configured so that the existing users in the databases still work. For MediaWiki the UI is a bit clunky: there is a "Log in" button to log in using the database and a "Log in with PluggableAuth" button to log in using LDAP. Once we have migrated the existing users to LDAP we can set `$wgPluggableAuth_EnableLocalLogin` to false to remove the option to log in using the database, leaving only the "Log in with PluggableAuth" button.

Example user:

```ldif
# greg.ldif
dn: cn=greg,ou=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: greg
sn: greg
uid: greg
samaccountname: greg
mail: greg@karekinian.com
wiki: enabled
mastodon: enabled
xmpp: enabled
userPassword: {SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=
```

Hashed password generated with:

```
$ irb -r base64 -r digest/sha1
>> puts "{SSHA}"+Base64.encode64(Digest::SHA1.digest('lalalala')).chomp!
{SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=
```

Imported into the server using:

```
$ ldapadd -x -w ADMINPASSWORD -D "cn=Directory Manager" -f greg.ldif
```

This is not running on a server yet; it has only been tested in a VM. Before running this we will need to set the DNS entry for ldap.kosmos.org to the IP of the chosen server.

Closes #112
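The `{SSHA}` scheme that 389 DS stores is `base64(SHA1(password + salt) + salt)`, with the bytes after the 20-byte digest read back as the salt, so a value built from the bare digest (as in the irb one-liner above) is simply the empty-salt case. The following is an added example, not code from the PR or the kosmos chef repo, that generates a salted `{SSHA}` value for an LDIF `userPassword` and verifies a candidate password against a stored one; the helper names are my own.

```ruby
require 'base64'
require 'digest/sha1'
require 'securerandom'

# Build a {SSHA} userPassword value: base64(SHA1(password + salt) + salt).
# A fresh 8-byte random salt is used unless one is supplied explicitly.
def ssha_hash(password, salt = SecureRandom.random_bytes(8))
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Compare two equal-length binary strings without short-circuiting on the
# first differing byte (constant-time with respect to the contents).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a password against a stored {SSHA} value, as a directory server does:
# split the decoded blob into the 20-byte digest and the trailing salt, then
# recompute. Returns false (never raises) on malformed input.
def ssha_verify(password, stored)
  return false unless stored.start_with?("{SSHA}")
  decoded = Base64.strict_decode64(stored.sub("{SSHA}", "")).b
  return false if decoded.bytesize < 20
  digest = decoded[0, 20]
  salt   = decoded[20..-1]
  secure_equal?(Digest::SHA1.digest(password.b + salt), digest)
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo password; the resulting value can be pasted into an LDIF
  # entry as "userPassword: ..." exactly like the example above.
  stored = ssha_hash("lalalala")
  puts "userPassword: #{stored}"
  puts "verify correct password: #{ssha_verify('lalalala', stored)}"
  puts "verify wrong password:   #{ssha_verify('lalalalb', stored)}"
end
```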

Author
Owner

I'm going to split this up into two PRs, one to create the LDAP server and another one for the config changes for the services

greg changed title from LDAP server and support for Mastodon, ejabberd and MediaWiki to WP: LDAP server and support for Mastodon, ejabberd and MediaWiki 2019-11-15 13:45:44 +00:00
greg changed title from WP: LDAP server and support for Mastodon, ejabberd and MediaWiki to WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki 2019-11-15 13:45:49 +00:00
greg closed this pull request 2019-11-22 13:14:02 +00:00

Pull request closed
