kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Every LDAP account should have access to XMPP #140

New Issue
Closed
opened 2020-02-20 16:17:58 +00:00 by greg · 4 comments
greg commented 2020-02-20 16:17:58 +00:00
Owner
Copy Link

Remove the filtered role from the ejabberd config

Follow-up to #123

Remove the filtered role from the ejabberd config Follow-up to #123
greg commented 2020-02-20 18:55:12 +00:00
Author
Owner
Copy Link

This has revealed a flaw in the new directory structure. If we remove the filtering altogether, LDAP read-only accounts for the wiki and xmpp become valid XMPP accounts.

Right now my solution is to turn these accounts from a person to a organizationalPerson. Then the filter would look like this (a person, but not an organizationalPerson). In LDAP an organizationalPerson is also a person since it's "subclassing" it.

(&(objectClass=person)(!(objectClass=organizationalPerson)))

The ACIs will also need to be updated to add the objectClass attribute to the list of allowed attributes for the read-only account, because they are not part of the list for now

# kosmos.org, users, kosmos.org
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0;
acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)

# 5apps.com, users, kosmos.org
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
This has revealed a flaw in the new directory structure. If we remove the filtering altogether, LDAP read-only accounts for the wiki and xmpp become valid XMPP accounts. Right now my solution is to turn these accounts from a `person` to a `organizationalPerson`. Then the filter would look like this (a `person`, but not an `organizationalPerson`). In LDAP an `organizationalPerson` is also a `person` since it's "subclassing" it. ``` (&(objectClass=person)(!(objectClass=organizationalPerson))) ``` The ACIs will also need to be updated to add the `objectClass` attribute to the list of allowed attributes for the read-only account, because they are not part of the list for now ```ldif # kosmos.org, users, kosmos.org dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) # 5apps.com, users, kosmos.org dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) ```
raucao commented 2020-02-20 19:07:06 +00:00
Owner
Copy Link

So why are they a "Person" in the first place? They're not people (also not "organizational people"), so shouldn't they be something else?

So why are they a "Person" in the first place? They're not people (also not "organizational people"), so shouldn't they be something else?
greg commented 2020-02-21 12:42:51 +00:00
Author
Owner
Copy Link

I found a good solution. LDAP accounts used to filter users will be moved be under cn=applications,dc=kosmos,dc=org, for example the uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org account. Then everything under cn=users,dc=kosmos,dc=org are actual users/people

# applications, kosmos.org
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

# kosmos.org, applications, kosmos.org
dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

# 5apps.com, applications, kosmos.org
dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

# xmpp account, used by ejabberd to search for users and change passwords
dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: {SSHA512}snip

# xmpp account, used by ejabberd to search for users and change passwords
dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: {SSHA512}snip

ACIs need to be set on the Organizational Units to allow the applications accounts to perform the searches

# 5apps.com, users, kosmos.org
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

# kosmos.org, users, kosmos.org
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
I found a good solution. LDAP accounts used to filter users will be moved be under `cn=applications,dc=kosmos,dc=org`, for example the `uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org` `account`. Then everything under `cn=users,dc=kosmos,dc=org` are actual users/people ```ldif # applications, kosmos.org dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users # kosmos.org, applications, kosmos.org dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org # 5apps.com, applications, kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com # xmpp account, used by ejabberd to search for users and change passwords dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: {SSHA512}snip # xmpp account, used by ejabberd to search for users and change passwords dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: {SSHA512}snip ``` ACIs need to be set on the Organizational Units to allow the applications accounts to perform the searches ```ldif # 5apps.com, users, kosmos.org dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) # kosmos.org, users, kosmos.org dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ```
👍 1
greg referenced this issue from a commit 2020-02-21 17:05:23 +00:00
Switch the ejabberd LDAP setup to a new application account Needs the new directory structure: ``` dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: wiki userPassword: [snip] dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] ``` And the new ACIs: ``` dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ``` Refs #140
greg referenced this issue from a commit 2020-02-21 17:05:23 +00:00
Switch the mediawiki LDAP setup to a new application account Needs the new directory structure: ``` dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: wiki userPassword: [snip] dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] ``` And the new ACIs: ``` dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ``` Refs #140
greg commented 2020-03-05 11:23:37 +00:00
Author
Owner
Copy Link

Closing this one now that ejabberd has been upgraded and restarted yesterday. The config change in #141 had not been applied, this has been fixed in #142

Closing this one now that ejabberd has been upgraded and restarted yesterday. The config change in #141 had not been applied, this has been fixed in #142
greg closed this issue 2020-03-05 11:23:39 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
service
accounts
Kosmos Accounts
service
discourse
Kosmos Community Forums
service
drone-ci
Kosmos Drone CI
service
email
mail.kosmos.org
service
garage
S3-compatible object storage
service
gitea
Kosmos Gitea
service
ipfs
Kosmos IPFS
service
mastodon
kosmos.social
service
postgres
Database cluster
service
remotestorage
Portable data storage for the Web
service
wiki
Kosmos Wiki
service
xmpp
Kosmos Chat
bug
Something is not working
design
Graphic/visual design
dev environment
Config, builds, CI, deployment, etc.
docs
Documentation
duplicate
This issue or pull request already exists
enhancement
Improving existing functionality
feature
New functionality
good first issue
Dive in, and start contributing
idea
Something to consider
invalid
Not a bug
kredits-1
Small contribution
kredits-2
Medium contribution
kredits-3
Large contribution
on hold
Currently not actionable
ops
Manual IT ops activities
question
Looking for an answer
release
major
release
minor
release
patch
security
All your base are belong to us
ui/ux
User interface, process design, etc.
wontfix
This won't be fixed
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
bkero bumi fsmanuel galfert greg hueso raucao slvrbckt
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: kosmos/chef#140
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?