WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki #112

Closed
greg wants to merge 8 commits from feature/107-ldap into master
Admin

The kosmos-dirsrv::default recipe sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP). It also creates a group (ou=users,dc=kosmos,dc=org) for the users. Mastodon, ejabberd and MediaWiki are configured so that the existing users in the databases still work. For MediaWiki the UI is a bit clunky: there is a "Log in" button to log in using the database and "Log in with PluggableAuth" to log in using LDAP. Once we have migrated the existing users to LDAP we can set `$wgPluggableAuth_EnableLocalLogin` to false to remove the option to log in using the database, leaving only the "Log in with PluggableAuth" button.

Example user:

```ldif
# greg.ldif
dn: cn=greg,ou=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: greg
sn: greg
uid: greg
samaccountname: greg
mail: greg@karekinian.com
wiki: enabled
mastodon: enabled
xmpp: enabled
userPassword: {SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=
```

Hashed password generated with:

```
$ irb -r base64 -r digest/sha1
>> puts "{SSHA}"+Base64.encode64(Digest::SHA1.digest('lalalala')).chomp!
{SSHA}SltbSQ24QFWctfXlygkkXmlpWFk=
```

Imported into the server using:

```
$ ldapadd -x -w ADMINPASSWORD -D "cn=Directory Manager" -f greg.ldif
```

This is not running on a server yet, it has only been tested in a VM. Before running this we will need to set the DNS entry for ldap.kosmos.org to the IP of the chosen server.

Closes #112
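Added example, not part of this PR or the kosmos/chef cookbook: the irb one-liner above base64-encodes only the 20-byte SHA-1 digest, so the resulting `{SSHA}` value carries an empty salt. This Ruby snippet produces the salted form (digest of password plus salt, with the salt appended) and verifies both forms the way a directory server does, treating everything after the 20-byte digest as the salt; the 8-byte salt length and the function names are assumptions for this example.

```ruby
require 'base64'
require 'digest/sha1'
require 'securerandom'

SALT_BYTES = 8 # assumed salt length for this example

# Build a salted {SSHA} value: base64(SHA1(password + salt) + salt).
# Base64.strict_encode64 adds no trailing newline, so no chomp is needed.
def ssha_hash(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = Digest::SHA1.digest(password.b + salt)
  "{SSHA}" + Base64.strict_encode64(digest + salt)
end

# Check a password against a stored {SSHA} value. The first 20 bytes of the
# decoded payload are the digest; whatever follows is the salt. An empty
# salt (as produced by the irb one-liner) is therefore accepted as well.
def ssha_verify(stored, password)
  return false unless stored.start_with?("{SSHA}")
  raw = Base64.strict_decode64(stored.sub("{SSHA}", ""))
  return false if raw.bytesize < 20
  digest = raw.byteslice(0, 20)
  salt = raw.byteslice(20..-1)
  candidate = Digest::SHA1.digest(password.b + salt)
  # Constant-time comparison so the check does not leak a prefix match.
  digest.bytes.zip(candidate.bytes).map { |a, b| a ^ b }.reduce(0, :|).zero?
rescue ArgumentError
  false # malformed base64
end

# Salt length in bytes; 0 means the unsalted form shown in the PR.
def ssha_salt_length(stored)
  Base64.strict_decode64(stored.sub("{SSHA}", "")).bytesize - 20
end
```

Two salted hashes of the same password differ, which is what prevents precomputed tables from matching every account that shares a password.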

Author
Admin

I'm going to split this up into two PRs, one to create the LDAP server and another one for the config changes for the services

greg changed title from "LDAP server and support for Mastodon, ejabberd and MediaWiki" to "WP: LDAP server and support for Mastodon, ejabberd and MediaWiki" 2019-11-15 13:45:44 +00:00
greg changed title from "WP: LDAP server and support for Mastodon, ejabberd and MediaWiki" to "WIP: LDAP server and support for Mastodon, ejabberd and MediaWiki" 2019-11-15 13:45:49 +00:00
greg closed this pull request 2019-11-22 13:14:02 +00:00

Pull request closed

Reference: kosmos/chef#112