Enable LDAP support on mediawiki #122

Manually merged
raucao merged 2 commits from feature/107-ldap_mediawiki into master 2020-01-28 17:02:45 +00:00
Owner

I am finishing the initial LDIF file that contains the user accounts for the wiki, including newly generated random passwords.

Users will be able to log in using their LDAP account (in the ou=users,dc=kosmos,dc=org group and with the wiki attribute set to enabled).

Users will be able to change their password using ldappasswd:

Ubuntu: `sudo apt install ldap-utils`

Fedora: `sudo yum install openldap-clients`

macOS: LDAP client tools are already installed

```
$ ldappasswd -x -D cn=YOURUSERNAME,ou=users,dc=kosmos,dc=org -W -S -H "ldaps://ldap.kosmos.org"
```

<strike>This is **not** running on andromeda and barnard yet. Once we enable LDAP, wiki users that are already logged in will remain logged in, but using their old password will not work to log in once they are logged out.</strike>

Update: This is running on andromeda, the wiki is using LDAP auth now. I have sent emails with instructions to replace the temporary password that has been generated for each account.

Because Mediawiki uses PBKDF2-SHA512 we cannot reuse the existing passwords from the database, so I will have to generate random passwords and send one to each user using XMPP or email with the instructions to set their own password using ldappasswd.

Refs #107

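The LDIF generation the comment above describes, as an added example that is not the PR's own code: one entry per wiki user, each with a fresh random temporary password stored as an OpenLDAP {SSHA} hash (the wiki's PBKDF2-SHA512 hashes cannot be carried over). The `wiki` attribute and the `kosmosAccount` object class are assumptions standing in for whatever schema the Kosmos directory actually uses.

```python
import base64
import hashlib
import hmac
import os
import secrets

BASE_DN = "ou=users,dc=kosmos,dc=org"  # from the PR
# No 0/O/1/l/I, so a temporary password survives being read back from XMPP or email.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def temp_password(length=16):
    """Random temporary password from a CSPRNG; the user replaces it via ldappasswd."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt) with an 8-byte random salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a {SSHA} value (sanity check before loading the LDIF)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def user_entry(username, password):
    """One LDIF entry; usernames are limited to ASCII letters/digits so the DN needs no escaping."""
    if not username or not all(c.isascii() and c.isalnum() for c in username):
        raise ValueError(f"unsafe username for a DN: {username!r}")
    return "\n".join([
        f"dn: cn={username},{BASE_DN}",
        "objectClass: inetOrgPerson",
        "objectClass: kosmosAccount",  # assumed auxiliary class that carries 'wiki'
        f"cn: {username}",
        f"sn: {username}",
        f"uid: {username}",
        f"userPassword: {ssha_hash(password)}",  # only the hash lands in the LDIF
        "wiki: enabled",  # attribute named in the PR; its exact schema is assumed
    ]) + "\n"


def build_ldif(usernames):
    """Return (ldif_text, {username: temp_password}); the clear passwords go out per user."""
    temp_passwords = {name: temp_password() for name in usernames}
    ldif = "\n".join(user_entry(n, p) for n, p in temp_passwords.items())
    return ldif, temp_passwords
```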
Author
Owner

What do you think about these instructions? I'm open to any improvement or suggestion

Hi,

We are sending you this email because you have an account on the Kosmos Wiki
(https://wiki.kosmos.org).

We are in the process of moving Kosmos services to unified credentials using LDAP.
We are starting with the Wiki. The migration required generating a temporary password
for existing user accounts, because the way Mediawiki stores passwords in the
database is not compatible with the formats supported by our LDAP server.

Here are the instructions to set your new password. You will need the ldappasswd
command-line tool.

Ubuntu: `sudo apt install ldap-utils`
Fedora: `sudo yum install openldap-clients`
macOS: ldap client tools are already installed

    ldappasswd -x -D cn=yourusername,ou=users,dc=kosmos,dc=org -W -S -H "ldaps://ldap.kosmos.org"

It will ask you the following passwords:

    New password:
    Re-enter new password:
    Enter LDAP Password:

"New password" is the password that will be set on your LDAP account, once set you
will be able to log into the wiki using it:
https://wiki.kosmos.org/index.php?title=Special:UserLogin&returnto=Main+Page
"LDAP password" is your temporary autogenerated password: XXXXXXXX
Owner

Please also keep in mind that we need to consolidate usernames across services, and as XMPP is already username@kosmos.org, those should be the canonical ones...

Any account that hasn't edited the wiki yet can be deleted outright IMO. Good chance for cleaning up spam accounts too. And maybe we can also set it to login-required-for-editing then, because there's no signup directly on the wiki anymore anyway. Another PITA eliminated.

Author
Owner

I have cleaned up the database from spam accounts, now it's only humans that we know: https://wiki.kosmos.org/Special:ListUsers

Only one spam account had managed to create a page, I have deleted it before deleting the account

Owner

There are still users who have never edited the wiki, which we should delete, as they don't have to deal with a migration right now.

Owner

How does the admin account work after switching to LDAP login? Do we need to be able to log in with it in the first place?

Author
Owner

> There are still users who have never edited the wiki, which we should delete, as they don't have to deal with a migration right now.

Manuel is the only user that has never edited the wiki now that I have deleted the spam accounts. I will not include him in the migration; we can always create an account for him when he needs one.

> How does the admin account work after switching to LDAP login? Do we need to be able to log in with it in the first place?

The Administrator account is created as part of the Mediawiki installation process. Now that our own accounts are also admins we do not need to be able to log in with it. Creating an account for it in LDAP won't be necessary.

Owner

BTW, this is the most important question, by a wide margin:

> Please also keep in mind that we need to consolidate usernames across services, and as XMPP is already username@kosmos.org, those should be the canonical ones...

If you lock in usernames that somebody doesn't want, it'll be hard to change them later across services.

Owner

> The Administrator account is created as part of the Mediawiki installation process, now that our own accounts are also admins we do not need to be able to log in with it. Creating an account for it in LDAP won't be necessary

Good.

Author
Owner

re: usernames, there is a Renameuser extension that is shipped with MediaWiki and just needs to be enabled: https://www.mediawiki.org/wiki/Extension:Renameuser, in case someone wants to pick a different username than their Wiki username.

@raucao you have two accounts on the wiki (Basti and Raucao). Which one do you want as your LDAP login? We can merge both into the same account using this extension and it will update page histories, etc.

Author
Owner

I just saw Basti is the one in your IPFS profile for Kredits. Should I merge Raucao into it?

Owner

> @raucao you have two accounts on the wiki (Basti and Raucao). Which one do you want as your LDAP login? We can merge both into the same account using this extension and it will update page histories, etc

I want raucao to be the canonical name, but all my edits are done by basti at the moment.

Owner

> re: usernames, there is a Renameuser extension that is shipped with MediaWiki and just needs to be enabled: https://www.mediawiki.org/wiki/Extension:Renameuser, in case someone wants to pick a different username than their Wiki username

Activating an extension doesn't tell someone about us switching to LDAP and them having to think about a canonical username and changing it somewhere beforehand. It's only a handful of users, so nobody should have to do anything themselves. At most, choose a new password, but everything else should be valet service.

Author
Owner

I checked and we already have anonymous edits disabled on the Kosmos wiki (`$wgGroupPermissions['*']['edit'] = false;`), so spam will not be a problem anymore with registration closed apart from creating a valid account in LDAP.

Author
Owner

I agree, XMPP accounts make a lot of sense as the canonical account. My wiki account is Gregkare right now, but I'd want it to be greg like my XMPP account.

So the next step would be to send an email to our users who have a wiki account that was used to make at least one edit. I'm going to write an email proposal and post it in this issue so you can edit it, and then we can send it some other day.

Author
Owner

What do you think of this?

Hi,

We are in the process of moving Kosmos services to unified credentials using LDAP.
We are starting with the Wiki. To achieve this we all need to pick one canonical
account name for Kosmos services. Once the Wiki is using LDAP we can plan the rest
of the migrations: XMPP, Mastodon, Gitea, etc. and they will all use the same account
and password, so it's important that you choose it now

[For everyone except for Jon, so the core team]
Are you fine with your current Kosmos XMPP account as the account name for Kosmos
services? That's [insert username here]. If it is different than your current Wiki
account we will perform a migration to rename your account to the new name. It will
keep the history of your edits.

[For wiki-only users]
Are you fine with your current Wiki account as the account name for Kosmos services?

Thanks in advance,
Greg
Owner

Sounds good.

Author
Owner

This is running on andromeda, the wiki is using LDAP auth now. I have sent emails with instructions to replace the temporary password that has been generated for each account.

Owner

I was able to change my password and log in, exactly like described in the email. 👍

Author
Owner

This is ready to merge now. I have updated the PR to a large contribution to include all the things that weren't code (gathering the data, emails, etc)

Owner

Splendid! 🎉

raucao closed this pull request 2020-01-28 17:02:45 +00:00
raucao deleted branch feature/107-ldap_mediawiki 2020-01-28 17:02:53 +00:00
Reference: kosmos/chef#122
No description provided.