|  | Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central credential store of the AniNIX -- end users will have accounts here. | ||
|  | 
 | ||
|  | # Etymology
 | ||
|  | Sora was the name of a pivotal character in the Kingdom Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom Hearts series. --> | ||
|  | 
 | ||
|  | # Relevant Files and Software
 | ||
|  | Most of the configuration initially is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile. | ||
|  | 
 | ||
|  | We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber values should generally start at 10000, and the .ldif files should never be deleted, so that the highest uidNumber already allocated can always be found. | ||
|  | 
 | ||
|  | # Available Clients
 | ||
|  | See [[:Category:LDAP]] for more information on the services that are clients of Sora. | ||
|  | 
 | ||
|  | # Equivalents or Competition
 | ||
|  | Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally. | ||
|  | 
 | ||
|  | The AniNIX is not presently set up or planning to do distributed authentication. | ||
|  |  | ||
|  | # Authorizing Other Services by Sora
 | ||
|  | ## [[ShadowArch]] OS Authentication
 | ||
|  | You will need the nss-pam-ldap package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki]. | ||
|  | ## [[Windows]] OS Authentication
 | ||
|  | We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client. | ||
|  | ## [[SSH]]
 | ||
|  | Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM (UsePAM). This assumes the OS authentication described above is already set up. | ||
|  | 
 | ||
|  | We recommend adding a passwdchange OS group on the external-facing SSH host and setting up a ForceCommand around /usr/bin/passwd for users in that group. This gives subscribing clients one centralized place (an SSH login) to change their password, so that password changes can then be disabled in the individual services. | ||
|  | ## [[IRC|IRCServices]]
 | ||
|  | You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend setting the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". The shadowLastChange=0 exclusion prevents users from logging in to IRC with a password that an administrator reset until they have changed it themselves. | ||
|  | 
 | ||
|  | When you enable LDAP for IRCServices, we recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP and users can still group nicks as necessary. Also disable password changes by removing the NickServ set/*pass directives, so that passwords are only ever changed through Sora. | ||
|  | ## [[Singularity]]
 | ||
|  | You'll need to update the plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin. Because the snippet below points at ldap://localhost:389/, it leaves LDAP_AUTH_USETLS off and allows an untrusted certificate; if the server is not local, enable TLS and do not allow untrusted certificates. | ||
|  | 
 | ||
|  | <pre> | ||
// tt-rss plugin list. auth_internal is deliberately absent; the text above notes it
// must be enabled at least once so an LDAP user can be promoted to admin.
define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
// TLS is off and an untrusted certificate is accepted only because the server
// above is reached over localhost; for a remote server set USETLS to TRUE and
// ALLOW_UNTRUSTED_CERT to FALSE, otherwise the bind password travels in clear.
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
// The bind password sits in config.php in clear text; 'secret' is presumably a placeholder for the real value.
define('LDAP_AUTH_BINDPW', 'secret');
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
// NOTE(review): the '???' token is presumably substituted with the login name by auth_ldap -- confirm against the plugin.
define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
|  | </pre> | ||
|  | ## [[Wiki]]
 | ||
|  | Wiki is the most complicated to add because of its multiple-domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line (`$wgAuth = new LdapAuthenticationPlugin();`) at least once after an LDAP user has logged in, in order to promote that user to administrator. | ||
|  | 
 | ||
|  | <pre> | ||
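# LDAP Modules
# (lines starting with "#" are PHP comments; the rendered page had turned them into "1." list items)
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin();

# LDAP Debugging
# NOTE(review): presumably 0 = off and the log group only fills when the level is raised -- confirm against the extension.
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;

# LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( 'aninix.net', );
$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
# 'clear' sends the proxy-agent bind and user passwords unencrypted; that is only
# acceptable because the server above is localhost. Use the 'tls' entry instead
# if the wiki ever reaches Sora over the network.
$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
                               #'aninix.net' => 'tls',
);
# $wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( 'aninix.net' => 389, );
# Proxy agent is the bind account used for lookups; its password is stored here
# in clear text ('secret' is presumably a placeholder), so protect this file accordingly.
$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', );
$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
# Provisioning and attribute updates stay in Sora; the wiki neither adds nor writes users.
$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );

# LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
# $wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
# $wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
# $wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
# $wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
# $wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
# $wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));
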
# Disable password changes.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
/**
 * UserLoginForm hook: hide MediaWiki's own password-reset affordances on the
 * login page, because passwords are managed in Sora rather than in the wiki.
 *
 * @param object $template login form template, edited in place
 * @return bool always true so later handlers still run
 */
function lfChangeLoginPage( &$template ) {
    // Remove the default reset-password link and the reset link slot.
    foreach ( array( 'canreset', 'resetlink' ) as $key ) {
        $template->set( $key, false );
    }
    // Offer an external 'reset password' link above the login fields instead.
    $template->set( 'link', "<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>" );
    return true;
}
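// Disallow password reset on the password-reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
/**
 * UserLoginMailPassword hook: refuse to mail a new password, since Sora owns passwords.
 *
 * $error must be taken by reference: the original signature took it by value,
 * so the message assigned below was discarded and the user got no explanation
 * (the reset itself was still blocked by the false return).
 *
 * @param string $username account requesting the reset (unused)
 * @param string $error    receives the 'resetpass_forbidden' message
 * @return bool false to abort the reset
 */
function MailPasswordIsAllowed ( $username, &$error ) {
    $error = wfMsg( 'resetpass_forbidden' );
    return false;
}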
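$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
/**
 * PrefsPasswordAudit hook: reject any in-wiki password change by throwing,
 * because password changes must go through Sora.
 *
 * The trailing "return true;" of the original was unreachable after the throw
 * and has been dropped.
 *
 * @param User $user account being audited (unused)
 * @throws PasswordError always, carrying the 'resetpass_forbidden' message
 */
function ChangePasswordIsAllowed ( $user ) {
    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
}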
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
/**
 * GetPreferences hook: drop the 'password' entry from the preferences form so
 * users are not offered an in-wiki password change.
 *
 * @param User  $user        account whose preferences are shown (unused)
 * @param array $preferences preference definitions, edited in place
 * @return bool true so later handlers still run
 */
function RemovePasswordChangeLink ( $user, &$preferences ) {
    if ( array_key_exists( 'password', $preferences ) ) {
        unset( $preferences['password'] );
    }
    return true;
}
|  | </pre> | ||
|  | # Making Changes
 | ||
|  | ldapmodify allows admins to change parts of Sora. Most user attributes can be updated as shown below. | ||
|  | <pre> | ||
|  | dn: uid=testuser,ou=People,dc=aninix,dc=net | ||
|  | changetype: modify | ||
|  | replace: mail | ||
|  | mail: blar@test.local | ||
|  | 
 | ||
|  | </pre> | ||
|  | 
 | ||
|  | Some properties are more intrinsic to the user object and require special handling, such as renaming a user with a modrdn change. The last line of the example below is ldapmodify's confirmation output, not part of the LDIF input. | ||
|  | <pre> | ||
|  | dn: uid=testuser1,ou=People,dc=aninix,dc=net | ||
|  | changetype: modrdn | ||
|  | newrdn: uid=testuser2 | ||
|  | deleteoldrdn: 1 | ||
|  | modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net" | ||
|  | 
 | ||
|  | </pre> | ||
|  | 
 | ||
|  | 
 | ||
|  | [[Category:Security]] | ||
|  | [[Category:LDAP]] |