From 25c9872a0a1fea560c5bd3c1cae7cfe718390140 Mon Sep 17 00:00:00 2001 From: DarkFeather Date: Mon, 29 Sep 2025 16:33:35 -0500 Subject: [PATCH] Updates for AniNIX/Password --- roles/Password/README.md | 131 ++---------------- roles/Password/files/pam.d/nslcd.conf | 1 - roles/Password/tasks/audit.yml | 8 ++ roles/Password/tasks/daemon.yml | 32 +++-- roles/Password/tasks/main.yml | 5 + roles/Password/tasks/web.yml | 3 +- .../templates/ltb-ssp.config.inc.php.j2 | 31 +++++ .../{nscld.conf.j2 => nslcd.conf.j2} | 12 +- 8 files changed, 77 insertions(+), 146 deletions(-) delete mode 100644 roles/Password/files/pam.d/nslcd.conf create mode 100644 roles/Password/tasks/audit.yml create mode 100644 roles/Password/templates/ltb-ssp.config.inc.php.j2 rename roles/Password/templates/{nscld.conf.j2 => nslcd.conf.j2} (86%) diff --git a/roles/Password/README.md b/roles/Password/README.md index 4d6458d..dd70d54 100644 --- a/roles/Password/README.md +++ b/roles/Password/README.md @@ -1,134 +1,19 @@ -Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central crendential store of the AniNIX -- end users will have accounts here. +Sora is the [LDAP](https://en.wikipedia.org/wiki/LDAP)-enabled central credential store of the AniNIX -- end users will have accounts here. -# Etymology=Sora was the name of a pivotal character in the Kingdom of Hearts series. As Sora holds the "keys to the kingdom", the name fit. +# Etymology +A password is a ubiquitous method of asymmetric authentication. Militaries will use simple challenges & passwords to authenticate individuals b # Relevant Files and Software Most of the configuration initially is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile. -We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber should generally start from 10000 and the .ldif files should never be deleted to track the maximum uidNumber. +We use [file:///etc/openldap/users.d](a users.d) folder to hold the default user definitions. uidNumber should generally start from 10000 and the .ldif files should never be deleted to track the maximum uidNumber. # Available Clients -See [[:Category:LDAP]] for more information on the services that are clients of Sora. +Most services on AniNIX, ranging from SSH & IRC to web services like AniNIX/Foundation and AniNIX/Singularity, are LDAP clients. Our exceptions are below: +* MediaWiki (LDAP dropped out of support) +* AniNIX/Superintendent (client path not yet identified) # Equivalents or Competition -Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally. +Both Google and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally. The AniNIX is not presently set up or planning to do distributed authentication. -}} -# Authorizing Other Services by Sora -## [[ShadowArch]] OS Authentication -You will need nss-pam-ldap as package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki]. -## [[Windows]] OS Authentication -We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client. -## [[SSH]] -Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM. This assumes the OS authentication is set up. - -We recommend adding a passwdchange OS group on the external-facing SSH host and set up a ForceCommand around /usr/bin/passwd for users in that group. This allows you to enable centralized password changes from outside the command line for subscribing clients and then disable password changes in individual services. -## [[IRC|IRCServices]] -You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". This will prevent users from using a password reset by an administrator. - -When you enable LDAP for IRCServices, we would recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP and users can group as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives. -## [[Singularity]] -You'll need to update your plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin. - -
-define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
-define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
-define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
-define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
-define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
-define('LDAP_AUTH_BINDPW', 'secret');
-define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
-define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
-define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
-
-## [[Wiki]] -Wiki is the most complicated to add with its multiple domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line at least once after logging in an LDAP user to promote that user to administrator. - -
-1.  LDAP Modules
-require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
-require_once( "includes/AuthPlugin.php");
-$wgAuth = new LdapAuthenticationPlugin();
-
-1. LDAP Debugging
-$wgLDAPDebug = 0;
-$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;
-
-1.  LDAP Connection info
-$wgLDAPUseLocal = false;
-$wgLDAPDomainNames = array( 'aninix.net', );
-$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
-$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
-                               #'aninix.net' => 'tls',
-);
-1. $wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
-$wgLDAPPort = array( 'aninix.net' => 389, );
-$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
-$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', );
-$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
-$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
-$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
-$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
-$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
-$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
-$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );
-
-1.  LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
-1. $wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
-1. $wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
-1. $wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
-1. $wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
-1. $wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
-1. $wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));
-
-1. Disable password changes.
-$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
-function lfChangeLoginPage( &$template ) {
-    $template->set('canreset',false); // removes default reset password link
-    $template->set('resetlink',false);
-    // Use the following line to show your own 'reset password' link above the login fields
-    $template->set('link',"Forgot your password?");
-    return true;
- }
-// Disallow password reset on password reset page
-$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
-function MailPasswordIsAllowed ( $username, $error ) {
-    $error = wfMsg( 'resetpass_forbidden' );
-
-    return false;
-}
-$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
-function ChangePasswordIsAllowed ( $user ) {
-    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
-    return true;
-}
-$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
-function RemovePasswordChangeLink ( $user, &$preferences ) {
-    unset($preferences['password']);
-    return true;
-}
-
-# Making Changes -Ldapmodify will allow admins to change parts of Sora. Most user attributes can be updated like below. -
-dn: uid=testuser,ou=People,dc=aninix,dc=net
-changetype: modify
-replace: mail
-mail: blar@test.local
-
-
- -Some properties are more intrinsic to the user object and require special handling. -
-dn: uid=testuser1,ou=People,dc=aninix,dc=net
-changetype: modrdn
-newrdn: uid=testuser2
-deleteoldrdn: 1
-modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net"
-
-
- - -[[Category:Security]] -[[Category:LDAP]] \ No newline at end of file diff --git a/roles/Password/files/pam.d/nslcd.conf b/roles/Password/files/pam.d/nslcd.conf deleted file mode 100644 index 1ce0280..0000000 --- a/roles/Password/files/pam.d/nslcd.conf +++ /dev/null @@ -1 +0,0 @@ -UiqiKXIU diff --git a/roles/Password/tasks/audit.yml b/roles/Password/tasks/audit.yml new file mode 100644 index 0000000..2d160e9 --- /dev/null +++ b/roles/Password/tasks/audit.yml @@ -0,0 +1,8 @@ +--- + + - name: Enable timer for auditing Password + become: yes + service: + name: ldap-userreport.timer + state: started + enabled: yes diff --git a/roles/Password/tasks/daemon.yml b/roles/Password/tasks/daemon.yml index 31e4d2c..b495dc9 100644 --- a/roles/Password/tasks/daemon.yml +++ b/roles/Password/tasks/daemon.yml @@ -1,14 +1,6 @@ --- - - name: Create the base config - become: yes - template: - src: slapd.ldif - dest: /etc/openldap/slapd.ldif - owner: ldap - group: ldap - mode: 0640 - - name: Create the directories + become: yes file: path: "{{ item }}" owner: ldap @@ -21,15 +13,25 @@ - /etc/openldap/groups.d - /etc/openldap/slapd.d - - name: Initialize the instance - become: yes - command: - cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap - creates: /etc/openldap/slapd.d/cn=config + # - name: Create the base config + # become: yes + # template: + # src: slapd.ldif + # dest: /etc/openldap/slapd.ldif + # owner: ldap + # group: ldap + # mode: 0640 + + # - name: Initialize the instance + # become: yes + # command: + # cmd: "slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap" + # creates: /etc/openldap/slapd.d/cn=config - name: Ensure the service become: yes + ignore_errors: true service: name: slapd - state: restarted + state: started enabled: yes diff --git a/roles/Password/tasks/main.yml b/roles/Password/tasks/main.yml index bbc0117..04f284e 100644 --- a/roles/Password/tasks/main.yml +++ b/roles/Password/tasks/main.yml @@ -4,6 +4,7 @@ package: name: - openldap + - freeradius - Password-Scripts - include_tasks: daemon.yml @@ -11,3 +12,7 @@ - include_tasks: login.yml - include_tasks: web.yml + + - include_tasks: audit.yml + + - include_tasks: freeradius.yml diff --git a/roles/Password/tasks/web.yml b/roles/Password/tasks/web.yml index e27714f..31b6fd3 100644 --- a/roles/Password/tasks/web.yml +++ b/roles/Password/tasks/web.yml @@ -5,6 +5,7 @@ git: repo: https://github.com/ltb-project/self-service-password dest: /usr/share/webapps/self-service-password + update: no - name: Ensure web portal ownership file: @@ -17,7 +18,7 @@ - name: Web portal config become: yes template: - src: config.inc.php.j2 + src: ltb-ssp.config.inc.php.j2 dest: /usr/share/webapps/self-service-password/conf/config.inc.php owner: http group: http diff --git a/roles/Password/templates/ltb-ssp.config.inc.php.j2 b/roles/Password/templates/ltb-ssp.config.inc.php.j2 new file mode 100644 index 0000000..aa783ed --- /dev/null +++ b/roles/Password/templates/ltb-ssp.config.inc.php.j2 @@ -0,0 +1,31 @@ + diff --git a/roles/Password/templates/nscld.conf.j2 b/roles/Password/templates/nslcd.conf.j2 similarity index 86% rename from roles/Password/templates/nscld.conf.j2 rename to roles/Password/templates/nslcd.conf.j2 index 88dcbef..f3ee03c 100644 --- a/roles/Password/templates/nscld.conf.j2 +++ b/roles/Password/templates/nslcd.conf.j2 @@ -15,7 +15,7 @@ gid nslcd #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator -uri ldap://{{ ldap['server'] }}/ +uri ldap://127.0.0.1/ # The LDAP version to use (defaults to 3 # if supported by client library) @@ -26,12 +26,12 @@ base {{ ldap['orgdn'] }} # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. -binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }} +binddn uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }} # The credentials to bind with. # Optional: default is no credentials. # Note that if you set a bindpw you should check the permissions of this file. -bindpw {{ secrets['Sora']['bindpassword'] }} +bindpw {{ secrets['Password']['bindpassword'] }} # The distinguished name to perform password modifications by root by. rootpwmoddn cn=root,{{ ldap['orgdn'] }} @@ -43,9 +43,9 @@ scope sub #scope base # Customize certain database lookups. -base group {{ ldap['groupou'] }},{{ ldap['orgdn'] }} -base passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }} -base shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }} +base group ou=Group,{{ ldap['orgdn'] }} +base passwd ou=People,{{ ldap['orgdn'] }} +base shadow ou=People,{{ ldap['orgdn'] }} #scope group onelevel scope hosts sub