Updates for AniNIX/Password

2025-09-29 16:33:35 -05:00
parent 78af592485
commit 25c9872a0a
8 changed files with 77 additions and 146 deletions


@@ -1,134 +1,19 @@
Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central crendential store of the AniNIX -- end users will have accounts here. Sora is the [LDAP](https://en.wikipedia.org/wiki/LDAP)-enabled central credential store of the AniNIX -- end users will have accounts here.
# Etymology=Sora was the name of a pivotal character in the Kingdom of Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom of Hearts series. --> # Etymology
A password is a ubiquitous method of asymmetric authentication. Militaries will use simple challenges & passwords to authenticate individuals b
# Relevant Files and Software # Relevant Files and Software
Most of the configuration initially is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile. Most of the configuration initially is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile.
We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber should generally start from 10000 and the .ldif files should never be deleted to track the maximum uidNumber. We use [file:///etc/openldap/users.d](a users.d) folder to hold the default user definitions. uidNumber should generally start from 10000 and the .ldif files should never be deleted to track the maximum uidNumber.
# Available Clients # Available Clients
See [[:Category:LDAP]] for more information on the services that are clients of Sora. Most services on AniNIX, ranging from SSH & IRC to web services like AniNIX/Foundation and AniNIX/Singularity, are LDAP clients. Our exceptions are below:
* MediaWiki (LDAP dropped out of support)
* AniNIX/Superintendent (client path not yet identified)
# Equivalents or Competition # Equivalents or Competition
Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally. Both Google and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally.
The AniNIX is not presently set up or planning to do distributed authentication. The AniNIX is not presently set up or planning to do distributed authentication.
}}
# Authorizing Other Services by Sora
## [[ShadowArch]] OS Authentication
You will need nss-pam-ldap as package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki].
## [[Windows]] OS Authentication
We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client.
## [[SSH]]
Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM. This assumes the OS authentication is set up.
We recommend adding a passwdchange OS group on the external-facing SSH host and set up a ForceCommand around /usr/bin/passwd for users in that group. This allows you to enable centralized password changes from outside the command line for subscribing clients and then disable password changes in individual services.
## [[IRC|IRCServices]]
You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". This will prevent users from using a password reset by an administrator.
When you enable LDAP for IRCServices, we would recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP and users can group as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives.
## [[Singularity]]
You'll need to update your plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin.
<pre>
define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_BINDPW', 'secret');
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
</pre>
## [[Wiki]]
Wiki is the most complicated to add with its multiple domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line at least once after logging in an LDAP user to promote that user to administrator.
<pre>
1. LDAP Modules
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin();
1. LDAP Debugging
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;
1. LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( 'aninix.net', );
$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
#'aninix.net' => 'tls',
);
1. $wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( 'aninix.net' => 389, );
$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', );
$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );
1. LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
1. $wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
1. $wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
1. $wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
1. $wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
1. $wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
1. $wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));
1. Disable password changes.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
$template->set('canreset',false); // removes default reset password link
$template->set('resetlink',false);
// Use the following line to show your own 'reset password' link above the login fields
$template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>");
return true;
}
// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
function MailPasswordIsAllowed ( $username, $error ) {
$error = wfMsg( 'resetpass_forbidden' );
return false;
}
$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
return true;
}
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
unset($preferences['password']);
return true;
}
</pre>
# Making Changes
Ldapmodify will allow admins to change parts of Sora. Most user attributes can be updated like below.
<pre>
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: mail
mail: blar@test.local
</pre>
Some properties are more intrinsic to the user object and require special handling.
<pre>
dn: uid=testuser1,ou=People,dc=aninix,dc=net
changetype: modrdn
newrdn: uid=testuser2
deleteoldrdn: 1
modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net"
</pre>
[[Category:Security]]
[[Category:LDAP]]
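Review bot: the new users.d sentence has its markdown link inverted, `[file:///etc/openldap/users.d](a users.d)` puts the URL where the link text belongs and the text where the URL belongs; it should read `[a users.d](file:///etc/openldap/users.d)`. The new Etymology paragraph also stops mid-sentence at "authenticate individuals b" in this view, so please confirm the committed file is complete. Separately, the 115 deleted lines were the only documentation of the client-side controls around Sora (the `(&(!(shadowLastChange=0))...)` search_filter for Anope, removing the NickServ set/*pass directives, the passwdchange group with a ForceCommand around /usr/bin/passwd, and the MediaWiki hooks that disable password reset), and they also carried a literal `LDAP_AUTH_ALLOW_UNTRUSTED_CERT` = TRUE example; if that material moved to another page, link it from the new README, otherwise those controls are now undocumented.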


@@ -1 +0,0 @@
UiqiKXIU
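Review bot: this removes a one-line file whose only content is the string `UiqiKXIU`, which looks like a stored password or token rather than configuration. Deleting it from the tree does not remove it from history, so if it was ever used as a credential (for example the bind password the nslcd and self-service-password templates in this commit now read from `secrets['Password']`), rotate it rather than rely on the deletion, and consider ignoring the path so it cannot be re-added.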


@@ -0,0 +1,8 @@
---
- name: Enable timer for auditing Password
become: yes
service:
name: ldap-userreport.timer
state: started
enabled: yes
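Review bot: the task starts and enables `ldap-userreport.timer`, but nothing in this changeset installs that unit; `service` fails on a unit that does not exist, so either add the task that deploys the .timer and its .service ahead of this one, or, if the unit is shipped by the Password-Scripts package listed in main.yml, say so in a comment. A `name:` that states what the report covers would also make the play self-describing.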


@@ -1,14 +1,6 @@
--- ---
- name: Create the base config
become: yes
template:
src: slapd.ldif
dest: /etc/openldap/slapd.ldif
owner: ldap
group: ldap
mode: 0640
- name: Create the directories - name: Create the directories
become: yes
file: file:
path: "{{ item }}" path: "{{ item }}"
owner: ldap owner: ldap
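Review bot: dropping the "Create the base config" task means /etc/openldap/slapd.ldif is no longer managed by this role, and it was the one place that set the file to ldap:ldap with mode 0640; the commit message does not say where the config now comes from, so either document the manual bootstrap in the README or keep the task.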
@@ -21,15 +13,25 @@
- /etc/openldap/groups.d - /etc/openldap/groups.d
- /etc/openldap/slapd.d - /etc/openldap/slapd.d
- name: Initialize the instance # - name: Create the base config
become: yes # become: yes
command: # template:
cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap # src: slapd.ldif
creates: /etc/openldap/slapd.d/cn=config # dest: /etc/openldap/slapd.ldif
# owner: ldap
# group: ldap
# mode: 0640
# - name: Initialize the instance
# become: yes
# command:
# cmd: "slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap"
# creates: /etc/openldap/slapd.d/cn=config
- name: Ensure the service - name: Ensure the service
become: yes become: yes
ignore_errors: true
service: service:
name: slapd name: slapd
state: restarted state: started
enabled: yes enabled: yes
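Review bot: `ignore_errors: true` on "Ensure the service" hides a slapd that fails to start, and every later task file (login.yml, web.yml, audit.yml, freeradius.yml) depends on the directory being up, so a broken directory would only surface as confusing downstream failures; remove the flag, or if it exists to tolerate one known condition, express that with `failed_when` on that condition. The same hunk replaces the "Initialize the instance" task with a commented-out copy; dead YAML should be deleted (git keeps the history) rather than carried along, and with the `slapadd -n 0` bootstrap gone a fresh host has no step that creates cn=config, which belongs in the README. The restarted -> started change is fine on its own, but config changes will then no longer be applied by this play without a handler.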


@@ -4,6 +4,7 @@
package: package:
name: name:
- openldap - openldap
- freeradius
- Password-Scripts - Password-Scripts
- include_tasks: daemon.yml - include_tasks: daemon.yml
@@ -11,3 +12,7 @@
- include_tasks: login.yml - include_tasks: login.yml
- include_tasks: web.yml - include_tasks: web.yml
- include_tasks: audit.yml
- include_tasks: freeradius.yml
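Review bot: `include_tasks: freeradius.yml` is added but no freeradius.yml is part of this commit (eight files changed, and audit.yml is the only new task file), so the play fails at include time unless that file already exists on the branch; either add it here or split the FreeRADIUS work into its own commit. The freeradius package is also now installed unconditionally on the directory host, which adds a network-listening daemon to it, so the missing tasks file should at least manage its client list and shared secrets before the service is enabled.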


@@ -5,6 +5,7 @@
git: git:
repo: https://github.com/ltb-project/self-service-password repo: https://github.com/ltb-project/self-service-password
dest: /usr/share/webapps/self-service-password dest: /usr/share/webapps/self-service-password
update: no
- name: Ensure web portal ownership - name: Ensure web portal ownership
file: file:
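Review bot: `update: no` freezes the self-service-password checkout at whatever commit happened to be HEAD on the first run, which makes the deployed version unknowable and silently skips upstream fixes to this password-handling code path. Pin an explicit release with `version:` (a tag or commit hash) instead, so the version is recorded in the repo and upgrades become a deliberate, reviewable change.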
@@ -17,7 +18,7 @@
- name: Web portal config - name: Web portal config
become: yes become: yes
template: template:
src: config.inc.php.j2 src: ltb-ssp.config.inc.php.j2
dest: /usr/share/webapps/self-service-password/conf/config.inc.php dest: /usr/share/webapps/self-service-password/conf/config.inc.php
owner: http owner: http
group: http group: http


@@ -0,0 +1,31 @@
<?php
$lang = "en";
$show_menu = false;
$show_help = false;
$logo = "";
//$logo = "images/AniNIX.png";
$default_action = "change";
$notify_on_change = false;
$use_sms = false;
$ldap_url = "ldap://localhost:389";
$ldap_binddn = "{{ secrets['Password']['binduser'] }},{{ ldap['orgdn'] }}";
$ldap_bindpw = "{{ secrets['Password']['bindpassword'] }}";
$who_change_password = "user";
$ldap_base = "{{ ldap['orgdn'] }}";
$keyphrase = "";
// Requirements
$pwd_min_lower = 1;
$pwd_min_upper = 1;
$pwd_min_digit = 1;
$pwd_min_special = 1;
$pwd_complexity = 4;
$pwd_min_length = 8;
$hash = "ssha";
// Recaptcha currently doesn't work for changes in SameSite cookie attribute.
$use_recaptcha = false;
$recaptcha_publickey = "{{ secrets['Password']['recaptcha_publickey'] }}";
$recaptcha_privatekey = "{{ secrets['Password']['recaptcha_privatekey'] }}";
$recaptcha_theme = "dark";
$recaptcha_type = "image";
$recaptcha_size = "normal";
?>
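Review bot: the bind DN is assembled as `{{ secrets['Password']['binduser'] }},{{ ldap['orgdn'] }}` while nslcd.conf in this same commit uses `uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}`; unless the secret already contains the `uid=` prefix and the user OU, one of the two binds will fail, so build both from the same variables. `$hash = "ssha"` is salted SHA-1; since the directory already holds the password policy, prefer a setting that lets the server apply its own hash if the deployed LTB version offers one, or at least a SHA-2 based scheme. `$keyphrase = ""` is only safe because the token-based reset flow is off (`$default_action = "change"`, `$use_sms = false`, `$notify_on_change = false`); add a comment saying so, because enabling a reset flow later with an empty keyphrase would leave the reset tokens unprotected. The recaptcha keys are templated in even though `$use_recaptcha = false`, which copies an unused private key onto the host; guard those lines with the flag. Minor: the comment should read "doesn't work since the change in the SameSite cookie attribute".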


@@ -15,7 +15,7 @@ gid nslcd
#uri ldaps://127.0.0.1/ #uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/ #uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator # Note: %2f encodes the '/' used as directory separator
uri ldap://{{ ldap['server'] }}/ uri ldap://127.0.0.1/
# The LDAP version to use (defaults to 3 # The LDAP version to use (defaults to 3
# if supported by client library) # if supported by client library)
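Review bot: replacing `ldap://{{ ldap['server'] }}/` with `ldap://127.0.0.1/` hardcodes the loopback URI and drops the role variable, so this template can no longer be reused on a client host that is not the directory server; if nslcd is always meant to talk locally, set `ldap['server']` to 127.0.0.1 in the inventory and keep the variable here. The two commented alternatives in the context (`ldaps://` and the `ldapi://` socket) would give transport protection or a filesystem-permission boundary; plain `ldap://` on loopback is acceptable only as long as the bind password never leaves the host.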
@@ -26,12 +26,12 @@ base {{ ldap['orgdn'] }}
# The distinguished name to bind to the server with. # The distinguished name to bind to the server with.
# Optional: default is to bind anonymously. # Optional: default is to bind anonymously.
binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }} binddn uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}
# The credentials to bind with. # The credentials to bind with.
# Optional: default is no credentials. # Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file. # Note that if you set a bindpw you should check the permissions of this file.
bindpw {{ secrets['Sora']['bindpassword'] }} bindpw {{ secrets['Password']['bindpassword'] }}
# The distinguished name to perform password modifications by root by. # The distinguished name to perform password modifications by root by.
rootpwmoddn cn=root,{{ ldap['orgdn'] }} rootpwmoddn cn=root,{{ ldap['orgdn'] }}
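Review bot: `binddn` now hardcodes `uid=binduser` while `userou` and `orgdn` stay templated, a half-variable line that breaks the moment the bind account is renamed; keep `{{ ldap['binduser'] }}`, or read it from `secrets['Password']['binduser']` as the new self-service-password template does, so the two agree. The `bindpw` key moves from `secrets['Sora']` to `secrets['Password']`; update the inventory vault in the same change, and since this file carries the bind password the task that installs it should set a restrictive mode, as the file's own comment on `bindpw` asks.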
@@ -43,9 +43,9 @@ scope sub
#scope base #scope base
# Customize certain database lookups. # Customize certain database lookups.
base group {{ ldap['groupou'] }},{{ ldap['orgdn'] }} base group ou=Group,{{ ldap['orgdn'] }}
base passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }} base passwd ou=People,{{ ldap['orgdn'] }}
base shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }} base shadow ou=People,{{ ldap['orgdn'] }}
#scope group onelevel #scope group onelevel
scope hosts sub scope hosts sub
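Review bot: the `base group`, `base passwd` and `base shadow` lines replace `{{ ldap['groupou'] }}` and `{{ ldap['userou'] }}` with literal `ou=Group` and `ou=People`, so the template now assumes the DIT layout those variables were there to abstract; keep the variables, or if they are being retired, remove them everywhere (the `binddn` line in the previous hunk still uses `ldap['userou']`) so the file is consistent.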