134 lines, 7.3 KiB, Markdown
Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central credential store of the AniNIX -- end users will have accounts here.

# Etymology

Sora was the name of a pivotal character in the Kingdom Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom Hearts series. -->

# Relevant Files and Software

Most of the configuration is initially handled by the Sora Makefile in [https://aninix.net/foundation/ConfigPackages ConfigPackages].

We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber should generally start from 10000, and the .ldif files should never be deleted, so that they keep a record of the highest uidNumber already issued.
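As an added example (not the ConfigPackages Makefile or any AniNIX script), the following POSIX shell helper scans a users.d directory for the highest uidNumber already issued and emits the LDIF for the next account. The directory path and the 10000 floor come from the text above; the object classes and attribute layout of the generated entry, and the constructed sample files, are assumptions.

```shell
#!/bin/sh
# Added example: allocate uidNumbers from a users.d directory of .ldif files.
# Because retired .ldif files are never deleted, an id is never reissued.

USERS_D="${USERS_D:-/etc/openldap/users.d}"   # path from the page
UID_FLOOR=10000                               # lowest id the page allows

# Print the next free uidNumber: highest uidNumber in $1/*.ldif plus one,
# never below UID_FLOOR (an empty directory yields UID_FLOOR itself).
next_uidnumber() {
    dir="$1"
    max=$(cat "$dir"/*.ldif 2>/dev/null \
        | awk '/^uidNumber:/ { if ($2+0 > m) m = $2+0 } END { print m+0 }')
    if [ "$max" -lt "$UID_FLOOR" ]; then
        echo "$UID_FLOOR"
    else
        echo $((max + 1))
    fi
}

# Emit an add-style LDIF entry for a new user (attribute layout is an
# assumption). shadowLastChange: 0 forces a password change at first use.
new_user_ldif() {
    uid="$1"; cn="$2"; uidnum="$3"; gidnum="${4:-100}"
    cat <<EOF
dn: uid=${uid},ou=People,dc=aninix,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: ${uid}
cn: ${cn}
sn: ${cn}
uidNumber: ${uidnum}
gidNumber: ${gidnum}
homeDirectory: /home/${uid}
loginShell: /bin/bash
shadowLastChange: 0
EOF
}

# Constructed sample users.d with two existing accounts, for trying the
# helpers offline; prints the temporary directory it created.
demo_users_d() {
    d=$(mktemp -d)
    printf 'dn: uid=alice,ou=People,dc=aninix,dc=net\nuid: alice\nuidNumber: 10000\n' > "$d/alice.ldif"
    printf 'dn: uid=bob,ou=People,dc=aninix,dc=net\nuid: bob\nuidNumber: 10001\n' > "$d/bob.ldif"
    echo "$d"
}

# Usage against the live directory (writes carol.ldif, then loads it):
#   n=$(next_uidnumber "$USERS_D")
#   new_user_ldif carol "Carol Example" "$n" > "$USERS_D/carol.ldif"
#   ldapadd -x -D cn=admin,dc=aninix,dc=net -W -f "$USERS_D/carol.ldif"
```

The new .ldif is written into users.d before it is loaded, so the allocator sees it on the next run; if two admins provision at once this still races, which is why the Makefile, not ad-hoc shells, should own the directory.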

# Available Clients

See [[:Category:LDAP]] for more information on the services that are clients of Sora.

# Equivalents or Competition

Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally.

The AniNIX is not presently set up for distributed authentication and is not planning to do it.

# Authorizing Other Services by Sora

## [[ShadowArch]] OS Authentication

You will need the nss-pam-ldapd package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki].

## [[Windows]] OS Authentication

We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client.

## [[SSH]]

Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM. This assumes the OS authentication is already set up.

We recommend adding a passwdchange OS group on the external-facing SSH host and setting up a ForceCommand around /usr/bin/passwd for users in that group. This lets subscribing clients change their centralized password from outside, through that host alone, so that password changes can then be disabled in the individual services.
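An added sshd_config fragment for the passwdchange group described above (not taken from the ShadowArch or ConfigPackages sources); the group name and the /usr/bin/passwd path are the page's, the forwarding and TTY settings are an assumption. Match blocks must be the last thing in sshd_config, and UsePAM stays in the global section because it is not permitted inside a Match:

```sshd_config
# Global section (assumed to already exist): passwords via PAM.
PasswordAuthentication yes
UsePAM yes

# Members of passwdchange only ever get the password-change program, never a
# shell, and no forwarding that could turn the host into a relay.
Match Group passwdchange
    PasswordAuthentication yes
    ForceCommand /usr/bin/passwd
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
```

Validate with sshd -t before reloading; a user in the group should see the passwd prompt on connect and be disconnected as soon as it exits.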

## [[IRC|IRCServices]]

You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". This prevents users from using a password that was reset by an administrator (such entries carry shadowLastChange=0).

When you enable LDAP for IRCServices, we recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP while users can still group nicks as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives.
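To show what that search_filter admits and what it blocks, here is an added shell example (not part of the Anope module configuration or any AniNIX tooling). It expands the filter for one account, applies the same three-way logic to a constructed ldapsearch dump, and emits the modify LDIF an administrator applies after a reset. It assumes that an administrator reset is recorded as shadowLastChange=0, which is the convention the filter relies on, and that users live under ou=People,dc=aninix,dc=net as elsewhere on this page.

```shell
#!/bin/sh
# Added example: what the IRCServices search_filter lets through.

# Constructed sample of what `ldapsearch -LLL` returns for three accounts:
# alice has changed her password, bob has a pending admin reset, carol has
# posixAccount but no shadowAccount (so no shadowLastChange at all).
SAMPLE_DUMP='dn: uid=alice,ou=People,dc=aninix,dc=net
uid: alice
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 19500

dn: uid=bob,ou=People,dc=aninix,dc=net
uid: bob
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 0

dn: uid=carol,ou=People,dc=aninix,dc=net
uid: carol
objectClass: posixAccount
'

# Expand the filter for one account the way m_ldap_authentication substitutes
# %account and %object_class (default object class is an assumption).
ircservices_filter() {
    printf '(&(!(shadowLastChange=0))(&(uid=%s)(objectClass=%s)))\n' "$1" "${2:-posixAccount}"
}

# Apply the filter's logic to an LDIF dump on stdin: print "<uid> allow" when
# the account would be returned, "<uid> deny" when a pending reset blocks it.
# An entry with no shadowLastChange is allowed: for a schema-known attribute
# that is absent, the equality is FALSE, so the negation is TRUE.
classify_accounts() {
    awk -v want="${1:-posixAccount}" '
        function flush() {
            if (uid != "") {
                if (has_class && slc != "0") print uid " allow"; else print uid " deny"
            }
            uid = ""; slc = ""; has_class = 0
        }
        /^uid: /              { uid = $2 }
        /^shadowLastChange: / { slc = $2 }
        /^objectClass: /      { if ($2 == want) has_class = 1 }
        /^$/                  { flush() }
        END                   { flush() }
    '
}

# Modify LDIF an administrator applies after resetting a password, so the
# account stays blocked from IRCServices until the user picks their own
# (the temporary password itself is set separately, e.g. with ldappasswd).
admin_reset_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,dc=aninix,dc=net
changetype: modify
replace: shadowLastChange
shadowLastChange: 0
EOF
}

# Usage against Sora (the same dump the sample above stands in for):
#   ldapsearch -LLL -x -H ldap://localhost -b ou=People,dc=aninix,dc=net \
#       '(objectClass=posixAccount)' uid objectClass shadowLastChange | classify_accounts
#   admin_reset_ldif bob | ldapmodify -x -D cn=admin,dc=aninix,dc=net -W
```

The carol case is the caveat worth checking in your own directory: an account without the shadowAccount object class never carries shadowLastChange, so the filter cannot tell whether its password was reset. Give every Sora user shadowAccount, or the reset-blocking behaviour silently does not apply to them.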

## [[Singularity]]

You'll need to update your plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin.

<pre>
define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_BINDPW', 'secret');
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
</pre>

## [[Wiki]]

Wiki is the most complicated to add because of its multiple-domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line at least once, after logging in an LDAP user, to promote that user to administrator.

<pre>
# LDAP Modules
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin();

# LDAP Debugging
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;

# LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( 'aninix.net', );
$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
                               #'aninix.net' => 'tls',
);
# $wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( 'aninix.net' => 389, );
$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', );
$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );

# LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
# $wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
# $wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
# $wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
# $wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
# $wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
# $wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));

# Disable password changes.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
    $template->set('canreset',false); // removes default reset password link
    $template->set('resetlink',false);
    // Use the following line to show your own 'reset password' link above the login fields
    $template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>");
    return true;
}
// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
// $error is taken by reference so the message actually reaches the caller
function MailPasswordIsAllowed ( $username, &$error ) {
    $error = wfMsg( 'resetpass_forbidden' );
    return false;
}
$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
    throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
    return true;
}
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
    unset($preferences['password']);
    return true;
}
</pre>

# Making Changes

ldapmodify allows admins to change parts of Sora. Most user attributes can be updated with an LDIF like the one below.

<pre>
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: mail
mail: blar@test.local
</pre>

Some properties, such as the uid that forms the entry's RDN, are more intrinsic to the user object and require special handling:

<pre>
dn: uid=testuser1,ou=People,dc=aninix,dc=net
changetype: modrdn
newrdn: uid=testuser2
deleteoldrdn: 1
</pre>

ldapmodify confirms the rename with:

<pre>
modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net"
</pre>

[[Category:Security]]
[[Category:LDAP]]