Kapisi/roles/Password/README.md

Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central credential store of the AniNIX -- end users will have accounts here.
# Etymology
Sora was the name of a pivotal character in the Kingdom Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom of Hearts series. -->
# Relevant Files and Software
Most of the initial configuration is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile.
We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions, one .ldif file per account. uidNumber values should generally start from 10000, and the .ldif files should never be deleted, even for departed users: they are the record of the highest uidNumber already allocated. A new account takes the next number above that maximum, so a uidNumber is never reused and files still owned by an old uid are never inherited by a new user.
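The allocation rule above, as an added example that is not the AniNIX's own Makefile: a POSIX shell script that reads every uidNumber recorded under a users.d directory, refuses to touch an account that already has a record, and emits the LDIF for the next free number. The sample records, the one-file-per-uid naming, the primary gid of 100 and the ldapi:/// usage in the closing comment are assumptions; the base DN is the one the page's other examples use.

```shell
#!/bin/sh
# Added example, not part of the AniNIX ConfigPackages: allocate the next
# uidNumber from users.d and print an LDIF for a new account.
# Assumptions: one <uid>.ldif per account, primary gid 100, base DN as on
# this page.
BASE_DN="ou=People,dc=aninix,dc=net"
MIN_UID=10000
PRIMARY_GID=100

# Constructed sample records in a scratch directory so this runs offline;
# on a real host pass /etc/openldap/users.d to the functions instead.
SAMPLE_D=$(mktemp -d)
cat > "$SAMPLE_D/testuser.ldif" <<'EOF'
dn: uid=testuser,ou=People,dc=aninix,dc=net
objectClass: posixAccount
uid: testuser
uidNumber: 10000
EOF
# A departed user: the file stays so that 10001 is never handed out again.
cat > "$SAMPLE_D/olduser.ldif" <<'EOF'
dn: uid=olduser,ou=People,dc=aninix,dc=net
objectClass: posixAccount
uid: olduser
uidNumber: 10001
EOF

# Highest uidNumber recorded in any .ldif under $1. Returns MIN_UID-1 when
# the directory is empty so the very first account gets MIN_UID.
max_uidnumber() {
    max=$(grep -h '^uidNumber:' "$1"/*.ldif 2>/dev/null | awk '{print $2}' | sort -n | tail -n 1)
    floor=$((MIN_UID - 1))
    if [ -z "$max" ] || [ "$max" -lt "$floor" ]; then
        max=$floor
    fi
    echo "$max"
}

# Print an LDIF suitable for ldapadd. Refuses if a record for that uid already
# exists, so an old account is never overwritten and its uidNumber never reused.
new_user_ldif() {
    dir=$1
    user=$2
    fullname=$3
    if [ -e "$dir/$user.ldif" ]; then
        echo "refusing: $dir/$user.ldif already exists" >&2
        return 1
    fi
    next=$(( $(max_uidnumber "$dir") + 1 ))
    # shadowLastChange 0 marks a password set by an admin; the IRC search
    # filter on this page rejects such accounts until the user changes it.
    cat <<EOF
dn: uid=$user,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $user
cn: $fullname
sn: $fullname
uidNumber: $next
gidNumber: $PRIMARY_GID
homeDirectory: /home/$user
loginShell: /bin/bash
shadowLastChange: 0
EOF
}

# Real-host usage (assumes slapd listens on ldapi:/// with SASL EXTERNAL):
#   new_user_ldif /etc/openldap/users.d alice "Alice Example" > /etc/openldap/users.d/alice.ldif
#   ldapadd -H ldapi:/// -Y EXTERNAL -f /etc/openldap/users.d/alice.ldif
new_user_ldif "$SAMPLE_D" newuser "New User"
```

Keeping the generated file in users.d is the point: the next run reads it back and allocates 10003, whether or not the account is still active.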
# Available Clients
See [[:Category:LDAP]] for more information on the services that are clients of Sora.
# Equivalents or Competition
Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally.
The AniNIX is not presently set up for distributed authentication and is not planning to add it.
# Authorizing Other Services by Sora
## [[ShadowArch]] OS Authentication
You will need the nss-pam-ldapd package installed; it provides nslcd and pam_ldap.so. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki].
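What those edits look like when put together, as an added example following the linked Arch Wiki layout rather than the AniNIX's own files. The TLS settings, the posixAccount filter, the pam_mkhomedir line and the exact ordering of the PAM stack are assumptions; the base DNs are the ones this page uses elsewhere.

```text
# /etc/nslcd.conf (added example for ShadowArch)
uid nslcd
gid nslcd
uri ldap://localhost/
base dc=aninix,dc=net
base passwd ou=People,dc=aninix,dc=net
base group  ou=Group,dc=aninix,dc=net
# Keep bind/service entries that are not real accounts out of NSS.
filter passwd (objectClass=posixAccount)
# Assumed for a Sora that is not on localhost; demand a verifiable certificate.
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# /etc/nsswitch.conf: local files first, then Sora
passwd: files ldap
group:  files ldap
shadow: files ldap

# /etc/pam.d/system-auth; the same pam_ldap.so lines go into su and su-l
auth      sufficient  pam_ldap.so
auth      required    pam_unix.so try_first_pass nullok
account   sufficient  pam_ldap.so
account   required    pam_unix.so
# password sufficient pam_ldap.so is what lets /usr/bin/passwd write to Sora
password  sufficient  pam_ldap.so
password  required    pam_unix.so try_first_pass nullok sha512 shadow
session   required    pam_unix.so
session   optional    pam_ldap.so
session   optional    pam_mkhomedir.so skel=/etc/skel umask=0077
```

Check the result with `getent passwd testuser` (NSS) and a `su - testuser` from root (PAM) before touching sshd; keep a root shell open while editing the PAM stack so a mistake does not lock you out.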
## [[Windows]] OS Authentication
We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client.
## [[SSH]]
Edit /etc/ssh/sshd_config to enable PasswordAuthentication and UsePAM. This assumes the OS authentication above is set up, since PAM is what actually checks the password against Sora.
We recommend adding a passwdchange OS group on the external-facing SSH host and setting a ForceCommand of /usr/bin/passwd for users in that group. Members of that group get the password-change prompt instead of a shell, so Sora becomes the single place where passwords are changed, reachable from outside the network; password changes can then be disabled in each subscribing service.
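The sshd side of that arrangement, as an added example and not the AniNIX's own sshd_config. The MaxAuthTries and LoginGraceTime values and the forwarding restrictions under the Match block are assumptions; passwdchange is the group named above.

```text
# /etc/ssh/sshd_config on the external-facing host (added example)
# Assumes OS authentication against Sora is already in place.
UsePAM yes
PasswordAuthentication yes
# Password auth is exposed to the internet; keep the guessing budget small.
MaxAuthTries 3
LoginGraceTime 30

# Members of the passwdchange OS group (a posixGroup in Sora, resolved
# through nss) get only the password dialogue, never a shell or a tunnel.
Match Group passwdchange
    ForceCommand /usr/bin/passwd
    PermitTTY yes
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Match applies to every member of the group, so only accounts whose sole use of this host is changing a password belong in passwdchange. Validate with `sshd -t` before reloading, and confirm with an unprivileged test account that passwd really writes to Sora (an `ldapsearch` for the entry afterwards shows the new userPassword hash) rather than silently updating /etc/shadow.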
## [[IRC|IRCServices]]
You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". An account whose password was reset by an administrator has shadowLastChange set to 0, and this filter keeps such an account from logging in to IRC until the user has changed the temporary password.
When you enable LDAP for IRCServices, we would recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP and users can group nicks as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives, so that Sora is the only place a password can be changed.
## [[Singularity]]
You'll need to update the plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add the LDAP parameters below. Note: the final configuration removes the auth_internal plugin, but keep it enabled at least once, log in as the built-in admin, and promote an LDAP user to admin before removing it; otherwise nobody can administer the instance once LDAP is the only login path.
<pre>
define('PLUGINS', 'auth_remote, note, updater, auth_ldap'); // auth_internal dropped once an LDAP user is admin
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
define('LDAP_AUTH_USETLS', FALSE); // StartTLS; FALSE is only tolerable because Sora is on localhost
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate; set FALSE if Sora is remote
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net'); // should be a read-only service account
define('LDAP_AUTH_BINDPW', 'secret'); // config.php must be readable only by the web server user
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
define('LDAP_AUTH_SEARCHFILTER', 'uid=???'); // ??? is replaced with the login name
</pre>
## [[Wiki]]
Wiki is the most complicated to add because the LdapAuthentication extension supports multiple domains, but the following snippet can be modified for a single domain (here 'aninix.net'). You'll need to comment out the fourth line ($wgAuth = ...) at least once: log in as an LDAP user so the wiki creates the account, disable the plugin, log in as the original local administrator to promote the LDAP user, then re-enable it.
<pre>
# LDAP Modules
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin(); # comment out once to log in locally and promote an LDAP user
# LDAP Debugging
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;
# LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( 'aninix.net', );
$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
# 'clear' is only tolerable because Sora is on localhost; use 'tls' for a remote server
$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
#'aninix.net' => 'tls',
);
# $wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( 'aninix.net' => 389, );
$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', ); # keep LocalSettings.php unreadable to other users
$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );
# LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
# $wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
# $wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
# $wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
# $wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
# $wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
# $wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));
# Disable password changes, so Sora stays the only place a password is changed.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
	$template->set('canreset',false); // removes default reset password link
	$template->set('resetlink',false);
	// Use the following line to show your own 'reset password' link above the login fields
	$template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>");
	return true;
}
// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
function MailPasswordIsAllowed ( $username, $error ) {
	$error = wfMsg( 'resetpass_forbidden' );
	return false;
}
$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
	throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
	return true;
}
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
	unset($preferences['password']);
	return true;
}
</pre>
# Making Changes
`ldapmodify` lets admins change entries in Sora. Most user attributes can be updated with a plain modify like the one below.
<pre>
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: mail
mail: blar@test.local
</pre>
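A more complete modify, added here as an example rather than taken from the original page: the administrator password reset that the IRC search filter above is built around. Replacing userPassword and setting shadowLastChange to 0 in the same operation marks the account as "must change", so clients using that filter refuse the temporary password. The hash placeholder and the ldapi:/// invocation in the comments are assumptions.

```ldif
# Added example: admin reset of testuser's password.
# Generate the hash with: slappasswd -s 'temporary-password'
# Apply with (assumes ldapi:/// and SASL EXTERNAL for root):
#   ldapmodify -H ldapi:/// -Y EXTERNAL -f reset.ldif
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: userPassword
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
-
replace: shadowLastChange
shadowLastChange: 0
```

After the user changes the password through the passwdchange SSH path, confirm with `ldapsearch` that shadowLastChange is no longer 0; if the client that performed the change does not maintain shadowAccount attributes, the account stays locked out of IRC until an admin clears the flag.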
Some properties are more intrinsic to the user object and require special handling. Renaming a user changes the entry's RDN, so it is a modrdn rather than a modify:
<pre>
dn: uid=testuser1,ou=People,dc=aninix,dc=net
changetype: modrdn
newrdn: uid=testuser2
deleteoldrdn: 1
</pre>
On success ldapmodify echoes a "modifying rdn of entry" line naming the entry. deleteoldrdn: 1 removes the old uid value from the entry, so anything that still refers to it by name (memberUid values in posixGroups, the users.d file name, home directory paths) must be updated separately.
[[Category:Security]]
[[Category:LDAP]]