Sora is the [https://en.wikipedia.org/wiki/LDAP LDAP]-enabled central credential store of the AniNIX -- end users will have accounts here.
# Etymology

Sora was the name of a pivotal character in the Kingdom of Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom of Hearts series. -->
# Relevant Files and Software
Most of the configuration initially is handled by the [https://aninix.net/foundation/ConfigPackages ConfigPackages'] Sora Makefile.
We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber values should generally start from 10000, and the .ldif files should never be deleted, since they are how the highest uidNumber issued so far is tracked.
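The following Python helper is an added example, not part of the AniNIX ConfigPackages. It assumes the layout described above (one .ldif file per user under a users.d directory, each carrying a uidNumber) and shows why the files must be kept: the next uidNumber is simply one above the highest one ever written, never below 10000, and deleting a file would let an old number be reissued to a new person. The sample files it creates are constructed for the demonstration.

```python
"""Pick the next free uidNumber for a new Sora user from the users.d LDIF files.

Added example, not part of the AniNIX ConfigPackages. Assumes one .ldif file per
user under a users.d directory, each with a uidNumber attribute, numbering from 10000.
"""
import os
import re
import tempfile

UID_FLOOR = 10000  # lowest uidNumber the page says Sora users should get

# LDIF attribute lines look like "uidNumber: 10003"; the "::" (base64) form is
# ignored here because numbers are never written that way.
_UID_LINE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.MULTILINE)


def uid_numbers(users_dir):
    """Return every uidNumber found in *.ldif files under users_dir, as ints."""
    found = []
    for name in sorted(os.listdir(users_dir)):
        if not name.endswith(".ldif"):
            continue
        with open(os.path.join(users_dir, name), encoding="utf-8") as fh:
            found.extend(int(m.group(1)) for m in _UID_LINE.finditer(fh.read()))
    return found


def next_uid_number(users_dir):
    """Return max(existing) + 1, never below UID_FLOOR.

    If .ldif files were deleted the maximum could shrink and an old uidNumber
    could be handed to a new person, who would then own the old user's files.
    That is the reason the page says never to delete them.
    """
    existing = uid_numbers(users_dir)
    if not existing:
        return UID_FLOOR
    return max(max(existing) + 1, UID_FLOOR)


def duplicate_uid_numbers(users_dir):
    """Return uidNumbers that appear in more than one file (a provisioning error)."""
    seen, dupes = set(), set()
    for uid in uid_numbers(users_dir):
        if uid in seen:
            dupes.add(uid)
        seen.add(uid)
    return sorted(dupes)


def make_sample_users_d():
    """Create a throwaway users.d with constructed sample LDIF files (not real Sora data)."""
    tmp = tempfile.mkdtemp(prefix="users.d-")
    samples = {
        "alice.ldif": "dn: uid=alice,ou=People,dc=aninix,dc=net\n"
                      "objectClass: posixAccount\nuid: alice\nuidNumber: 10000\n"
                      "gidNumber: 10000\n",
        "bob.ldif": "dn: uid=bob,ou=People,dc=aninix,dc=net\n"
                    "objectClass: posixAccount\nuid: bob\nuidNumber: 10007\n"
                    "gidNumber: 10000\n",
        "README": "not an ldif file; ignored by the scanner\n",
    }
    for name, body in samples.items():
        with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return tmp


if __name__ == "__main__":
    d = make_sample_users_d()
    print("next free uidNumber:", next_uid_number(d))
    print("duplicates:", duplicate_uid_numbers(d))
```

Point it at the real /etc/openldap/users.d instead of the sample directory to get the number for the next user's .ldif; a non-empty duplicate list means two files claim the same uidNumber and should be fixed before the entries are loaded.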
# Available Clients
See [[:Category:LDAP]] for more information on the services that are clients of Sora.
# Equivalents or Competition
Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally.
The AniNIX is not presently set up or planning to do distributed authentication.
# Authorizing Other Services by Sora
## [[ShadowArch]] OS Authentication
You will need the nss-pam-ldap package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [https://eng.ucmerced.edu/soe/computing/services/ssh-based-service/ldap-ssh-access this link] and [https://wiki.archlinux.org/index.php/LDAP_authentication the Arch Wiki].
## [[Windows]] OS Authentication
We recommend the [https://pgina.org/ pGina] package -- this is a very smooth client.
## [[SSH]]
Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM (the UsePAM directive). This assumes the OS authentication above is already set up.
We recommend adding a passwdchange OS group on the external-facing SSH host and setting up a ForceCommand around /usr/bin/passwd for users in that group. This allows you to offer centralized password changes to subscribing clients from outside the command line, and then to disable password changes in the individual services.
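To check that an external-facing host actually carries the SSH settings described in this section, the following Python script is an added example (not AniNIX code). It parses sshd_config including Match blocks and reports whether PasswordAuthentication and UsePAM are on and whether the passwdchange group is confined to /usr/bin/passwd by ForceCommand. The group name and command come from the text above; using a Match Group block to apply the ForceCommand is the assumed arrangement, and both sample configurations are constructed.

```python
"""Check an sshd_config for the Sora SSH setup: PasswordAuthentication and UsePAM on,
and the passwdchange group limited to /usr/bin/passwd via ForceCommand.

Added example, not AniNIX code. Assumes the ForceCommand lives in a "Match Group passwdchange" block.
"""

PASSWD_GROUP = "passwdchange"        # group name from the page
PASSWD_COMMAND = "/usr/bin/passwd"   # the only command that group should get


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: {keyword_lower: value}; match_blocks: list of
    (criteria_string, {keyword_lower: value}). sshd keywords are
    case-insensitive, values are not, so only keywords are lowered.
    """
    globals_, blocks = {}, []
    current = globals_
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}                      # everything after Match belongs to the block
            blocks.append((value, current))
        else:
            current.setdefault(key, value)    # sshd honours the first occurrence
    return globals_, blocks


def check_policy(text):
    """Return named checks -> True/False for the page's SSH setup."""
    globals_, blocks = parse_sshd_config(text)
    group_block = next(
        (b for crit, b in blocks if crit.lower() == f"group {PASSWD_GROUP}"), None)
    forced = group_block is not None and group_block.get("forcecommand") == PASSWD_COMMAND
    return {
        # sshd defaults: PasswordAuthentication yes, UsePAM no
        "password_auth_enabled": globals_.get("passwordauthentication", "yes").lower() == "yes",
        "pam_enabled": globals_.get("usepam", "no").lower() == "yes",
        "passwdchange_match_present": group_block is not None,
        "passwdchange_forced_to_passwd": forced,
    }


# Constructed sample: the setup the page describes.
GOOD_CONFIG = """\
# external-facing host; users authenticate against Sora through PAM and nslcd
PasswordAuthentication yes
UsePAM yes
Match Group passwdchange
    ForceCommand /usr/bin/passwd
    PermitTTY yes
    AllowTcpForwarding no
    X11Forwarding no
"""

# Constructed sample: a key-only hardening default that silently breaks the setup.
WEAK_CONFIG = """\
PasswordAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_policy(cfg))
```

Feed it the contents of /etc/ssh/sshd_config on the SSH host; every value should be True before password changes are switched off in the other services, otherwise subscribing clients lose their only way to change a password.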
## [[IRC|IRCServices]]
You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". This prevents users from authenticating to IRC with a password reset by an administrator, because the filter excludes entries whose shadowLastChange is 0.
When you enable LDAP for IRCServices, we recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication: this ensures that account provisioning is done by LDAP while users can still group nicknames as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives.
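To see exactly which accounts the recommended search_filter lets through, the following Python evaluator is an added example, not Anope or AniNIX code. It parses the filter (the &, | and ! operators and equality matches are enough for this one), substitutes Anope's %account and %object_class placeholders, and tests it against constructed sample entries. The posixAccount object class is an assumption for the demonstration; use whatever object_class the modules conf sets.

```python
"""Evaluate the IRCServices LDAP search_filter against sample directory entries.

Added example (not Anope or AniNIX code): a minimal RFC 4515 filter evaluator
supporting &, |, ! and equality, enough to show why the page's filter rejects
accounts whose shadowLastChange is 0.
"""

# The filter recommended on the page; Anope substitutes %account and %object_class.
SEARCH_FILTER = "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))"


def parse_filter(text):
    """Parse an LDAP filter string into a nested tuple tree (no escape handling)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":                          # and / or: one or more children
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        elif op == "!":                         # not: exactly one child
            pos += 1
            result = ("!", [node()])
        else:                                   # equality match: attr=value
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            result = ("=", attr.strip(), value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Return True if entry (dict attr -> list of str values) satisfies the tree."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    # Attribute names are case-insensitive in LDAP; the attributes used here
    # (uid, objectClass, shadowLastChange) also compare values case-insensitively.
    values = [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
    return any(v.lower() == value.lower() for v in values)


def anope_can_authenticate(entry, account, object_class="posixAccount"):
    """Substitute Anope's placeholders and test the entry against the page's filter."""
    concrete = SEARCH_FILTER.replace("%account", account).replace("%object_class", object_class)
    return matches(parse_filter(concrete), entry)


# Constructed sample entries (not real Sora data). alice set her own password; bob's was
# reset by an administrator and still carries shadowLastChange 0; carol lacks the attribute.
ALICE = {"uid": ["alice"], "objectClass": ["posixAccount", "shadowAccount"], "shadowLastChange": ["19000"]}
BOB = {"uid": ["bob"], "objectClass": ["posixAccount", "shadowAccount"], "shadowLastChange": ["0"]}
CAROL = {"uid": ["carol"], "objectClass": ["posixAccount"]}

if __name__ == "__main__":
    for entry in (ALICE, BOB, CAROL):
        name = entry["uid"][0]
        print(name, "->", "allowed" if anope_can_authenticate(entry, name) else "rejected")
```

Note the carol case: the filter only excludes entries that carry shadowLastChange with the value 0, so a user object without the shadowAccount class is not affected by an administrator reset. Setting shadowLastChange to 0 as part of every reset is what makes the filter effective.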
## [[Singularity]]
You'll need to update your plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin.
<pre>
define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_BINDPW', 'secret');
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_ANONYMOUSBEFOREBIND', FALSE);
define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
</pre>
## [[Wiki]]
Wiki is the most complicated to add because of its multiple-domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line at least once after logging in an LDAP user, in order to promote that user to administrator.
<pre>
# LDAP Modules
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin();

# LDAP Debugging
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;

# LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( 'aninix.net', );
$wgLDAPServerNames = array( 'aninix.net' => 'localhost', );
$wgLDAPEncryptionType = array( 'aninix.net' => 'clear',
	#'aninix.net' => 'tls',
);
#$wgLDAPOptions = array( 'aninix.net' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( 'aninix.net' => 389, );
$wgLDAPProxyAgent = array( 'aninix.net' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( 'aninix.net' => 'secret', );
$wgLDAPSearchAttributes = array( 'aninix.net' => 'uid', );
$wgLDAPBaseDNs = array( 'aninix.net' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( 'aninix.net' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( 'aninix.net' => 'ou=People,dc=aninix,dc=net', );
$wgLDAPAddLDAPUsers = array( 'aninix.net' => false, );
$wgLDAPUpdateLDAP = array( 'aninix.net' => false, );
$wgLDAPPreferences = array( 'aninix.net' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );

# LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
#$wgLDAPGroupUseFullDN = array( "aninix.net"=>false );
#$wgLDAPGroupObjectclass = array( "aninix.net"=>"posixgroup" );
#$wgLDAPGroupAttribute = array( "aninix.net"=>"memberuid" );
#$wgLDAPGroupSearchNestedGroups = array( "aninix.net"=>false );
#$wgLDAPGroupNameAttribute = array( "aninix.net"=>"cn" );
#$wgLDAPRequiredGroups = array( "aninix.net"=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));

# Disable password changes.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
	$template->set('canreset',false); // removes default reset password link
	$template->set('resetlink',false);
	// Use the following line to show your own 'reset password' link above the login fields
	$template->set('link',"<a href='http://www.somedomain.org/lostpassword'>Forgot your password?</a>");
	return true;
}
// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
function MailPasswordIsAllowed ( $username, &$error ) { // $error is an out-parameter, so take it by reference
	$error = wfMsg( 'resetpass_forbidden' );
	return false;
}
$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
	throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
	return true;
}
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
	unset($preferences['password']);
	return true;
}
</pre>
# Making Changes
ldapmodify will allow admins to change parts of Sora. Most user attributes can be updated with an LDIF like the one below.
<pre>
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: mail
mail: blar@test.local
</pre>
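An administrator password reset is the most common change and ties the ldapmodify format above to the IRCServices search_filter: the reset replaces userPassword and sets shadowLastChange to 0 in the same change record, so the reset password is refused by IRC until the user picks their own. The following Python script is an added example, not AniNIX tooling; it builds that LDIF with an {SSHA} hash (the scheme OpenLDAP's slappasswd emits by default), and the user name, temporary password and salt in the usage are constructed values.

```python
"""Build the LDIF an administrator feeds to ldapmodify to reset a Sora user's password.

Added example, not AniNIX tooling. Goes beyond the single-attribute change on the
page: it replaces userPassword (as an {SSHA} hash) and shadowLastChange (set to 0,
which the IRC search_filter uses to refuse admin-reset passwords) in one record.
"""
import base64
import hashlib
import os


def ssha_hash(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes; the rest is salt
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def admin_reset_ldif(uid, new_password, base_dn="ou=People,dc=aninix,dc=net", salt=None):
    """LDIF for ldapmodify: replace userPassword and flag the entry as admin-reset."""
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(new_password, salt)}",
        "-",                                   # separates modifications within one change record
        "replace: shadowLastChange",
        "shadowLastChange: 0",                 # marks the password as set by an administrator
        "",
    ])


def parse_modify_ldif(ldif):
    """Return {attribute: value} for the 'replace' operations in a modify record."""
    changes = {}
    attr = None
    for line in ldif.splitlines():
        if line.startswith("replace: "):
            attr = line[len("replace: "):]
        elif attr and line.startswith(attr + ": "):
            changes[attr] = line[len(attr) + 2:]
    return changes


if __name__ == "__main__":
    # Constructed values for the demonstration; pipe the output into
    # ldapmodify -x -W -D <admin DN> against Sora to apply it.
    print(admin_reset_ldif("testuser", "Tempor4ry!"))
```

Once the user changes the password through the passwdchange SSH path, PAM updates shadowLastChange to the current day count and the IRC filter admits the account again; a reset done by hand without the shadowLastChange line would leave the account usable on IRC with an administrator-known password.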
Some properties are more intrinsic to the user object and require special handling; renaming a user means changing the entry's RDN, as below.
<pre>
dn: uid=testuser1,ou=People,dc=aninix,dc=net
changetype: modrdn
newrdn: uid=testuser2
deleteoldrdn: 1

modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net"
</pre>
[[Category:Security]]
[[Category:LDAP]]