Task/LDAP
From Zabbix.org
Summary
Single Authentication source for zabbix.org using OpenLDAP.
Issue
- How do we move the current user accounts to the LDAP directory?
- The Pootle account creation form should be disabled (the Pootle form cannot create accounts in LDAP).
LDAP Configuration
/etc/openldap/slapd.conf
suffix "dc=zabbix,dc=org"
rootdn "cn=root,dc=zabbix,dc=org"
rootpw secret
Initial schema
Create the initial directory entries. Save the following as initial.ldif:
dn: dc=zabbix,dc=org
objectClass: dcObject
objectClass: organization
dc: zabbix
o: zabbix

dn: cn=root,dc=zabbix,dc=org
objectclass: organizationalRole
cn: root

dn: ou=users,dc=zabbix,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=zabbix,dc=org
objectClass: organizationalUnit
ou: groups
Import the initial schema
Execute the ldapadd command to import the initial entries:
ldapadd -x -D "cn=root,dc=zabbix,dc=org" -w secret -f initial.ldif
Confirm the imported data with:
slapcat
or
ldapsearch -x -h localhost -b "dc=zabbix,dc=org"
Media Wiki Configuration
Use the LdapAuthentication extension: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication
Download the extension and put it into the MediaWiki extensions directory:
wget http://svn.wikimedia.org/svnroot/mediawiki/trunk/extensions/LdapAuthentication/LdapAuthentication.php
cp LdapAuthentication.php /srv/www/htdocs/mw/extensions/
Settings for LDAP authentication
Edit the LocalSettings.php file in the top-level MediaWiki directory:
require_once 'extensions/LdapAuthentication.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( 'zorg' );
$wgLDAPServerNames = array( 'zorg' => 'localhost' );
$wgLDAPSearchStrings = array( 'zorg' => 'uid=USER-NAME,ou=users,dc=zabbix,dc=org' );
$wgLDAPEncryptionType = array( 'zorg' => 'false' );
$wgLDAPWriterDN = array( "zorg" => "cn=root,dc=zabbix,dc=org" );
$wgLDAPWriterPassword = array( "zorg" => "secret" );
// the OU created by initial.ldif; must match the OU used in $wgLDAPSearchStrings
$wgLDAPWriteLocation = array( "zorg" => "ou=users,dc=zabbix,dc=org" );
$wgLDAPAddLDAPUsers = array( "zorg" => true );
$wgLDAPUpdateLDAP = array( "zorg" => true );
$wgLDAPMailPassword = array( "zorg" => true );
$wgLDAPRetrievePrefs = array( "zorg" => true );
$wgLDAPPreferences = array( "zorg" => array(
    "email" => "mail",
    "realname" => "displayname",
    "nickname" => "cn",
    "language" => "preferredlanguage"
) );
$wgMinimalPasswordLength = 1;
Moving accounts from MediaWiki to LDAP
Quick idea from BManojlovic:
- <BManojlovic> best approach for migration if you do not have clear text password (as you should not have) is to create proxy login in mediawiki that will forward credentials to ldap
- <BManojlovic> <? if ($_REQUEST['password'] == $db->exec("select password from shadow where id=?", $_REQUEST['username'])) { ldap_modify("dn=username, ou=xxx,cn=ppp" , password = md5($_REQUEST['password'])); }
- <BManojlovic> so after one month of that you simply replace it with real ldap login :)
- <BManojlovic> and same for creation of user
- <BManojlovic> Richlv: http://logout.sh/computers/ldap/
Account migration
- Migrate all account information from the MediaWiki DB to LDAP, without passwords.
- Edit includes/specials/SpecialUserlogin.php (add only one line):
} else {
    $wgAuth->updateUser( $u );
    $wgAuth->setPassword( $u, $this->mPassword ); // <-- add this line
    $wgUser = $u;

    // Please reset throttle for successful logins, thanks!
    if( $throttleCount ) {
- MediaWiki uses the local database password at login when there is no password information for the user in LDAP.
- If the login is successful, MediaWiki stores the password in LDAP.
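As an added example (not code from the page or from the Zabbix project), the following Python script turns rows from the MediaWiki user table into an LDIF file for the ou=users subtree with no userPassword attribute, so it can be loaded with the ldapadd command shown above; the sample rows, the inetOrgPerson object class and the attribute mapping (displayName and mail, matching $wgLDAPPreferences) are assumptions. It also handles the LDIF rule that non-ASCII values must be base64-encoded.

```python
import base64
import re

# Constructed sample rows as they might be read from the MediaWiki "user"
# table (user_name, user_real_name, user_email). No password hash is exported.
MW_USERS = [
    ("alice", "Alice Example", "alice@example.org"),
    ("bob", "Bob Müller", "bob@example.org"),   # non-ASCII real name
    ("carol", "", ""),                           # optional fields missing
]

USERS_BASE = "ou=users,dc=zabbix,dc=org"  # OU created by initial.ldif

# LDIF (RFC 2849) allows "attr: value" only for printable ASCII values that do
# not start with space, ':' or '<'; anything else is written "attr:: base64".
_SAFE = re.compile(
    r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$"
)


def ldif_attr(name, value):
    """Render one LDIF attribute line, base64-encoding when required."""
    if _SAFE.match(value):
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def user_entry(user_name, real_name, email):
    """Build the LDIF entry for one MediaWiki account (no userPassword)."""
    # uid must match the USER-NAME template in $wgLDAPSearchStrings.
    display = real_name or user_name
    lines = [
        f"dn: uid={user_name},{USERS_BASE}",
        "objectClass: inetOrgPerson",
        ldif_attr("uid", user_name),
        ldif_attr("cn", display),
        ldif_attr("sn", display.split()[-1]),  # sn is mandatory for inetOrgPerson
    ]
    if real_name:
        lines.append(ldif_attr("displayName", real_name))
    if email:
        lines.append(ldif_attr("mail", email))
    return "\n".join(lines)


def build_ldif(rows):
    """Join entries with the blank line LDIF uses as a record separator."""
    return "\n\n".join(user_entry(*row) for row in rows) + "\n"


if __name__ == "__main__":
    print(build_ldif(MW_USERS))
```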
Password hash method
The LDAP password hash method can be changed in slapd.conf:
password-hash {SSHA}, {SHA}, {SMD5}, {MD5}, {CRYPT}, {CLEARTEXT}
and the password-crypt-salt-format option can also be used.
MediaWiki internal accounts keep MediaWiki's own password hash:
if( $wgPasswordSalt ) {
    if ( $salt === false ) {
        $salt = substr( wfGenerateToken(), 0, 8 );
    }
    return ':B:' . $salt . ':' . md5( $salt . '-' . md5( $password ) );
} else {
    return ':A:' . md5( $password );
}
Pootle Configuration
Pootle supports LDAP authentication out of the box.
Settings for LDAP authentication
Edit localsettings.py in the Pootle directory:
AUTHENTICATION_BACKENDS = ('pootle.auth.ldap_backend.LdapBackend', 'django.contrib.auth.backends.ModelBackend',)
#AUTHENTICATION_BACKENDS = ('django.contrib.auth.backends.ModelBackend',)
AUTH_LDAP_SERVER = 'ldap://localhost'
AUTH_LDAP_BASE_DN = 'ou=users,dc=zabbix,dc=org'
AUTH_LDAP_FILTER = 'uid=%s'
AUTH_LDAP_FIELDS = {
'dn': 'dn',
#'first_name':,
#'last_name':,
'email':'mail'
}
Subversion
- Use Apache basic authentication
- Subversion is set up with the Apache dav-svn module
Set up the Subversion repository:
mkdir /srv/repos/reponame
svnadmin create /srv/repos/reponame
Apache configuration
Edit /etc/apache2/httpd.conf:
<Location /repos>
    DAV svn
    SVNParentPath /srv/repos
    SVNListParentPath on
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "Zabbix community repository"
    AuthLDAPURL ldap://127.0.0.1:389/ou=users,dc=zabbix,dc=org
    Require valid-user
</Location>