Difference between revisions of "LDAP"
Revision as of 20:35, 27 August 2013
Server data
- Hostname: ldap.techinc.nl (does not work yet)
- Base DN: dc=techinc,dc=nl
- Users DN: ou=people,dc=techinc,dc=nl
- Groups DN: ou=groups,dc=techinc,dc=nl
Implementation plan
- Load members into LDAP.
- Set passwords manually for selected users.
- Connect homepage/Drupal to the LDAP server.
- Create a password (re)set service.
- Load the users of the wiki into LDAP (we need to see whether the MediaWiki password hashes can be transported to LDAP)
- Connect MediaWiki to LDAP
- Start connecting the space-desktops to LDAP
Synchronizing members automatically - Memberizer
To add users to the LDAP "members" group, there is an automated process that receives the complete list of members and does the following:
- Any member not yet registered in the LDAP will have a skeleton user created.
- All members will be added to the member list.
- All other users will be removed from the member list.
To use this process, the maintainer of the official list (normally the Treasurer) has to do the following:
- Generate a JSON file with all of the space members (anyone not in the list, will not be a member in the LDAP anymore). Format example: https://github.com/chotee/memberizer/blob/master/memberizer/test/test_members.json
- Encrypt and sign the resulting file. It needs to be encrypted with the memberizer public key [0xF71A39FFD2ABFD78]:
$ gpg --sign --encrypt --recipient 0xF71A39FFD2ABFD78 members.json
- Copy the encrypted file via scp to the /var/spool/members directory on armitage.techinc.nl:
$ scp members.json.gpg armitage.techinc.nl:/var/spool/members
- Memberizer will send an email to the email address of the member who signed the members file, with a summary of the changes.
The code that runs this is available for review at https://github.com/chotee/memberizer
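As an added illustration (not the memberizer project's own code), the two checks the process above relies on, modelled in Python: the signer of the decrypted file must be listed in signer_ids before anything is touched, and the LDAP "members" group is then reconciled to exactly the uploaded list. The JSON layout (a list of objects with "uid" and "email"), the fingerprints and the LDAP state are constructed assumptions.

```python
"""Model of the Memberizer authorisation and reconciliation steps.
Added example; assumes gpg verification has already yielded the signer's
full fingerprint and that the members file is a JSON list of
{"uid": ..., "email": ...} objects (assumed format)."""
import json

# Constructed config.json fragment: only these fingerprints may sign the list.
CONFIG = {"signer_ids": ["0123456789ABCDEF0123456789ABCDEF01234567"]}

# Constructed, already-decrypted members file.
MEMBERS_JSON = json.dumps([
    {"uid": "alice", "email": "alice@example.org"},
    {"uid": "bob", "email": "bob@example.org"},
    {"uid": "carol", "email": "carol@example.org"},
])


def check_signer(fingerprint, config):
    """Accept only a full 40-hex-digit fingerprint listed in signer_ids.
    Short or long key IDs are rejected: they are not collision resistant."""
    fp = fingerprint.replace(" ", "").upper()
    if len(fp) != 40:
        return False
    return fp in {s.replace(" ", "").upper() for s in config["signer_ids"]}


def plan_sync(members_json, ldap_users, group_members):
    """Changes that make the LDAP 'members' group equal the uploaded list:
    skeleton users to create, uids to add to the group, uids to remove."""
    wanted = {m["uid"] for m in json.loads(members_json)}
    create = sorted(wanted - ldap_users)      # step 1: skeleton users
    add = sorted(wanted - group_members)      # step 2: everyone on the list
    remove = sorted(group_members - wanted)   # step 3: nobody else
    return {"create": create, "add": add, "remove": remove}


def run(signer_fp, members_json, ldap_users, group_members, config=CONFIG):
    """Refuse to compute any change unless the signer is authorised."""
    if not check_signer(signer_fp, config):
        raise PermissionError("signer not in signer_ids: %s" % signer_fp)
    return plan_sync(members_json, ldap_users, group_members)


if __name__ == "__main__":
    current_users = {"alice", "bob", "dave"}   # constructed LDAP state
    current_group = {"alice", "dave"}
    print(run(CONFIG["signer_ids"][0], MEMBERS_JSON, current_users, current_group))
```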
Authorizing members to update the list
(this needs to be done once for each person able to update the member list)
- Create a user for this authorized-member on armitage
- Add this user to the memberizer group on armitage
- As the memberizer user, add the public key of the authorized member to the GPG keyring and (after verifying the fingerprint) trust it in the keyring.
- Edit the /home/memberizer/memberizer/config.json file and add the fingerprint of this key to the signer_ids list.
- Restart memberizer with supervisorctl for the changes to take effect:
# supervisorctl restart memberizer