Difference between revisions of "LDAP"
Edit summary: m (federate all the spaces! o/)
Latest revision as of 00:13, 28 August 2013
Server data
- Hostname: ldap.techinc.nl (does not work yet)
- Base DN: dc=techinc,dc=nl
- Users DN: ou=people,dc=techinc,dc=nl
- Groups DN: ou=groups,dc=techinc,dc=nl
Implementation plan
- Load members into LDAP. - Done
- Set passwords manually for selected users.
- Create systems user for each system that needs special access to LDAP.
- Connect homepage/Drupal to the LDAP server.
- Create a password (re)set service.
- Load the users of the wiki into LDAP (we need to check whether the MediaWiki password hashes can be transported to LDAP).
- Connect MediaWiki to LDAP
- Start connecting the space-desktops to LDAP
Synchronizing members automatically - Memberizer
To add users to the LDAP "members" group there is an automated process that will receive the complete list of members and do the following:
- Any member not yet registered in LDAP will have a skeleton user created.
- All members will be added to the member list.
- All other users will not be in the member list.
To use this process, the maintainer of the official list (Normally: The Treasurer) will have to do the following:
- Generate a JSON file with all of the space members (anyone not in the list, will not be a member in the LDAP anymore). Format example: https://github.com/chotee/memberizer/blob/master/memberizer/test/test_members.json
- Encrypt and sign the resulting file. It needs to be encrypted with the memberizer public key [0xF71A39FFD2ABFD78]:
$ gpg --sign --encrypt --recipient 0xF71A39FFD2ABFD78 members.json
- Copy the encrypted file via scp to the /var/spool/members directory on armitage.techinc.nl.
$ scp members.json.gpg armitage.techinc.nl:/var/spool/members
- Memberizer will send an email to the email address of the member that signed the members file with a summary of the changes.
The code that runs this is available for review at https://github.com/chotee/memberizer
Authorizing members to update the list
(this needs to be done once for each person able to update the member list)
- Create a user for this authorized-member on armitage
- Add this user to the memberizer group on armitage
- As the memberizer user add the public key of the authorized-member to the GPG keyring and (after verifying the fingerprint) trust it in the keyring.
- Edit the /home/memberizer/memberizer/config.json file and add the fingerprint of this key to the signer_ids list.
- Restart memberizer with supervisorctl for the changes to take effect:
# supervisorctl restart memberizer
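The three sync rules from "Synchronizing members automatically" and the signer_ids gate from "Authorizing members to update the list", as an added Python example. This is not memberizer's own code (that lives in the linked repository): it models the LDAP tree as an in-memory dict, assumes the members JSON is a list of records with a "uid" field, assumes the group DN is cn=members under the groups OU, and uses a constructed placeholder fingerprint in place of a real key. The DNs themselves come from the "Server data" section.

```python
import json

# DNs taken from the page's "Server data" section.
BASE_DN = "dc=techinc,dc=nl"
PEOPLE_DN = "ou=people," + BASE_DN
GROUPS_DN = "ou=groups," + BASE_DN
# The page names the group "members"; the cn= form of its DN is an assumption.
MEMBERS_GROUP_DN = "cn=members," + GROUPS_DN

# Constructed stand-in for the signer_ids list in config.json. The value is a
# placeholder fingerprint, not a real key.
CONFIG = {"signer_ids": ["0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"]}

# Constructed members file in the shape this example assumes: a list of
# records with a "uid" field (the real test_members.json may differ).
SAMPLE_MEMBERS_JSON = json.dumps([
    {"uid": "alice", "name": "Alice"},
    {"uid": "bob", "name": "Bob"},
    {"uid": "dave", "name": "Dave"},
])


def sample_directory():
    """In-memory stand-in for the LDAP tree: uid -> set of group DNs.
    carol is a member today but is absent from the new file; dave is new."""
    return {
        "alice": {MEMBERS_GROUP_DN},
        "bob": set(),
        "carol": {MEMBERS_GROUP_DN},
        "wiki-sync": set(),      # a systems user; never in the members file
    }


def user_dn(uid):
    """DN of a person entry under the users OU from the server data."""
    return f"uid={uid},{PEOPLE_DN}"


def _normalize(fp):
    fp = fp.replace(" ", "").upper()
    return fp[2:] if fp.startswith("0X") else fp


def signer_authorized(fingerprint, config):
    """True only if the full 40-hex fingerprint of the signing key is listed
    in signer_ids. A short key ID is rejected outright: matching on the last
    8 or 16 hex digits would accept a different key that shares that ID, so
    the list should hold full fingerprints."""
    fp = _normalize(fingerprint)
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        return False
    return fp in {_normalize(s) for s in config["signer_ids"]}


def plan_sync(members_json, directory):
    """Apply the page's three rules to a snapshot of the directory.
    Returns (to_create, to_add, to_remove) as sorted uid lists."""
    member_uids = {rec["uid"] for rec in json.loads(members_json)}
    current = {uid for uid, groups in directory.items() if MEMBERS_GROUP_DN in groups}
    to_create = sorted(member_uids - set(directory))  # rule 1: skeleton users
    to_add = sorted(member_uids - current)             # rule 2: all members in
    to_remove = sorted(current - member_uids)          # rule 3: everyone else out
    return to_create, to_add, to_remove


def process_members_file(members_json, signer_fingerprint, directory, config=CONFIG):
    """Gate on the signer, then apply the plan to the directory in place and
    return the summary that the notification email would carry."""
    if not signer_authorized(signer_fingerprint, config):
        raise PermissionError("members file not signed by an authorized key")
    to_create, to_add, to_remove = plan_sync(members_json, directory)
    for uid in to_create:
        directory[uid] = set()       # skeleton entry at user_dn(uid), no groups yet
    for uid in to_add:
        directory[uid].add(MEMBERS_GROUP_DN)
    for uid in to_remove:
        directory[uid].discard(MEMBERS_GROUP_DN)
    return {"created": [user_dn(u) for u in to_create],
            "added": to_add, "removed": to_remove}


if __name__ == "__main__":
    tree = sample_directory()
    print(json.dumps(process_members_file(
        SAMPLE_MEMBERS_JSON, CONFIG["signer_ids"][0], tree), indent=2))
```

Running the sync twice against the same tree yields an empty plan the second time, which is the property the treasurer relies on: the members file is the single source of truth, and a systems user such as wiki-sync is never touched because it is never listed in it.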