Difference between revisions of "LDAP"

From Technologia Incognita
Jump to: navigation, search
m (federate all the spaces! o/)
 
(One intermediate revision by one other user not shown)
Line 8: Line 8:
 
== Implementation plan ==
 
== Implementation plan ==
  
# Load members into LDAP.
+
# Load members into LDAP. - Done
 
# Set passwords manually for selected users.
 
# Set passwords manually for selected users.
 +
# Create systems user for each system that needs special access to LDAP.
 
# Connect homepage/Drupal to the LDAP server.  
 
# Connect homepage/Drupal to the LDAP server.  
 
# Create a password (re)set service.
 
# Create a password (re)set service.
Line 42: Line 43:
 
# Restart memberizer with supervisorctl for the changes to take effect:  
 
# Restart memberizer with supervisorctl for the changes to take effect:  
 
   # supervisorctl restart memberizer
 
   # supervisorctl restart memberizer
 +
 +
 +
[[Category:SpaceFED]]

Latest revision as of 00:13, 28 August 2013

Server data

  • Hostname: ldap.techinc.nl (does not work yet)
  • Base DN: dc=techinc,dc=nl
  • Users DN: ou=people,dc=techinc,dc=nl
  • Groups DN: ou=groups,dc=techinc,dc=nl

Implementation plan

  1. Load members into LDAP. - Done
  2. Set passwords manually for selected users.
  3. Create systems user for each system that needs special access to LDAP.
  4. Connect homepage/Drupal to the LDAP server.
  5. Create a password (re)set service.
  6. Load the users of the wiki into LDAP (we need to see if the MediaWiki password hashes has can be transported to LDAP)
  7. Connect MediaWiki to LDAP
  8. Start connecting the space-desktops to LDAP

Synchronizing members automatically - Memberizer

To add users to the LDAP "members" group there is an automated process that will receive the complete list of members and do the following:

  1. Any member not yet registered in the LDAP, will have a skeleton user created.
  2. All members will be added to the member list
  3. All other users will not be in the member list.

To use this process, the maintainer of the official list (Normally: The Treasurer) will have to do the following:

  1. Generate a JSON file with all of the space members (anyone not in the list, will not be a member in the LDAP anymore). Format example: https://github.com/chotee/memberizer/blob/master/memberizer/test/test_members.json
  2. Encrypt and sign the resgpg --sign --encrypt --recipient D2ABFD78 members.jsonulting file. It needs to be encrypted with the memberizer public key [0xF71A39FFD2ABFD78]
 $ gpg --sign --encrypt --recipient 0xF71A39FFD2ABFD78 members.json
  1. Copy the encrypted file via scp to the /var/spool/members directory on armitage.techinc.nl .
 $ scp members.json.gpg armitage.techinc.nl:/var/spool/members
  1. Memberizer will send an email to the emailadres of the member that signed the members file with a summary of the changes.

The code that runs this is available for review at https://github.com/chotee/memberizer

Authorizing members to update the list

(this needs to be done once for each person able to update the member list)

  1. Create a user for this authorized-member on armitage
  2. Add this user to the memberizer group on armitage
  3. As the memberizer user add the public key of the authorized-member to the GPG keyring and (after verifying the fingerprint) trust it in the keyring.
  4. Edit the /home/memberizer/memberizer/config.json file and add the fingerprint of this key to the signer_ids list.
  5. Restart memberizer with supervisorctl for the changes to take effect:
 # supervisorctl restart memberizer