Difference between revisions of "SAC:LDAP"

From OSGeo
(→‎LDAP Tools: add notes about ldap_shell.py)
(→‎OpenLDAP: remove details about adding users and group members as these should normally be done via the special python scripts.)
Line 51 (unchanged context in both revisions):

Access to this interface is restricted to the admin group

Removed in this revision (the manual phpldapadmin procedure; per the edit summary, adding users and group members should normally be done via the special python scripts instead):

users can be added to ou=people,dc=osgeo,dc=org

once users are added they can then be added to

cn=project,ou=svn,dc=osgeo,dc=org

login as cn=Manager,dc=osgeo,dc=org

*expand dc=osgeo,dc=org tree
*expand the ou=people tree
*click on 'create new entry here'
*choose 'custom' and then 'proceed'
**RDN is in the form of uid=username
**ObjectClass is inetOrgPerson
**click proceed
***cn is common name in form of firstname lastname
***sn is surname - lastname
***no optionals are required
**click 'create object'
***on this page click 'add new attribute'
****choose mail
*****enter email address
*****click add
****on this page click 'add new attribute'
*****choose userPassword
*****enter password as an md5
*****click add

this adds the new user to ou=people

to add users to the cn=project,ou=svn group

*expand the ou=svn tree
*click on cn=project
**under member click 'add value'
**add user to this in same form as you and howard are listed
**or can click on the 'folder with magnifying glass' to select a user

that's it.

Unchanged context in both revisions:

== ldap structure ==

Revision as of 22:40, 30 March 2009

LDAP

OSGeo endeavours to offer a "single sign-on" for OSGeo services. The userid database is kept in LDAP on ldap.osgeo.org (osgeo1). It is currently used for Subversion, Trac, and Drupal. It is hoped to also use it for MediaWiki and possibly other services in the future. LDAP management is the responsibility of SAC (the System Administration Committee).

NOTE: There is also an LDAP server running at telascience which is distinct from what is described here. That server is used to manage shell access to various telascience blades and is operated by Howard Butler. But it is now generally considered secondary.

LDAP Tools

Some public notes on OSGeo userids are available at:

 http://www.osgeo.org/osgeo_userid

Administrators can log in to this special ldap search tool; they will see email addresses and a link to edit the LDAP entries. You need to be in the cn=admin,ou=projects group.

 https://www.osgeo.org/cgi-bin/auth/ldap_web_search.py

SVN and other groups can be administered with the group editor. You need to either be in the group being viewed/modified or in the cn=admin,ou=projects group in order to edit a group.

Edit GDAL commit list:

 https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=gdal

Edit Admins list:

 https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=admin&ou=projects

To edit an individual userid use ldap_edit_user.py. Adding ?userid=osgeo_userid lets you edit someone else's ldap entry, as long as you are in the admins group.

 https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py
 https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py?userid=osgeotest123

To edit the list of people who have shell access to the telascience blades, use the following url. You have to be in the group already, or in the Admins group, in order to add and remove people. Adding someone will add the required posixAccount and related attributes to the user's LDAP entry.

 https://www.osgeo.org/cgi-bin/auth/ldap_shell.py

OpenLDAP

OpenLDAP Admin Guide

The ldap daemon can be manipulated with:

$ sudo /sbin/service ldap start|stop|restart

The main ldap config file is:

/etc/openldap/slapd.conf

The ldap structure is currently quite basic. The purpose of keeping it simple is to allow a more complex structure to evolve as ldap becomes increasingly integrated into the full osgeo systems structure.

Loading an ldif file into an ldap directory

  $ ldapadd -a -W -x -D "cn=Manager,dc=osgeo,dc=org" -f fileName.ldif

Accessing the ldap directory through phpldapadmin

The phpldapadmin interface is at https://www.osgeo.org/ldapadmin

Access to this interface is restricted to the admin group

ldap structure

  • dc=osgeo,dc=org
    • cn=Manager,dc=osgeo,dc=org
    • ou=people,dc=osgeo,dc=org
      • separate entry for each user:
        uid=login,ou=people,dc=osgeo,dc=org
          objectClass=inetOrgPerson
          cn=firstName lastName
          sn=lastName
          uid=login
          mail=email@address
          userPassword={md5}YPTyViiMKhiuWKEmFUOKLA==
    • ou=projects,dc=osgeo,dc=org
        objectClass=organizationalUnit
        ou=projects
        description=separate entity for each osgeo project with list of members
      • separate entry for each project group:
        cn=admin,ou=projects,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=admin
          description=osgeo sysadmin group
    • ou=svn,dc=osgeo,dc=org
        objectClass=organizationalUnit
        ou=svn
        description=separate entity for each repository with list of members with commit rights
      • separate entry for each svn group:
        cn=fdo,ou=svn,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=fdo
          member=dn of member
        cn=gdal,ou=svn,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=gdal
          member=dn of member
        cn=mapguide,ou=svn,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=mapguide
          member=dn of member
        cn=mapbender,ou=svn,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=mapbender
          member=dn of member
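The userPassword values in the structure above use the {md5} scheme. As an added example (not code from the OSGeo wiki or its scripts), the following Python shows how that scheme is produced and verified, beside OpenLDAP's salted {SSHA} scheme for comparison; the passwords and salts are constructed for the demo. Because {md5} is unsalted, two accounts that share a password store identical values, which the salted scheme avoids.

```python
import base64
import hashlib
import hmac
import os


def make_md5_password(password):
    """Produce a userPassword value in the {md5} scheme used on this page:
    base64 of the raw 16-byte MD5 digest of the password, no salt."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{md5}" + base64.b64encode(digest).decode("ascii")


def make_ssha_password(password, salt=None):
    """Produce a userPassword value in OpenLDAP's salted {SSHA} scheme:
    base64(sha1(password + salt) + salt). A 4-byte random salt is used
    unless one is supplied (explicit salts here only make the demo deterministic)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_password(password, stored):
    """Check a candidate password against a stored {md5} or {SSHA} value.
    The digest comparison is constant-time."""
    scheme, _, encoded = stored.partition("}")
    scheme = scheme.lstrip("{").upper()
    raw = base64.b64decode(encoded)
    if scheme == "MD5":
        expected = hashlib.md5(password.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError(f"unsupported password scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed demo password; the two users share it.
    pw = "demo-password"
    print("user A {md5}: ", make_md5_password(pw))
    print("user B {md5}: ", make_md5_password(pw))      # identical to user A
    print("user A {SSHA}:", make_ssha_password(pw))
    print("user B {SSHA}:", make_ssha_password(pw))     # differs: different salt
    print("verify:", verify_password(pw, make_md5_password(pw)))
```

The {md5} value for a given password is fully determined by the password, so a directory dump lets anyone spot accounts that share one; slappasswd's default {SSHA} output changes with every salt.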


Example ldif file

<code>
version: 1

dn: dc=osgeo,dc=org
objectClass: dcObject
objectClass: organization
description: OSGeo ldap dit
o: OSGeo
dc: osgeo

dn: cn=Manager,dc=osgeo,dc=org
objectClass: organizationalRole
cn: Manager

dn: ou=people,dc=osgeo,dc=org
ou: people
description: all users of osgeo
objectClass: organizationalUnit

dn: uid=jsmith,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jsmith
cn: Jon Smith
sn: Smith
givenName: Jon
mail: jsmith@somewhere.com
userPassword: {md5}5Or4zfzGqo3jh/6iIUgKcA==

dn: uid=jbrown,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jbrown
cn: Jane Brown
sn: Brown
givenName: Jane
mail: jbrown@someotherplace.com
userPassword: {md5}1iWhTyvkK2m4Uuar+Dp/IA==

dn: ou=projects,dc=osgeo,dc=org
ou: projects
description: separate entity for each osgeo project with list of members
objectClass: organizationalUnit

dn: cn=admin,ou=projects,dc=osgeo,dc=org
cn: admin
description: osgeo sysadmin group
objectClass: groupOfNames
member: uid=jbrown,ou=people,dc=osgeo,dc=org
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: ou=svn,dc=osgeo,dc=org
ou: svn
description: separate entity for each repository, list of members with commit rights
objectClass: organizationalUnit

dn: cn=fdo,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: fdo
member: uid=jsmith,ou=people,dc=osgeo,dc=org
member: uid=jbrown,ou=people,dc=osgeo,dc=org

dn: cn=gdal,ou=svn,dc=osgeo,dc=org
cn: gdal
objectClass: groupOfNames
objectClass: top
member: uid=jbrown,ou=people,dc=osgeo,dc=org
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: cn=mapbender,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: mapbender
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: cn=mapguide,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: mapguide
member: uid=jbrown,ou=people,dc=osgeo,dc=org
</code>
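An added example, not part of the OSGeo page or its ldap_*.py scripts: a small LDIF loader in Python that builds the directory laid out in the ldap structure section and the example ldif above, runs the consistency checks an administrator would want before feeding a file to ldapadd (the RDN value is present as an attribute, each inetOrgPerson has cn and sn, every groupOfNames has members and each member DN resolves to an existing entry), and applies the group-editor rule from the LDAP Tools section (an editor may change a group if they are a member of it or of cn=admin,ou=projects). The sample LDIF is constructed for this example; it folds one long line to exercise the parser and includes one deliberately dangling member.

```python
import base64
from collections import defaultdict

ADMIN_GROUP = "cn=admin,ou=projects,dc=osgeo,dc=org"

# Constructed sample in the layout this page describes (people under
# ou=people, groupOfNames groups under ou=projects and ou=svn).
# The member uid=nobody under cn=mapbender is deliberately dangling.
SAMPLE_LDIF = """\
version: 1

dn: uid=jsmith,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jsmith
cn: Jon Smith
sn: Smith

dn: uid=jbrown,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jbrown
cn: Jane Brown
sn: Brown
description:: SmFuZSBpcyBhIHN5c2FkbWlu

dn: cn=admin,ou=projects,dc=osgeo,dc=org
objectClass: groupOfNames
cn: admin
member: uid=jbrown,ou=people,dc=osgeo,dc=org

dn: cn=gdal,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: gdal
member: uid=jsmith,ou=people,
 dc=osgeo,dc=org

dn: cn=mapbender,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: mapbender
member: uid=nobody,ou=people,dc=osgeo,dc=org
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr: [values]}). Attribute names are
    lower-cased; folded lines (leading space), comments, the version line and
    base64 values ("attr:: ...") are handled."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    return entries


def norm_dn(dn):
    """Normalise a DN for comparison: trim around commas, lower-case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def index_entries(entries):
    return {norm_dn(dn): attrs for dn, attrs in entries}


def check_directory(entries):
    """Return a list of findings describing structural problems."""
    by_dn, findings = index_entries(entries), []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        if rdn_val.strip() not in attrs.get(rdn_attr.strip().lower(), []):
            findings.append(f"{dn}: RDN value {rdn_attr}={rdn_val} missing from attributes")
        if "inetorgperson" in classes:
            for must in ("cn", "sn"):
                if must not in attrs:
                    findings.append(f"{dn}: inetOrgPerson without required '{must}'")
        if "groupofnames" in classes:
            members = attrs.get("member", [])
            if not members:
                findings.append(f"{dn}: groupOfNames with no member")
            for m in members:
                if norm_dn(m) not in by_dn:
                    findings.append(f"{dn}: member {m} does not exist")
    return findings


def is_member(by_dn, group_dn, user_dn):
    group = by_dn.get(norm_dn(group_dn))
    if group is None:
        return False
    return norm_dn(user_dn) in {norm_dn(m) for m in group.get("member", [])}


def can_edit_group(by_dn, editor_dn, group_dn):
    """The group-editor rule described on this page: a user may edit a group
    if they are in that group or in cn=admin,ou=projects."""
    return is_member(by_dn, group_dn, editor_dn) or is_member(by_dn, ADMIN_GROUP, editor_dn)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for finding in check_directory(entries):
        print("FINDING:", finding)
    by_dn = index_entries(entries)
    print(can_edit_group(by_dn, "uid=jsmith,ou=people,dc=osgeo,dc=org",
                         "cn=mapbender,ou=svn,dc=osgeo,dc=org"))
```

Running the checks before ldapadd catches the kind of slip the structure section invites (an RDN such as cn=gdal whose cn attribute says something else) and membership lines that point at users who were never created, which otherwise sit silently in a commit group.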