SAC:LDAP
LDAP
OSGeo endeavours to offer a "single sign-on" for OSGeo services. The userid database is kept in LDAP on ldap.osgeo.org (osgeo1). It is currently used for Subversion, Trac, and Drupal. It is hoped to also use it for MediaWiki and possibly some other services in the future. LDAP management is the responsibility of SAC (the System Administration Committee).
NOTE: There is also an LDAP server running at telascience which is distinct from what is described here. That server is used to manage shell access to various telascience blades and is operated by Howard Butler. But it is now generally considered secondary.
LDAP Tools
Some public notes on OSGeo userids are available at:
http://www.osgeo.org/osgeo_userid
Administrators can log in to this special LDAP search tool; they will see each user's email address and will have a link to edit the LDAP entries. You need to be in the cn=admin,ou=projects group.
https://www.osgeo.org/cgi-bin/auth/ldap_web_search.py
SVN and other groups can be administered with the group editor. You need to either be in the group being viewed/modified or in the cn=admin,ou=projects group in order to edit a group.
Edit GDAL commit list:
https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=gdal
Edit Admins list:
https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=admin&ou=projects
To edit an individual userid use ldap_edit_user.py. If you add ?userid=osgeo_userid you can edit someone else's LDAP entry as long as you are in the admins group.
https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py
https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py?userid=osgeotest123
To edit the list of people who have shell access to the telascience blades use the following URL. You have to be in the group already, or in the Admins group, in order to add and remove people. Adding someone will add the required posixAccount and related attributes to the user's LDAP entry.
https://www.osgeo.org/cgi-bin/auth/ldap_shell.py
OpenLDAP
The ldap daemon can be manipulated with:
$ sudo /sbin/service ldap start|stop|restart
The main ldap config file is:
/etc/openldap/slapd.conf
Currently the LDAP structure is pretty basic. The purpose of keeping this structure simple is to allow a more complex structure to evolve as LDAP becomes increasingly integrated into the full OSGeo systems structure.
Loading an ldif file into an ldap directory
$ ldapadd -a -W -x -D "cn=Manager,dc=osgeo,dc=org" -f fileName.ldif
Accessing the ldap directory through phpldapadmin
Access a phpLDAPadmin interface at https://www.osgeo.org/ldapadmin
Access to this interface is restricted to the admin group.
ldap structure
- dc=osgeo,dc=org
  - cn=Manager
  - ou=people
    - Separate entity for each user
      - uid=login,ou=people,dc=osgeo,dc=org
      - objectClass=inetOrgPerson
      - cn=firstName lastName
      - sn=lastName
      - uid=login
      - mail=email@address
      - userPassword={md5}YPTyViiMKhiuWKEmFUOKLA==
      - Also contains posixAccount and shadowAccount fields if this account is login enabled.
  - ou=projects,dc=osgeo,dc=org
    - objectClass=organizationalUnit
    - ou=projects
    - description=separate entity for each osgeo project with list of members
    - Separate entity for each project group
      - cn=admin,ou=projects,dc=osgeo,dc=org
      - objectClass=groupOfNames
      - cn=admin
      - description=osgeo sysadmin group
  - ou=svn
    - objectClass=organizationalUnit
    - ou=svn
    - description=separate entity for each repository with list of members with commit rights
    - Separate entity for each svn group (for example FDO)
      - cn=fdo,ou=svn,dc=osgeo,dc=org
      - objectClass=groupOfNames
      - cn=fdo
      - member=dn of member
  - ou=Shell (parent for "login" groups)
    - description=NextUID:nnnnn (the next unix uidNumber value to assign)
    - cn=telascience,ou=Shell,dc=osgeo,dc=org (list of all userids with telascience login access)
      - uniqueMember=dn of member
Example ldif file
version: 1

dn: dc=osgeo,dc=org
objectClass: dcObject
objectClass: organization
description: OSGeo ldap dit
o: OSGeo
dc: osgeo

dn: cn=Manager,dc=osgeo,dc=org
objectClass: organizationalRole
cn: Manager

dn: ou=people,dc=osgeo,dc=org
ou: people
description: all users of osgeo
objectClass: organizationalUnit

dn: uid=jsmith,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jsmith
cn: Jon Smith
sn: Smith
givenName: Jon
mail: jsmith@somewhere.com
userPassword: {md5}5Or4zfzGqo3jh/6iIUgKcA==

dn: uid=jbrown,ou=people,dc=osgeo,dc=org
objectClass: inetOrgPerson
uid: jbrown
cn: Jane Brown
sn: Brown
givenName: Jane
mail: jbrown@someotherplace.com
userPassword: {md5}1iWhTyvkK2m4Uuar+Dp/IA==

dn: ou=projects,dc=osgeo,dc=org
ou: projects
description: separate entity for each osgeo project with list of members
objectClass: organizationalUnit

dn: cn=admin,ou=projects,dc=osgeo,dc=org
cn: admin
description: osgeo sysadmin group
objectClass: groupOfNames
member: uid=jbrown,ou=people,dc=osgeo,dc=org
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: ou=svn,dc=osgeo,dc=org
ou: svn
description: separate entity for each repository, list of members with commit rights
objectClass: organizationalUnit

dn: cn=fdo,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: fdo
member: uid=jsmith,ou=people,dc=osgeo,dc=org
member: uid=jbrown,ou=people,dc=osgeo,dc=org

dn: cn=gdal,ou=svn,dc=osgeo,dc=org
cn: gdal
objectClass: groupOfNames
objectClass: top
member: uid=jbrown,ou=people,dc=osgeo,dc=org
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: cn=mapbender,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: mapbender
member: uid=jsmith,ou=people,dc=osgeo,dc=org

dn: cn=mapguide,ou=svn,dc=osgeo,dc=org
objectClass: groupOfNames
cn: mapguide
member: uid=jbrown,ou=people,dc=osgeo,dc=org