Difference between revisions of "SAC:LDAP"

From OSGeo
(reordered sections)
Revision as of 00:33, 4 May 2016

OSGeo endeavours to offer a "single sign-on" for OSGeo services. It is currently used for Subversion, Trac, and Drupal. It is hoped to also use it for mediawiki and possibly some other services in the future. LDAP management is the responsibility of SAC (the System Administration Committee).

LDAP Server (OpenLDAP)

The userid database is kept in LDAP on ldap.osgeo.org (secure vm). It is served by OpenLDAP (OpenLDAP Admin Guide: http://www.openldap.org/doc/admin/).

The ldap daemon can be manipulated as the 'root' user with:

$ /etc/init.d/slapd start|stop|restart

The main ldap config file is,

/etc/ldap/slapd.conf

To see detailed logging for ldap, change "loglevel 1" to "loglevel 3" in /etc/ldap/slapd.conf, restart the service and watch /var/log/debug. Be careful not to leave it like this for too long: the log grows quickly and is not rotated.

Currently the ldap structure is pretty basic. It is kept simple so that a more complex structure can be evolved as ldap becomes increasingly integrated into the full osgeo systems structure.


LDAP structure

  • dc=osgeo,dc=org
    • cn=Manager
    • ou=people
      • Separate entity for each user:
          uid=login,ou=people,dc=osgeo,dc=org
          objectClass=inetOrgPerson
          cn=firstName lastName
          sn=lastName
          uid=login
          mail=email@address
          userPassword={md5}YPTyViiMKhiuWKEmFUOKLA==
        Also contains posixAccount and shadowAccount fields if this account is login enabled.
    • ou=projects,dc=osgeo,dc=org
          objectClass=organizationalUnit
          ou=projects
          description=separate entity for each osgeo project with list of members
      • Separate entity for each project group:
          cn=admin,ou=projects,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=admin
          description=osgeo sysadmin group
    • ou=svn
          objectClass=organizationalUnit
          ou=svn
          description=separate entity for each repository with list of members with commit rights
      • Separate entity for each svn group (for example FDO):
          cn=fdo,ou=svn,dc=osgeo,dc=org
          objectClass=groupOfNames
          cn=fdo
          member=dn of member
    • ou=Shell (parent for "login" groups)
          description=NextUID:nnnnn (the next unix uidNumber value to assign)
      • cn=telascience,ou=Shell,dc=osgeo,dc=org (list of all userids with telascience login access)
          uniqueMember=dn of member


Example ldif file

   version: 1

   dn: dc=osgeo,dc=org
   objectClass: dcObject
   objectClass: organization
   description: OSGeo ldap dit
   o: OSGeo
   dc: osgeo

   dn: cn=Manager,dc=osgeo,dc=org
   objectClass: organizationalRole
   cn: Manager

   dn: ou=people,dc=osgeo,dc=org
   ou: people
   description: all users of osgeo
   objectClass: organizationalUnit

   dn: uid=jsmith,ou=people,dc=osgeo,dc=org
   objectClass: inetOrgPerson
   uid: jsmith
   cn: Jon Smith
   sn: Smith 
   givenName: Jon
   mail: jsmith@somewhere.com
   userPassword: {md5}5Or4zfzGqo3jh/6iIUgKcA==

   dn: uid=jbrown,ou=people,dc=osgeo,dc=org
   objectClass: inetOrgPerson
   uid: jbrown
   cn: Jane Brown
   sn: Brown
   givenName: Jane 
   mail: jbrown@someotherplace.com
   userPassword: {md5}1iWhTyvkK2m4Uuar+Dp/IA==

   dn: ou=projects,dc=osgeo,dc=org
   ou: projects
   description: separate entity for each osgeo project with list of members
   objectClass: organizationalUnit

   dn: cn=admin,ou=projects,dc=osgeo,dc=org
   cn: admin
   description: osgeo sysadmin group
   objectClass: groupOfNames
   member: uid=jbrown,ou=people,dc=osgeo,dc=org
   member: uid=jsmith,ou=people,dc=osgeo,dc=org

   dn: ou=svn,dc=osgeo,dc=org
   ou: svn
   description: separate entity for each repository, list of members with commit rights
   objectClass: organizationalUnit

   dn: cn=fdo,ou=svn,dc=osgeo,dc=org
   objectClass: groupOfNames
   cn: fdo
   member: uid=jsmith,ou=people,dc=osgeo,dc=org
   member: uid=jbrown,ou=people,dc=osgeo,dc=org

   dn: cn=gdal,ou=svn,dc=osgeo,dc=org
   cn: gdal
   objectClass: groupOfNames
   objectClass: top
   member: uid=jbrown,ou=people,dc=osgeo,dc=org
   member: uid=jsmith,ou=people,dc=osgeo,dc=org

   dn: cn=mapbender,ou=svn,dc=osgeo,dc=org
   objectClass: groupOfNames
   cn: mapbender
   member: uid=jsmith,ou=people,dc=osgeo,dc=org

   dn: cn=mapguide,ou=svn,dc=osgeo,dc=org
   objectClass: groupOfNames
   cn: mapguide
   member: uid=jbrown,ou=people,dc=osgeo,dc=org

LDAP Clients

Web interface

The LDAP web admin tools, written in python by Frank Warmerdam, can currently be found in /usr/lib/cgi-bin on the "web vm" (i.e. www2.osgeo.org). The canonical URLs still point to www.osgeo.org, which redirects them to www2.osgeo.org. The scripts read the LDAP manager password from a credentials file that will need to be updated any time the master LDAP manager password is changed.

Some public notes on OSGeo userids are available at:

 http://www.osgeo.org/osgeo_userid

Administrators can log in to this special ldap search tool; they will see email addresses and have a link to edit the LDAP entries. You need to be in the cn=admin,ou=projects listing.

 https://www.osgeo.org/cgi-bin/auth/ldap_web_search.py

SVN and other groups can be administered with the group editor. You need to either be in the group being viewed/modified or in the cn=admin,ou=projects group in order to edit a group.

Edit GDAL commit list:

 https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=gdal

Edit Admins list:

 https://www.osgeo.org/cgi-bin/auth/ldap_group.py?group=admin&ou=projects

To edit an individual userid use ldap_edit_user.py. If you add ?userid=osgeo_userid you can edit someone else's ldap entry as long as you are in the admins group.

 https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py
 https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py?userid=osgeotest123

To edit the list of people who have shell access to the various project servers, including the download server, use the following url. You have to be in the group already, or in the Admins group, in order to add and remove people. Adding someone will add the required posixAccount and related attributes to the user's LDAP entry.

 https://www.osgeo.org/cgi-bin/auth/ldap_shell.py

The ldap_shell.py script can also operate on other groups used for shell access via the group query parameter. Currently the only other group is the sac group, used for shell access on the core services VMs at OSU OSL.

 https://www.osgeo.org/cgi-bin/auth/ldap_shell.py?group=sac
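As an added example (not OSGeo's own code, and not the scripts described above), the following parses an LDIF shaped like the example in the LDAP structure section, applies the page's authorisation rule for the group editor (a user may edit a group if they are in that group or in cn=admin,ou=projects), and runs two hygiene checks an admin would want: member DNs that point at entries that no longer exist, and accounts still stored with the {md5} password scheme shown in the example. The sample LDIF is constructed from the page's example; the 'ghost' member is a placeholder.

```python
# Added example (not OSGeo's code): parse LDIF shaped like the page's example,
# apply the group editor's rule from the page, and run two hygiene checks.
ADMIN_GROUP = "cn=admin,ou=projects,dc=osgeo,dc=org"

# Constructed sample derived from the page's ldif; 'ghost' is a placeholder.
SAMPLE_LDIF = """\
dn: uid=jsmith,ou=people,dc=osgeo,dc=org
uid: jsmith
userPassword: {md5}5Or4zfzGqo3jh/6iIUgKcA==

dn: uid=jbrown,ou=people,dc=osgeo,dc=org
uid: jbrown

dn: cn=admin,ou=projects,dc=osgeo,dc=org
cn: admin
member: uid=jbrown,ou=people,dc=osgeo,dc=org

dn: cn=mapbender,ou=svn,dc=osgeo,dc=org
cn: mapbender
member: uid=jsmith,ou=people,dc=osgeo,dc=org
member: uid=ghost,ou=people,dc=osgeo,dc=org
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple LDIF (no base64, no folding)."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = [s.strip() for s in line.partition(":")]
        if not attr:  # a blank line terminates the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def can_edit_group(entries, uid, group_dn):
    """The page's rule: you may edit a group if you are in it or in the admin group."""
    user_dn = f"uid={uid},ou=people,dc=osgeo,dc=org"
    return any(user_dn in entries.get(dn, {}).get("member", [])
               for dn in (group_dn, ADMIN_GROUP))

def dangling_members(entries):
    """Member DNs with no entry: rights still granted to accounts that are gone."""
    return sorted({m for e in entries.values() for m in e.get("member", []) if m not in entries})

def md5_password_users(entries):
    """Accounts still on the unsalted {md5} scheme shown in the page's example."""
    return sorted(e["uid"][0] for e in entries.values()
                  if any(p.startswith("{md5}") for p in e.get("userPassword", [])))
```

Note that the placeholder 'ghost' member is still granted edit rights by the membership rule even though its entry is missing, which is exactly why the dangling-member check is worth running against a real dump.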

Command line interface

Loading an ldif file into an ldap directory

  $ ldapadd -a -W -x -D "cn=Manager,dc=osgeo,dc=org" -f fileName.ldif

Accessing the ldap directory through phpldapadmin

[ NOTE: broken as of March 2016 ]

access an ldapadmin interface at https://www.osgeo.org/ldapadmin

Access to this interface is restricted to the admin group

Querying the LDAP database from the command line

This command seems to dump the whole LDAP database. Use with care, but sometimes it's the easiest way to search (using grep):

 $ ldapsearch -H ldaps://ldap.osgeo.org/ -b dc=osgeo,dc=org -x

Refine your search based on the structure listed in the LDAP structure section above. Example: list all SVN groups (limit the ou to svn, then search for objects with the right objectClass).

 $ ldapsearch -H ldaps://ldap.osgeo.org/ -s one -b ou=svn,dc=osgeo,dc=org -x "(&(objectClass=groupOfNames))" | grep cn


Troubleshooting

  • "sudo" unavailable to LDAP-authenticated users on Debian7. See:
    https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/926350 and
    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647
    • Short form: "libgnutls" in Debian7 is linked against "libgcrypt", which refuses to work in setuid binaries like "sudo".
    • Solution: Rebuild "libgnutls" using "libnettle" instead of "libgcrypt":
        aptitude install libhogweed2 libnettle4 nettle-dev libp11-kit-dev
        apt-get remove libgnutls-dev
        apt-get source gnutls26
        # remove --with-libgcrypt from the debian/rules file
        # build using this command:
        debuild -i -uc -us -b
    • Functional GnuTLS packages are available on "secure" in /home/martin/GnuTLS.Deb/
    • The sudo package is pinned to the working version via /etc/apt/preferences.d/sudo.pref:
        <hostname>:~# cat /etc/apt/preferences.d/sudo.pref
        Package: sudo
        Pin: version 1.7.4*
        Pin-Priority: 1000