Tech:Ldap

Miraheze uses LDAP as the authentication system for some of our infrastructure, such as Grafana and Icingaweb2.

You can use ldapcherry to modify a user, add a user or change the roles a user has. A user can also use it to change their own password. The commands below do the same from the command line (plus extras that cannot be done in the UI).

You can find the LDAP password in /etc/ldapvi.conf. All these steps have to be done on ldap1.miraheze.org.

Terminology:
 * cn = Common Name
 * sn = Surname
 * uid = the username you will log in with
 * givenName = First Name

Add New User
1. Add the following to a file named user.ldif:

dn: uid= ,ou=people,dc=miraheze,dc=org
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid:
givenName:
sn:
cn:
mail:
userPassword:

The 'uid' attribute is the username you will log in with. It is recommended to set the 'cn' attribute to the same value as 'uid'. 'givenName' is usually your first name, while 'sn' is your surname. You cannot put the plaintext password directly in this ldif file; instead you need to generate a hash through.

2. Run.
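As an added example (not Miraheze's own tooling), the following Python produces the {SSHA} value that the userPassword attribute expects, verifies a password against a stored value (rejecting malformed ones), and renders the user.ldif above from the four attributes with cn set to uid as recommended. The function names are the example's own.

```python
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"


def make_ssha(password, salt=None):
    """Return a {SSHA} userPassword value: base64(sha1(password + salt) + salt),
    the layout slappasswd -h {SSHA} produces. Salt is 4 random bytes unless given."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP's default SSHA salt length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a password against a stored {SSHA} value; False on malformed input."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= 20:  # SHA-1 digest is 20 bytes; anything after it is the salt
        return False  # digest only, no salt: not a usable SSHA value
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def user_ldif(uid, given_name, sn, mail, password):
    """Render the Add New User ldif with cn = uid (as recommended) and a hashed password."""
    lines = [
        f"dn: uid={uid},ou=people,dc=miraheze,dc=org",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"givenName: {given_name}",
        f"sn: {sn}",
        f"cn: {uid}",
        f"mail: {mail}",
        f"userPassword: {make_ssha(password)}",
    ]
    return "\n".join(lines) + "\n"
```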

Add New Group
1. Add the following to group.ldif:

dn: cn= ,ou=groups,dc=miraheze,dc=org
objectClass: top
objectClass: groupOfNames
cn: users

2. Run

Add User to existing group
1. Create the following in add_member.ldif:

dn: cn= ,ou=groups,dc=miraheze,dc=org
changetype: modify
add: memberUid
memberUid:

2. Run

Alternatively you can do:

1. Run.

2. Add the user's uid to. One uid per line.

Note that you need to add the memberOf field to the user which can be done with:

1. Run.

2. Add

Note: Existing groups are "sre" and "matomo-super".

Modify user field
1. Add the following to modify.ldif (note that the operation can be either add or delete):

dn: uid= ,ou=people,dc=miraheze,dc=org
changetype: modify
delete: memberOf
memberOf: cn=sre,ou=groups,dc=miraheze,dc=org

2. Run

Modify Existing User
1. Run  on the ldap server (so ldap1.miraheze.org).

2. Change the bit you want and save.

Modify Existing Group
1. Run  on the ldap server (so ldap1.miraheze.org).

2. Change the bit you want and save.

Change User Password
1. Run.

2. Run  on the ldap server (so ldap1.miraheze.org).

3. Locate the user you want to change and then locate the password field.

(Use the {SSHA} you got from the previous step).

4. Save.

Change admin password
To change the admin password do the following:

1. Run

2. Run the following:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// << EOF
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA got from first step}
EOF

3. Run

(Don't forget to change the password in the private puppet repo too)

Adding base dn
1. Add the following to a .ldif file:

dn: ou=people,dc=miraheze,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=miraheze,dc=org
objectClass: organizationalUnit
ou: groups

2. Run

(The password can be found in the private puppet repo)

Deleting user or group
To delete a user do the following:

1. Run.

To delete a group do the following:

1. Run.

LDAP Index
1. Add the following to index.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

2. Run