Tech:Ldap

From Miraheze Meta, Miraheze's central coordination wiki
Revision as of 17:21, 25 January 2024 by Universal Omega (talk | contribs) (ldap141 -> ldap171)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Miraheze uses ldap as an authentication system for some of our infrastructure, such as Grafana and Icingaweb2.

You can use ldapvi to modify a user, add a user, or change the roles the user has. You can also use https://ldapwiki.miraheze.org to change your password.

You can find the ldap password in /etc/ldapvi.conf. All these steps have to be done using ldap171.wikitide.net.

Terminology:

  • cn = Common Name
  • sn = Surname
  • UID = username you'll login with
  • givenName = First Name

Add New User[edit | edit source]

1. Add the following to a file named user.ldif:

dn: uid=<uid>,ou=people,dc=miraheze,dc=org
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: <uid>
givenName: <firstName>
sn: <surname>
cn: <cn>
userPassword: <pass>

The 'uid' attribute is equal to the username you are using. It is recommended to set the 'cn' attribute equal to the contents of 'uid'. 'givenName' is usually your first name, while 'sn' is your surname. You cannot directly put your password in this ldif file, instead you need to generate a hash through sudo -i slappasswd.

2. Run ldapadd -x -D cn=write-user,dc=miraheze,dc=org -W -f user.ldif.

Add New Group[edit | edit source]

1. Add the following to group.ldif

dn: cn=<name of group>,ou=groups,dc=miraheze,dc=org
objectClass: top
objectClass: groupOfNames
cn: <name of group>
member:

2. Run ldapadd -x -W -D "cn=write-user,dc=miraheze,dc=org" -f group.ldif

Add User to existing group[edit | edit source]

1. Create the following in add_member.ldif

dn: cn=<group name>,ou=groups,dc=miraheze,dc=org
changetype: modify
add: member
member: uid=<user_uid>,ou=people,dc=miraheze,dc=org

2. Run ldapmodify -x -W -D "cn=write-user,dc=miraheze,dc=org" -f add_member.ldif

Alternatively you can do:

1. Run modify-ldap-group <group>.

2. Add member with value uid=<user_uid>,ou=people,dc=miraheze,dc=org. Must be one per line.

Modify user field[edit | edit source]

1. Add the following to modify.ldif (note you can add and delete):

dn: uid=<user>,ou=people,dc=miraheze,dc=org
changetype: modify
delete: memberOf
memberOf: cn=sre,ou=groups,dc=miraheze,dc=org

2. Run sudo ldapmodify -x -D cn=write-user,dc=miraheze,dc=org -W -f modify.ldif

Modify Existing User[edit | edit source]

1. Run modify-ldap-user <user> on the ldap server (so ldap171.wikitide.net).

2. Change the bit you want and save.

Modify Existing Group[edit | edit source]

1. Run modify-ldap-group <group> on the ldap server (so ldap171.wikitide.net).

2. Change the bit you want and save.

Change User Password[edit | edit source]

1. Run slappasswd.

2. Run ldapvi on the ldap server (so ldap171.wikitide.net).

3. Locate the user you want to change and then locate the password field.

(Use the {SSHA} you got from the previous step).

4. Save.

Change admin password[edit | edit source]

To change the admin password do the following:

1. Run slappasswd

2. Run the following:

ldapmodify -Q -Y EXTERNAL -H ldapi:/// << E0F
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA got from first step}
E0F

3. Run ldappasswd -x -D cn=admin,dc=miraheze,dc=org -W -S

(Don't forget to change the password in the private puppet repo too)

Adding base dn[edit | edit source]

1. Add the following to a .ldif file

dn: ou=people,dc=miraheze,dc=org
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=miraheze,dc=org
objectClass: organizationalUnit
ou: groups

2. Run sudo ldapadd -x -D cn=admin,dc=miraheze,dc=org -W -f basedn.ldif

(The password can be found in the private puppet repo)

Deleting user or group[edit | edit source]

To delete a user do the following:

1. Run ldapdelete -W -D "cn=write-user,dc=miraheze,dc=org" "uid=<user uid>,ou=people,dc=miraheze,dc=org".

To delete a group do the follow:

1. Run ldapdelete -W -D "cn=write-user,dc=miraheze,dc=org" "cn=<group name>,ou=people,dc=miraheze,dc=org".

LDAP Index[edit | edit source]

1. Add the following to index.ldif:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: sn pres,sub,eq
-
add: olcDbIndex
olcDbIndex: uid pres,sub,eq
-
add: olcDbIndex
olcDbIndex: displayName pres,sub,eq
-
add: olcDbIndex
olcDbIndex: default sub
-
add: olcDbIndex
olcDbIndex: uidNumber eq
-
add: olcDbIndex
olcDbIndex: gidNumber eq
-
add: olcDbIndex
olcDbIndex: mail,givenName eq,subinitial
-
add: olcDbIndex
olcDbIndex: dc eq

2. Run ldapmodify -Y EXTERNAL -H ldapi:/// -f ./index.ldif

Existing LDAP groups[edit | edit source]

sre
sre-mediawiki
sre-infrastructure
sre-management
stewards
cvt
matomo-users
users
board
trustandsafety

Note: Non-exhaustive list

Monitoring[edit | edit source]

LDAP can be monitored via Grafana by accessing this link.