LDAP

From SOWNWiki

About LDAP

LDAP is a standard protocol for accessing directory information. It can be used to authenticate against Microsoft Active Directory domains; iSolutions uses it to authenticate @soton.ac.uk users, so SOWN has to talk to it.

LDAP is widely supported by directory servers, including OpenLDAP and Novell eDirectory, and by applications such as FreeRADIUS and MediaWiki, which can use it both for user authentication and for storing access settings.

Use in SOWN

LDAP is now used to store the user details of SOWN community users as well as the permissions granted to SOWN users. LDAP is also used to authenticate user access to sown-dev, and to this wiki.

A number of user groups have been created to replace the previously used user levels. This means that access to different systems can easily be granted to specific sets of users.

LDAP Groups

The following LDAP groups currently exist:

DPAAdmin

Members of this group have access to user details, access to which is restricted under the Data Protection Act. Members of this group are normally also members of the SOWNAdmin group.

SOWNAdmin

Members of this group have permission to access the SOWN administration system, but do not have access to user details. They are also able to use sown-dev for development purposes. Members of this group are normally also members of the SOWNWikiUser group.

SOWNWikiUser

Members of this group have access to edit this wiki.

LDAP Config

We have a minimal LDAP schema that lets us add attributes to SOWN user accounts. The loaded copy lives in /etc/ldap/slapd.d/cn=config/cn=schema/cn={4}sown.ldif, but that file is generated, so to make changes you must edit /etc/ldap/schema/sown.schema and then import it into the config database. The {4} is the ordering index slapd assigns because sown.schema is the fifth include (counting from 0) in the conversion file created in the first step. To import the schema do the following:

  • First, create a conversion schema_convert.conf file containing the following lines:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/sown.schema
  • Next, create a temporary directory to hold the output:
mkdir /tmp/ldif_output
  • Now using slapcat convert the schema files to LDIF:
slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={4}sown,cn=schema,cn=config" > /tmp/cn=sown.ldif

This produces a file that looks like

dn: cn={4}sown,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}sown

<The SOWN Schema>

structuralObjectClass: olcSchemaConfig
entryUUID: 51659b96-9980-102f-9d0e-5d487b2c9456
creatorsName: cn=config
createTimestamp: 20101211144018Z
entryCSN: 20101211144018.073934Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20101211144018Z
  • Change the top line to be dn: cn=sown,cn=schema,cn=config and the 3rd line to be cn: sown
  • Remove all the lines below structuralObjectClass: olcSchemaConfig

This should produce:

dn: cn=sown,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sown

<The SOWN Schema>
  • Now you can add the schema by running the command ldapadd -x -D cn=admin,cn=config -W -f /tmp/cn\=sown.ldif. Note that slapd rejects a schema entry that redefines an attribute type or object class it has already loaded (duplicate OID or NAME), so a changed sown.schema cannot simply be added alongside the existing cn={4}sown entry; the change has to be applied to that existing entry instead.
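The two hand edits above (dropping the {4} index from the dn: and cn: lines, and cutting the entry off at structuralObjectClass) are easy to get wrong, so here is an added example that automates them and checks the result before anything is sent to ldapadd. This is not SOWN's own tooling; SAMPLE_LDIF is a constructed, shortened stand-in for real slapcat output, and the slapcat arguments are the ones from the procedure above.

```python
"""Post-process the LDIF that slapcat -n0 emits for the sown schema entry so
that ldapadd accepts it. Added example, not SOWN's own tooling. SAMPLE_LDIF is
constructed; the slapcat arguments mirror the procedure above."""
import re
import subprocess
import sys

# Only the dn: and cn: lines lose their ordering index. The regex is anchored
# on purpose: olcAttributeTypes values also carry {0}, {1}, ... and the syntax
# length {32}, and those must survive untouched.
INDEX_RE = re.compile(r"^(dn: cn=|cn: )\{\d+\}")


def strip_schema_index(ldif: str) -> str:
    """Return the entry with its {N} index removed and operational
    attributes (structuralObjectClass and everything below it) cut off."""
    kept = []
    for line in ldif.splitlines():
        if line.startswith("structuralObjectClass: olcSchemaConfig"):
            break  # everything below is server-maintained metadata
        kept.append(INDEX_RE.sub(r"\1", line))
    while kept and not kept[-1].strip():
        kept.pop()  # a blank line ends an LDIF entry; don't emit one early
    if not kept or not kept[0].startswith("dn: cn=") or "{" in kept[0]:
        raise ValueError("no usable schema entry in slapcat output")
    return "\n".join(kept) + "\n"


def slapcat_schema_cmd(name: str, index: int, conf: str = "schema_convert.conf",
                       workdir: str = "/tmp/ldif_output") -> list:
    """argv for the slapcat step above. index is the 0-based position of the
    schema among the includes in conf (sown.schema is the fifth, hence 4)."""
    return ["slapcat", "-f", conf, "-F", workdir, "-n0",
            "-s", f"cn={{{index}}}{name},cn=schema,cn=config"]


# Constructed sample in the shape slapcat produces (schema body shortened to a
# single wrapped attribute so the example stays readable).
SAMPLE_LDIF = """\
dn: cn={4}sown,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}sown
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD
 4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1
 .1466.115.121.1.26{32} SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 51659b96-9980-102f-9d0e-5d487b2c9456
creatorsName: cn=config
createTimestamp: 20101211144018Z
entryCSN: 20101211144018.073934Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20101211144018Z
"""

if __name__ == "__main__":
    # Stand-alone use: run the real slapcat for "sown" (index 4) and write the
    # ldapadd-ready entry to stdout; with --demo, use the constructed sample.
    if "--demo" in sys.argv:
        raw = SAMPLE_LDIF
    else:
        raw = subprocess.run(slapcat_schema_cmd("sown", 4), check=True,
                             capture_output=True, text=True).stdout
    sys.stdout.write(strip_schema_index(raw))
```

Run it as `python3 convert_sown_schema.py > /tmp/cn=sown.ldif` on the server (the filename is an assumption) and feed the result to the ldapadd command above; `--demo` prints what the constructed sample becomes so you can see the transformation first.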

Currently there is an attribute wikiUserName that overrides the username of an LDAP user in MediaWiki. To learn more, see the wiki config file and the wiki LDAP plugin code.

There are also two password-hash attributes taken from the Samba schema, one for the LanManager (LM) hash and one for the NT hash. Both are unsalted, and the LM hash in particular is trivially recoverable, so anyone who can read these attributes effectively holds the user's password; read access to them should be restricted in the slapd ACLs to the services that need them.

attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
	DESC 'LanManager Password'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
	DESC 'MD4 hash of the unicode password'
	EQUALITY caseIgnoreIA5Match
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )