Infrastructure:LDAP

From Kosmos Wiki
Revision as of 16:58, 19 February 2020 by Greg (talk | contribs) (Create initial Infrastructure page for LDAP)

Server

We use 389 Directory Server, installed using this Chef cookbook. The server runs on ldap.kosmos.org. The future plan is to make the LDAP server accessible only to the services that use it for authentication and authorization, and to the upcoming Kosmos Accounts Web UI.

Directory structure

Here is a diagram of the directory structure we use on ldap.kosmos.org:

                         ------------------------
                         |   dc=kosmos,dc=org   |
                         | (organizationalUnit) |
                         ------------------------
                                     |
                         ------------------------
                         |       cn=users       |
                         | (organizationalRole) |
                         ------------------------
                                |         |
             ------------------------ ------------------------
             |     ou=kosmos.org    | |     ou=account.pro   |
             | (organizationalUnit) | | (organizationalUnit) |
             ------------------------ ------------------------
                        |                         |
 ------------------------------------- -------------------------------------
 | cn=example_user                   | | cn=example_user                   |
 | (account,person,extensibleObject) | | (account,person,extensibleObject) |
 ------------------------------------- -------------------------------------

Here is an example LDIF representation of what we use on ldap.kosmos.org:

# container for the organizationalUnits (domains)
dn: cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

# kosmos.org, users, kosmos.org
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: Kosmos
ou: kosmos.org
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "wiki-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)

# xmpp account, used by ejabberd to search for users and change passwords
dn: cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
cn: xmpp
sn: xmpp
uid: xmpp
userPassword: secret

# wiki account, used by mediawiki to search for users and change passwords
dn: cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
cn: wiki
sn: wiki
uid: wiki
userPassword: secret

# xmpp role, used to filter users that have access to XMPP
dn: cn=xmpp_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: xmpp_role
nsRoleFilter: (&(objectclass=person)(xmpp=enabled))
Description: filtered role for xmpp on kosmos.org

# example user for kosmos.org
dn: cn=example_user,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: example_user
sn: example_user
uid: example_user
mail: example_user@example.com
xmpp: enabled
userPassword: secret

# account.pro, users, kosmos.org
dn: ou=account.pro,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: account
ou: account.pro
aci: (target="ldap:///cn=*,ou=account.pro,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-account-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=account.pro,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=account.pro,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-account-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=account.pro,cn=users,dc=kosmos,dc=org";)

# xmpp account, used by ejabberd to search for users and change passwords
dn: cn=xmpp,ou=account.pro,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
cn: xmpp
sn: xmpp
uid: xmpp
userPassword: secret

# xmpp role, used to filter users that have access to XMPP
dn: cn=xmpp_role,ou=account.pro,cn=users,dc=kosmos,dc=org
objectclass: top
objectclass: LDAPsubentry
objectclass: nsRoleDefinition
objectclass: nsComplexRoleDefinition
objectclass: nsFilteredRoleDefinition
cn: xmpp_role
nsRoleFilter: (&(objectclass=person)(xmpp=enabled))
Description: filtered role for xmpp on account.pro

# example user for account.pro
dn: cn=example_pro,ou=account.pro,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: example_pro
sn: example_pro
uid: example_pro
mail: example_pro@account.pro
xmpp: enabled
userPassword: secret
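As an added example (not part of this wiki page, the Chef cookbook, or 389 Directory Server itself), the Python below parses an LDIF tree laid out like the one above and runs the checks worth doing before importing it: that every entry's parent exists, that each ACI's bind DN is an entry that actually exists, that acl names are not reused, and whether an ACI hands read access on userPassword to a service account; it also resolves each nsFilteredRoleDefinition the way 389 DS scopes it (the subtree below the role's parent), so you can see which entries will carry the role before deploying. SAMPLE_LDIF is constructed for this example: a trimmed copy of the layout above that deliberately reuses an acl name, references a wiki bind DN that has no entry, and places a second role under an ou that does not exist. The parser only handles the plain LDIF dialect used on this page (one value per line, no base64 values, continuation lines or comments), and the filter evaluator only &, |, !, equality and presence.

```python
"""Offline checks for an LDIF tree laid out like the Kosmos directory.
Added example, not code from the Kosmos wiki or 389 Directory Server. Assumes the
page's plain LDIF dialect (one value per line; no base64, continuations, comments)
and the filter subset &, |, !, attr=value, attr=*. SAMPLE_LDIF is constructed."""
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: organizationalUnit
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)

dn: cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: person

dn: cn=xmpp_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectclass: nsFilteredRoleDefinition
nsRoleFilter: (&(objectclass=person)(xmpp=enabled))

dn: cn=example_user,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: person
xmpp: enabled

dn: cn=xmpp_role,ou=5apps.com,cn=users,dc=kosmos,dc=org
objectclass: nsFilteredRoleDefinition
nsRoleFilter: (&(objectclass=person)(xmpp=enabled))
"""
# Pulls targetattr, acl name, granted rights and bind DN out of one ACI value.
ACI_RE = re.compile(r'targetattr="([^"]*)".*?acl "([^"]+)".*?allow \(([^)]*)\)'
                    r'.*?userdn="ldap:///([^"]+)"')

def norm(dn):
    """Normalise a DN for comparison: lowercase, no spaces around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def parse_ldif(text):
    """Map normalised DN -> {lowercase attribute: [values]}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, val = line.partition(":")  # first colon only: ACI values contain ':'
            attrs[key.strip().lower()].append(val.strip())
        entries[norm(attrs.pop("dn")[0])] = dict(attrs)
    return entries

def orphans(entries, suffix):
    """Entries whose parent is absent: the server rejects these on import."""
    return [dn for dn in entries if parent(dn) != norm(suffix) and parent(dn) not in entries]

def lint_acis(entries):
    """Flag ACIs whose bind DN has no entry, reused acl names, and read access to
    userPassword (password hashes) granted to a service account. Unparsable ACIs raise."""
    findings, seen = [], set()
    for dn, attrs in entries.items():
        for aci in attrs.get("aci", []):
            targetattr, name, rights, userdn = ACI_RE.search(aci).groups()
            target_attrs = {a.strip().lower() for a in targetattr.split("||")}
            if norm(userdn) not in entries:
                findings.append(f"{name}: bind DN {userdn} has no entry")
            if name in seen:
                findings.append(f"{name}: acl name reused")
            seen.add(name)
            if "userpassword" in target_attrs and "read" in rights:
                findings.append(f"{name}: read on userPassword granted to {userdn}")
    return findings

def split_filters(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def matches(attrs, flt):
    """Evaluate the nsRoleFilter subset on one entry (names and values case-folded)."""
    body = flt.strip()[1:-1]
    if body[0] in "&|!":
        results = [matches(attrs, sub) for sub in split_filters(body[1:])]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[body[0]](results)
    attr, _, value = body.partition("=")
    values = [v.lower() for v in attrs.get(attr.strip().lower(), [])]
    return bool(values) if value == "*" else value.strip().lower() in values

def role_members(entries):
    """Resolve each filtered role as 389 DS scopes it: entries below the role's
    parent that match nsRoleFilter, the role entry itself excluded."""
    return {dn: [d for d, a in entries.items() if d != dn and d.endswith("," + parent(dn))
                 and matches(a, attrs["nsrolefilter"][0])]
            for dn, attrs in entries.items()
            if "nsfilteredroledefinition" in {c.lower() for c in attrs.get("objectclass", [])}}
```

Calling `parse_ldif(SAMPLE_LDIF)` and passing the result to `orphans(..., "cn=users,dc=kosmos,dc=org")`, `lint_acis` and `role_members` reports the role under the missing ou, the three ACI findings (the xmpp service account can read userPassword, the wiki bind DN has no entry, the acl name is reused) and that only cn=example_user carries the kosmos.org role, since the xmpp service account is a person without an xmpp attribute. Against a real `dbscan`/`ldapsearch` export you would first need a parser that understands base64 values and continuation lines; the checks themselves stay the same.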