Services:Accounts
Unified accounts for Kosmos services
This is work in progress! For now, unified accounts are only enabled on this wiki and XMPP. We have decided to use LDAP[1] to let users have the same credentials (username and password) across Kosmos services.
The LDAP server is running on ldap.kosmos.org[2].
Admin commands
The ldapsearch and ldapadd command-line tools are provided by different packages depending on your OS: for example, ldap-utils on Ubuntu, openldap-clients on Fedora, and openldap on Arch Linux. They are already provided in a default macOS installation.
This can also be done using the LDAP client library of your choice.
Listing accounts
ldapsearch -x -W -D 'cn=Directory Manager' -b "ou=users,dc=kosmos,dc=org" -H "ldaps://ldap.kosmos.org"
Adding an account
Generate a hashed password
This example uses Ruby, but anything that can generate a salted SHA512 hash will also work.
$ ruby -r base64 -r digest -r securerandom -e 'salt = SecureRandom.hex(32); password = "random_password"; puts "{SSHA512}" + Base64.strict_encode64(Digest::SHA512.digest(password+salt) + salt)'
{SSHA512}WsELiZM9MlUM004LF3jpV5OuV+qTsGoRR1RzffdtUuPpzOl57I7WmKL+S46/KR8HUtYPRh1ttmsNvGUX/agxLjBkZGI0MTczNWNiZjkxMDI0NGEzZTE2ZDBlNGJkMDQ5N2ZhMjVjMjQ1NzFlZmJlNmZmODhmNjE5OGM1YWM3Zjc=
Add the account
ldapadd -x -W -D 'cn=Directory Manager' -H "ldaps://ldap.kosmos.org" << EOF
dn: cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: alice
sn: alice
uid: alice
mail: alice@example.com
userPassword: {SSHA512}WsELiZM9MlUM004LF3jpV5OuV+qTsGoRR1RzffdtUuPpzOl57I7WmKL+S46/KR8HUtYPRh1ttmsNvGUX/agxLjBkZGI0MTczNWNiZjkxMDI0NGEzZTE2ZDBlNGJkMDQ5N2ZhMjVjMjQ1NzFlZmJlNmZmODhmNjE5OGM1YWM3Zjc=
EOF
adding new entry "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org"
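The userPassword value has a fixed layout: the {SSHA512} prefix, then the base64 encoding of the 64-byte SHA-512 digest followed by the salt. The Ruby script below is an added example, not part of the Kosmos tooling, and its function names are hypothetical; it builds a value the same way as the one-liner above and checks a password against a stored value, which is a quick way to validate a hash before loading it with ldapadd.

```ruby
require 'base64'
require 'digest'
require 'securerandom'

PREFIX = '{SSHA512}'
DIGEST_LEN = 64 # SHA-512 output size in bytes

# Same construction as the one-liner: base64(SHA512(password + salt) + salt).
def ssha512_hash(password, salt = SecureRandom.hex(32))
  PREFIX + Base64.strict_encode64(Digest::SHA512.digest(password.b + salt.b) + salt.b)
end

# Split a stored value into [digest, salt]; raises ArgumentError if malformed.
def ssha512_parse(value)
  raise ArgumentError, 'missing {SSHA512} prefix' unless value.start_with?(PREFIX)
  raw = Base64.strict_decode64(value[PREFIX.length..-1])
  raise ArgumentError, 'no salt after the digest' if raw.bytesize <= DIGEST_LEN
  [raw.byteslice(0, DIGEST_LEN), raw.byteslice(DIGEST_LEN, raw.bytesize)]
end

# Compare all bytes so the run time does not reveal where two digests differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True only if the password reproduces the stored digest under the stored salt.
def ssha512_verify(password, value)
  digest, salt = ssha512_parse(value)
  secure_equal?(Digest::SHA512.digest(password.b + salt), digest)
rescue ArgumentError
  false
end

if __FILE__ == $PROGRAM_NAME
  stored = ssha512_hash('random_password') # constructed sample password
  puts stored
  puts ssha512_verify('random_password', stored)  # matching password
  puts ssha512_verify('other_password', stored)   # non-matching password
end
```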
Changing your password
Changing your password will be made possible in the upcoming Kosmos Accounts Web UI. But for now, you have these two options:
Via XMPP client
You can change your Kosmos account password globally from any XMPP client, which allows you to change your XMPP password.
Via command-line interface
The ldappasswd command-line tool is provided by different packages depending on your OS. For example ldap-utils on Ubuntu, openldap-clients on Fedora, openldap on Arch Linux. It is already provided in a default macOS installation.
The following command sets a new password once you have entered your current password (replace yourusername with your username):
ldappasswd -x -D cn='yourusername',ou=kosmos.org,cn=users,dc=kosmos,dc=org -W -S -H "ldaps://ldap.kosmos.org"
It will ask you for the following passwords:
New password:
Re-enter new password:
Enter LDAP Password:
"New password" is the password that will be set on your LDAP account. "LDAP password" is your current password.
If you need any help, do not hesitate to ask in our chatroom.