Difference between revisions of "Services:Accounts"

From Kosmos Wiki
(Document LDAP admin commands)
Revision as of 10:28, 15 September 2020

Unified accounts for Kosmos services

This is work in progress! For now, unified accounts are only enabled on this wiki and XMPP. We have decided to use LDAP[1] to let users have the same credentials (username and password) across Kosmos services.

The LDAP server is running on ldap.kosmos.org[2].

Admin commands

The ldapsearch and ldapadd command-line tools are provided by different packages depending on your OS: for example, ldap-utils on Ubuntu, openldap-clients on Fedora, openldap on Arch Linux. They are already provided in a default macOS installation.

This can also be done using the LDAP client library of your choice.

Listing accounts

ldapsearch -x -W -D 'cn=Directory Manager' -b "ou=users,dc=kosmos,dc=org" -H "ldaps://ldap.kosmos.org"

Adding an account

Generate a hashed password

This example uses Ruby, but anything that can generate a salted SHA-512 hash in the same {SSHA512} format will also work.

$ ruby -r base64 -r digest -r securerandom -e 'salt = SecureRandom.hex(32); password = "random_password"; puts "{SSHA512}" + Base64.strict_encode64(Digest::SHA512.digest(password+salt) + salt)'
{SSHA512}WsELiZM9MlUM004LF3jpV5OuV+qTsGoRR1RzffdtUuPpzOl57I7WmKL+S46/KR8HUtYPRh1ttmsNvGUX/agxLjBkZGI0MTczNWNiZjkxMDI0NGEzZTE2ZDBlNGJkMDQ5N2ZhMjVjMjQ1NzFlZmJlNmZmODhmNjE5OGM1YWM3Zjc=

Add the account

ldapadd -x -W -D 'cn=Directory Manager' -H "ldaps://ldap.kosmos.org" << EOF
dn: cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org
objectClass: top
objectClass: account
objectClass: person
objectClass: extensibleObject
cn: alice
sn: alice
uid: alice
mail: alice@example.com
userPassword: {SSHA512}WsELiZM9MlUM004LF3jpV5OuV+qTsGoRR1RzffdtUuPpzOl57I7WmKL+S46/KR8HUtYPRh1ttmsNvGUX/agxLjBkZGI0MTczNWNiZjkxMDI0NGEzZTE2ZDBlNGJkMDQ5N2ZhMjVjMjQ1NzFlZmJlNmZmODhmNjE5OGM1YWM3Zjc=
EOF

adding new entry "cn=alice,ou=kosmos.org,cn=users,dc=kosmos,dc=org"
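As an added example (not the wiki's own code), the Ruby script below produces the same {SSHA512} value as the one-liner in the hashed-password step above, and also verifies a password against a stored value by splitting the salt back off the digest. It goes slightly beyond the page in accepting salts of any length, not only the 64-character hex salt the one-liner generates.

```ruby
require "base64"
require "digest"
require "securerandom"

# SHA-512 digests are 64 bytes; in an {SSHA512} value everything after
# those 64 bytes is the salt that was appended when the hash was made.
DIGEST_LEN = 64

# Build "{SSHA512}" + base64(sha512(password + salt) + salt), exactly as
# the wiki's one-liner does. The default salt is a 64-character hex string.
def ssha512_hash(password, salt = SecureRandom.hex(32))
  digest = Digest::SHA512.digest(password.b + salt.b)
  "{SSHA512}" + Base64.strict_encode64(digest + salt.b)
end

# Return true only if password matches the stored {SSHA512} value.
# The salt is recovered from the value itself, so this accepts salts of
# any length, not just the hex one the generator above uses.
def ssha512_verify(password, stored)
  return false unless stored.start_with?("{SSHA512}")
  blob = Base64.strict_decode64(stored.delete_prefix("{SSHA512}"))
  return false if blob.bytesize <= DIGEST_LEN
  digest = blob.byteslice(0, DIGEST_LEN)
  salt = blob.byteslice(DIGEST_LEN, blob.bytesize - DIGEST_LEN)
  secure_compare(Digest::SHA512.digest(password.b + salt), digest)
rescue ArgumentError
  false # malformed base64 is treated as "does not match", not as an error
end

# Compare two byte strings without short-circuiting on the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  value = ssha512_hash("random_password")
  puts value
  puts ssha512_verify("random_password", value) # true
  puts ssha512_verify("wrong_password", value)  # false
end
```

The verifier is handy for checking a userPassword value before pasting it into an LDIF, since the directory gives no feedback on a mistyped hash.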

Changing your password

Changing your password will be made possible in the upcoming Kosmos Accounts Web UI. But for now, you have these two options:

Via XMPP client

You can change your Kosmos account password globally from any XMPP client that supports changing your XMPP password.

Via command-line interface

The ldappasswd command-line tool is provided by different packages depending on your OS. For example ldap-utils on Ubuntu, openldap-clients on Fedora, openldap on Arch Linux. It is already provided in a default macOS installation.

The following command sets your new password after you enter your current one (replace yourusername with your username):

ldappasswd -x -D cn='yourusername',ou=kosmos.org,cn=users,dc=kosmos,dc=org -W -S -H "ldaps://ldap.kosmos.org"

It will prompt you for the following passwords:

New password:
Re-enter new password:
Enter LDAP Password:

"New password" is the password that will be set on your LDAP account. "Enter LDAP Password" asks for your current password.

If you need any help, do not hesitate to ask in our chatroom.

References