(current state of LDAP.)

Access is limited to Trustees only since it contains the membership db.
== LDAP ==
Turing has an LDAP db on it that is replicated to [[denning]] for use on machines in the space.
It sort of works.
On [[denning]] we get these errors in the logs:
<nowiki>
Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
</nowiki>
They appear to be harmless.
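"Harmless" is only true while the retries stay sporadic; a consumer that has been retrying for an hour is not replicating. The script below is an added example (not part of the wiki page or of OpenLDAP) that parses the syncrepl lines quoted above, tallies retries and failure reasons per consumer rid, and flags a rid whose error window exceeds a threshold. The sample log is the six lines from the page; the year is assumed because syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the syncrepl lines quoted on the wiki page (consumer rid=000).
SAMPLE_LOG = """\
Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
"""

# syslog timestamp, host, "slapd[pid]:", the slapd function name, then the message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: "
                  r"(?P<func>\w+): (?P<msg>.*)$")
RID = re.compile(r"rid=(\d+)")


def summarize_syncrepl(lines, year):
    """Group syncrepl errors per consumer rid: retry count, tally of reasons and the
    timestamps of the first and last error. `year` is assumed (syslog omits it)."""
    stats = {}
    pending = None  # a connect/bind failure precedes the retry line that names the rid
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, " ".join(m["ts"].split())),
                               "%Y %b %d %H:%M:%S")
        func, msg = m["func"], m["msg"]
        if func == "slap_client_connect":
            pending = "bind failed" if "bind" in msg else "connect failed"
            continue
        rid = RID.search(msg)
        if not rid:
            continue
        s = stats.setdefault(rid.group(1),
                             {"retries": 0, "reasons": Counter(), "first": ts, "last": ts})
        s["last"] = ts
        if func == "do_syncrep2":
            # "rid=000 (-1) Can't contact LDAP server" -> keep the text after the rc
            reason = re.search(r"\(-?\d+\)\s*(.*)", msg)
            s["reasons"][reason.group(1) if reason else msg] += 1
        elif func == "do_syncrepl" and msg.endswith("retrying"):
            s["retries"] += 1
            if pending:
                s["reasons"][pending] += 1
                pending = None
    return stats


def stuck_consumers(stats, max_minutes):
    """rids whose first-to-last error window exceeds max_minutes: that is a consumer
    that has stopped replicating, not one that merely flapped once."""
    return sorted(rid for rid, s in stats.items()
                  if (s["last"] - s["first"]).total_seconds() > max_minutes * 60)


if __name__ == "__main__":
    stats = summarize_syncrepl(SAMPLE_LOG.splitlines(), year=2014)
    for rid, s in stats.items():
        print(rid, s["retries"], "retries", dict(s["reasons"]), s["first"], "->", s["last"])
    print("stuck (>30 min):", stuck_consumers(stats, 30))
```

Run against the live log with `journalctl -u slapd` or the syslog file piped in; the threshold is a policy choice, but anything longer than the provider's expected maintenance window deserves a look at the iptables rules and the certificate mentioned below.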
Turing has iptables rules that allow access to the LDAP server from denning.
The LDAP server uses an SSL cert from StartCom; it expires on Mar 25 2015.
We use a schema that is compatible with Samba for 2 reasons:
* We might want user logins to Samba at some point
* The sambaNTPassword attribute is understood by FreeRADIUS and is needed for MS-CHAP auth for spacefed.
However, the sambaNTPassword hash is quite weak and the sambaLMPassword hash is silly, so ideally:
* the sambaLMPassword attribute would contain nonsense that can never be authenticated against
* the sambaNTPassword attribute would be for a different password from the userPassword
Currently we're using '!' for the sambaLMPassword attribute value.
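The '!' convention only helps if every account actually carries it; an account created before the smbldap-passwd patch, or imported from elsewhere, may still hold a real LM hash. The following is an added example (not from the wiki page, Samba or the smbldap tools) that parses an LDIF export of the People branch and reports entries whose sambaLMPassword looks like a genuine 32-hex-digit LM hash, and entries missing the sambaNTPassword that MS-CHAP needs. The sample export, uids and hash values are constructed; the DN suffix and attribute names are the page's.

```python
import base64
import re

# Constructed sample export (not real membership data). Every uid and hash
# value here is made up; the suffix follows the DN quoted in the page's logs.
SAMPLE_LDIF = """\
# People branch export
dn: uid=alice,ou=People,dc=london,dc=hackspace,dc=org,dc=uk
objectClass: sambaSamAccount
uid: alice
sambaLMPassword: !
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=london,dc=hackspace,dc=org,dc=uk
objectClass: sambaSamAccount
uid: bob
sambaLMPassword: 1122334455667788AABBCCDDEEFF0011
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=carol,ou=People,dc=london,dc=hackspace,dc=org,dc=uk
objectClass: sambaSamAccount
uid: carol
sambaLMPassword:: IQ==
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # shape of an LM or NT hash value


def parse_ldif(text):
    """Minimal LDIF parser: folded lines, '::' base64 values, multi-valued attributes.
    Attribute names are lower-cased (LDAP compares them case-insensitively) and
    every value is returned as a list of strings."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:   # continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def is_lm_placeholder(value):
    """True when the LM attribute holds something that is not a 32-hex LM hash
    (the '!' convention above), so no client can ever authenticate against it."""
    return not HEX32.match(value)


def audit_samba_entries(ldif_text):
    """Return {uid: [findings]} for every sambaSamAccount entry in the export."""
    report = {}
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "sambasamaccount" not in classes:
            continue
        uid = entry.get("uid", ["?"])[0]
        findings = []
        for lm in entry.get("sambalmpassword", []):
            if not is_lm_placeholder(lm):
                findings.append("sambaLMPassword holds a real LM hash; "
                                "replace it with an unusable placeholder such as '!'")
        nt = entry.get("sambantpassword", [])
        if not nt or not HEX32.match(nt[0]):
            findings.append("sambaNTPassword missing or malformed; "
                            "MS-CHAP (FreeRADIUS) authentication will fail")
        report[uid] = findings
    return report


if __name__ == "__main__":
    for uid, findings in audit_samba_entries(SAMPLE_LDIF).items():
        print(uid, "OK" if not findings else "; ".join(findings))
```

Feed it a real export with something like `slapcat -b ou=People,dc=london,dc=hackspace,dc=org,dc=uk` run on turing as root; the script never needs the cleartext passwords, only the attribute shapes.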
=== cheat sheet at the moment ===
==== Add a user ====
<nowiki>
smbldap-useradd -a -A 1 -c "<Gcos Comment>" -N <FirstName> -S <Surname> <username></nowiki>
==== Change a password ====
<nowiki>
smbldap-passwd <username></nowiki>
==== List a user's details ====
<nowiki>
smbldap-usershow <username></nowiki>
or:
<nowiki>
smbldap-userinfo -l <username></nowiki>
==== Delete a user ====
<nowiki>
smbldap-userdel <username></nowiki>
==== Add a user to a group ====
<nowiki>
smbldap-usermod -G +<groupname> <username></nowiki>
==== List the members of a group ====
<nowiki>
smbldap-groupshow <group name></nowiki>
==== Remove a member from a group ====
<nowiki>
smbldap-usermod -G -<groupname> <username></nowiki>
=== Changes to tools on turing ===
The smbldap tools were patched with these patches:
* http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-userlist.pl?view=patch&r1=135&r2=134&pathrev=135
* http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-grouplist.pl?view=patch&r1=135&r2=134&pathrev=135
... and smbldap-passwd was patched to generate bogus LM password hashes:
<nowiki>
--- smbldap-passwd.prev 2013-08-06 08:01:54.000000000 +0000
+++ smbldap-passwd 2014-09-11 23:31:33.000000000 +0000
@@ -157,7 +157,8 @@
 # the sambaPwdLastSet must be updating
 my $date=time;
 my @mods;
-push(@mods, 'sambaLMPassword' => $sambaLMPassword);
+# XXX modified by jasper to generate an invalid LM password.
+push(@mods, 'sambaLMPassword' => '!'); #$sambaLMPassword);
 push(@mods, 'sambaNTPassword' => $sambaNTPassword);
 push(@mods, 'sambaPwdLastSet' => $date);
 if (defined $config{defaultMaxPasswordAge}) {
</nowiki>
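Review bot: the replacement push line carries a dead fragment, `#$sambaLMPassword);`, trailing the new statement; drop it, since the XXX comment already records what was replaced, and if `$sambaLMPassword` is still computed earlier in this function (the removed line was its only visible use) remove that computation too so the LM hash is never derived at all. The comment would also be more useful if it said why `'!'` was chosen: it is not a 32-hex-digit LM hash, so no client can ever match it, which is the property the page's "nonsense that can never be authenticated against" requires. Finally, this is a hand edit to a packaged script and will be lost on the next upgrade; keep the diff alongside the two svn patch links above so it can be reapplied.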
== Graphs ==