Equipment/Turing: Difference between revisions
(current state of LDAP.)
Revision as of 00:40, 12 September 2014
Purpose
Runs the UK Hackspace website and hosts wikis for any spaces that want one. Also hosts the membership system and forwards the webcams for London Hackspace.
Name
Named after Alan Turing.
See also: System naming
Access
Access is limited to Trustees only since it contains the membership db.
LDAP
Turing has an LDAP db on it that is replicated to denning for use on machines in the space.
It sort of works: replication runs, but on denning we get these errors in the logs:
Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
They appear to be harmless: rc -1 is LDAP_SERVER_DOWN, a connection-level failure rather than a rejected credential, and syncrepl keeps retrying and catches up once the bind succeeds. To confirm that the replica is actually current rather than assume it, compare the contextCSN attribute of the suffix on turing and on denning; matching values mean no changes are outstanding.
Turing has iptables rules that allow access to the LDAP server from denning.
The LDAP server uses an SSL certificate from StartCom; it expires on 25 Mar 2015. Denning's syncrepl consumer connects over ldaps:// (see the log above), so when the certificate is renewed, check that denning still trusts the new chain or replication will stop.
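Two checks for this replication link, as an added example that is not code from this page or from OpenLDAP: a parser that summarises the syncrepl retry lines quoted above by replication id, and a comparison of the provider's and consumer's contextCSN values, which is the check that actually tells you whether denning is current. The contextCSN values, the year on the syslog timestamps, and the suffix mentioned in the comment (dc=london,dc=hackspace,dc=org,dc=uk, inferred from the bind DN in the log) are assumptions for illustration.

```python
# Added example (not code from the Turing wiki page or from OpenLDAP): two checks
# for the syncrepl link between turing (provider) and denning (consumer).
# SAMPLE_LOG is the slapd output quoted on the page; the contextCSN values and the
# year are constructed/assumed for illustration.
import re
from datetime import datetime

SAMPLE_LOG = """\
Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
"""

# Constructed values standing in for the output of
#   ldapsearch -LLL -H ldaps://<host> -b dc=london,dc=hackspace,dc=org,dc=uk -s base contextCSN
# on each host (suffix assumed from the bind DN in the log). Here the provider has
# written a change the consumer has not yet received.
PROVIDER_CSN = "20140911225027.000000Z#000000#000#000000"
CONSUMER_CSN = "20140911214533.000000Z#000000#000#000000"

RETRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"do_syncrepl: rid=(?P<rid>\d+) rc (?P<rc>-?\d+) retrying$"
)


def summarize_retries(log_text, year=2014):
    """Group 'do_syncrepl ... retrying' lines by replication id (rid) and report how
    many retries happened, over what wall-clock span, and with which return codes.
    syslog lines carry no year, so one is supplied (assumed 2014 to match the page)."""
    summary = {}
    for line in log_text.splitlines():
        m = RETRY_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = summary.setdefault(m["rid"], {"count": 0, "first": ts, "last": ts, "rcs": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["rcs"].add(int(m["rc"]))   # -1 is LDAP_SERVER_DOWN: connection, not credentials
    for s in summary.values():
        s["span_s"] = (s["last"] - s["first"]).total_seconds()
    return summary


CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(csn):
    """Split an OpenLDAP CSN into (timestamp, count, sid, mod). sid is the serverID
    of the server that originated the change."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts = datetime.strptime(f"{m.group(1)}.{m.group(2)}", "%Y%m%d%H%M%S.%f")
    return ts, int(m.group(3), 16), int(m.group(4), 16), int(m.group(5), 16)


def replication_lag_seconds(provider_csn, consumer_csn):
    """How far the consumer is behind the provider, in seconds. 0 means the replica
    is current; a negative value means the consumer claims changes the provider never
    made, which is a misconfiguration, not lag."""
    p_ts, _, p_sid, _ = parse_csn(provider_csn)
    c_ts, _, c_sid, _ = parse_csn(consumer_csn)
    if p_sid != c_sid:
        raise ValueError("contextCSNs from different serverIDs are not comparable")
    return (p_ts - c_ts).total_seconds()


def replication_healthy(provider_csn, consumer_csn, max_lag_s=300):
    """The retries alone do not say whether the replica is current; the contextCSN
    comparison does. Intermittent retries with zero lag really are harmless."""
    lag = replication_lag_seconds(provider_csn, consumer_csn)
    return 0 <= lag <= max_lag_s


if __name__ == "__main__":
    for rid, s in summarize_retries(SAMPLE_LOG).items():
        print(f"rid={rid}: {s['count']} retries over {s['span_s']:.0f}s, rc values {sorted(s['rcs'])}")
    print("lag:", replication_lag_seconds(PROVIDER_CSN, CONSUMER_CSN), "s")
    print("healthy:", replication_healthy(PROVIDER_CSN, CONSUMER_CSN))
```

On the real hosts, fetch each side's contextCSN with ldapsearch (same suffix on both, with credentials that may read the attribute) and feed the two strings to replication_lag_seconds. A lag that keeps growing while the retry lines continue means the errors are not harmless after all.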
We use a schema that is compatible with Samba for two reasons:
- We might want user logins to Samba at some point.
- The sambaNTPassword attribute is understood by FreeRADIUS and is needed for MS-CHAP authentication for SpaceFED.
However, the sambaNTPassword hash is weak (an unsalted MD4 of the UTF-16LE password, so identical passwords give identical hashes and it can be brute-forced very quickly), and the sambaLMPassword hash is worse (LM uppercases the password, truncates it to 14 characters and hashes the two 7-character halves independently), so ideally:
- the sambaLMPassword attribute would contain nonsense that can never be authenticated against
- the sambaNTPassword attribute would be for a different password from the userPassword, so that cracking the NT hash does not also give away the main account password
Note also that MS-CHAP uses the NT hash itself as the secret, so anyone who can read sambaNTPassword can authenticate as that user to the RADIUS server without cracking anything; this is one more reason the Trustees-only access above matters.
Currently we're using '!' for the sambaLMPassword attribute value, which is not a 32-hex-digit hash and so can never match.
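What those attributes actually contain, as an added example that is not code from this page, Samba or FreeRADIUS: it computes sambaNTPassword the way Samba stores it, shows that an unsalted MD4 falls to a plain dictionary lookup, and shows why '!' is a safe sambaLMPassword placeholder. MD4 is implemented inline on the assumption that hashlib's md4 may be unavailable (it needs OpenSSL's legacy provider); the wordlist and passwords are constructed.

```python
# Added example (not code from the Turing wiki page, Samba or FreeRADIUS): what the
# sambaNTPassword / sambaLMPassword attributes hold and why the page treats them as
# it does. MD4 is implemented inline (assumption: hashlib 'md4' may be missing, since
# it needs OpenSSL's legacy provider). Wordlist and passwords are constructed.
import re
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4 of a byte string."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (hh, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate so one line updates a, d, c, b in turn
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    """sambaNTPassword as Samba stores it: uppercase hex MD4 of the UTF-16LE password.
    No salt, no iteration: equal passwords give equal hashes. MS-CHAPv2 derives its
    response from this value, so reading the attribute is as good as the password
    for RADIUS purposes."""
    return md4(password.encode("utf-16le")).hex().upper()


SAMBA_HASH_RE = re.compile(r"[0-9A-Fa-f]{32}")


def is_usable_samba_hash(value):
    """Samba and FreeRADIUS expect 32 hex digits. Anything else, such as the '!' the
    patched smbldap-passwd on turing writes into sambaLMPassword, can never equal a
    hash computed from a password attempt, so no LM authentication can succeed."""
    return SAMBA_HASH_RE.fullmatch(value) is not None


def crack_nt_hash(target, wordlist):
    """Because the hash is unsalted and fast, each candidate password is hashed once
    and compared against every stored hash. This is the weakness the page means, and
    why sambaNTPassword should not be the same secret as userPassword: cracking it
    must not also hand over the main account password."""
    target = target.upper()
    for candidate in wordlist:
        if nt_hash(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["letmein", "password", "hunter2"]   # constructed
    stored = nt_hash("password")
    print("sambaNTPassword:", stored)
    print("cracked as:", crack_nt_hash(stored, wordlist))
    print("'!' usable as LM hash?", is_usable_samba_hash("!"))
```

The MD4 core is the RFC 1320 reference algorithm with the four state words rotated after every step so that a single update line serves all sixteen steps of a round; the round tables are the message-word orders and shift amounts from the RFC.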
Cheat sheet at the moment
Add a user
smbldap-useradd -a -A 1 -c "<Gcos Comment>" -N <FirstName> -S <Surname> <username>
(-a creates the Samba attributes as well as the POSIX account, -A 1 lets the user change their own password, -c sets the gecos comment, -N and -S supply the first name and surname.)
Change a password
smbldap-passwd <username>
List a user's details
smbldap-usershow <username>
or:
smbldap-userinfo -l <username>
Delete a user
smbldap-userdel <username>
Add a user to a group
smbldap-usermod -G +<groupname> <username>
List the members of a group
smbldap-groupshow <groupname>
Remove a member from a group
smbldap-usermod -G -<groupname> <username>
Changes to tools on turing
The smbldap tools were patched with these two upstream patches:
- http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-userlist.pl?view=patch&r1=135&r2=134&pathrev=135
- http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-grouplist.pl?view=patch&r1=135&r2=134&pathrev=135
... and smbldap-passwd was patched locally so that it writes a bogus value ('!') into sambaLMPassword instead of a real LM hash:
--- smbldap-passwd.prev 2013-08-06 08:01:54.000000000 +0000
+++ smbldap-passwd 2014-09-11 23:31:33.000000000 +0000
@@ -157,7 +157,8 @@
# the sambaPwdLastSet must be updating
my $date=time;
my @mods;
- push(@mods, 'sambaLMPassword' => $sambaLMPassword);
+ # XXX modified by jasper to generate an invalid LM password.
+ push(@mods, 'sambaLMPassword' => '!'); #$sambaLMPassword);
push(@mods, 'sambaNTPassword' => $sambaNTPassword);
push(@mods, 'sambaPwdLastSet' => $date);
if (defined $config{defaultMaxPasswordAge}) {
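Review bot: the trailing `#$sambaLMPassword);` fragment on the added push() line is dead text that invites someone to "tidy up" the comment and silently re-enable real LM hashes; drop it, and since $sambaLMPassword is no longer consumed here, drop its computation too so the cleartext-derived LM hash is never even produced. The literal '!' is the right idea (it is not a 32-hex-digit hash, so no LM authentication can ever match), but consider reading it from `$config{...}` alongside the `$config{defaultMaxPasswordAge}` lookup visible in the context lines, so the behaviour is documented in smbldap.conf rather than buried in a patched script. Note also that this hunk only covers smbldap-passwd: any other tool on the box that writes sambaLMPassword (smbldap-useradd is used for account creation on this page) needs the same treatment or a check that it never stores a real LM hash. Finally, the header shows a local 2014 edit on top of a 2013 file, so keep this patch where it will be reapplied after a package upgrade of smbldap-tools.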
Graphs
IP
212.13.195.146
85.119.83.146 (hackspace.vps.bitfolk.com)
Services
These run as daemons automatically:
- Apache
- postgres
- mjpegproxy-webcams (in screen, no logging)