Equipment/Turing: Difference between revisions

From London Hackspace Wiki
(more smbldap-tools patches)
m (Updated LDAP info (no more Denning as it goes to ldap-secondary now, and it does work))
 
(5 intermediate revisions by one other user not shown)
Line 32: Line 32:
== LDAP ==

Previous revision:

Turing has an LDAP db on it that is replicated to [[denning]] for use on machines in the space.

It sort of works.

on [[denning]] we get these errors in the logs:

<nowiki>
Sep 11 21:53:33 denning slapd[786]: slap_client_connect: URI=ldaps://turing.hackspace.org.uk DN="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" ldap_sasl_bind_s failed (-1)
Sep 11 21:53:33 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:37:37 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:37:37 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
Sep 11 22:50:27 denning slapd[786]: do_syncrep2: rid=000 (-1) Can't contact LDAP server
Sep 11 22:50:27 denning slapd[786]: do_syncrepl: rid=000 rc -1 retrying
</nowiki>

They appear to be harmless.

Turing has iptables rules that allow access to the LDAP server from denning.

The LDAP server uses an ssl cert from startcom, it expires on Mar 25 2015.

We use a schema that is compatible with samba for 2 reason:

* We might want user logins to samba at some point
* The sambaNTPassword attribute is understood by freeradius and is needed for MS-CHAP auth for spacefed.

Current revision:

Turing has an [[LDAP]] db on it that is replicated to ldap-secondary (Hackspace VM in Wembley) for use on machines in the space.

Turing has iptables rules that allow access to the [[LDAP]] server from ldap-secondary (Hackspace VM).

We use a schema that is compatible with Samba for 2 reason:

* We might want user logins to Samba at some point
* The sambaNTPassword attribute is understood by FreeRADIUS and is needed for MS-CHAP auth for spacefed.

Unchanged:

however the sambaNTPassword hash is quite weak, and the sambaLMPassword hash is silly, so ideally:

Line 63: Line 46:
* the sambaNTPassword attribute would be for a different password from the userPassword

Previous revision:

Currently we're using '!' for the sambaLMPassword attribute value.

Current revision:

Currently we are not adding sambaLMPassword attribute's to the database.

Unchanged:

=== cheat sheet at the moment ===

Removed in current revision:

==== Add a user ====
<nowiki>
smbldap-useradd -a -A 1 -c "<Gcos Comment>"  -N <FirstName> -S <Surname> <username></nowiki>
==== change a password ====
<nowiki>
smbldap-passwd <username></nowiki>

Unchanged:

==== list a users details ====

Line 86: Line 59:
<nowiki>
smbldap-userinfo -l <username></nowiki>

Removed in current revision:

==== delete a user ====
<nowiki>
smbldap-userdel <username></nowiki>

Unchanged:

==== add a user to a group ====

Line 106: Line 74:
<nowiki>
smbldap-usermod -G -<groupname> <username></nowiki>

Added in current revision:

==== Edit the acl's ====
(assuming ldapvi is installed)
<nowiki>
ldapvi -Y EXTERNAL -h ldapi:/// -b olcDatabase={1}hdb,cn=config -v  "(olcAccess=*)" olcAccess</nowiki>

Unchanged:

=== Issues ===

Line 111: Line 87:
* might need to add an index to memberUid

Previous revision:

=== Changes to tools on turing ===

Current revision:

=== Changes to tools on Turing ===

Unchanged:

The smbldap tools were patched with these patches

Line 118: Line 94:
* http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-grouplist.pl?view=patch&r1=135&r2=134&pathrev=135

Previous revision:

... and smbldap-passwd was patched to generate bogus LM password hashes

<nowiki>
--- smbldap-passwd.prev 2013-08-06 08:01:54.000000000 +0000
+++ smbldap-passwd 2014-09-11 23:31:33.000000000 +0000
@@ -157,7 +157,8 @@
# the sambaPwdLastSet must be updating
my $date=time;
my @mods;
- push(@mods, 'sambaLMPassword' => $sambaLMPassword);
+ # XXX modified by jasper to generate an invalid LM password.
+ push(@mods, 'sambaLMPassword' => '!'); #$sambaLMPassword);
push(@mods, 'sambaNTPassword' => $sambaNTPassword);
push(@mods, 'sambaPwdLastSet' => $date);
if (defined $config{defaultMaxPasswordAge}) {
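Review bot: the `+` line still pushes a sambaLMPassword attribute on every password change (now with the literal value '!'), so each entry carries an attribute whose only purpose is to be invalid, and the trailing `#$sambaLMPassword);` on that line is dead text that should be deleted rather than kept as a comment; removing the whole `push(@mods, 'sambaLMPassword' => ...)` line, which is what the current revision says is now done ("we are not adding sambaLMPassword attributes"), is the cleaner form and leaves `$sambaLMPassword` referenced nowhere in this hunk.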
</nowiki>

... and /usr/share/perl5/smbldap_tools.pm needs patching with:

<nowiki>
--- smbldap_tools.pm.orig 2013-08-06 09:01:54.000000000 +0100
+++ smbldap_tools.pm 2014-09-15 21:48:27.000000000 +0100
@@ -106,6 +106,7 @@
  list_union
  list_minus
  account_by_sid
+  user_by_uid
  user_next_uid
  user_next_rid
  group_next_uid
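Review bot: this hunk adds `user_by_uid` to the module's export list but shows no matching `sub user_by_uid` definition, so confirm the sub exists in smbldap_tools.pm (Exporter does not check names at compile time; a caller would only fail when it invokes the missing function), and since the page gives an upstream link for the smbldap-grouplist patch but none for this one, a one-line comment next to the export saying which local tool needs it would help the next maintainer.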
</nowiki>

Current revision:

... and a few others, you can see them all here:

https://github.com/londonhackspace/hackspace-foundation-sites/tree/ldap/ldap

Unchanged:

== Graphs ==

Latest revision as of 17:33, 23 November 2018

Turing

Hackspace: Unknown (placeholder image Unknown.png)
Model: Virtual
Sub-category: Systems
Status: Good working order
Last updated: 23 November 2018 17:33:32
Consumables: Unknown
Accessories: Unknown
Training requirement: yes
Training link: Unknown
ACnode: no
Owner: LHS
Origin: Sponsorship
Location: A Bitfolk datacenter
Maintainers: The Trustees

Purpose

Runs the UK Hackspace website and hosts wikis for any spaces that want one. It also hosts the membership system and forwards the webcams for London Hackspace.

Name

Named after Alan Turing.

See also: System naming

Access

Access is limited to Trustees only since it contains the membership db.


LDAP

Turing has an LDAP db on it that is replicated to ldap-secondary (Hackspace VM in Wembley) for use on machines in the space.

Turing has iptables rules that allow access to the LDAP server from ldap-secondary (Hackspace VM).

We use a schema that is compatible with Samba for two reasons:

  • We might want user logins to Samba at some point
  • The sambaNTPassword attribute is understood by FreeRADIUS and is needed for MS-CHAP auth for spacefed.

However, the sambaNTPassword hash is quite weak and the sambaLMPassword hash is silly, so ideally:

  • the sambaLMPassword attribute would contain nonsense that can never be authenticated against
  • the sambaNTPassword attribute would be for a different password from the userPassword

Currently we are not adding sambaLMPassword attributes to the database.

cheat sheet at the moment

List a user's details

smbldap-usershow <username>

or:

smbldap-userinfo -l <username>

Add a user to a group

smbldap-usermod -G +<groupname> <username>

List the members of a group

smbldap-groupshow <group name>

Remove a member from a group

smbldap-usermod -G -<groupname> <username>

Edit the ACLs

(assuming ldapvi is installed)

ldapvi -Y EXTERNAL -h ldapi:/// -b olcDatabase={1}hdb,cn=config -v  "(olcAccess=*)" olcAccess
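ldapvi shows the raw olcAccess values; what a reviewer wants to know is whether any of them leaves a password-equivalent attribute readable. The Python below is an added example, not part of this wiki or of OpenLDAP: it parses a practical subset of slapd.access(5) syntax, evaluates rules the way slapd does (first matching "to" clause wins, then first matching "by" clause, with an implicit "by * none" at the end), and reports password attributes that an anonymous or any authenticated requester could read. Both rule sets are constructed; cn=admin is the DN that appears on this page, cn=radius is an assumed service account for FreeRADIUS.

```python
"""Offline audit of olcAccess rules for password-equivalent attributes.

Added example (not wiki or OpenLDAP code).  Handles 'to * | attrs=...' and
'by self|anonymous|users|*|dn...' clauses with named privilege levels.
"""
import re

PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")
# slapd privilege levels in increasing order; 'auth' permits bind comparisons only
LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
# which 'by' selectors apply to an anonymous bind and to any authenticated non-self user
REQUESTERS = {"anonymous": ("anonymous", "*"), "users": ("users", "*")}


def parse_rule(value: str):
    """'{n}to <what> by <who> <access> [by ...]' -> (what, [(who, access), ...])."""
    text = re.sub(r"^\{\d+\}", "", value.strip())
    m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", text, re.S)
    if not m:
        raise ValueError("not an access rule: " + value)
    clauses = []
    for part in re.split(r"\s+by\s+", m.group(2)):
        tokens = part.split()
        clauses.append((tokens[0], tokens[1] if len(tokens) > 1 else "none"))
    return m.group(1), clauses


def what_matches(what: str, attr: str) -> bool:
    """A 'to' clause covers attr if it lists it in attrs=, or names no attrs at all."""
    m = re.search(r"attrs=(\S+)", what)
    if not m:
        return True
    return attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]


def effective_access(rules, attr: str, requester: str) -> str:
    """Privilege the requester ends up with on attr under slapd's first-match rules."""
    for value in rules:
        what, clauses = parse_rule(value)
        if not what_matches(what, attr):
            continue
        for who, access in clauses:
            if who in REQUESTERS[requester]:
                return access if access in LEVELS else "none"
        return "none"  # implicit trailing 'by * none'
    return "none"      # no 'to' clause matched


def audit(rules) -> list:
    """(attribute, requester, access) for every password attribute readable or better."""
    findings = []
    for attr in PASSWORD_ATTRS:
        for requester in REQUESTERS:
            access = effective_access(rules, attr, requester)
            if LEVELS.index(access) >= LEVELS.index("read"):
                findings.append((attr, requester, access))
    return findings


# Constructed sample: a catch-all rule ordered before the password rule
WEAK = [
    "{0}to * by users read by * auth",
    "{1}to attrs=userPassword,sambaNTPassword,sambaLMPassword by self write by anonymous auth by * none",
]
# Constructed sample: password attributes handled first; the RADIUS account reads the NT hash by named DN
HARDENED = [
    "{0}to attrs=userPassword,sambaNTPassword,sambaLMPassword"
    ' by dn.exact="cn=admin,dc=london,dc=hackspace,dc=org,dc=uk" write'
    ' by dn.exact="cn=radius,dc=london,dc=hackspace,dc=org,dc=uk" read'
    " by self write by anonymous auth by * none",
    "{1}to * by users read by * auth",
]

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

The weak set is wrong purely because of ordering: the catch-all "to * by users read" precedes the password rule, so every logged-in member can read every other member's sambaNTPassword, which FreeRADIUS accepts for MS-CHAP as it stands. On the live server, slapacl(8) gives the authoritative answer for a given bind DN and attribute; this script is for reviewing rules exported with ldapvi or ldapsearch offline.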


Issues

  • might need to add an index to memberUid

Changes to tools on Turing

The smbldap tools were patched with these patches:

  • http://svn.gna.org/viewcvs/smbldap-tools/trunk/smbldap-grouplist.pl?view=patch&r1=135&r2=134&pathrev=135

... and a few others, you can see them all here:

https://github.com/londonhackspace/hackspace-foundation-sites/tree/ldap/ldap

Graphs

IP

  • 212.13.195.146
  • 85.119.83.146 (hackspace.vps.bitfolk.com)

Services

These run as daemons automatically:

  • Apache
  • postgres
  • mjpegproxy-webcams (in screen, no logging)