LDAP

We have decided to expose our master members list via LDAP. This ensures we can maintain one set of users and passwords across all our systems.

We are using openldap's slapd running on:

ldaps://readinghackspace.org.uk

The security is set up to allow anonymous querying (except for email addresses and credentials), and everyone can update their own entry.

All other edit operations require that you are a member of the 'adm' group.

You can connect to the service with any LDAP client. If you bind with an account in the 'adm' group you are responsible for acting sensibly. If you bind as a normal user please feel free to try and hack/break the system.

A web interface is available at https://readinghackspace.org.uk/accounts/.

= Replication =

There is a replicated server on ldaps://ibm-x345.readinghackspace.org.uk but it is only available within the firewall.

If you are inside the firewall please ensure you use both servers for reliability; with most client libraries you just specify both addresses, e.g. with python-ldap:

 import ldap
 # a space-separated URI list; libldap tries each server in turn
 l = ldap.initialize("ldaps://ibm-x345.readinghackspace.org.uk/ ldaps://readinghackspace.org.uk/")

= SSL =

For ease we have used a StartSSL-signed certificate; this requires renewing bi-annually (the current expiry date can be seen in the cert). user:BWare is currently responsible for maintaining this.

Most distributions trust these certs by default. (If you have trouble, check that you have TLS_CACERTDIR or TLS_CACERT set appropriately in ldap.conf, or download http://www.startssl.com/certs/ca.crt and add it manually.)

= PC =

Any general-use PCs at the space should be set up to use LDAP for user accounts. Details vary by distribution, but you need to configure PAM and NSS (there are normally examples you can just uncomment).

= Door =

TODO: We should switch the RFID door over to using LDAP to check authorization. By convention we store our RFID tags in "employeeNumber".
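A sketch of how the door lookup could work against the directory described above, using both replicas as in the python-ldap snippet in the Replication section. This is an added example, not the space's own door code; it assumes python-ldap, and the base DN is a placeholder since the real one is not given on this page. The filter-building and decision logic are kept separate from the live query so they can be tested without a server.

```python
"""Door-controller lookup sketch: RFID tag (employeeNumber) -> member uid."""

# Both replicas, as on this page; libldap tries each URI in turn.
LDAP_URIS = "ldaps://ibm-x345.readinghackspace.org.uk/ ldaps://readinghackspace.org.uk/"
# ASSUMPTION: placeholder base DN, the real one is not stated on the page.
BASE_DN = "ou=people,dc=example,dc=org"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a tag read off a card must not be able to change
    the structure of the search filter, only to be compared as a value."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def tag_filter(tag: str) -> str:
    """Filter matching the single inetOrgPerson whose employeeNumber is the tag."""
    return "(&(objectClass=inetOrgPerson)(employeeNumber=%s))" % escape_filter_value(tag)


def lookup_tag(tag: str, con=None):
    """Live query (anonymous bind is enough: uid/employeeNumber are readable).
    Returns python-ldap's list of (dn, attrs) tuples."""
    import ldap  # imported here so the offline helpers need no server or module

    con = con or ldap.initialize(LDAP_URIS)
    return con.search_s(BASE_DN, ldap.SCOPE_SUBTREE, tag_filter(tag), ["uid"])


def authorised_uid(results):
    """Fail closed: exactly one real entry with exactly one uid opens the door.
    Zero matches, duplicate tags, or referral entries (dn is None) all deny."""
    if len(results) != 1:
        return None
    dn, attrs = results[0]
    uids = attrs.get("uid", [])
    if dn is None or len(uids) != 1:
        return None
    return uids[0].decode()


if __name__ == "__main__":
    # Constructed sample result, shaped like python-ldap's search_s output.
    sample = [("uid=alice,ou=people,dc=example,dc=org", {"uid": [b"alice"]})]
    print(tag_filter("0A1B2C3D"), "->", authorised_uid(sample))
```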

= MediaWiki =

We use HTTP Basic authentication over SSL coupled with MediaWiki's LDAP module. This ensures that emails and groups are stored in LDAP and allows for simple SSO with most other web-based systems.

MediaWiki's password reset and password change functionality both work and will update your password across all systems.

n.b. The Debian-packaged version of mediawiki-extensions-ldapauth is completely broken. The up-to-date version needs two attempts to succeed; I have fudged this with a redirect, but improvements are welcome.

= phpBB =

Again, this uses HTTP Basic authentication over SSL together with phpBB's LDAP module. There is a slight complication here: we wanted SSO across the sub-domain, so the actual login URL redirects to the main domain, which then proxies the request back to the sub-domain.