FeministWiki:Server setup: Difference between revisions

FeministWiki:Server setup (view source)

Revision as of 00:31, 12 January 2024

3,392 bytes added , 12 January

→‎OpenLDAP configuration database

Technician

Bureaucrats, Interface administrators, Administrators

1,086

edits

@@ Line 205: / Line 205: @@
 === OpenLDAP configuration database ===
+First of all, check if there are important changes in the base configuration of slapd.  For this, we can copy the old configuration into some directory on the new server and run a recursive diff:
+ # Run on old server
+ rsync -r /etc/ldap/slapd.d/ feministwiki.dev:/tmp/slapd.d
+ # Run on new server
+ diff -ru --color=always /tmp/slapd.d /etc/ldap/slapd.d | less -R
+There are going to be a number of changes that are expected.  Namely:
+# CRCs, UIDs, timestamps, and other such auto-generated fields
+# FeministWiki-specific things that only exists in the old configuration
+If these are the '''only''' differences you can see, then it should be safety to completely override the config on the new server with the old one, using the instructions in the following section.
+Otherwise, skip to the section after that and recreate the FeministWiki-specific configuration from scratch.
+==== Complete copying of old configuration ====
+''Note: This is an '''alternative''' method to that described in the '''next''' section. See above for which one to choose.''
 Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':
@@ Line 215: / Line 236: @@
   slapcat -n 0 | ssh feministwiki.dev 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
+==== Recreation of FeministWiki configuration ====
+''Note: This is an '''alternative''' method to that described in the '''previous''' section. See above for which one to choose.''
+Running the following sequence of commands, taken from [[FeministWiki:LDAP Schema]], should work:
+ # Create fwMember object class
+ ldapadd -Y external -H ldapi:// <<EOF
+ dn: cn=feministwiki,cn=schema,cn=config
+ objectClass: olcSchemaConfig
+ cn: feministwiki
+ olcAttributeTypes: {0}( 1.3.6.1.4.1.42.2.27.99.1.1
+    NAME 'fwRecoveryMail'
+    DESC 'FeministWiki password recovery mail'
+    EQUALITY caseIgnoreMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+ olcObjectClasses: {1}( 1.3.6.1.4.1.42.2.27.99.2.1
+    NAME 'fwMember'
+    DESC 'FeministWiki member'
+    SUP inetOrgPerson
+    STRUCTURAL
+    MAY ( fwRecoveryMail ) )
+ EOF
+ # Set attribute permissions
+ ldapmodify -Y external -H ldapi:// <<EOF
+ dn: olcDatabase={1}mdb,cn=config
+ changetype: modify
+ add: olcAccess
+ olcAccess: {2}to attrs=sn,mail by self write
+ olcAccess: {3}to attrs=fwRecoveryMail by self write by dn.exact="cn=readonly,dc=feministwiki,dc=org" search
+ olcAccess: {4}to attrs=manager by self read
+ EOF
+ # Enable the ppolicy dynamic module
+ ldapmodify -Y external -H ldapi:// <<EOF
+ dn: cn=module{0},cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: ppolicy
+ EOF
+ # Add the ppolicy overlay with olcPPolicyHashCleartext set to TRUE
+ ldapadd -Y external -H ldapi:// <<EOF
+ dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+ objectClass: olcPPolicyConfig
+ olcOverlay: ppolicy
+ olcPPolicyHashCleartext: TRUE
+ EOF
+ # Set the default password policy
+ # The policy object referenced here doesn't exist yet,
+ # but will exist once we copy over the main database.
+ ldapmodify -Y external -H ldapi:// <<EOF
+ dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
+ changetype: modify
+ add: olcPPolicyDefault
+ olcPPolicyDefault: cn=default,ou=pwdPolicies,dc=feministwiki,dc=org
+ EOF
+ # Load the lastbind module
+ ldapmodify -Y external -H ldapi:// <<EOF
+ dn: cn=module{0},cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: lastbind
+ EOF
+ # Enable the lastbind overlay
+ ldapadd -Y external -H ldapi:// <<EOF
+ dn: olcOverlay=lastbind,olcDatabase={1}mdb,cn=config
+ objectClass: olcLastBindConfig
+ olcOverlay: lastbind
+ olcLastBindPrecision: 60
+ EOF
 ==== Breaking changes in OpenLDAP ====