LDAP Based Setup of Various FOSS Services for Educational Institutes
Abhijit A. M., College of Engineering Pune (COEP), abhijit.comp@coep.ac.in
FOSSMeet, NITC, 11 Mar 2017
(C) Abhijit A.M. FOSSMeet 2017 @ NITC
Orientation
To introduce FOSS services for educational institutes that can be configured to authenticate against LDAP: one login/password for all services.
Outline
LDAP: what is LDAP; how to set up OpenLDAP; the setup at COEP and differences with disroot.org; shell scripts to maintain your LDAP server
About disroot.org
Configuration of Moodle, Nextcloud, Mediawiki and Desktop with LDAP
Unmet challenges
Possible extensions
Requirements for Single Sign On services
disroot.org services (screenshot)
Highlights of the disroot implementation
Aims: tools that are open, decentralized, federated and respectful of freedom and privacy
LDAP based authentication
Nextcloud based: email, storage (Nextcloud), chats, spreadsheets
Supports the Matrix protocol
Social network requires a separate account
No Single Sign On (SSO) yet
LDAP: How it works (OpenLDAP slapd architecture)
The server is split between a frontend, which handles network access and protocol processing, and a backend, which deals strictly with data storage.
Figure: http://collaboration.cmc.ec.gc.ca/science/rpn/biblio/ddj/Website/articles/SA/v13/i05/a3_f1.gif
LDAP
An open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Holds information about users, systems, networks, services and applications: any organized set of records, often with a hierarchical structure, such as a corporate email directory.
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
LDAP (2)
An LDAP search translated into plain English: "Search in the company email directory for all people located in Kozhikode whose name contains 'Abhijit' and who have an email address. Return their full name, email, title and description."
Common use: a central place to store usernames and passwords. Many different applications and services connect to the LDAP server to validate users, so one username/password serves many services.
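The plain-English search above corresponds to the LDAP filter (&(l=Kozhikode)(cn=*Abhijit*)(mail=*)) with the requested attributes cn, mail, title and description. The following Python is an added example, not code from the talk or from any LDAP library: it implements a small subset of the RFC 4515 filter grammar (and, or, not, equality, substring and presence, with the case-insensitive matching that cn and mail use) and runs the search over a constructed in-memory directory. The example.com entries are made up for this illustration.

```python
import re

# Constructed sample directory (not COEP data): entries as dicts of
# attribute -> list of values, the shape an LDAP client receives them in.
DIRECTORY = [
    {"dn": "cn=Abhijit A. M.,ou=people,dc=example,dc=com",
     "cn": ["Abhijit A. M."], "l": ["Kozhikode"], "mail": ["abhijit@example.com"],
     "title": ["Professor"], "description": ["FOSSMeet speaker"]},
    {"dn": "cn=Abhijit Kumar,ou=people,dc=example,dc=com",
     "cn": ["Abhijit Kumar"], "l": ["Pune"], "mail": ["ak@example.com"]},
    {"dn": "cn=Ravi Nair,ou=people,dc=example,dc=com",
     "cn": ["Ravi Nair"], "l": ["Kozhikode"], "mail": ["ravi@example.com"]},
    {"dn": "cn=Abhijit Pillai,ou=people,dc=example,dc=com",
     "cn": ["Abhijit Pillai"], "l": ["Kozhikode"]},      # no mail attribute
]


def parse_filter(s):
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value).
    Returns a nested tuple tree; malformed input raises ValueError."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")) or len(s) < 3:
        raise ValueError("filter must be a non-empty parenthesised expression")
    body = s[1:-1]
    if body[0] in "&|!":
        op, rest, items, depth, start = body[0], body[1:], [], 0, 0
        for i, ch in enumerate(rest):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    items.append(parse_filter(rest[start:i + 1]))
        if depth != 0 or not items or (op == "!" and len(items) != 1):
            raise ValueError("malformed filter: " + s)
        return (op, items)
    attr, sep, value = body.partition("=")
    if not sep or not attr:
        raise ValueError("only equality, substring and presence are supported")
    return ("=", attr.lower(), value)


def matches(tree, entry):
    """Evaluate a parsed filter against one entry."""
    op = tree[0]
    if op == "&":
        return all(matches(t, entry) for t in tree[1])
    if op == "|":
        return any(matches(t, entry) for t in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])          # attribute names are case-insensitive
    if value == "*":                      # presence test, e.g. (mail=*)
        return bool(values)
    if "*" in value:                      # substring, e.g. (cn=*Abhijit*)
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch


def search(base, filter_str, attrs):
    """Subtree search: return (dn, {attr: values}) for matching entries under base."""
    tree = parse_filter(filter_str)
    results = []
    for entry in DIRECTORY:
        if entry["dn"].lower().endswith(base.lower()) and matches(tree, entry):
            results.append((entry["dn"], {a: entry[a] for a in attrs if a in entry}))
    return results


if __name__ == "__main__":
    for dn, attrs in search("dc=example,dc=com",
                            "(&(l=Kozhikode)(cn=*Abhijit*)(mail=*))",
                            ["cn", "mail", "title", "description"]):
        print(dn, attrs)
```

Only one of the three Abhijits in Kozhikode is returned: the other has no mail attribute, so the presence test (mail=*) excludes it, exactly as the plain-English query asks.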
How COEP uses the LDAP server (diagram)
A directory tree structure (figure): Country > State > The Organization > Organizational Unit > Person
LDAP: Directory Structure
Hierarchy of entries. Entry = set of attributes.
Each entry has a unique identifier: its Distinguished Name (DN).
The DN is built from the entry's Relative Distinguished Name (RDN) followed by the DN of its parent; the RDN itself is only the entry's own component. Filesystem analogy: if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN and /foo/bar the parent's DN.
Attribute: name + one or more values, defined in a schema.
A DN may change over the lifetime of the entry, for instance when entries are moved within the tree, so an application should not treat the DN as a permanent key for a user.
https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
LDAP: Directory entry
Example of an LDAP entry, in LDIF format:
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
Where "dn" is the distinguished name of the entry: neither an attribute nor a part of the entry. "cn=John Doe" is the RDN (Relative Distinguished Name) and "dc=example,dc=com" is the DN of the parent entry; "dc" denotes 'Domain Component'.
The other lines are the attributes in the entry. Attribute names are typically mnemonic strings, like "cn" for common name, "dc" for domain component, "mail" for e-mail address, and "sn" for surname.
Multiple Values
Each attribute can have multiple values; for example we could have the following record:
DN: cn=Dave Hollinger, O=RPI, C=US
CN: Dave Hollinger
CN: David Hollinger
Email: hollingd@cs.rpi.edu
Email: hollid2@rpi.edu
Email: satan@hackers.org
Credit: http://ce.sharif.edu/courses/84-85/2/ce317/resources/root/lecture%20slides/8-%20LDAP.ppt
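To see how the DN, the RDN, multi-valued attributes and base64 ("::") values fit together, here is an added Python LDIF reader, not code from the talk or from OpenLDAP. It parses the John Doe entry from the previous slides plus a second entry constructed for this example, and splits a DN into its RDN and parent DN while honouring backslash-escaped commas. The sample LDIF text is constructed, not real directory data.

```python
import base64

# Constructed LDIF sample (example.com, not a real directory): the John Doe
# entry from the slides plus a second entry with a base64 ("::") value.
SAMPLE_LDIF = """\
dn: cn=John Doe,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
telephoneNumber: +1 888 555 6789
telephoneNumber: +1 888 555 1232
mail: john@example.com
manager: cn=Barbara Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top

dn: cn=Barbara Doe,dc=example,dc=com
cn: Barbara Doe
sn: Doe
# a base64-encoded value, as slapcat emits for non-ASCII or binary data
description:: QmFyYmFyYSBpcyBKb2huJ3MgbWFuYWdlcg==
objectClass: inetOrgPerson
objectClass: top
"""


def unfold(lines):
    """Join LDIF continuation lines (a line starting with a single space)."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text):
    """Return a list of entries. Each entry is a dict attr -> list of values;
    the DN is kept under the key 'dn' because it is not an attribute."""
    entries, current = [], None
    for line in unfold(text.splitlines()):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):                      # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip()
        if name.lower() == "dn":
            current = {"dn": value}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current.setdefault(name, []).append(value)  # multi-valued attributes
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into its RDNs; a backslash-escaped comma stays inside its RDN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf.strip())
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf.strip())
    return rdns


def rdn_and_parent(dn):
    """The entry's own RDN and the DN of its parent."""
    parts = split_dn(dn)
    return parts[0], ",".join(parts[1:])


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        print(rdn_and_parent(entry["dn"]), entry.get("telephoneNumber"))
```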
objectClass
Commonly used attribute: objectClass. Each record is an object, and each record can carry one or more values of the objectClass attribute. The attributes the record must and may have are defined by its object classes. E.g.
dn: cn=abhijit.comp,ou=comp,dc=coep,dc=org,dc=in
cn: abhijit.comp
objectClass: posixAccount
mail: abhijit.comp@coep.ac.in
Here posixAccount tells us that this entry must have the attributes cn $ uid $ uidNumber $ gidNumber $ homeDirectory and can also have userPassword $ loginShell $ gecos $ description. Note that, as written, slapd would reject this entry: uid, uidNumber, gidNumber and homeDirectory are missing, and mail is not allowed by posixAccount alone (it comes from inetOrgPerson, which the COEP entries shown later also include).
objectClass
The schema defines which attributes are required (MUST) for objects with a specific value of the objectClass attribute, and which are allowed (MAY). New records must adhere to these settings: slapd rejects an add or modify that violates them.
A directory can have many different types of entries (figure)
Example: Directory Structure, OUs, DNs, RDNs (figure)
Source: catalogue.pearsoned.co.uk/samplechapter/020178792X.pdf
Schemas
The contents of the entries in a subtree are governed by a schema, which defines the possible attribute types. Each definition includes a syntax; most non-binary values in LDAPv3 use UTF-8 string syntax.
For example, a "mail" attribute might contain the value "user@example.com". A "jpegPhoto" attribute would contain photograph(s) in binary JPEG/JFIF format. A "member" attribute contains the DNs of other directory entries.
Schemas
A definition also states whether the attribute is single-valued or multi-valued and how to search/compare the attribute (its matching rules).
The schema defines object classes. Each entry must have an objectClass attribute containing named classes defined in the schema, e.g. a person, organization or domain.
Server administrators can define their own schemas in addition to the standard ones. Most of the time we don't need to define a new schema; just use the existing ones.
Schema Examples
attributetype ( 0.9.2342.19200300.100.1.1
    NAME ( 'uid' 'userid' )
    DESC 'RFC1274: user identifier'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
    SUP top AUXILIARY
    DESC 'Abstraction of an account with POSIX attributes'
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
The EQUALITY rule matters for logins: with caseIgnoreMatch, a search for uid=Abhijit.comp and uid=abhijit.comp return the same entry, so two accounts differing only in case cannot coexist safely.
Credit: http://ce.sharif.edu/courses/84-85/2/ce317/resources/root/lecture%20slides/8-%20LDAP.ppt
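The MUST/MAY rule is what slapd enforces on every add and modify. As an added example (not code from the talk or from OpenLDAP), the Python below encodes the MUST/MAY lists of the object classes used in this talk, transcribed from the OpenLDAP core and nis schemas with OIDs omitted, and checks an entry the way the server would, walking the SUP chain so that an inetOrgPerson inherits the cn and sn requirements of person. The bare posixAccount entry from the objectClass slide fails both checks. Structural/auxiliary rules and attribute syntax, which the real server also enforces, are out of scope here.

```python
# Schema table transcribed for this example (MUST/MAY only; OIDs omitted).
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "person": {"sup": "top", "must": {"sn", "cn"},
               "may": {"userPassword", "telephoneNumber", "seeAlso", "description"}},
    "organizationalPerson": {"sup": "person", "must": set(),
                             "may": {"title", "ou", "l", "st", "postalAddress"}},
    "inetOrgPerson": {"sup": "organizationalPerson", "must": set(),
                      "may": {"mail", "uid", "givenName", "displayName",
                              "jpegPhoto", "manager"}},
    "posixAccount": {"sup": "top",
                     "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     "may": {"userPassword", "loginShell", "gecos", "description"}},
    "shadowAccount": {"sup": "top", "must": {"uid"},
                      "may": {"userPassword", "shadowLastChange", "shadowMin",
                              "shadowMax", "shadowWarning", "shadowInactive",
                              "shadowExpire", "shadowFlag", "description"}},
}

# The entry from the objectClass slide (posixAccount only, with a mail attribute).
BARE_POSIX = {
    "dn": "cn=abhijit.comp,ou=comp,dc=coep,dc=org,dc=in",
    "cn": ["abhijit.comp"],
    "objectClass": ["posixAccount"],
    "mail": ["abhijit.comp@coep.ac.in"],
}

# A complete entry in the shape the COEP LDIF uses (values constructed here).
FULL_ENTRY = {
    "dn": "cn=abhijit.comp,ou=staff,ou=comp,dc=coep,dc=org,dc=in",
    "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount", "top"],
    "cn": ["abhijit.comp"], "sn": ["abhijit.comp"], "uid": ["abhijit.comp"],
    "uidNumber": ["10016"], "gidNumber": ["102"],
    "homeDirectory": ["/it/staff/compit/abhijit.comp"], "loginShell": ["/bin/bash"],
    "gecos": ["abhijit.comp,staff,comp"], "mail": ["abhijit.comp@coep.ac.in"],
    "shadowLastChange": ["2000"], "shadowMax": ["99999"], "shadowWarning": ["7"],
    "userPassword": ["{SSHA}constructed-placeholder"],
}


def effective(classes):
    """Union of MUST and MAY attributes over the classes and their superclasses."""
    must, may, seen, stack = set(), set(), set(), list(classes)
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        if c not in SCHEMA:
            raise ValueError("unknown objectClass: " + c)
        seen.add(c)
        must |= SCHEMA[c]["must"]
        may |= SCHEMA[c]["may"]
        if SCHEMA[c]["sup"]:
            stack.append(SCHEMA[c]["sup"])
    return must, may


def check_entry(entry):
    """Return (missing_must, not_allowed), both sorted lists. Empty lists mean
    slapd would accept the entry as far as MUST/MAY goes. 'dn' is skipped
    because it is not an attribute; names compare case-insensitively."""
    norm = {name.lower(): name for name in entry if name.lower() != "dn"}
    classes = entry.get(norm.get("objectclass", "objectClass"), [])
    must, may = effective(classes)
    allowed = {a.lower() for a in must | may}
    missing = sorted(a for a in must if a.lower() not in norm)
    extra = sorted(orig for low, orig in norm.items() if low not in allowed)
    return missing, extra


if __name__ == "__main__":
    print("bare posixAccount:", check_entry(BARE_POSIX))
    print("full entry:", check_entry(FULL_ENTRY))
```

Running the check before ldapadd on a generated LDIF file catches the kind of administrator mistakes mentioned later in the talk, without a round-trip to the server.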
Basic Operations
Bind: authenticate the client (anonymously, with a simple password, or via SASL) and set the protocol version. A simple bind without TLS sends the password in the clear.
StartTLS: an extended operation that upgrades the connection to TLS, so that the bind password and the data are encrypted.
More operations:
Search: search for and/or retrieve directory entries
Compare: test if a named entry contains a given attribute value
Add a new entry
Delete an entry
Modify an entry
Modify DN: move or rename an entry
Abandon: abort a previous request
Extended Operation: generic operation used to define other operations
Unbind: close the connection
Credit: http://ce.sharif.edu/courses/84-85/2/ce317/resources/root/lecture%20slides/8-%20LDAP.ppt
phpldapadmin (screenshot)
OpenLDAP
A free implementation of the Lightweight Directory Access Protocol (LDAP), under a BSD-style license called the OpenLDAP Public License.
Runs on GNU/Linux, BSD variants, AIX, Android, HP-UX, macOS, Solaris, Microsoft Windows (NT and derivatives, e.g. 2000, XP, Vista, Windows 7, etc.), and z/OS.
OpenLDAP
OpenLDAP has three main components:
slapd: stand-alone LDAP daemon and associated modules and tools
libraries implementing the LDAP protocol and ASN.1 Basic Encoding Rules (BER)
client software: ldapsearch, ldapadd, ldapdelete, and others
OpenLDAP integrated setup at COEP
Services in use: Moodle, Mediawiki, Nextcloud, FOSS Server (Drupal), Proxy Server, MRBS
Dormant: Helpdesk, Kpoint
Abandoned: Desktop Authentication
Upcoming: Suggestions Portal, COEP Website
Desired, but not possible: Email, MIS
OpenLDAP Implemented at COEP (screenshots 1 to 3)
OpenLDAP Implemented at COEP: Typical LDIF entry
# abhijit.comp, staff, comp, coep.org.in
dn: cn=abhijit.comp,ou=staff,ou=comp,dc=coep,dc=org,dc=in
gecos: abhijit.comp,staff,comp
gidNumber: 102
homeDirectory: /it/staff/compit/abhijit.comp
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 2000
shadowMax: 99999
shadowWarning: 7
uid: abhijit.comp
sn: abhijit.comp
uidNumber: 10016
cn: abhijit.comp
mail: abhijit.comp@coep.ac.in
userPassword:: e1NTSM0hVK1BhdGdleVFsaE1na1JJS0U=
OpenLDAP Implemented at COEP: Typical LDIF entry - 2
dn: cn=111303001,ou=2017,ou=students,ou=comp,dc=coep,dc=org,dc=in
uid: 111303001
mail: shettyas13.comp@coep.ac.in
sn: 111303001
cn: 111303001
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 2000
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 111303001
gidNumber: 1113030
homeDirectory: /comp/students/2017c/111303001
gecos: 111303001,2017c,students,comp
userPassword:: e01ENX1Lblo0V1dteWFzMXk5b2lGdEZPT3JnPT0=
Note the "::" on the last line: the value is base64-encoded in LDIF, and decodes to a {MD5} hash. {MD5} is unsalted and fast to brute-force, so a dump of the directory exposes student passwords; new entries should use the {SSHA} form that slappasswd produces by default (as the staff entry on the previous slide does), and existing {MD5} values should be rehashed at the next password change.
Key issues
Hierarchy: comp/students, comp/staff, comp/ntstaff OR students/comp, students/entc, staff/comp, staff/entc
Home folder path: for a possible NFS based shared home directory for all users
Desktop authentication is also possible using LDAP: tried, tested and abandoned because of performance issues
cn for each user: roll numbers used
gidNumber design: defining groups for future use
Challenges faced
Too many user accounts needed: 5000+ students, 400+ teachers, 500+ non-teaching staff. Shell scripts to the rescue (copy them from me).
Password resets: phpldapadmin set up for this; Moodle is the only other place where users change passwords, since having several pieces of software changing passwords brings too many complications.
Challenges faced
IT education: members who are not IT friendly. Wiki to the rescue. Usage is still low, but increasing.
Challenges faced
Different terminology: different software use different terms for the same concept. "Login attribute", "Login id" and "User Id" may mean cn, uid or uidNumber depending on the application.
Email not fetched from LDAP entries: LDAP is used only for authentication, and users are stored locally by the software.
Duplication of data: duplicate users created by applications. After you log in using LDAP, the application creates a local copy of the user.
Challenges faced
Errors have crept into LDIF entries: mistakes of the system administrator.
Passwords are forgotten by users, a pain for the maintainers. phpldapadmin to the rescue.
Setting up your own OpenLDAP server
Our current implementation runs on Ubuntu 12.04 (!), which has since gone out of support.
Good guide by Ubuntu on setting up OpenLDAP: https://help.ubuntu.com/lts/serverguide/openldap-server.html
Make life easy: generate your own LDIF file containing all user accounts with a shell script, then run a single ldapadd command to add all accounts.
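An added example, not the COEP script the slide refers to: Python that turns a constructed CSV roster into one LDIF file for a single ldapadd run, hashing passwords in the {SSHA} form that slappasswd produces rather than the unsalted {MD5} seen in the student entry earlier, plus a check_password helper that verifies either form and flags {MD5} so a migration can find it. The base DN, OU layout, home-directory layout and CSV columns are assumptions made for this example; the roster rows are constructed, not real accounts.

```python
import base64
import csv
import hashlib
import io
import os

# Constructed roster (assumption: one row per user with these columns).
USERS_CSV = """\
uid,ou,uidNumber,gidNumber,mail,password
abhijit.comp,staff,10016,102,abhijit.comp@example.org,CorrectHorse
111303001,students,111303001,1113030,shettyas13.comp@example.org,Tr0ub4dor
"""
BASE_DN = "ou=comp,dc=example,dc=org"          # assumed suffix for the example


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password + salt) + salt). A random salt
    per user means equal passwords yield different hashes, unlike {MD5}."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def legacy_md5(password):
    """The unsalted {MD5} form found in older imports. Kept only so
    check_password can be exercised against it; never use for new accounts."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode("utf-8")).digest()).decode("ascii")


def check_password(stored, password):
    """Verify a userPassword value. Returns (ok, weak); weak is True for {MD5}."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]            # sha1 digest is 20 bytes
        return (hashlib.sha1(password.encode("utf-8") + salt).digest() == digest, False)
    if stored.startswith("{MD5}"):
        digest = base64.b64decode(stored[5:])
        return (hashlib.md5(password.encode("utf-8")).digest() == digest, True)
    raise ValueError("unsupported password scheme: " + stored[:8])


def ldif_line(name, value):
    """Emit 'name: value', or 'name:: base64' when the value is not a safe
    LDIF string (non-ASCII, control characters, or a leading space/colon/'<')."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\0")
            and value[:1] not in (" ", ":", "<"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_to_ldif(row, salt=None):
    """One LDIF entry in the shape used in this talk (assumed layout)."""
    uid, ou = row["uid"], row["ou"]
    lines = [
        ldif_line("dn", f"cn={uid},ou={ou},{BASE_DN}"),
        "objectClass: inetOrgPerson", "objectClass: posixAccount",
        "objectClass: shadowAccount", "objectClass: top",
        ldif_line("cn", uid), ldif_line("sn", uid), ldif_line("uid", uid),
        ldif_line("uidNumber", row["uidNumber"]), ldif_line("gidNumber", row["gidNumber"]),
        ldif_line("homeDirectory", f"/home/{ou}/{uid}"), "loginShell: /bin/bash",
        ldif_line("mail", row["mail"]), ldif_line("gecos", f"{uid},{ou},comp"),
        "shadowLastChange: 2000", "shadowMax: 99999", "shadowWarning: 7",
        ldif_line("userPassword", ssha(row["password"], salt)),
    ]
    return "\n".join(lines) + "\n"


def build_ldif(csv_text, salt=None):
    """Whole roster as one LDIF document, entries separated by blank lines."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return "\n".join(user_to_ldif(r, salt) for r in rows)


if __name__ == "__main__":
    print(build_ldif(USERS_CSV), end="")
```

Save the output as users.ldif and load it with one command, e.g. ldapadd -x -H ldap://localhost -D "cn=admin,dc=example,dc=org" -W -f users.ldif (bind DN assumed). Keep the CSV with plaintext passwords off the server afterwards; once the LDIF is loaded, only the hashes remain in the directory.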
Moodle – LDAP setup (screenshots 1 to 5)
Moodle's User Table
Locally stores all the users authenticated from LDAP, but does not cache the password.
Stores an email id of its own: if a user changes the email id in Moodle, the change is not reflected in the LDAP entry.
Nextcloud – LDAP Setup (screenshots 1 to 5; 5 is the advanced tab)
Mediawiki – LDAP Settings (LocalSettings.php) - 1
wfLoadExtension( 'LdapAuthentication' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "coep" );
$wgLDAPServerNames = array( "coep" => "10.1.101.41" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "coep" => "clear" );
$wgLDAPBaseDNs = array( "coep" => "dc=coep,dc=org,dc=in" );
$wgLDAPUserBaseDNs = array( "coep" => "dc=coep,dc=org,dc=in" );
Note: the encryption type "clear" means every user's password, and the proxy agent's password, crosses the network to 10.1.101.41 unencrypted; set it to "tls" (StartTLS) or "ssl" once the server has a certificate.
Mediawiki – LDAP Settings (LocalSettings.php) - 2
$wgLDAPProxyAgent = array( 'coep' => 'cn=Manager,dc=coep,dc=org,dc=in' );
$wgLDAPProxyAgentPassword = array( 'coep' => 'password-hidden-from-you' );
$wgLDAPSearchAttributes = array( 'coep' => 'uid' );
$wgLDAPGroupObjectclass = array( "coep" => "posixgroup" );
Note: cn=Manager is conventionally the OpenLDAP rootdn, which bypasses all access controls. Using it as the proxy agent means anyone who reads LocalSettings.php on the wiki host can rewrite every entry and password hash in the directory. Create a dedicated bind account for the wiki with read-only access to the user subtree and use that here.
MRBS LDAP Settings (config.inc.php)
<?php
namespace LDAP;
/***********************
 * LDAP Authentication
 ***********************/
$auth["session"] = "php";
$auth["type"] = "ldap";
$auth["realm"] = "mrbs";
$ldap_host = "ldap://10.1.101.41";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_user_attrib = "uid";
$ldap_dn_search_attrib = "uid";
$ldap_base_dn = "dc=coep,dc=org,dc=in";
$ldap_dn_search_dn = "cn=Manager,dc=coep,dc=org,dc=in";
$ldap_dn_search_password = "password-hidden-from-you";
$ldap_get_user_email = TRUE;
$ldap_email_attrib = 'mail';
Note: the same two weaknesses as in the Mediawiki settings apply here. $ldap_tls = false with plain ldap:// on port 389 sends user passwords and the search bind password in clear text, and the search DN is again cn=Manager; switch $ldap_tls to true and use a read-only bind account.
Drupal – Simpleldap module configuration (screenshot)
Future Possibilities
Single sign on: users should sign in only once and all services should then be available automatically. Moodle has SSO support; other services will need code modifications.
Possible additions: desktop login (with decentralised NFS servers), Diaspora pod, Buddypress, ...
Credits
https://en.wikipedia.org/wiki/OpenLDAP
https://en.wikipedia.org/wiki/LDAP
http://disroot.org