Faidon has uploaded a new change for review.
https://gerrit.wikimedia.org/r/80577
Change subject: RT: allow login via LDAP
......................................................................
RT: allow login via LDAP
Currently limited to the "wmf" group, pending discussion. Commenting-out
the "group" line should be enough to open it up to everyone.
RT LDAP config is tested, but puppet manifest is not.
Change-Id: I35403ecab5bef6b56a3bf8d4c379d6ca75b8730c
RT: 5649
---
M manifests/misc/rt-server-apache.pp
A templates/rt/52-ldap.conf.erb
2 files changed, 59 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/77/80577/1
diff --git a/manifests/misc/rt-server-apache.pp
b/manifests/misc/rt-server-apache.pp
index 6680153..695b92c 100644
--- a/manifests/misc/rt-server-apache.pp
+++ b/manifests/misc/rt-server-apache.pp
@@ -16,9 +16,16 @@
$rt_mysql_host = $dbhost
$rt_mysql_port = $dbport
+ include ldap::role::config::labs
+ $ldap_server = $ldap::role::config::labs::ldapconfig['servernames'][0]
+ $ldap_bind_dn = $ldap::role::config::labs::ldapconfig['proxyagent']
+ $ldap_bind_pass = $ldap::role::config::labs::ldapconfig['proxypass']
+ $ldap_base_dn = $ldap::role::config::labs::ldapconfig['basedn']
+
package { [ 'request-tracker4',
'rt4-db-mysql',
'rt4-clients',
+ 'rt4-extension-authenexternalauth',
'libdbd-pg-perl' ]:
ensure => latest;
}
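Review bot: The bind DN and password assigned to `$ldap_bind_dn` and `$ldap_bind_pass` come from the shared `proxyagent`/`proxypass` entries of `ldap::role::config::labs`, so the RT host ends up holding a credential that other services presumably use as well. A dedicated bind account for RT, limited to reading the attributes the new template maps, would keep a compromise of the RT host from exposing the shared account. Only `servernames[0]` is used, so RT login depends on a single LDAP host; a comment such as `# RT binds to the first LDAP server only; no failover` would make that explicit. The enclosing class starts and ends outside the hunk.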
@@ -34,6 +41,13 @@
require => Package['request-tracker4'],
content => template('rt/51-dbconfig-common.erb'),
notify => Exec['update-rt-siteconfig'];
+ '/etc/request-tracker4/RT_SiteConfig.d/52-externalauth':
+ require => [
+ Package['request-tracker4'],
+ Package['rt4-extension-authenexternalauth'],
+ ],
+ content => template('rt/52-externalauth.erb'),
+ notify => Exec['update-rt-siteconfig'];
'/etc/request-tracker4/RT_SiteConfig.d/80-wikimedia':
require => Package['request-tracker4'],
source => 'puppet:///files/rt/80-wikimedia',
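Review bot: The new resource renders `template('rt/52-externalauth.erb')`, but the file this commit adds is `templates/rt/52-ldap.conf.erb`, so unless a template with that name exists elsewhere the catalog will fail to compile; the line should read `content => template('rt/52-ldap.conf.erb'),`. The rendered file contains the LDAP bind password, and no `owner`, `group` or `mode` is visible on this entry. If the defaults declared outside the hunk leave it world-readable, add an explicit `mode => '0640'` and a group limited to the account RT runs as. The same concern presumably applies to the combined site config that `update-rt-siteconfig` builds from these snippets.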
diff --git a/templates/rt/52-ldap.conf.erb b/templates/rt/52-ldap.conf.erb
new file mode 100644
index 0000000..837df24
--- /dev/null
+++ b/templates/rt/52-ldap.conf.erb
@@ -0,0 +1,45 @@
+Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+
+Set($ExternalAuthPriority, [ 'LDAP' ]);
+Set($ExternalInfoPriority, [ 'LDAP' ]);
+Set($ExternalServiceUsesSSLorTLS, 1);
+Set($AutoCreateNonExternalUsers, 0);
+
+Set($ExternalSettings, {
+ 'LDAP' => {
+ 'type' => 'ldap',
+ 'server' => '<%= @ldap_server %>',
+ 'user' => '<%= @ldap_bind_dn %>',
+ 'pass' => '<%= @ldap_bind_pass %>',
+ 'base' => 'ou=people,<%= @ldap_base_dn %>',
+ 'filter' => '(objectClass=posixAccount)',
+ 'group' => 'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+ 'group_attr' => 'member',
+ 'group_attr_value' => 'dn',
+ 'group_scope' => 'base',
+ 'tls' => 1,
+ 'ssl_version' => 3,
+ 'net_ldap_args' => [ version => 3 ],
+ 'attr_match_list' => [
+ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ ],
+ 'attr_map' => {
+ 'Name' => 'uid',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'uid',
+ 'Gecos' => 'uid',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ },
+ },
+} );
+
+1;
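Review bot: `'tls' => 1` is set with no certificate verification option and with `'ssl_version' => 3`, which, if the extension passes it to Net::SSLeay as its sample config describes, selects SSLv3 rather than TLS. An encrypted but unverified connection does not authenticate the LDAP server, so the bind password and every user's login password are exposed to any host that can answer in its place. Where the installed extension version allows it, pass a CA file and `verify => 'require'` through to start_tls and drop the SSLv3 pin. Separately, the four `<%= ... %>` values are written unescaped into single-quoted Perl strings, so a value containing `'` or `\` produces a broken or altered site config; escape those two characters in the template.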
--
To view, visit https://gerrit.wikimedia.org/r/80577
Gerrit-MessageType: newchange
Gerrit-Change-Id: I35403ecab5bef6b56a3bf8d4c379d6ca75b8730c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon <[email protected]>