Faidon has uploaded a new change for review. https://gerrit.wikimedia.org/r/80577
Change subject: RT: allow login via LDAP ...................................................................... RT: allow login via LDAP Currently limited to the "wmf" group, pending discussion. Commenting-out the "group" line should be enough to open it up to everyone. RT LDAP config is tested, but puppet manifest is not. Change-Id: I35403ecab5bef6b56a3bf8d4c379d6ca75b8730c RT: 5649 --- M manifests/misc/rt-server-apache.pp A templates/rt/52-ldap.conf.erb 2 files changed, 59 insertions(+), 0 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/77/80577/1 diff --git a/manifests/misc/rt-server-apache.pp b/manifests/misc/rt-server-apache.pp index 6680153..695b92c 100644 --- a/manifests/misc/rt-server-apache.pp +++ b/manifests/misc/rt-server-apache.pp @@ -16,9 +16,16 @@ $rt_mysql_host = $dbhost $rt_mysql_port = $dbport + include ldap::role::config::labs + $ldap_server = $ldap::role::config::labs::ldapconfig['servernames'][0] + $ldap_bind_dn = $ldap::role::config::labs::ldapconfig['proxyagent'] + $ldap_bind_pass = $ldap::role::config::labs::ldapconfig['proxypass'] + $ldap_base_dn = $ldap::role::config::labs::ldapconfig['basedn'] + package { [ 'request-tracker4', 'rt4-db-mysql', 'rt4-clients', + 'rt4-extension-authenexternalauth', 'libdbd-pg-perl' ]: ensure => latest; } @@ -34,6 +41,13 @@ require => Package['request-tracker4'], content => template('rt/51-dbconfig-common.erb'), notify => Exec['update-rt-siteconfig']; + '/etc/request-tracker4/RT_SiteConfig.d/52-externalauth': + require => [ + Package['request-tracker4'], + Package['rt4-extension-authenexternalauth'], + ], + content => template('rt/52-externalauth.erb'), + notify => Exec['update-rt-siteconfig']; '/etc/request-tracker4/RT_SiteConfig.d/80-wikimedia': require => Package['request-tracker4'], source => 'puppet:///files/rt/80-wikimedia', diff --git a/templates/rt/52-ldap.conf.erb b/templates/rt/52-ldap.conf.erb new file mode 100644 index 0000000..837df24 --- /dev/null 
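Review bot: The new `'/etc/request-tracker4/RT_SiteConfig.d/52-externalauth'` resource in the second hunk renders `template('rt/52-externalauth.erb')`, but the only template this change adds is `templates/rt/52-ldap.conf.erb`. Unless a `52-externalauth.erb` already exists elsewhere in the tree, the catalog will fail to compile. Either rename the new template or change the line to `content => template('rt/52-ldap.conf.erb'),`. The rendered file will also contain the LDAP proxy-agent password (`$ldap_bind_pass`, set in the first hunk), and no `owner`, `group` or `mode` is visible on this resource. The enclosing `file { ... }` block starts outside the hunk, so confirm it sets defaults that keep the file readable only by root and the account RT runs as, or add an explicit `mode` here.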
+++ b/templates/rt/52-ldap.conf.erb
@@ -0,0 +1,45 @@
+Set( @Plugins, qw(RT::Authen::ExternalAuth) );
+
+Set($ExternalAuthPriority, [ 'LDAP' ]);
+Set($ExternalInfoPriority, [ 'LDAP' ]);
+Set($ExternalServiceUsesSSLorTLS, 1);
+Set($AutoCreateNonExternalUsers, 0);
+
+Set($ExternalSettings, {
+ 'LDAP' => {
+ 'type' => 'ldap',
+ 'server' => '<%= @ldap_server %>',
+ 'user' => '<%= @ldap_bind_dn %>',
+ 'pass' => '<%= @ldap_bind_pass %>',
+ 'base' => 'ou=people,<%= @ldap_base_dn %>',
+ 'filter' => '(objectClass=posixAccount)',
+ 'group' => 'cn=wmf,ou=groups,dc=wikimedia,dc=org',
+ 'group_attr' => 'member',
+ 'group_attr_value' => 'dn',
+ 'group_scope' => 'base',
+ 'tls' => 1,
+ 'ssl_version' => 3,
+ 'net_ldap_args' => [ version => 3 ],
+ 'attr_match_list' => [
+ 'Name',
+ 'EmailAddress',
+ 'RealName',
+ ],
+ 'attr_map' => {
+ 'Name' => 'uid',
+ 'EmailAddress' => 'mail',
+ 'Organization' => 'physicalDeliveryOfficeName',
+ 'RealName' => 'cn',
+ 'ExternalAuthId' => 'uid',
+ 'Gecos' => 'uid',
+ 'WorkPhone' => 'telephoneNumber',
+ 'Address1' => 'streetAddress',
+ 'City' => 'l',
+ 'State' => 'st',
+ 'Zip' => 'postalCode',
+ 'Country' => 'co'
+ },
+ },
+} );
+
+1;
-- To view, visit https://gerrit.wikimedia.org/r/80577 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I35403ecab5bef6b56a3bf8d4c379d6ca75b8730c Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon <fai...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
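Review bot: The ERB values in the `'LDAP'` settings block are written unescaped into single-quoted Perl literals, so a bind password containing `'` or a backslash will break the generated RT config or silently change the credential. Escape it at render time, e.g. `'pass' => '<%= @ldap_bind_pass.gsub(/[\\']/) { |c| "\\#{c}" } %>',`, and do the same for `server`, `user` and `base`. With `'tls' => 1`, user passwords and the proxy-agent password cross this connection, but nothing in the template shows whether the LDAP server certificate is verified against a CA. Confirm what the packaged extension does on STARTTLS, and confirm that `'ssl_version' => 3` does not pin a legacy protocol version. The `group` DN is the only access gate and hard-codes `dc=wikimedia,dc=org` while `base` is built from `@ldap_base_dn`; deriving both from the same variable would keep the restriction from silently pointing at a different tree. A comment above `'group'` should state that removing the line opens login to every `posixAccount`.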