====== 57North ID ======

57North ID combines an LDAP server with a user management portal and a CAS IdP to form a single, centralised point for user identity within 57North. All 57North services should authenticate against it, which they can do in a handful of ways:

  * CAS single sign-on, intended for web-based services
  * LDAP username/password sign-on, intended for local services such as 57North-managed desktops
  * SSH public keys, for SSH-based network services

It supports two types of account: member and guest. The intention is that every user signs up as a guest, and HackHub will manage promoting them to members according to 57North's membership procedures.

The CAS server is at https://id.57north.org.uk and follows [http://jasig.github.io/cas/4.1.x/protocol/CAS-Protocol-Specification.html JASIG's CAS protocol version 3.0], minus proxy tickets, which are currently unimplemented. Clients are available for most languages and frameworks; failing that, with an XML parser and an HTTP client library the protocol can be implemented in about ten lines of code. The server requires an admin (currently Shell) to whitelist CAS clients by URL, so a new service must have its URL registered before it can use single sign-on. It exposes two endpoints: https://id.57north.org.uk for member-only services, and https://guest.id.57north.org.uk for services that any user with a 57North ID can access, such as a wiki or other public service.

The LDAP server will be accessible at ldap.57north.org.uk via TLS, as soon as I can be convinced it's secure enough. Users are under ''ou=users,dc=57north,dc=org,dc=uk''.

The code for the CAS server and portal is hosted at https://git.57north.org.uk/shell/57n-id/ and runs on '''finzean''', as does the LDAP server.
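The CAS flow described above, written out as an added example in Python (this is not code from 57n-id or from the original page): a web service redirects an unauthenticated browser to the CAS login with its own URL as ''service'', and when the browser comes back with ''?ticket=ST-...'' the service asks CAS server-to-server whether that ticket is genuine before trusting the username. The ''/login'' and ''/p3/serviceValidate'' paths and the ''http://www.yale.edu/tp/cas'' namespace are those of the CAS 3.0 specification; that the 57North server uses exactly these paths is an assumption, as is the ''https://wiki.example.org/login'' service URL, and the two XML responses are constructed samples, not captures from id.57north.org.uk. The security-relevant points the code enforces are that validation happens over HTTPS, that the ''service'' sent for validation is the request URL with only the ticket removed (it must match the whitelisted URL used at login), and that the ticket is never believed until the server says so.

```python
"""CAS 3.0 client-side login/validation helpers (added example, not 57n-id code).

Endpoint paths and the response namespace follow the CAS 3.0 specification;
that the 57North deployment uses these exact paths is an assumption."""
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
RESPONSE_TAG = "{http://www.yale.edu/tp/cas}serviceResponse"


def login_url(cas_base, service_url):
    """URL to redirect an unauthenticated browser to. CAS sends the user back
    to service_url with ?ticket=ST-... appended once they have logged in."""
    return f"{cas_base.rstrip('/')}/login?{urlencode({'service': service_url})}"


def strip_ticket(request_url):
    """The service URL sent for validation must match the one used at login,
    so drop only the ticket parameter CAS appended and keep everything else."""
    parts = urlsplit(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


def validate_url(cas_base, service_url, ticket):
    """CAS 3.0 validation endpoint; /p3/ returns attributes as well as the user."""
    return (f"{cas_base.rstrip('/')}/p3/serviceValidate?"
            f"{urlencode({'service': service_url, 'ticket': ticket})}")


def parse_validation_response(xml_text):
    """Parse a cas:serviceResponse into a dict. The XML comes from the IdP over
    TLS; for XML from untrusted parties use defusedxml instead of ElementTree."""
    root = ET.fromstring(xml_text)
    if root.tag != RESPONSE_TAG:
        raise ValueError(f"unexpected root element {root.tag!r}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        user = success.findtext("cas:user", namespaces=CAS_NS)
        if not user:
            raise ValueError("authenticationSuccess without cas:user")
        attrs = {}
        attr_el = success.find("cas:attributes", CAS_NS)
        if attr_el is not None:
            for child in attr_el:  # multi-valued attributes repeat the element
                name = child.tag.rsplit("}", 1)[-1]
                attrs.setdefault(name, []).append((child.text or "").strip())
        return {"ok": True, "user": user, "attributes": attrs}
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")


def _https_get(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def validate_ticket(cas_base, request_url, fetch=_https_get):
    """Complete the login: take the URL the browser came back on, re-derive the
    service URL, and ask CAS (over HTTPS) whether the ticket is genuine.
    `fetch` is injectable so the logic can be exercised without a network."""
    if urlsplit(cas_base).scheme != "https":
        raise ValueError("ticket validation must go to CAS over HTTPS")
    ticket = dict(parse_qsl(urlsplit(request_url).query)).get("ticket", "")
    if not ticket.startswith("ST-"):  # only service tickets are acceptable here
        return {"ok": False, "code": "INVALID_TICKET_SPEC",
                "message": "missing or non-service ticket"}
    service_url = strip_ticket(request_url)
    return parse_validation_response(fetch(validate_url(cas_base, service_url, ticket)))


# Constructed sample responses in the CAS 3.0 shape; not captured from id.57north.org.uk.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes><cas:displayName>Alice Example</cas:displayName></cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-1-abc not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Hypothetical service URL; in practice it is the URL an admin whitelisted.
    print(login_url("https://id.57north.org.uk", "https://wiki.example.org/login"))
    result = validate_ticket("https://id.57north.org.uk",
                             "https://wiki.example.org/login?ticket=ST-1-abc",
                             fetch=lambda url: SAMPLE_SUCCESS)
    print(result)
```

A real deployment swaps the injected ''fetch'' for the default HTTPS GET and stores ''result["user"]'' in a server-side session; the username is never taken from anything the browser supplied. Against the guest endpoint the same code applies with https://guest.id.57north.org.uk as ''cas_base''.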
===== Enabled Services =====

The following services are enabled to use 57North ID for authentication:

{{topic>project +ID&nodate&nodesc&nouser}}

===== How to Configure ID =====

  - Follow [[projects:hackhub#process|Hackhub]]
  - ''apt install nodejs redis''
  - ''adduser 57n-id'' - ensure 57n-id has no usable password (a locked password, as ''adduser --disabled-password'' sets), has a home directory of ''/home/57n-id'' and a shell of ''/bin/sh''
  - ''su -l 57n-id''
  - ''git clone https://github.com/hackerdeen/57n-id''
  - ''cd 57n-id && npm install''
  - create ''/home/57n-id/57n-id/ldap-password.txt'' containing the LDAP password, and make it readable only by the 57n-id user (''chmod 600 ldap-password.txt''), since anyone who can read it can bind as ''id-admin''

==== Resetting someone's password ====

If someone has forgotten their ID password it can be reset from ''finzean'' with a command like:

<code bash>
ldappasswd -D "uid=id-admin,ou=special-users,dc=57north,dc=org,dc=uk" -W -S "uid=USERNAME,ou=users,dc=57north,dc=org,dc=uk"
</code>

where ''USERNAME'' is the uid of the user whose password is being reset. ''-S'' makes it prompt for the new password to set for them (twice), and ''-W'' then prompts for the LDAP password of ''id-admin'', which can be found in ''~57n-id/57n-id/ldap-password.txt''.

{{tag>project dormant finzean infrastructure}}