57North ID combines an LDAP server with a user management portal and a CAS IdP to become a single, centralised point for user identity within 57North. All 57North services should authenticate against it, which they can do in a handful of ways:
It supports two types of accounts - member and guest. The intention is that every user signs up as a guest, and HackHub will manage promoting them to members according to 57North's membership procedures.
The CAS server is at https://id.57north.org.uk, and follows [http://jasig.github.io/cas/4.1.x/protocol/CAS-Protocol-Specification.html JASIG's CAS protocol version 3.0], minus proxy tokens as they are currently unimplemented. There are a variety of clients available for most languages and frameworks, or if you have an XML parser and an HTTP client library it can be implemented in about ten lines of code. The server requires an admin (currently Shell) to whitelist CAS clients by URL. It supports two endpoints - https://id.57north.org.uk for member-only services, and https://guest.id.57north.org.uk for services which all users with a 57North ID can access, such as a wiki or other public service.
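As an added example (not the project's own code), the "ten lines" client side of that flow in Python: build the login redirect for either endpoint, build the ticket-validation URL, and parse the IdP's XML so the service only trusts a username after the server confirms the ticket. The <code>/p3/serviceValidate</code> path and the <code>cas:</code> namespace come from the CAS 3.0 spec; the sample responses, the <code>memberType</code> attribute and the <code>wiki.example</code> service URL are constructed for the example.

```python
"""Minimal CAS 3.0 relying-party helpers for a 57North ID client (example code)."""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace fixed by the CAS spec

# The two IdP endpoints described on the page.
MEMBER_IDP = "https://id.57north.org.uk"         # members only
GUEST_IDP = "https://guest.id.57north.org.uk"    # anyone with a 57North ID


def login_url(idp, service):
    """Where to send an unauthenticated browser; CAS returns it to `service` with ?ticket=ST-..."""
    return f"{idp}/login?{urlencode({'service': service})}"


def validate_url(idp, service, ticket):
    """CAS 3.0 validation endpoint (/p3/serviceValidate per the spec). `service` must be the
    exact URL the ticket was issued for; the IdP rejects any other (INVALID_SERVICE)."""
    return f"{idp}/p3/serviceValidate?{urlencode({'service': service, 'ticket': ticket})}"


def parse_validation(xml_text):
    """Parse a serviceValidate response fetched server-side over TLS (never from the browser).
    Returns (user, attributes) on success; raises ValueError with the CAS failure code otherwise."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise ValueError(f"CAS validation failed: {code}")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    if not user:
        raise ValueError("CAS success response without cas:user")
    attrs = {}
    attributes = success.find("cas:attributes", CAS_NS)
    if attributes is not None:
        for child in attributes:
            attrs.setdefault(child.tag.split("}", 1)[-1], []).append(child.text or "")
    return user, attrs


# Constructed sample responses in the shape the CAS 3.0 spec defines.
SAMPLE_OK = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>alice</cas:user>
    <cas:attributes><cas:memberType>member</cas:memberType></cas:attributes>
  </cas:authenticationSuccess></cas:serviceResponse>"""
SAMPLE_BAD = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>unknown ticket</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Only the username returned by <code>parse_validation</code> should be used to start a session; a ticket that arrives in the query string proves nothing until the IdP has validated it.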
The LDAP server will be accessible at <code>ldap.57north.org.uk</code> via TLS, as soon as I can be convinced it's secure enough. Users are under <code>ou=users,dc=57north,dc=org,dc=uk</code>.
The code for the CAS server and portal is hosted at https://git.57north.org.uk/shell/57n-id/, and runs on 'finzean', as does the LDAP server.
The following services are enabled to use 57North ID for authentication:
To install the CAS server and portal:
<pre>
apt install nodejs redis
adduser 57n-id
</pre>
Ensure 57n-id has no password, a home directory of /home/57n-id and a shell of /bin/sh. Then, as that user, fetch and build the code:
<pre>
su -l 57n-id
git clone https://github.com/hackerdeen/57n-id
cd 57n-id && npm install
</pre>
Create <code>/home/57n-id/57n-id/ldap-password.txt</code> containing the LDAP password.
If someone has forgotten their ID password it can be reset from finzean with a command like
<pre>
ldappasswd -D "uid=id-admin,ou=special-users,dc=57north,dc=org,dc=uk" -W -S "uid=<username>,ou=users,dc=57north,dc=org,dc=uk"
</pre>
This will first ask for the new password to set for them (twice) and then for the LDAP password for id-admin, which can be found in <code>~57n-id/57n-id/ldap-password.txt</code>.