57North ID

57North ID combines an LDAP server with a user management portal and a CAS IdP to become a single, centralised point for user identity within 57North. All 57North services should authenticate against it, which they can do in a handful of ways:

  • CAS single sign-on, intended for web-based services
  • LDAP username/password sign-on, intended for local services such as 57North-managed desktops
  • SSH public keys, for SSH-based network services

It supports two types of account: member and guest. The intention is that every user signs up as a guest, and HackHub will manage promoting them to members according to 57North's membership procedures.

The CAS server is at https://id.57north.org.uk, and follows [http://jasig.github.io/cas/4.1.x/protocol/CAS-Protocol-Specification.html JASIG's CAS protocol version 3.0], minus proxy tokens, which are currently unimplemented. There are a variety of clients available for most languages and frameworks, or if you have an XML parser and an HTTP client library it can be implemented in about ten lines of code. The server requires an admin (currently Shell) to whitelist CAS clients by URL. It supports two endpoints: https://id.57north.org.uk for member-only services, and https://guest.id.57north.org.uk for services which all users with a 57North ID can access, such as a wiki or other public service.
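The "XML parser plus HTTP client" client described above, written out as an added example for this page (it is not code from the 57n-id repository). It assumes the server exposes the spec's /login and /p3/serviceValidate paths, and the service URL and sample responses are constructed placeholders.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Assumed endpoint; guest.id.57north.org.uk is the base for guest-accessible services.
CAS_BASE = "https://id.57north.org.uk"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def login_url(service: str) -> str:
    """Redirect target for an unauthenticated browser: CAS login with our callback URL."""
    return CAS_BASE + "/login?" + urllib.parse.urlencode({"service": service})


def validate_url(service: str, ticket: str) -> str:
    """Back-channel validation call (made by the service's server, never by the browser).
    `service` must be byte-for-byte the URL the ticket was issued for."""
    q = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return CAS_BASE + "/p3/serviceValidate?" + q


def parse_validation_response(xml_text: str) -> Optional[dict]:
    """Return {'user': ..., 'attributes': {...}} on authenticationSuccess, else None.
    Anything that is not an explicit success (failure element, missing user) is a failure."""
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        return None
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    if not user:
        return None
    attrs = {}
    attr_el = success.find("cas:attributes", CAS_NS)
    if attr_el is not None:
        for child in attr_el:  # strip the namespace from each attribute tag
            attrs.setdefault(child.tag.split("}")[-1], []).append((child.text or "").strip())
    return {"user": user, "attributes": attrs}


def validate_ticket(service: str, ticket: str, fetch=None) -> Optional[dict]:
    """Validate the ticket that arrived on the callback. `fetch` is injectable so the
    logic can be exercised offline; the default performs the real HTTPS request."""
    if not ticket.startswith("ST-"):  # spec: service tickets MUST begin with "ST-"
        return None
    if fetch is None:
        def fetch(url):
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return parse_validation_response(fetch(validate_url(service, ticket)))
```

The service identity never comes from the browser-supplied ticket alone; it is only trusted after the server-to-server validation returns an explicit authenticationSuccess for the same service URL.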

The LDAP server will be accessible at ldap.57north.org.uk via TLS, as soon as I can be convinced it's secure enough. Users are under ou=users,dc=57north,dc=org,dc=uk.

The code for the CAS server and portal is hosted at https://git.57north.org.uk/shell/57n-id/, and runs on 'finzean', as does the LDAP server.

Enabled Services

The following services are enabled to use 57North ID for authentication:

How to Configure ID

  1. Follow Hackhub
  2. apt install nodejs redis
  3. adduser 57n-id, ensuring the 57n-id account has no password, a home directory of /home/57n-id and a shell of /bin/sh
  4. su -l 57n-id
    1. cd 57n-id && npm install
    2. create /home/57n-id/57n-id/ldap-password.txt containing the ldap password

Resetting someone's password

If someone has forgotten their ID password it can be reset from finzean with a command like

ldappasswd -D "uid=id-admin,ou=special-users,dc=57north,dc=org,dc=uk" -W -S "uid=<username>,ou=users,dc=57north,dc=org,dc=uk"

This will first ask for the new password to set for them (twice) and then for the LDAP password for id-admin, which can be found in ~57n-id/57n-id/ldap-password.txt

projects/57_north_id.txt · Last modified: 2023/04/11 22:06 by Robert McWilliam