It has been quite a few days now since I started working at Ceata as an intern. To show that I did not waste my time, I will write an unusual report, or more precisely a guide.
My mentor for the internship was Victor Nițu, alias nightsh on IRC. Initially we wanted to write a plugin for etherpad-lite to allow drawing alongside text editing, but we thought it would not have much impact on the community. Besides, after a while we found that it had already been done and was already running at tableta.ceata.org. Tiberiu C. Turbureanu, alias tct, asked us to address another problem: we have too many websites and a lot of services, all spread around the virtual machine (ceata.org) and reachable at all sorts of URLs. So here is what tct proposed: install OpenLDAP and GOsa, and unify the logins of all the websites.
After that I found out that this is called SSO, Single Sign-On, and that GOsa + LDAP was one way to implement it. GOsa had previously been used in a similar project at KDE. Apparently the KDE people hit the same problem we did, and at identity.kde.org they already had something like what we wanted; tct gave it to us as an example. I say "apparently" because, as we found out, they were no longer using GOsa.
Anyway, we started the work, and I began reading OpenLDAP tutorials and an O'Reilly book, without much luck. GOsa had been installed there some time ago, and the configuration had been messed up. We almost took down the whole server because of some post-removal scripts from dpkg.
Maybe you are already asking yourselves: why on earth is he talking about GOsa when this guide was supposed to be about something called Solena?
Well, the story goes something like this: out of curiosity, and also out of the need to talk with somebody more experienced in the field, I wrote a mail to firstname.lastname@example.org, and guess what? Ben Cooksley answered, a guy you will definitely hear about in what follows. He is a friendly guy who helped us a lot. He told me that he had previously maintained the GOsa + LDAP setup at KDE, the one we wanted. Then I found out that they had hit some drawbacks of GOsa, and that was why they developed Solena.
"For website login, Solena is suited perfectly for this. GOsa can do it as well. Please be aware that GOsa does have some flaws which made it hard for people to interact with it. It should be treated as a desktop application even though it is accessed via the web." -- Ben Cooksley
But we will leave the story for a while, since we will come back to it from time to time.
Ceata's virtual machine, where most of the websites live, runs Ubuntu 10.04 LTS. Let's install OpenLDAP on it:
$ sudo apt-get install slapd ldap-utils
...and as easily as that, we already have all we need: the slapd server and the ldap* command-line tools.
There are two main ways to configure OpenLDAP:
1. the cn=config database under /etc/ldap/slapd.d, which you change by applying .ldif modifications to the running server with ldapmodify; the changes take effect immediately, without a restart (one of its advantages). The whole procedure is explained here: help.ubuntu.com/10.04/serverguide/openldap-server.html
2. or, as we chose, a single central configuration file, /etc/ldap/slapd.conf.
Because slapd does not use the second method by default, we need to edit /etc/default/slapd and change this line so it looks like this: SLAPD_CONF=/etc/ldap/slapd.conf
That's it. The main reason we used the second method is that we find it simpler. But remember: each time you change something in slapd.conf, check it and then restart the slapd server:
sudo slaptest -f /etc/ldap/slapd.conf
sudo /etc/init.d/slapd restart
slaptest catches syntax errors before you restart; a broken slapd.conf leaves slapd unable to start, and with it every service that will later authenticate against it.
Now let's configure LDAP to fit Solena's needs. For slapd.conf you can use this sample configuration - (link to the file)
Remember to change the password in the rootpw directive. Use slappasswd to generate the hash (for example slappasswd -h {SSHA}) and apg to generate random passwords. Put the hashed value in rootpw, never the cleartext password, and keep slapd.conf readable only by root and the openldap user: it holds the admin credential that unlocks the whole directory.
There is still one more thing to do before we are done: we need to load a .ldif file (LDIF, the LDAP Data Interchange Format). We need to adapt example-directory.ldif, in particular setting the various passwords in it (these are userPassword values, and they take the same {SSHA} hashes that slappasswd produces). Load it with ldapadd -x -D <the rootdn from slapd.conf> -W -f example-directory.ldif. Solena depends pretty much on that file, so please do not make any major changes to it.
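As an added example, not code from this page, from OpenLDAP or from Solena: the small Python module below reproduces the {SSHA} value that slappasswd prints, so you can generate a rootpw or userPassword value, verify a password against one, and check that what you put in slapd.conf or the LDIF is actually a hash and not cleartext. The function names are my own; the 4-byte salt length matches slappasswd's default for {SSHA}. The verifier handles {SSHA}, {SHA} and unprefixed cleartext (which OpenLDAP compares literally) and returns False on anything malformed rather than raising.

```python
import base64
import hashlib
import hmac
import os
import re
import secrets
import string

# Added example: these helpers are not part of OpenLDAP or Solena.  They
# reproduce the value that `slappasswd -h {SSHA}` prints:
#   "{SSHA}" + base64( sha1(password + salt) + salt )
SALT_LEN = 4           # slappasswd uses a 4-byte salt for {SSHA}
SHA1_LEN = 20          # length of a raw SHA-1 digest
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def random_password(length=20):
    """Stand-in for apg: a random password from letters and digits."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_ssha(password, salt=None):
    """Return a {SSHA} value suitable for rootpw or userPassword."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _decode(b64):
    """Strict base64 decode; None instead of an exception on garbage."""
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def verify_userpassword(stored, candidate):
    """Check `candidate` against a stored {SSHA}, {SHA} or cleartext value.

    Malformed input yields False rather than an exception, so a damaged
    directory entry can never be mistaken for a successful bind.
    """
    cand = candidate.encode("utf-8")
    m = SCHEME_RE.match(stored)
    scheme = m.group(1).upper() if m else None
    body = stored[m.end():] if m else stored

    if scheme == "SSHA":
        raw = _decode(body)
        if raw is None or len(raw) <= SHA1_LEN:
            return False
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    if scheme == "SHA":
        raw = _decode(body)
        if raw is None or len(raw) != SHA1_LEN:
            return False
        return hmac.compare_digest(raw, hashlib.sha1(cand).digest())
    if scheme is None:
        # No {SCHEME} prefix: OpenLDAP compares the value as cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), cand)
    return False                # unsupported scheme ({CRYPT}, {MD5}, ...)


def is_hashed(value):
    """True if a rootpw/userPassword value carries a {SCHEME} prefix."""
    return SCHEME_RE.match(value) is not None


if __name__ == "__main__":
    pw = random_password()
    h = make_ssha(pw)
    print("rootpw", h)
    print("verifies:", verify_userpassword(h, pw))
```

Run it once to see the shape of a {SSHA} value, then paste the output into rootpw or into a userPassword line of the LDIF. is_hashed() is the check to run over every password you typed into those files before loading them; a value without a scheme prefix is stored and compared as cleartext.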
Here things look a little overwhelming, but they are not that complicated. We choose a folder where we want to install Solena; we used /var/www/, and after we cd there we run:
git clone git://anongit.kde.org/websites/identity-kde-org
You can rename the folder you get to whatever you like. After this, create a file in /etc/apache2/sites-available with the following content:
<VirtualHost *>
    ServerName cont.ceata.org
    ServerAdmin email@example.com
    DocumentRoot /var/www/cont
</VirtualHost>
Modify it as appropriate (DocumentRoot has to point at the folder you cloned, renamed or not).
sudo a2ensite <the name of the file above>
sudo /etc/init.d/apache2 reload
...and Apache is already serving our web interface to OpenLDAP, Solena.
We still have a few bumps to get over: the database, and the correct setup of Solena. Solena needs a MySQL database and a database user with rights on it, matching the connection string, username and password in the configuration below.
Some configuration for Solena:
'ldap' => array(
    'class' => 'SLdapServer',
    'baseDn' => 'dc=ceata,dc=org',
    'bindDn' => 'cn=Sysadmin,dc=ceata,dc=org',
    'bindPassword' => '<password-for-sysadmin>',
    'operateAsUser' => true,
),
'db' => array(
    'connectionString' => 'mysql:host=localhost;dbname=solena',
    'emulatePrepare' => true,
    'username' => 'solena2',
    'password' => '<password-for-the-database>',
    'charset' => 'utf8',
),
Both passwords sit in cleartext in this file, so make sure Apache never serves it and that only the web server user can read it. Before blaming Solena for a failed login, check that the bind account and its password actually work against slapd: ldapsearch -x -D 'cn=Sysadmin,dc=ceata,dc=org' -W -b dc=ceata,dc=org
We ran into a serious problem, which Ben helped us solve: at the time we were not using HTTPS for Solena, and Solena was built to take advantage of it (its session and CSRF cookies are marked secure, so a browser will not send them back over plain HTTP and the login never sticks). A temporary workaround was to edit main.php and change the following lines:
// comment this out:
//ini_set('session.cookie_secure', true);
// and set 'secure' to false here:
'csrfCookie' => array('secure' => false, 'httpOnly' => true),
Voilà, it should already work over HTTP. Be aware of what this workaround costs: with the secure flag off, the session cookie and the passwords typed into the login form travel over the network in cleartext, so treat it as a stop-gap for testing and do not leave it in place on a public site.
In the next guide, I will show you how we got HTTPS back, and how we connected several services to OpenLDAP.