Okupy/Installation

Development environment
 * Clone somewhere the gentoo-identity-bootstrap repository:

```
git clone git://github.com/dastergon/gentoo-identity-bootstrap
```

 * Clone (in a different directory) the identity.gentoo.org repository:

```
git clone git://github.com/gentoo/identity.gentoo.org
cd identity.gentoo.org
```

 * Copy the sample settings files:

```
cp okupy/settings/development.py.sample okupy/settings/development.py
cp okupy/settings/local_settings.py.sample okupy/settings/local_settings.py
```

 * Edit development.py:
   * In STATICFILES_DIRS, replace /path/to/gentoo-identity-bootstrap with the absolute path of the gentoo-identity-bootstrap repository you cloned earlier
 * Edit local_settings.py:
   * Add sqlite3 db (sufficient for testing)
   * Add LDAP configuration (if applicable)
 * Get the dependencies (choose one of the following):
   1) With pip:
     * Optional: set up virtualenv
     * Install the dependencies:

```
pip install -r requirements.txt
```

   2) With emerge (Gentoo-specific):
     * Add the okupy overlay:

```
layman -a okupy
```

     * Install the dependencies:

```
ACCEPT_KEYWORDS="**" emerge --onlydeps okupy
```

 * Sync the database:

```
python manage.py syncdb
```

 * To run the tests:

```
python manage.py test --settings=okupy.tests.settings tests
```

 * More information about the tests in Workflow

Production environment

 * Create the dedicated user that will run okupy (`useradd -m okupy`)
 * Perform the same setup as for Development environment (using the okupy user)
 * `python manage.py collectstatic` (answer `yes`, using okupy user)

uWSGI setup

 * Install `www-servers/uwsgi` with `USE=python`
 * Copy `/etc/conf.d/uwsgi` to `/etc/conf.d/uwsgi.okupy`
 * Put the following options in `/etc/conf.d/uwsgi.okupy`

```
UWSGI_SOCKET=/home/okupy/okupy.wsgi
UWSGI_LOG_FILE=/home/okupy/uwsgi.okupy.log
UWSGI_DIR=/home/okupy/identity.gentoo.org
UWSGI_USER=okupy
UWSGI_GROUP=okupy
# buffer-size is necessary to pass SSL certificates
UWSGI_EXTRA_OPTIONS='--buffer-size 65536 --plugins python27 --wsgi okupy.wsgi'
```


 * Symlink `/etc/init.d/uwsgi.okupy` to `/etc/init.d/uwsgi`
 * `/etc/init.d/uwsgi.okupy start`

NGINX setup

 * Install `www-servers/nginx`
 * Copy the server certificates and private keys to `/etc/ssl/nginx/`
 * Concatenate all the allowed CA certificates for client auth:

```
cat /etc/ssl/* > /etc/ssl/nginx/all_certs.pem
```


 * Add the following options in `/etc/nginx/nginx.conf`

```
http {
    ssl_session_cache shared:SSL:10m;

    upstream okupy {
        # connect to uWSGI
        server unix:///home/okupy/okupy.wsgi;
    }

    server {
        listen 0.0.0.0;
        server_name identity.tampakrap.gr;

        access_log /var/log/nginx/localhost.access_log main;
        error_log /var/log/nginx/localhost.error_log info;

        root /var/www/localhost/htdocs;

        # redirect all http traffic to https://
        location / {
            rewrite ^ https://$http_HOST$request_uri permanent;
        }
    }

    server {
        listen 0.0.0.0:443;
        server_name identity.tampakrap.gr;

        ssl on;
        # certificates for the main domain
        ssl_certificate /etc/ssl/nginx/identity_tampakrap_gr_cacert.crt;
        ssl_certificate_key /etc/ssl/nginx/identity_tampakrap_gr.key;
        ssl_session_timeout 10m;

        access_log /var/log/nginx/localhost.ssl_access_log main;
        error_log /var/log/nginx/localhost.ssl_error_log info;

        root /var/www/localhost/htdocs;

        location /static {
            alias /home/identity/identity.gentoo.org/static;
        }

        location / {
            uwsgi_pass okupy;
            include /etc/nginx/uwsgi_params;
        }
    }

    server {
        listen 0.0.0.0:443;
        server_name auth.identity.tampakrap.gr;

        ssl on;
        # certificates for auth. subdomain
        ssl_certificate /etc/ssl/nginx/auth_identity_tampakrap_gr_cacert.crt;
        ssl_certificate_key /etc/ssl/nginx/auth_identity_tampakrap_gr.key;
        ssl_client_certificate /etc/ssl/nginx/all_certs.pem;

        # verify_client == ask for user certificate
        ssl_session_timeout 30s;
        ssl_verify_client optional;

        access_log /var/log/nginx/localhost.ssl_access_log main;
        error_log /var/log/nginx/localhost.ssl_error_log info;

        root /var/www/localhost/htdocs;

        location /static {
            alias /home/identity/identity.gentoo.org/static;
        }

        location / {
            uwsgi_pass okupy;
            include /etc/nginx/uwsgi_params;

            # pass certificate verification result
            # and the certificate (so we could extract e-mails)
            uwsgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
            uwsgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;
        }
    }
}
```
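The `uwsgi_param` lines in the auth. server block hand `SSL_CLIENT_VERIFY` and the client certificate PEM to the application, which still has to decide whether to trust them. The following is an added example, not okupy's own code, of the application-side handling under `ssl_verify_client optional`: only `SUCCESS` is accepted (`NONE` means no certificate was offered, `FAILED`/`FAILED:reason` means an untrusted one was), and the e-mail is read from the subject's emailAddress attribute with a small DER walker. The environ keys are the ones set above; `SAMPLE_NAME_DER` and `SAMPLE_PEM` are constructed test input, and the helper names are this example's own.

```python
import base64

EMAIL_ADDRESS_OID = bytes.fromhex("2a864886f70d010901")  # PKCS#9 emailAddress, DER body
STRING_TAGS = {0x0C, 0x13, 0x16}  # UTF8String, PrintableString, IA5String

def _der_elements(data):
    """Yield (tag, body) for each top-level TLV of a DER byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: the next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def _find_emails(der):
    """Collect every emailAddress attribute value anywhere in the DER tree."""
    children, found = list(_der_elements(der)), []
    if (len(children) == 2 and children[0] == (0x06, EMAIL_ADDRESS_OID)
            and children[1][0] in STRING_TAGS):
        found.append(children[1][1].decode("ascii"))
    for tag, body in children:
        if tag & 0x20:  # constructed node: descend into it
            found.extend(_find_emails(body))
    return found

def client_email_from_environ(environ):
    """Fail closed: use the cert only when nginx reported SSL_CLIENT_VERIFY=SUCCESS;
    'NONE' (no cert offered) and 'FAILED:<reason>' both yield None."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    lines = [ln.strip() for ln in environ.get("SSL_CLIENT_RAW_CERT", "").splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        emails = _find_emails(base64.b64decode(b64, validate=True))
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    return emails[0] if emails else None

def _tlv(tag, body):  # short-form length only; the sample below stays under 128 bytes
    return bytes([tag, len(body)]) + body

# Constructed sample: a bare X.509 Name (CN=okupy, emailAddress=dev@example.org), not a
# full certificate; the walker handles a full certificate's DER the same way.
SAMPLE_NAME_DER = _tlv(0x30,
    _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"okupy")))
    + _tlv(0x31, _tlv(0x30, _tlv(0x06, EMAIL_ADDRESS_OID) + _tlv(0x16, b"dev@example.org"))))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_NAME_DER).decode()
              + "-----END CERTIFICATE-----\n")
```

In a Django view the same dictionary lookups run against `request.META`, which is where uWSGI places the `uwsgi_param` values.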

virtualenv

 * `emerge virtualenv` (replace this command with an equivalent in case you are working in a non-Gentoo distro)
 * `virtualenv .virtualenv`
 * `source .virtualenv/bin/activate`
 * The `.virtualenv` directory is already in `.gitignore`, so please prefer this name
 * `deactivate` will exit the virtual environment

OpenLDAP Server

 * (TODO)

OpenLDAP client only
 * We have a testing instance on `ldap://evidence.tampakrap.gr`
 * Contact [tampakrap](http://github.com/tampakrap) to get the certificates and the rootDN credentials
 * Install OpenLDAP package:
   * In Gentoo: `USE="minimal" emerge -av openldap`
 * Put the certificates in `/etc/openldap/ssl`
 * Put the following content in `/etc/openldap/ldap.conf`:

```
BASE       dc=tampakrap, dc=gr
SIZELIMIT  0
TIMELIMIT  10
TLS_REQCERT demand
TLS_CACERT /etc/openldap/ssl/cacert.pem
TLS_CERT   /etc/openldap/ssl/evidence.tampakrap.gr.crt
TLS_KEY    /etc/openldap/ssl/evidence.tampakrap.gr.key
URI        ldap://evidence.tampakrap.gr
```

 * In `settings/local.py`:

```python
import ldap

AUTH_LDAP_SERVER_URI = 'ldap://evidence.tampakrap.gr'

AUTH_LDAP_CONNECTION_OPTIONS = {
    ldap.OPT_X_TLS_DEMAND: False,
}

AUTH_LDAP_BIND_DN = ''
AUTH_LDAP_BIND_PASSWORD = ''

AUTH_LDAP_ADMIN_BIND_DN = '(the rootDN you got from tampakrap)'
AUTH_LDAP_ADMIN_BIND_PASSWORD = '(the rootpw you got from tampakrap)'

AUTH_LDAP_USER_ATTR = 'uid'
AUTH_LDAP_USER_BASE_DN = 'ou=users,dc=tampakrap,dc=gr'

AUTH_LDAP_PERMIT_EMPTY_PASSWORD = False

AUTH_LDAP_START_TLS = True

# 1) objectClasses that are used by any user
AUTH_LDAP_USER_OBJECTCLASS = ['top', 'person', 'organizationalPerson', 'inetOrgPerson',
                              'posixAccount', 'shadowAccount', 'ldapPublicKey', 'gentooGroup']
# 2) additional objectClasses that are used by developers
AUTH_LDAP_DEV_OBJECTCLASS = ['gentooDevGroup']
```