pizza-auth 2.0 install guide

PIZZA Auth

LDAP-Backed Services Auth System for EVE Online

Requirements

Please install the following with pip:

  • eveapi
  • Flask
  • Flask-Login
  • Requests
  • python-ldap
  • xmpppy

Optional:

  • dnspython

C dependencies, usually from your distro's package manager:

  • the header files for libldap2, libsasl2 and libssl, needed to build python-ldap (on Debian-derived systems the libldap2-dev, libsasl2-dev and libssl-dev packages)

Configuration

Configuration is done via a config.json file in the web application's root folder; here's a sample one. The file holds the LDAP admin password, the executor API key and vCode, and the TeamSpeak serveradmin password, so keep it out of version control and readable only by the account the application runs as.

{
    "pingbot": {
        "username": "pingbot",
        "passwd": "",
        "domain": ""
    },

    "keytools": {
        "executorkeyid": "",
        "executorkeyvcode": "",
        "alliancelimit": 4.9
    },

    "groups": {
        "closedgroups": [
            "admin",
            "ping",
            "capital"
        ],
        "opengroups": [
            "dota",
            "social"
        ],
        "publicgroups": [
            "dota"
        ]
    },
    "ts3": {
        "user": "serveradmin",
        "password": "",
        "server": "",
        "port": 10011,
        "servergroups": {
            "full": "1",
            "ally": "2",
            "none": "3"
        }
    },

    "ldap": {
        "server": "ldap://localhost/",
        "admin": "cn=admin,dc=yoursite,dc=com",
        "password": "",
        "basedn": "dc=yoursite,dc=com",
        "memberdn": "ou=People,dc=yoursite,dc=com"
    },

    "skillindexer": {
        "server": "localhost",
        "user": "authuser",
        "password": "",
        "database": "auth"
    }

}

Installation

LDAP

This software is intended to be used with OpenLDAP and its standard schemas. One extra schema, pizza.schema, is included in the schema directory of the repository.

You can insert it into a cn=config (online configuration) setup like so:

Copy pizza.schema into /etc/ldap/schema/ (the path the include below expects), then create a schema_convert.conf with contents like this

include /etc/ldap/schema/core.schema  
include /etc/ldap/schema/collective.schema  
include /etc/ldap/schema/corba.schema  
include /etc/ldap/schema/cosine.schema  
include /etc/ldap/schema/duaconf.schema  
include /etc/ldap/schema/dyngroup.schema  
include /etc/ldap/schema/inetorgperson.schema  
include /etc/ldap/schema/java.schema  
include /etc/ldap/schema/misc.schema  
include /etc/ldap/schema/nis.schema  
include /etc/ldap/schema/openldap.schema  
include /etc/ldap/schema/ppolicy.schema  
include /etc/ldap/schema/pizza.schema  

Make a folder to put converted schemas into

mkdir /tmp/ldif_output  

Run the conversion

slaptest -f schema_convert.conf -F /tmp/ldif_output  

Edit the cn={xx}pizza.ldif file (xx is the ordering index slaptest assigned) so that its dn and cn lines look like this

dn: cn=pizza,cn=schema,cn=config  
cn: pizza  

and remove the operational attributes slaptest appended at the end, which look like this (your values will differ); cn=config assigns its own on insert and ldapadd will refuse the record if they are present:

structuralObjectClass: olcSchemaConfig  
entryUUID: 65f628a4-aa72-1032-9bfb-3d59b251971c  
creatorsName: cn=config  
createTimestamp: 20130905122822Z  
entryCSN: 20130905122822.411617Z#000000#000#000000  
modifiersName: cn=config  
modifyTimestamp: 20130905122822Z  

Insert the new schema

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/ldif_output/cn=config/cn=schema/cn=\{xx\}pizza.ldif  
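The edit-and-strip step above is easy to get wrong by hand, so here is a small script that does it mechanically. It is an added example, not part of pizza-auth or OpenLDAP; the sample slaptest output embedded in it is constructed for illustration, and its OID and attribute definition are placeholders rather than the contents of pizza.schema. Point it at the slaptest output directory and feed the result to ldapadd exactly as in the command above.

```python
"""Rewrite the cn={xx}pizza.ldif that slaptest writes into a record ldapadd accepts.

Added example, not part of pizza-auth or OpenLDAP. The sample slaptest output
below is constructed for illustration; its OID and attribute definition are
placeholders, not the contents of the project's pizza.schema.
"""
import re
import sys
from pathlib import Path

# Operational attributes slaptest appends to each converted entry. cn=config
# assigns its own on insert and refuses a record that tries to set them.
OPERATIONAL_ATTRS = {
    "structuralObjectClass", "entryUUID", "creatorsName", "createTimestamp",
    "entryCSN", "modifiersName", "modifyTimestamp",
}


def convert_schema_ldif(text: str, name: str = "pizza") -> str:
    """Point the dn/cn at cn=<name>,cn=schema,cn=config and drop the
    operational attributes. Raises if the text is not that schema's LDIF."""
    dn_re = re.compile(r"dn: cn=\{\d+\}" + re.escape(name) + r"$")
    cn_re = re.compile(r"cn: \{\d+\}" + re.escape(name) + r"$")
    out, seen_dn = [], False
    for line in text.splitlines():
        if dn_re.match(line):
            out.append(f"dn: cn={name},cn=schema,cn=config")
            seen_dn = True
        elif cn_re.match(line):
            out.append(f"cn: {name}")
        elif line.split(":", 1)[0] in OPERATIONAL_ATTRS:
            continue  # the lines the guide says to remove
        else:
            # olcAttributeTypes/olcObjectClasses and their leading-space
            # continuation lines pass through untouched.
            out.append(line)
    if not seen_dn:
        raise ValueError(f"no 'dn: cn={{xx}}{name}' line found; wrong file?")
    return "\n".join(out) + "\n"


def find_schema_ldif(output_dir: str, name: str = "pizza") -> Path:
    """Locate cn={xx}<name>.ldif inside the slaptest -F output directory."""
    matches = list(Path(output_dir).glob(f"cn=config/cn=schema/cn={{*}}{name}.ldif"))
    if len(matches) != 1:
        raise FileNotFoundError(f"expected exactly one cn={{xx}}{name}.ldif, found {matches}")
    return matches[0]


# Constructed sample of what slaptest writes (placeholder OID, not pizza.schema).
SAMPLE_SLAPTEST_OUTPUT = """\
dn: cn={12}pizza
objectClass: olcSchemaConfig
cn: {12}pizza
olcAttributeTypes: {0}( 1.3.6.1.4.1.99999.1.1 NAME 'authGroup' DESC 'sample
 only' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 65f628a4-aa72-1032-9bfb-3d59b251971c
creatorsName: cn=config
createTimestamp: 20130905122822Z
entryCSN: 20130905122822.411617Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130905122822Z
"""

if __name__ == "__main__":
    # Usage: python convert_schema.py /tmp/ldif_output > pizza.ldif
    #        ldapadd -Q -Y EXTERNAL -H ldapi:/// -f pizza.ldif
    # With no argument it converts the embedded sample instead.
    if len(sys.argv) == 2:
        sys.stdout.write(convert_schema_ldif(find_schema_ldif(sys.argv[1]).read_text()))
    else:
        sys.stdout.write(convert_schema_ldif(SAMPLE_SLAPTEST_OUTPUT))
```

The conversion refuses to run on a file whose dn does not match the schema name, so a typo in the output path (picking up a different {xx} file) fails loudly instead of inserting the wrong schema under cn=pizza.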

Deploying under uwsgi

To deploy the application as a WSGI container you can use the following uWSGI settings, which may be adapted for other WSGI-capable application servers. Avoid chmod-socket = 666: that leaves the socket world-writable, so any local user could push requests straight into the application and bypass nginx. The settings below instead give the socket to the user nginx runs as (www-data on Debian-derived systems, adjust for yours) with 660 permissions. uWSGI must start as root, or already run as that user, for chown-socket to take effect; add uid = and gid = lines to drop privileges after startup.

[uwsgi]
socket = /var/run/auth.sock
chown-socket = www-data:www-data
chmod-socket = 660
processes = 4
master = true
chdir = /opt/pizza-auth
pp = /opt/pizza-auth
module = pizza_auth.main
callable = app

This can be served using an nginx site configuration like the following. It shows only the proxying; in production terminate TLS on this server block, since the login form and API keys are submitted through it:

server {  
        server_name auth.yourdomain.net;

        root /var/www/;

        location / {
                include         uwsgi_params;
                uwsgi_pass      unix:/var/run/auth.sock;
        }
}

Initial user setup

Install a tool such as shelldap to help you edit the LDAP data.

You use it by running something like shelldap --server localhost --binddn cn=admin,dc=your,dc=org --basedn dc=your,dc=org

Ensure the People and Groups organizational units exist (ou=People is the memberdn in your config) by running, inside shelldap:

mkdir ou=People  
mkdir ou=Groups  

Sign up as the user you'd like to be the first admin via the web interface, then do this in shelldap:

cd ou=People  
edit uid=your_username  

Add these two lines

authGroup: admin  
authGroup: ping  

and save the entry

Pingbot user setup

Open shelldap and do this:

cd ou=People  
cp uid=youruser uid=pingbot  
edit uid=pingbot  

Change the uid to pingbot, strip out the API key copied from your own entry (pingbot must not keep your key), put it in whatever corp and alliance you want, and ensure it has all three of these:

accountStatus: Internal  
accountStatus: Ally  
accountStatus: Ineligible  

so that it can log into all three Jabber virtualhosts.

Then log into the admin panel of your Jabber server (for ejabberd this is http://localhost:5280/admin)

and add pingbot@* (the pingbot account on each of the three virtualhosts) as an admin user so that it can use the broadcast module.
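The shelldap edits above, the OU creation, the admin grant and the pingbot account statuses, can also be applied as LDIF change records through ldapmodify, which is easier to review and to repeat on a rebuilt server. This is an added example, not part of pizza-auth; it assumes the basedn and memberdn from the sample config.json, the attribute names authGroup and accountStatus used in this guide, and that uid=pingbot has already been created by copying your entry as described. The OU step runs before the first web sign-up, the other two after it.

```python
"""LDIF change records for the initial user and pingbot setup.

Added example, not part of pizza-auth. Assumes the basedn/memberdn from the
sample config.json and the attribute names (authGroup, accountStatus) shown
in this guide. Pipe the output into ldapmodify bound as the LDAP admin.
"""
import sys

# Characters RFC 4514 requires to be backslash-escaped inside a DN value.
_DN_SPECIAL = set('\\,+"<>;=')


def dn_escape(value: str) -> str:
    """Escape a value for use in a DN component such as uid=<value>."""
    if not value:
        raise ValueError("empty DN component")
    last = len(value) - 1
    return "".join(
        "\\" + ch if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " ")
        else ch
        for i, ch in enumerate(value)
    )


def ldif_value(attr: str, value: str) -> str:
    """One 'attr: value' line. Values LDIF can only carry base64-encoded are
    refused rather than silently emitted wrong; none used here need it."""
    if (not value.isascii() or value[:1] in (" ", ":", "<")
            or value.endswith(" ") or "\n" in value or "\r" in value):
        raise ValueError(f"{attr}: value would need base64 encoding")
    return f"{attr}: {value}"


def ensure_ou_ldif(basedn: str, ous=("People", "Groups")) -> str:
    """Add records for the organizational units (shelldap's 'mkdir ou=...')."""
    records = []
    for ou in ous:
        records.append("\n".join([
            f"dn: ou={dn_escape(ou)},{basedn}",
            "changetype: add",
            "objectClass: organizationalUnit",
            ldif_value("ou", ou),
        ]))
    return "\n\n".join(records) + "\n"


def grant_groups_ldif(memberdn: str, uid: str, groups=("admin", "ping")) -> str:
    """Modify record adding authGroup values to an existing user, i.e. the
    'edit uid=your_username' step. 'add' fails with 'Type or value exists'
    if the user already holds one of the values, which is what you want."""
    lines = [f"dn: uid={dn_escape(uid)},{memberdn}", "changetype: modify",
             "add: authGroup"]
    lines += [ldif_value("authGroup", g) for g in groups]
    lines.append("-")
    return "\n".join(lines) + "\n"


def pingbot_status_ldif(memberdn: str, uid: str = "pingbot",
                        statuses=("Internal", "Ally", "Ineligible")) -> str:
    """Modify record setting exactly the three accountStatus values the
    copied pingbot entry needs to reach all three Jabber virtualhosts."""
    lines = [f"dn: uid={dn_escape(uid)},{memberdn}", "changetype: modify",
             "replace: accountStatus"]
    lines += [ldif_value("accountStatus", s) for s in statuses]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage, in the order the guide follows (dc=yoursite,dc=com is the sample
    # config's basedn; change it to yours):
    #   python bootstrap_ldif.py ous            # before the first web sign-up
    #   python bootstrap_ldif.py admin alice    # after alice has signed up
    #   python bootstrap_ldif.py pingbot        # after cp uid=alice uid=pingbot
    # each piped into:
    #   ldapmodify -H ldap://localhost/ -D cn=admin,dc=yoursite,dc=com -W
    basedn = "dc=yoursite,dc=com"
    memberdn = "ou=People," + basedn
    step = sys.argv[1] if len(sys.argv) > 1 else "ous"
    if step == "ous":
        sys.stdout.write(ensure_ou_ldif(basedn))
    elif step == "admin":
        sys.stdout.write(grant_groups_ldif(memberdn, sys.argv[2]))
    elif step == "pingbot":
        sys.stdout.write(pingbot_status_ldif(memberdn))
    else:
        sys.exit(f"unknown step {step!r}; use ous, admin <uid> or pingbot")
```

If an OU already exists ldapmodify reports "Already exists" and stops; pass -c to continue past it. The admin grant deliberately uses add rather than replace so that it cannot silently wipe group memberships the user already has.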