-
-
Notifications
You must be signed in to change notification settings - Fork 107
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This auth logic actually has nothing to do with openldap and we shouldn't include it here. It's pam_ldap and should really go in some sort of pam_ldap cookbook. We will *probably* create that. We already have the newly imported to chef sssd_ldap cookbook, which is the modern way to handle ldap including sudo and password changes. Use that instead. Signed-off-by: Tim Smith <[email protected]>
- Loading branch information
Showing
14 changed files
with
32 additions
and
319 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,45 +1,32 @@ | ||
| openldap Cookbook | ||
| ================= | ||
| # openldap Cookbook | ||
|
|
||
| [](http://travis-ci.org/chef-cookbooks/openldap) | ||
| [](https://supermarket.chef.io/cookbooks/openldap) | ||
| [](http://travis-ci.org/chef-cookbooks/openldap) [](https://supermarket.chef.io/cookbooks/openldap) | ||
|
|
||
| Configures a server to be an OpenLDAP master, OpenLDAP replication slave, or OpenLDAP client. | ||
| Configures a server to be an OpenLDAP master or replication slave. Also includes a recipe to install the client libs, but not to setup actual LDAP auth as there are several ways to do this. We recommend looking at our [sssd_ldap cookbook](https://github.com/chef-cookbooks/sssd_ldap) | ||
|
|
||
| ## Requirements | ||
|
|
||
| ### Platforms | ||
|
|
||
| Requirements | ||
| ------------ | ||
| #### Platforms | ||
| - Ubuntu 12.04+ | ||
| - Debian | ||
| - FreeBSD 10 | ||
| - RHEL and derivatives | ||
|
|
||
| #### Chef | ||
| ### Chef | ||
|
|
||
| - Chef 11+ | ||
|
|
||
| #### Cookbooks | ||
| ### Cookbooks | ||
|
|
||
| - openssl (for slave recipe) | ||
| - freebsd | ||
|
|
||
| Note: The openldap::auth recipe will restart sshd and nscd if the openssh or nscd recipes are included in the runlist | ||
|
|
||
| Attributes | ||
| ---------- | ||
| Be aware of the attributes used by this cookbook and adjust the defaults for your environment where required, in `attributes/default.rb`. | ||
| ## Attributes | ||
|
|
||
| ### Overall install attributes | ||
| - `openldap['package_install_action']` - The action to be taken for all packages in the recipes. Defaults to :install, but can also be set to :upgrade to upgrade all packages referenced in the recipes. | ||
|
|
||
| ### Client node attributes | ||
|
|
||
| - `openldap['server_uri']` - the URI of the LDAP server | ||
| - `openldap['basedn']` - basedn | ||
| - `openldap['cn']` - admin | ||
| - `openldap['server']` - the LDAP server fully qualified domain name, default `'ldap'.node['domain']`. | ||
| - `openldap['tls_enabled']` - specifies whether TLS will be used at all. Setting this to fals will result in your credentials being sent in clear-text. | ||
| - `openldap['tls_checkpeer']` - specifies whether the client should verify the server's TLS certificate. Highly recommended to set tls_checkpeer to true for production uses in order to avoid man-in-the-middle attacks. Defaults to false for testing and backwards compatibility. | ||
| - `openldap['pam_password']` - specifies the password change protocol to use. Defaults to md5. | ||
| - `openldap['package_install_action']` - The action to be taken for all packages in the recipes. Defaults to :install, but can also be set to :upgrade to upgrade all packages referenced in the recipes. | ||
|
|
||
| ### Server node attributes | ||
|
|
||
|
|
@@ -49,25 +36,19 @@ Be aware of the attributes used by this cookbook and adjust the defaults for you | |
| - `openldap['slapd_rid']` - unique integer ID, required if type is slave. | ||
| - `openldap['slapd_master']` - hostname of slapd master, attempts to search for slapd_type master. | ||
| - `openldap['syncrepl_filter']` - The search filter to use in the replication | ||
| - `openldap['syncrepl_interval']` - The interval for the sync. Defaults to 1 day | ||
| - `openldap['syncrepl_interval']` - The interval for the sync. Defaults to 1 day | ||
| - `openldap['database']` - Preferred database backend, defaults to HDB or MDB (for FreeBSD). | ||
| - `openldap['manage_ssl']` - Whether or not this cookbook manages your SSL certificates. | ||
| If set to `true`, this cookbook will expect your SSL certificates to be in files/default/ssl and will configure slapd appropriately. | ||
| If set to `false`, you will need to provide your SSL certificates **prior** to this recipe being run. Be sure to set `openldap['ssl_cert']` and `openldap['ssl_key']` appropriately. | ||
| - `openldap['manage_ssl']` - Whether or not this cookbook manages your SSL certificates. If set to `true`, this cookbook will expect your SSL certificates to be in files/default/ssl and will configure slapd appropriately. If set to `false`, you will need to provide your SSL certificates **prior** to this recipe being run. Be sure to set `openldap['ssl_cert']` and `openldap['ssl_key']` appropriately. | ||
| - `openldap['ssl_cert']` - The full path to your SSL certificate. | ||
| - `openldap['ssl_key']` - The full path to your SSL key. | ||
| - `openldap['ssl_cert_source_cookbook']` - The cookbook to find the ssl cert. Defaults to this cookbook | ||
| - `openldap['ssl_cert_source_cookbook']` - The cookbook to find the ssl cert. Defaults to this cookbook | ||
| - `openldap['ssl_cert_source_path']` - The path in the cookbook to find the ssl cert file. | ||
| - `openldap['ssl_key_source_cookbook']` - The cookbook to find the ssl key. Defaults to this cookbook | ||
| - `openldap['ssl_key_source_cookbook']` - The cookbook to find the ssl key. Defaults to this cookbook | ||
| - `openldap['ssl_key_source_path']` - The path in the cookbook to find the ssl key file. | ||
| - `openldap['ssl_ciphersuite']` - The OpenSSL cipher suite specification to use. Defaults to none (use system default) | ||
| - `openldap['cafile']` - Your certificate authority's certificate (or intermediate authorities), if needed. | ||
|
|
||
| Recipes | ||
| ------- | ||
| ### auth | ||
|
|
||
| Sets up the system for using openldap for user authentication. | ||
| ## Recipes | ||
|
|
||
| ### default | ||
|
|
||
|
|
@@ -89,50 +70,41 @@ Sets the `node['openldap']['slapd_type']` to master and then includes the `openl | |
|
|
||
| Sets the `node['openldap']['slapd_type']` to slave, then includes the `openldap::server` recipe. If the node is running chef-solo, then the `node['openldap']['slapd_replpw']` and `node['openldap']['slapd_master']` attributes must be set in the JSON attributes file passed to `chef-solo`. | ||
|
|
||
| ## Usage | ||
|
|
||
| Usage | ||
| ----- | ||
| Edit Rakefile variables for SSL certificate. | ||
|
|
||
| On client systems, | ||
|
|
||
| ```ruby | ||
| include_recipe "openldap::auth" | ||
| ``` | ||
|
|
||
| This will install the required packages and configuration for client systems. This is required on openldap server installs as well, so this is a good candidate for inclusion in a base role or cookbook. | ||
|
|
||
| On server systems, if there's only on LDAP server, then use the `openldap::server` recipe. If replication is required, use the `openldap::master` and `openldap::slave` recipes instead. | ||
|
|
||
| If there's only on LDAP server, then use the `openldap::server` recipe. If replication is required, use the `openldap::master` and `openldap::slave` recipes instead. | ||
|
|
||
| ### A note about certificates | ||
|
|
||
| Certificates created by the Rakefile are self signed. If you have a purchased CA, that can be used. | ||
|
|
||
| We provide two methods of managing SSL certificates, based off of `openldap['manage_ssl']`. | ||
|
|
||
| If `openldap['manage_ssl']` is `true`, then this cookbook manage your certificates itself, and will expect all certificates, intermediate certificates, and keys to be in the same file as defined in `openldap['ssl_cert']`. To prevent forking this cookbook you can provide the cookbook that contains the cert files using the `openldap['ssl_cert_source_cookbook'] ` and `openldap['ssl_key_source_cookbook']` attributes. By default they expect the files to exist within this cookbook. | ||
| If `openldap['manage_ssl']` is `true`, then this cookbook manage your certificates itself, and will expect all certificates, intermediate certificates, and keys to be in the same file as defined in `openldap['ssl_cert']`. To prevent forking this cookbook you can provide the cookbook that contains the cert files using the `openldap['ssl_cert_source_cookbook']` and `openldap['ssl_key_source_cookbook']` attributes. By default they expect the files to exist within this cookbook. | ||
|
|
||
| If `openldap['manage_ssl']` is `false`, then you will need to place the SSL certificates on the client file system **prior** to this cookbook being run. This provides you the flexibility to provide the same set of SSL certificates for multiple uses as well as in one place across your environment, but you will need to manage them. | ||
|
|
||
| - Set `openldap['ssl_cert']`, `openldap['ssl_key']`, and `openldap['cafile']` appropriately. | ||
| - Ensure that that user openldap can access these files. Watch out for apparmor and SELinux if you are placing your SSL certificates in a non-default location. | ||
|
|
||
| ### New Directory | ||
| ### New LDAP Directory | ||
|
|
||
| If installing for the first time, the initial directory needs to be created. Create an ldif file, and start populating the directory. | ||
|
|
||
| ### Passwords | ||
|
|
||
| Set the password, openldap['rootpw'] for the rootdn in the node's attributes. This should be a password hash generated from slappasswd. The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will generate a SHA1 hash: | ||
|
|
||
| $ slappasswd -s "secretsauce" | ||
| {SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/ | ||
| ``` | ||
| $ slappasswd -s "secretsauce" | ||
| {SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/ | ||
| ``` | ||
|
|
||
| Set this by default in the attributes file, or on the node's entry in the webui. | ||
|
|
||
| ## License & Authors | ||
|
|
||
| License & Authors | ||
| ----------------- | ||
|
|
||
| **Author:** Cookbook Engineering Team (<[email protected]>) | ||
| **Author:** Cookbook Engineering Team ([[email protected]](mailto:[email protected])) | ||
|
|
||
| **Copyright:** 2008-2016, Chef Software, Inc. | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,6 @@ | |
| # Attributes:: default | ||
| # | ||
| # Copyright 2008-2015, Chef Software, Inc. | ||
| # Copyright 2015-2016, Tim Smith <[email protected]> | ||
| # | ||
| # Licensed under the Apache License, Version 2.0 (the "License"); | ||
| # you may not use this file except in compliance with the License. | ||
|
|
@@ -75,22 +74,18 @@ | |
| end | ||
| default['openldap']['packages']['client_pkg'] = 'ldap-utils' | ||
| default['openldap']['packages']['srv_pkg'] = 'slapd' | ||
| default['openldap']['packages']['auth_pkgs'] = %w(libnss-ldap libpam-ldap) | ||
| when 'rhel' | ||
| default['openldap']['packages']['bdb'] = 'db4-utils' | ||
| default['openldap']['packages']['client_pkg'] = 'openldap-clients' | ||
| default['openldap']['packages']['srv_pkg'] = 'openldap-servers' | ||
| default['openldap']['packages']['auth_pkgs'] = %w(nss-pam-ldapd) | ||
| when 'freebsd' | ||
| default['openldap']['packages']['bdb'] = 'libdbi' | ||
| default['openldap']['packages']['client_pkg'] = 'openldap-client' | ||
| default['openldap']['packages']['srv_pkg'] = 'openldap-server' | ||
| default['openldap']['packages']['auth_pkgs'] = %w(pam_ldap) | ||
| else | ||
| default['openldap']['packages']['bdb'] = 'db-utils' | ||
| default['openldap']['packages']['client_pkg'] = 'ldap-utils' | ||
| default['openldap']['packages']['srv_pkg'] = 'slapd' | ||
| default['openldap']['packages']['auth_pkgs'] = %w(libnss-ldap libpam-ldap) | ||
| end | ||
|
|
||
| # | ||
|
|
@@ -100,36 +95,18 @@ | |
| default['openldap']['basedn'] = 'dc=localdomain' | ||
| default['openldap']['cn'] = 'admin' | ||
| default['openldap']['server'] = 'ldap.localdomain' | ||
| default['openldap']['port'] = 389 | ||
| default['openldap']['server_uri'] = "ldap://#{openldap['server']}/" | ||
| default['openldap']['tls_enabled'] = true | ||
|
|
||
| # The NSS filters here determine what users and groups the machine knows about | ||
| default['openldap']['nss_base']['passwd'] = ["ou=people,#{node['openldap']['basedn']}"] | ||
| default['openldap']['nss_base']['shadow'] = ["ou=people,#{node['openldap']['basedn']}"] | ||
| default['openldap']['nss_base']['group'] = ["ou=groups,#{node['openldap']['basedn']}"] | ||
| default['openldap']['nss_base']['automount'] = ["ou=automount,#{node['openldap']['basedn']}"] | ||
|
|
||
| unless node['domain'].nil? || node['domain'].split('.').count < 2 | ||
| default['openldap']['basedn'] = "dc=#{node['domain'].split('.').join(',dc=')}" | ||
| default['openldap']['server'] = "ldap.#{node['domain']}" | ||
| end | ||
|
|
||
| default['openldap']['rootpw'] = nil | ||
| default['openldap']['preseed_dir'] = '/var/cache/local/preseeding' | ||
| default['openldap']['pam_password'] = 'md5' | ||
| default['openldap']['loglevel'] = 'sync config' | ||
| default['openldap']['schemas'] = %w(core.schema cosine.schema nis.schema inetorgperson.schema) | ||
|
|
||
| # dynamically generated pam.d files | ||
| # additional attributes added here will be added to the common-account, common-auth, common-password, and common-session files | ||
| default['openldap']['pam_hash']['account']['sufficient'] = %w(pam_unix.so) | ||
| default['openldap']['pam_hash']['account']['[default=bad success=ok user_unknown=ignore]'] = %w(pam_ldap.so) | ||
| default['openldap']['pam_hash']['auth']['sufficient'] = ['pam_unix.so likeauth nullok_secure', 'pam_ldap.so use_first_pass'] | ||
| default['openldap']['pam_hash']['auth']['required'] = ['pam_group.so use_first_pass', 'pam_deny.so', 'pam_warn.so'] | ||
| default['openldap']['pam_hash']['password']['sufficient'] = ['pam_unix.so nullok obscure min=8 max=8 md5', 'pam_ldap.so'] | ||
| default['openldap']['pam_hash']['session']['required'] = ['pam_unix.so', 'pam_mkhomedir.so skel=/etc/skel/', 'pam_ldap.so'] | ||
|
|
||
| default['openldap']['manage_ssl'] = false | ||
| default['openldap']['tls_checkpeer'] = false | ||
| default['openldap']['ssl_dir'] = "#{openldap['dir']}/ssl" | ||
|
|
@@ -160,9 +137,5 @@ | |
| # The maximum number of entries that is returned for a search operation | ||
| default['openldap']['server_config_hash']['sizelimit'] = 500 | ||
|
|
||
| default['openldap']['client_config_hash']['ldap_version'] = 3 | ||
| default['openldap']['client_config_hash']['bind_policy'] = 'soft' | ||
| default['openldap']['client_config_hash']['pam_password'] = openldap['pam_password'] | ||
|
|
||
| # package settings | ||
| default['openldap']['package_install_action'] = :install | ||
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.