d8c8412cb4
This patch enhances region configuration to support LDAP as an optional shared service for both IPv4 and IPv6 management networks. By sharing the LDAP service, management of system users can be centralized at the primary region. An LDAP_SERVICE_URL=<[ldap://]ip_address[:port]> can be specified in the [SHARED_SERVICES] section of the region configuration file; the secondary regions will then be set up to share the LDAP service running at the specified URL of the primary region. If no LDAP_SERVICE_URL is specified in the [SHARED_SERVICES] section, the secondary regions will set up and use the local LDAP service running on the region's controllers. NSLCD is decoupled from the open-ldap SM service and managed by PMOND instead. This is needed because in the shared LDAP case we deprovision the open-ldap service on the secondary region, which would leave NSLCD unmanaged. Additionally, we allow the secondary region or sub-clouds to bind anonymously, but still need to support LDAP read operations in these regions such as ldapfinger or lsldap. For this purpose, the ldapscripts runtime library has been modified to allow anonymous binds during LDAP search operations. Change-Id: Ic9f4d157c0eab02a8dabbdae28d508d4aef05fa2
# Shared parameters for the platform::ldap::* classes. Concrete values are
# supplied by the caller (hiera / region configuration); the classes below
# inherit this class to read them.
class platform::ldap::params (
  # Clear-text password of the LDAP admin DN. It is written to
  # ldapscripts.passwd and interpolated into exec command lines by the
  # inheriting classes, so it must be treated as sensitive data.
  $admin_pw,
  # Hashed form of the admin password; substituted as the slapd rootpw.
  $admin_hashed_pw = undef,
  # Replication provider URI substituted into the provider= line of
  # slapd.conf.
  $provider_uri = undef,
  # Value substituted into the serverID line of slapd.conf.
  $server_id = undef,
  # When true, platform::ldap::server does not configure a local slapd
  # (the LDAP service is expected to be provided elsewhere).
  $ldapserver_remote = false,
  # Remote LDAP server host. Not referenced directly in this file;
  # presumably consumed by the ldap.conf/nslcd.conf templates -- confirm.
  $ldapserver_host = undef,
  # When true, the ldapscripts password file is not populated and LDAP
  # clients are expected to bind anonymously.
  $bind_anonymous = false,
) {}
# Entry point for LDAP server configuration. A local slapd is only managed
# when the LDAP service is not provided remotely ($ldapserver_remote).
class platform::ldap::server
  inherits ::platform::ldap::params {

  unless $ldapserver_remote {
    include ::platform::ldap::server::local
  }
}
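# Configures the local slapd instance, the nscd cache and the ldapscripts
# admin credential on a node that runs its own LDAP server.
#
# Notes for maintainers:
#  - Service['nslcd'] is referenced in the ordering chain at the bottom but
#    is declared in platform::ldap::client, so that class must be part of
#    the same catalog (platform::ldap::bootstrap includes both).
#  - Exec['stop-openldap'] has neither onlyif nor refreshonly, so slapd is
#    stopped and then restarted by Service['openldap'] on every catalog
#    application, not only while slapd.conf still exists. Presumably
#    intentional; left unchanged here.
class platform::ldap::server::local
  inherits ::platform::ldap::params {

  # One-shot conversion of the legacy slapd.conf into the cn=config
  # directory. Only runs while slapd.conf is still present.
  exec { 'slapd-convert-config':
    command => '/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/schema/',
    onlyif  => '/usr/bin/test -e /etc/openldap/slapd.conf'
  }

  # Move slapd.conf aside after conversion so the slapd.conf-guarded execs
  # become no-ops on later runs.
  exec { 'slapd-conf-move-backup':
    command => '/bin/mv -f /etc/openldap/slapd.conf /etc/openldap/slapd.conf.backup',
    onlyif  => '/usr/bin/test -e /etc/openldap/slapd.conf'
  }

  service { 'nscd':
    ensure     => 'running',
    enable     => true,
    name       => 'nscd',
    hasstatus  => true,
    hasrestart => true,
  }

  service { 'openldap':
    ensure     => 'running',
    enable     => true,
    name       => "slapd",
    hasstatus  => true,
    hasrestart => true,
  }

  exec { 'stop-openldap':
    command => '/usr/bin/systemctl stop slapd.service',
  }

  # Rewrite the replication and credential settings in slapd.conf.
  # NOTE(review): $admin_pw and $admin_hashed_pw are interpolated into the
  # command line, so they are visible in the process list while sed runs
  # and end up in the agent log/report if the exec fails. Rendering
  # slapd.conf from a template would avoid that; not changed here.
  exec { 'update-slapd-conf':
    command => "/bin/sed -i \\
      -e 's#provider=ldap.*#provider=${provider_uri}#' \\
      -e 's:serverID.*:serverID ${server_id}:' \\
      -e 's:credentials.*:credentials=${admin_pw}:' \\
      -e 's:^rootpw .*:rootpw ${admin_hashed_pw}:' \\
      -e 's:modulepath .*:modulepath /usr/lib64/openldap:' \\
      /etc/openldap/slapd.conf",
    onlyif  => '/usr/bin/test -e /etc/openldap/slapd.conf'
  }

  # don't populate the adminpw if binding anonymously
  # The file holds the clear-text admin password, so it is restricted to
  # root and its content is kept out of the diffs Puppet would otherwise
  # emit into logs and reports.
  if ! $bind_anonymous {
    file { "/usr/local/etc/ldapscripts/ldapscripts.passwd":
      content   => $admin_pw,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      show_diff => false,
    }
  }

  file { "/usr/share/cracklib/cracklib-small":
    ensure => link,
    target => "/usr/share/cracklib/cracklib-small.pwd",
  }

  # start openldap with updated config and updated nsswitch
  # then convert slapd config to db format. Note, slapd must have run and created the db prior to this.
  Exec['stop-openldap'] ->
  Exec['update-slapd-conf'] ->
  Service['nscd'] ->
  Service['nslcd'] ->
  Service['openldap'] ->
  Exec['slapd-convert-config'] ->
  Exec['slapd-conf-move-backup']
}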
# Client-side LDAP configuration: ldap.conf for the OpenLDAP tools,
# nslcd.conf plus the nslcd service for NSS/PAM lookups, and -- on
# controllers only -- the ldapscripts configuration file.
class platform::ldap::client
  inherits ::platform::ldap::params {

  file { "/etc/openldap/ldap.conf":
    ensure  => 'present',
    replace => true,
    content => template('platform/ldap.conf.erb'),
  }

  # NOTE(review): no mode is set on nslcd.conf. If the template emits a
  # bindpw, the file should be root-only (0600); cannot tell from here.
  file { "/etc/nslcd.conf":
    ensure  => 'present',
    replace => true,
    content => template('platform/nslcd.conf.erb'),
  }

  service { 'nslcd':
    ensure     => 'running',
    enable     => true,
    name       => 'nslcd',
    hasstatus  => true,
    hasrestart => true,
  }

  # nslcd only starts (or restarts) once its configuration is in place.
  File['/etc/nslcd.conf'] -> Service['nslcd']

  case $::personality {
    'controller': {
      file { "/usr/local/etc/ldapscripts/ldapscripts.conf":
        ensure  => 'present',
        replace => true,
        content => template('platform/ldapscripts.conf.erb'),
      }
    }
    default: {}
  }
}
# One-time bootstrap of the local directory: loads the initial LDIF,
# creates the admin/operator users and the protected group, and switches
# the operator's login shell.
#
# NOTE(review): the exec commands below are not fully qualified and no
# path is set in this class, so an Exec default from an enclosing scope
# presumably supplies it -- confirm. None of the execs carry unless/creates
# guards, so this class is only meant to be applied during bootstrap. The
# admin password is passed on the ldapadd/ldapmodify command lines and is
# therefore visible in the process list while they run.
class platform::ldap::bootstrap
  inherits ::platform::ldap::params {

  include ::platform::params

  # Local ldap server is configured during bootstrap. It is later
  # replaced by remote ldapserver configuration (if needed) during
  # application of controller / compute / storage manifest.
  include ::platform::ldap::server::local
  include ::platform::ldap::client

  Class['platform::ldap::server::local'] -> Class[$name]

  $dn = 'cn=ldapadmin,dc=cgcs,dc=local'

  exec { 'populate initial ldap configuration':
    command => "ldapadd -D ${dn} -w ${admin_pw} -f /etc/openldap/initial_config.ldif"
  }

  exec { 'create ldap admin user':
    command => "ldapadduser admin root"
  }

  exec { 'create ldap operator user':
    command => "ldapadduser operator users"
  }

  exec { 'create ldap protected group':
    command => "ldapaddgroup ${::platform::params::protected_group_name} ${::platform::params::protected_group_id}"
  }

  exec { 'add admin to wrs protected group':
    command => "ldapaddusertogroup admin ${::platform::params::protected_group_name}",
  }

  exec { 'add operator to wrs protected group':
    command => "ldapaddusertogroup operator ${::platform::params::protected_group_name}",
  }

  # Change operator shell from default to /usr/local/bin/cgcs_cli
  file { "/tmp/ldap.cgcs-shell.ldif":
    ensure  => present,
    replace => true,
    source  => "puppet:///modules/${module_name}/ldap.cgcs-shell.ldif"
  }

  exec { 'ldap cgcs-cli shell update':
    command => "ldapmodify -D ${dn} -w ${admin_pw} -f /tmp/ldap.cgcs-shell.ldif"
  }

  # Strict sequencing: each step depends on the directory state left by
  # the previous one.
  Exec['populate initial ldap configuration'] ->
  Exec['create ldap admin user'] ->
  Exec['create ldap operator user'] ->
  Exec['create ldap protected group'] ->
  Exec['add admin to wrs protected group'] ->
  Exec['add operator to wrs protected group'] ->
  File['/tmp/ldap.cgcs-shell.ldif'] ->
  Exec['ldap cgcs-cli shell update']
}