This change added ppolicy-check-password package from
https://github.com/cedric-dufour/ppolicy-check-password
This package contains check_password.so that is used by ldap
to enforce password complexity for ldap users.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, controller unlock
PASS: after controller unlock, login by "admin" user on
console, and su to "admin" on ssh session.
PASS: failure path with non-compliant passwords for ldap user
password change (eg, change password when first login)
Story: 2009101
Task: 44864
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If5a1e5c6784c7354c0a4903e1d1c4abb21d8a01f

Change openldap pid and args file location from /var/run/slapd
to /run so it's aligned with CentOS. This will enable openldap
to be managed by SM.
Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap
PASS: controller unlock, open-ldap service state in SM is
enabled-active enabled-active
Story: 2009101
Task: 44664
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I108a63d5b829b66ef24516f9e2c33fde0288f9a8

Porting all CentOS patches, and also align the file permission
with CentOS.
Test Plan: Verify the building, installing and booting test
PASS: Verify package build
PASS: Verify system install
PASS: Verify system boot
Story: 2009221
Task: 43415
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7766d4aa26420c6f701a0dffaa7e9bf6b77e0c75

Ported all patches from CentOS.
Ported patch rootdn-should-not-bypass-ppolicy.patch + deleted unit test for it.
meta_data patches were not needed as they were only modifying the rpm spec.
Disabled unit tests part of debian build.
Ran the unit tests once before disabling and they pass.
Story: 2009221
Task: 43407
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Ia0b640c5cd2594daae5722b1c9743a3a800485ab

This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.
Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>

This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.
Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>

The openldap-spec-file.patch contains some modifications to the
default configure command line.
After evaluation by Saul in task 27731, we should be able to remove
the part of this patch that changes the configure options.
However, it seems some other changes in this patch still could not be
removed, so the patch could not be reverted so far.
Deployment test pass and slapd service works.
Story: 2004216
Task: 28015
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
Change-Id: I55e4961bf2ceb69bb0592f3fb34b4fded3a2e8fd

The change of 3 meta patches refers to %post section in spec file.
The comment in the patch mentions that we don't want change our custom
binddn and bindpw in nslcd.conf.
However, in the spec file, the "source" variable could not be assigned a valid
file name, as we could not find these *.conf files in the /etc/ folder.
if test -s /etc/nss-ldapd.conf ; then
    source=/etc/nss-ldapd.conf
elif test -s /etc/nss_ldap.conf ; then
    source=/etc/nss_ldap.conf
elif test -s /etc/pam_ldap.conf ; then
    source=/etc/pam_ldap.conf
else
    source=/etc/ldap.conf
fi
So it will not change nslcd.conf even if we do not remove
below code.
if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then
# Comment out the packaged default base and replace it.
sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target
grep -E '^base[[:blank:]]' $source >> $target
fi
grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' \
    $source 2> /dev/null >> $target
We can use RPM instead of SRPM for nss-pam-ldapd package,
since related patches are not used anymore.
Deployment test pass.
Story: 2003768
Task: 28045
Depends-on: https://review.openstack.org/#/c/619976/
Change-Id: Ia4fa723d1a6ff9a7a8059fc2db1afec640ea41b1
Signed-off-by: zhipengl <zhipengs.liu@intel.com>

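The %post logic discussed in the commit above, replayed as an added example (not the commit's or the nss-pam-ldapd spec's own code) under a constructed root directory, so the claim that nslcd.conf is left untouched when none of the legacy *.conf files exist can be checked offline. The root prefix, the fixture file contents and the helper names are assumptions of this example.

```shell
# Added example (not the commit's or the nss-pam-ldapd spec's code): replays the
# %post "source" selection and merge logic under a constructed root directory,
# so the behaviour when none of the legacy *.conf files exist can be checked.
merge_ldap_conf() {
    root="$1"     # prefix standing in for "/" (assumption of this example)
    target="$2"   # the packaged nslcd.conf being post-processed
    # Same candidate order as the spec; the else branch selects ldap.conf
    # whether or not it exists, so "source" always holds a path.
    if test -s "$root/etc/nss-ldapd.conf"; then
        source="$root/etc/nss-ldapd.conf"
    elif test -s "$root/etc/nss_ldap.conf"; then
        source="$root/etc/nss_ldap.conf"
    elif test -s "$root/etc/pam_ldap.conf"; then
        source="$root/etc/pam_ldap.conf"
    else
        source="$root/etc/ldap.conf"
    fi
    if grep -E -q '^base[[:blank:]]' "$source" 2>/dev/null; then
        # Comment out the packaged default base and replace it.
        sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' "$target"
        grep -E '^base[[:blank:]]' "$source" >> "$target"
    fi
    # With a missing source, grep fails silently and appends nothing
    # ("|| true" keeps this safe under set -e).
    grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' \
        "$source" 2>/dev/null >> "$target" || true
}

# Constructed fixture: a fresh root holding only the packaged nslcd.conf.
make_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    printf 'base dc=example,dc=com\nbinddn cn=packaged,dc=example,dc=com\n' \
        > "$root/etc/nslcd.conf"
    echo "$root"
}

# Runs the merge and echoes how many lines it appended to nslcd.conf;
# with "$1" = legacy, a legacy /etc/ldap.conf with custom values is planted.
lines_added_by_merge() {
    root=$(make_root)
    if [ "$1" = legacy ]; then
        printf 'base dc=legacy,dc=com\nbinddn cn=custom,dc=legacy,dc=com\n' \
            > "$root/etc/ldap.conf"
    fi
    before=$(wc -l < "$root/etc/nslcd.conf")
    merge_ldap_conf "$root" "$root/etc/nslcd.conf"
    after=$(wc -l < "$root/etc/nslcd.conf")
    rm -rf "$root"
    echo $((after - before))
}
```

Without a legacy file the merge appends nothing, which is the behaviour the commit relies on; only when a legacy ldap.conf is present does the packaged base get commented out and the custom base/binddn appended.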
Package openldap-config is added to configure the customized config file
of openldap.
Here is the customized change in slapd.service:
"
-After=syslog.target network-online.target
+Before=rsyncd.service
+After=network.target syslog-ng.target
-PIDFile=/var/run/openldap/slapd.pid
+PIDFile=/var/run/slapd.pid
-ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+ExecStart=/etc/init.d/openldap start
+ExecStop=/etc/init.d/openldap stop
+ExecReload=/etc/init.d/openldap restart
+RemainAfterExit=yes
"
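Review bot: the new ExecStart line drops the explicit `-u ldap` user switch and hands startup to /etc/init.d/openldap; nothing in the shown change confirms that the init script drops privileges to the ldap user, so that should be verified (or `-u ldap` kept in the init script's slapd invocation) before merging. Likewise, since systemd no longer launches slapd directly, the changed `+PIDFile=/var/run/slapd.pid` must match the pid file the init script actually writes, otherwise SM/systemd cannot track the daemon despite RemainAfterExit=yes.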
Here is the customized change in slapd.sysconfig:
"
-#SLAPD_OPTIONS=""
+SLAPD_OPTIONS=""
"
Test:
Pass build and multi node deploy test. Confirmed related config
file is the same as before in deploy node.
Story: 2003768
Task: 26462
Depends-On: https://review.openstack.org/618440
Change-Id: I2559a8e43619449d6179ed913181052d653fa91d
Signed-off-by: slin14 <shuicheng.lin@intel.com>

There is security related issue with lshell, and it is not
maintained now. So remove it from our system to avoid
security issue.
To remove lshell:
1. Package sudo-config is created for the wrs.sudo configuration file
following the refactor process.
2. ldapusersetup in ldapscripts is modified to use bash only.
lshell support is removed.
ldapusersetup related patches are merged into 1 for easy
maintenance.
Test has been done:
Build and deploy test is done, also unit tests for ldap are
executed with pass, except lshell related test.
Closes-Bug: 1795451
Change-Id: Ia5de1bc94d22eb6c9bea6d9a96e92564ad848b19
Signed-off-by: slin14 <shuicheng.lin@intel.com>

Problem:
- Centos 7.5 upgraded nss-pam-ldapds.
- Porting of nss-pam-ldapds patches did not resolve the 'fuzz' in the line
numbers of the patches.
- If nss-pam-ldapd is built by rpm 4.11, or the default version of rpm
until 4.14 is compiled, a fuzzy patch results in the creation
of an .orig file.
- Packaging of nss-pam-ldapds fails due to the unexpected, and
unpackaged, .orig file
Solution:
Safest solution is to de-fuzz our nss-pam-ldapds patches.
Story: 2003389
Task: 26755
Change-Id: I82092c3ff4d7cf711d0e1542e61bccb491bd8388
Signed-off-by: Sun Austin <austin.sun@intel.com>

Decouple NSLCD from the open-ldap SM service and manage it by PMOND
instead. This is needed because in the Shared LDAP case, we deprovision
the open-ldap service on the Secondary Region which renders NSLCD
unmanaged.
Additionally, we allow the Secondary Region or Sub Clouds to bind
anonymously, but still need to support LDAP read operations in these
regions such as ldapfinger or lsldap. For this purpose, the ldapscripts
runtime library has been modified to allow anonymous binds during LDAP
search operations.
Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6
Signed-off-by: Jack Ding <jack.ding@windriver.com>
Signed-off-by: Scott Little <scott.little@windriver.com>