Synchronize salt configuration with gvaldap

2016-01-31 16:34:53 +01:00 · 2016-01-31 16:34:53 +01:00 · 2ff2a8174c
parent e8da0baf70
commit 2ff2a8174c
8 changed files with 142 additions and 15 deletions
--- a/pillar/gnuviechadmin/gvaldap.sls
+++ b/pillar/gnuviechadmin/gvaldap.sls
@ -1,4 +1,5 @@
 include:
+  - gnuviechadmin
  - gnuviechadmin.queues.common
  - gnuviechadmin.queues.gvaldap

@ -6,3 +7,5 @@ gnuviechadmin:
  component:
    name: gvaldap
    amqp_user: ldap
+  ldap_admin_user: ldapadmin
+  allowed_hosts: 127.0.0.1,gvaldap.local,localhost
--- a/pillar/gnuviechadmin/init.sls
+++ b/pillar/gnuviechadmin/init.sls
@ -11,6 +11,8 @@ gnuviechadmin:
  osuserhomedirbase: /home
  osuserdefaultshell: /usr/bin/rssh
  uploadserver: gvafile.local
-  webmail_url: https://webmail.example.com/
-  phpmyadmin_url: https://phpmyadmin.example.com/
-  phppgadmin_url: https://phppgadmin.example.com/
+  ldap_domain: gva.local
+  ldap_url: ldap://gvaldap.local
+  ldap_base_dn: dc=gva,dc=local
+  ldap_groups_ou: groups
+  ldap_users_ou: users
--- a/pillar/gnuviechadmin/webinterface.sls
+++ b/pillar/gnuviechadmin/webinterface.sls
@ -1,4 +1,5 @@
 include:
+  - gnuviechadmin
  - gnuviechadmin.queues.common
  - gnuviechadmin.queues.gva

@ -7,3 +8,6 @@ gnuviechadmin:
    name: gva
    amqp_user: gva
    python_module: gnuviechadmin
+  webmail_url: https://webmail.example.com/
+  phpmyadmin_url: https://phpmyadmin.example.com/
+  phppgadmin_url: https://phppgadmin.example.com/
--- a/roots/base/init.sls
+++ b/roots/base/init.sls
@ -4,6 +4,7 @@ base-packages:
      - screen
      - htop
      - git
+      - locales-all

 /home/vagrant/.screenrc:
  file.managed:
--- a/roots/gnuviechadmin/gvaldap.sls
+++ b/roots/gnuviechadmin/gvaldap.sls
@ -9,3 +9,11 @@ gvaldap-packages:
      - libsasl2-dev
    - require_in:
      - pkg: gnuviechadmin-packages
+
+base-ldap-objects:
+  cmd.script:
+    - source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
+    - template: jinja
+    - user: root
+    - group: root
+    - unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries
--- a/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
+++ b/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
@ -0,0 +1,91 @@
+#!/bin/sh
+
+set -e
+
+{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
+{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
+{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
+{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+
+# setup password hashing for cleartext input
+ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
+
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashClearText: TRUE
+EOD
+
+# define ACLs on LDAP tree
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+  by self write
+  by anonymous auth
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * none
+olcAccess: {1}to dn.base=""
+  by * read
+olcAccess: {2}to dn.subtree="ou={{ ldap_users_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {3}to dn.subtree="ou={{ ldap_groups_ou }},{{ base_dn }}"
+  by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+  by * read
+olcAccess: {4}to *
+  by self write
+  by * read
+EOD
+
+# add OUs, groups and ldapadmin user
+ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd.password") }}' <<EOD
+dn: ou={{ ldap_users_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_users_ou }}
+
+dn: ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_groups_ou }}
+
+dn: cn=sftponly,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: sftponly
+gidNumber: 2000
+description: SFTP users
+
+dn: cn=wwwusers,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: wwwusers
+gidNumber: 2001
+
+dn: cn=webserver,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: webserver
+gidNumber: 2002
+memberUid: www-data
+
+dn: cn={{ ldap_admin_user }},{{ base_dn }}
+changetype: add
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: {{ ldap_admin_user }}
+description: LDAP manager for celery worker
+userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
+EOD
--- a/roots/gnuviechadmin/gvaldap/settings.sh
+++ b/roots/gnuviechadmin/gvaldap/settings.sh
@ -1,14 +1,14 @@
 #!/bin/sh

-export DJANGO_SETTINGS_MODULE="gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}"
-export GVALDAP_ADMIN_NAME="Jan Dittberner"
-export GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
-export GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
-export GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
-export GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
-export GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
-export GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
-export GVALDAP_SECRETKEY="{{ salt['grains.get_or_set_hash']('gnuviechadmin-gvaldap:SECRET_KEY', 50) }}"
-export GVALDAP_BROKER_URL="{{ broker_url }}"
-export GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
-export GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
+export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
+export GVALDAP_ADMIN_NAME='Jan Dittberner'
+export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
+export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
+export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
+export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
+export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
+export GVALDAP_BROKER_URL='{{ broker_url }}'
+export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
+export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
--- a/roots/ldapserver/init.sls
+++ b/roots/ldapserver/init.sls
@ -0,0 +1,18 @@
+ldapserver-packages:
+  debconf.set:
+    - name: slapd
+    - data:
+        'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
+        'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+        'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+  pkg.installed:
+    - pkgs:
+      - ldap-utils
+      - ldapscripts
+      - ldapvi
+      - slapd
+  service.running:
+    - name: slapd
+    - require:
+      - pkg: ldapserver-packages
+      - debconf: slapd