Synchronize salt configuration with gvaldap
This commit is contained in:
parent
e8da0baf70
commit
2ff2a8174c
8 changed files with 142 additions and 15 deletions
|
@ -1,4 +1,5 @@
|
||||||
include:
|
include:
|
||||||
|
- gnuviechadmin
|
||||||
- gnuviechadmin.queues.common
|
- gnuviechadmin.queues.common
|
||||||
- gnuviechadmin.queues.gvaldap
|
- gnuviechadmin.queues.gvaldap
|
||||||
|
|
||||||
|
@ -6,3 +7,5 @@ gnuviechadmin:
|
||||||
component:
|
component:
|
||||||
name: gvaldap
|
name: gvaldap
|
||||||
amqp_user: ldap
|
amqp_user: ldap
|
||||||
|
ldap_admin_user: ldapadmin
|
||||||
|
allowed_hosts: 127.0.0.1,gvaldap.local,localhost
|
||||||
|
|
|
@ -11,6 +11,8 @@ gnuviechadmin:
|
||||||
osuserhomedirbase: /home
|
osuserhomedirbase: /home
|
||||||
osuserdefaultshell: /usr/bin/rssh
|
osuserdefaultshell: /usr/bin/rssh
|
||||||
uploadserver: gvafile.local
|
uploadserver: gvafile.local
|
||||||
webmail_url: https://webmail.example.com/
|
ldap_domain: gva.local
|
||||||
phpmyadmin_url: https://phpmyadmin.example.com/
|
ldap_url: ldap://gvaldap.local
|
||||||
phppgadmin_url: https://phppgadmin.example.com/
|
ldap_base_dn: dc=gva,dc=local
|
||||||
|
ldap_groups_ou: groups
|
||||||
|
ldap_users_ou: users
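Review bot: `ldap_url: ldap://gvaldap.local` selects the cleartext LDAP scheme, and this commit binds over that URL with simple password binds both as cn=admin in create_base_ldap_objects.sh and as the worker via GVALDAP_LDAP_URL, so the bind passwords travel unencrypted whenever the worker and slapd run on different hosts. If this is only meant for the local Vagrant setup, a comment on the key should say so; otherwise `ldaps://` (or an `ldapi://` socket when co-located) is the safer value. The enclosing `gnuviechadmin:` mapping begins above this hunk.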
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
include:
|
include:
|
||||||
|
- gnuviechadmin
|
||||||
- gnuviechadmin.queues.common
|
- gnuviechadmin.queues.common
|
||||||
- gnuviechadmin.queues.gva
|
- gnuviechadmin.queues.gva
|
||||||
|
|
||||||
|
@ -7,3 +8,6 @@ gnuviechadmin:
|
||||||
name: gva
|
name: gva
|
||||||
amqp_user: gva
|
amqp_user: gva
|
||||||
python_module: gnuviechadmin
|
python_module: gnuviechadmin
|
||||||
|
webmail_url: https://webmail.example.com/
|
||||||
|
phpmyadmin_url: https://phpmyadmin.example.com/
|
||||||
|
phppgadmin_url: https://phppgadmin.example.com/
|
||||||
|
|
|
@ -4,6 +4,7 @@ base-packages:
|
||||||
- screen
|
- screen
|
||||||
- htop
|
- htop
|
||||||
- git
|
- git
|
||||||
|
- locales-all
|
||||||
|
|
||||||
/home/vagrant/.screenrc:
|
/home/vagrant/.screenrc:
|
||||||
file.managed:
|
file.managed:
|
||||||
|
|
|
@ -9,3 +9,11 @@ gvaldap-packages:
|
||||||
- libsasl2-dev
|
- libsasl2-dev
|
||||||
- require_in:
|
- require_in:
|
||||||
- pkg: gnuviechadmin-packages
|
- pkg: gnuviechadmin-packages
|
||||||
|
|
||||||
|
base-ldap-objects:
|
||||||
|
cmd.script:
|
||||||
|
- source: salt://gnuviechadmin/gvaldap/create_base_ldap_objects.sh
|
||||||
|
- template: jinja
|
||||||
|
- user: root
|
||||||
|
- group: root
|
||||||
|
- unless: ldapsearch -Y EXTERNAL -H ldapi:// -b "{{ salt['pillar.get']('gnuviechadmin:ldap_base_dn') }}" "cn={{ salt['pillar.get']('gnuviechadmin:ldap_admin_user') }}" | grep -q numEntries
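Review bot: `base-ldap-objects` declares no requisites, so nothing orders it after slapd is installed and running or after the ldap-utils package that provides ldapsearch and ldapmodify; add `- require:` with `- service: slapd` (and the package state) so the script is not executed against an absent server, assuming the ldapserver state is applied on the same minion. The `unless` check also keys only on the admin entry that the script creates last, so a partial failure leaves a state that is re-run on every highstate and then fails on the ppolicy objects already present; the note on create_base_ldap_objects.sh covers that. The preceding context lines belong to the `gvaldap-packages` state, which starts above this hunk.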
|
||||||
|
|
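--- /dev/null
+++ b/roots/gnuviechadmin/gvaldap/create_base_ldap_objects.sh
@@ -0,0 +1,91 @@
+#!/bin/sh
+
+set -e
+
+{% set base_dn = salt['pillar.get']('gnuviechadmin:ldap_base_dn') %}
+{% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
+{% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
+{% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+
+# setup password hashing for cleartext input
+ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
+
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashClearText: TRUE
+EOD
+
+# define ACLs on LDAP tree
+ldapmodify -v -H ldapi:// -Y EXTERNAL <<EOD
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+by self write
+by anonymous auth
+by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+by * none
+olcAccess: {1}to dn.base=""
+by * read
+olcAccess: {2}to dn.subtree="ou={{ ldap_users_ou }},{{ base_dn }}"
+by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+by * read
+olcAccess: {3}to dn.subtree="ou={{ ldap_groups_ou }},{{ base_dn }}"
+by dn="cn={{ ldap_admin_user }},{{ base_dn }}" write
+by * read
+olcAccess: {4}to *
+by self write
+by * read
+EOD
+
+# add OUs, groups and ldapadmin user
+ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd.password") }}' <<EOD
+dn: ou={{ ldap_users_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_users_ou }}
+
+dn: ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: top
+objectClass: organizationalUnit
+ou: {{ ldap_groups_ou }}
+
+dn: cn=sftponly,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: sftponly
+gidNumber: 2000
+description: SFTP users
+
+dn: cn=wwwusers,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: wwwusers
+gidNumber: 2001
+
+dn: cn=webserver,ou={{ ldap_groups_ou }},{{ base_dn }}
+changetype: add
+objectClass: posixGroup
+cn: webserver
+gidNumber: 2002
+memberUid: www-data
+
+dn: cn={{ ldap_admin_user }},{{ base_dn }}
+changetype: add
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: {{ ldap_admin_user }}
+description: LDAP manager for celery worker
+userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
+EOD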
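Review bot: Every step runs unconditionally under `set -e`, so if the script aborts after the ppolicy schema or overlay has been added (for instance because the simple bind in the last `ldapmodify` fails), each later run dies on the already-existing cn=config objects, and the `unless` guard in init.sls, which only checks for the admin entry created last, never becomes true; give each step its own existence check so a rerun can complete. The cn=admin password is passed as `-w '...'`, which exposes it in the process list and in the rendered copy Salt caches on the minion; `-y` with a root-only password file keeps it off the command line. All three heredocs use an unquoted `EOD`, so the shell still applies `$` and backtick expansion to the LDIF body even though Jinja has already substituted every value; `<<'EOD'` removes that. On the last line, `.encode("base64")` is the Python 2 string codec, which is unavailable on Python 3 minions and also appends a newline to the encoded value; Salt's `base64_encode` Jinja filter is the portable form where the installed release provides it.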
@ -1,14 +1,14 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
export DJANGO_SETTINGS_MODULE="gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}"
|
export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
|
||||||
export GVALDAP_ADMIN_NAME="Jan Dittberner"
|
export GVALDAP_ADMIN_NAME='Jan Dittberner'
|
||||||
export GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
|
export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
|
||||||
export GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
|
export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
|
||||||
export GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
|
export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||||
export GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
|
export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
|
||||||
export GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
|
export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||||
export GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
|
export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
|
||||||
export GVALDAP_SECRETKEY="{{ salt['grains.get_or_set_hash']('gnuviechadmin-gvaldap:SECRET_KEY', 50) }}"
|
export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
|
||||||
export GVALDAP_BROKER_URL="{{ broker_url }}"
|
export GVALDAP_BROKER_URL='{{ broker_url }}'
|
||||||
export GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
|
export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
|
||||||
export GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"
|
export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
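Review bot: Renaming the hash grain from `gnuviechadmin-gvaldap:SECRET_KEY` to `gnuviechadmin.secret_key` makes `grains.get_or_set_hash` mint a fresh key on any minion that already carried the old grain, which invalidates existing Django sessions and signed tokens; the commit message should say so, or the old grain value should be carried over. The rendered file now also embeds the LDAP bind password and SECRET_KEY as plain shell assignments, so the `file.managed` state that deploys it (outside this hunk) should set an owner and a mode of 0600. The switch to single quotes is fine for the Jinja output shown, but a pillar value containing `'` (adminemail, mailfrom, allowed_hosts) would terminate the quoted string and break the export line.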
|
||||||
|
|
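--- /dev/null
+++ b/roots/ldapserver/init.sls
@@ -0,0 +1,18 @@
+ldapserver-packages:
+debconf.set:
+- name: slapd
+- data:
+'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}' }
+'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd.password") }}'}
+pkg.installed:
+- pkgs:
+- ldap-utils
+- ldapscripts
+- ldapvi
+- slapd
+service.running:
+- name: slapd
+- require:
+- pkg: ldapserver-packages
+- debconf: slapd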
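Review bot: `slapd/password1` and `slapd/password2` call `grains.get_or_set_hash("slapd.password")` without a length, so the cn=admin password is generated at Salt's default length (8 characters, if I recall the default correctly) while the worker password elsewhere in this commit uses 16; pass an explicit length, e.g. `'{{ salt["grains.get_or_set_hash"]("slapd.password", 16) }}'`. The debconf preseed only takes effect on the initial installation, so the ordering of `debconf.set` before `pkg.installed` is worth making explicit with `- require:` / `- debconf: slapd` on the pkg state rather than relying on declaration order. Note also that `slapd/domain` derives the directory suffix from the `ldap_domain` pillar key while the scripts address `cn=admin,{{ base_dn }}` via the separate `ldap_base_dn` key; the two must be kept consistent or the admin bind DN will not exist.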