From 1060a848c38795fc929d3f407b86e5106c3a2735 Mon Sep 17 00:00:00 2001
From: Max Erenberg
Date: Fri, 28 May 2021 00:04:03 -0400
Subject: [PATCH] add LDAP setup for auth1 container

---
 .gitignore | 2 +
 auth1/ldap/csc.schema | 35 +++++
 auth1/ldap/data.ldif.j2 | 72 +++++++++
 auth1/ldap/ldap.conf.j2 | 20 +++
 auth1/ldap/nsswitch.conf | 20 +++
 auth1/ldap/rfc2307bis.schema | 287 ++++++++++++++++++++++++++++++++++
 auth1/ldap/slapd.conf.j2 | 148 ++++++++++++++++++
 auth1/main.yml | 120 ++++++++++++++
 coffee/main.yml | 2 +-
 dns/templates/dnsmasq.conf.j2 | 3 +-
 hosts | 2 +
 11 files changed, 709 insertions(+), 2 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 auth1/ldap/csc.schema
 create mode 100644 auth1/ldap/data.ldif.j2
 create mode 100644 auth1/ldap/ldap.conf.j2
 create mode 100644 auth1/ldap/nsswitch.conf
 create mode 100644 auth1/ldap/rfc2307bis.schema
 create mode 100644 auth1/ldap/slapd.conf.j2
 create mode 100644 auth1/main.yml

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e75d6b1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+# Vim
+.*.swp
diff --git a/auth1/ldap/csc.schema b/auth1/ldap/csc.schema
new file mode 100644
index 0000000..e104398
--- /dev/null
+++ b/auth1/ldap/csc.schema
@@ -0,0 +1,35 @@
+# CSC Member Information Schema
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.1 NAME 'term'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.2 NAME 'program'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.3 NAME 'studentid'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.4 NAME 'position'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
+ SUP top AUXILIARY
+ MUST ( cn $ uid )
+ MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
+ SUP top AUXILIARY
+ MUST ( cn $ uid ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.3 NAME 'group'
+ SUP top STRUCTURAL
+ MUST ( cn )
+ MAY ( uniqueMember ) )
diff --git a/auth1/ldap/data.ldif.j2 b/auth1/ldap/data.ldif.j2
new file mode 100644
index 0000000..ec02116
--- /dev/null
+++ b/auth1/ldap/data.ldif.j2
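Review bot: The new `studentid`, `program` and `term` attributes look like personal data, but nothing in the schema or its header comment records that they are more sensitive than the rest of a member entry, and the decision about who may read them is made elsewhere, in the ACLs of slapd.conf.j2. A short note at the top of the file would keep the two files in step, e.g. `# NOTE: studentid, program and term hold personal data; who may read them is decided by the ACLs in slapd.conf`. Whether the ACLs shipped in this patch actually restrict those attributes is a separate question for the slapd.conf.j2 hunk.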
@@ -0,0 +1,72 @@
+dn: {{ ldap_base }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+dc: csclub
+o: Computer Science Club
+
+dn: ou=People,{{ ldap_base }}
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Groups,{{ ldap_base }}
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
+dn: cn=defaults,ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+sudoOption: !insults
+sudoOption: !lecture
+sudoOption: env_reset
+sudoOption: listpw=never
+sudoOption: shell_noargs
+
+dn: cn=syscom,ou=Groups,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: syscom
+gidNumber: 10001
+uniqueMember: uid=ctdalek,dc=People,{{ ldap_base }}
+
+dn: cn=%syscom,ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: sudoRole
+cn: %syscom
+sudoUser: %syscom
+sudoHost: ALL
+sudoCommand: ALL
+sudoRunAsUser: ALL
+
+# The password for each user is slapd.
+# The hashes were generated with slappasswd.
+
+dn: uid=ctdalek,ou=People,{{ ldap_base }}
+cn: Calum Dalek
+userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
+loginShell: /bin/bash
+homeDirectory: /home/ctdalek
+uidNumber: 10101
+uid: ctdalek
+gidNumber: 10101
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=ctdalek,ou=Groups,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: ctdalek
+gidNumber: 10101
diff --git a/auth1/ldap/ldap.conf.j2 b/auth1/ldap/ldap.conf.j2
new file mode 100644
index 0000000..16e033c
--- /dev/null
+++ b/auth1/ldap/ldap.conf.j2
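Review bot: `uniqueMember: uid=ctdalek,dc=People,{{ ldap_base }}` on cn=syscom does not match the DN the user is actually created under (`uid=ctdalek,ou=People,{{ ldap_base }}`), so the membership, and every ACL or sudo rule keyed on it, will not resolve to this account; it should read `uniqueMember: uid=ctdalek,ou=People,{{ ldap_base }}`. The groups are created under `ou=Groups`, while slapd.conf.j2 in this same patch refers to `ou=Group` in its `group/group/uniqueMember` ACLs and `unique_uri` lines, so the syscom write ACL and the cn/gidNumber uniqueness check target a container that is never created; one spelling should be used in both files. `dc: csclub` is hard-coded under a templated `dn: {{ ldap_base }}`, which only loads cleanly while base_domain starts with `csclub.`; deriving it from the same variable removes that hidden coupling. The committed SSHA hash is documented as the password `slapd`, which is fine for a throwaway container but must never be copied into a real directory.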
@@ -0,0 +1,20 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE dc=example,dc=com
+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
+BASE {{ ldap_base }}
+URI ldap://{{ auth1_ipv4_addr }}
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+
+SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal
diff --git a/auth1/ldap/nsswitch.conf b/auth1/ldap/nsswitch.conf
new file mode 100644
index 0000000..ef2999d
--- /dev/null
+++ b/auth1/ldap/nsswitch.conf
@@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+sudoers: files ldap
diff --git a/auth1/ldap/rfc2307bis.schema b/auth1/ldap/rfc2307bis.schema
new file mode 100644
index 0000000..27f5484
--- /dev/null
+++ b/auth1/ldap/rfc2307bis.schema
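Review bot: `SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal` hard-codes the suffix that every other line of this patch derives from `{{ ldap_base }}`; it should be `SUDOERS_BASE ou=SUDOers,{{ ldap_base }}` so sudo-ldap keeps finding its rules if base_domain changes. `URI ldap://{{ auth1_ipv4_addr }}` is plaintext LDAP, and the server side of this patch leaves TLS commented out, so any simple bind made through this client configuration carries the password in the clear on the container network; for the local host `URI ldapi:///` avoids the problem entirely, and a remote client should get an `ldaps://` or STARTTLS-protected URI once the server has a certificate. Note also that nslcd (libnss-ldapd/libpam-ldapd) reads `/etc/nslcd.conf` rather than this file, and the playbook only appends a `map` line there, so its `uri` and `base` presumably come from debconf defaults and are worth setting explicitly.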
@@ -0,0 +1,287 @@ +# builtin +#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' +# DESC 'An integer uniquely identifying a user in an administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) +# + +# builtin +#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' +# DESC 'An integer uniquely identifying a group in an +# administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + 
+attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network as a dotted decimal, eg. 192.168, + omitting leading zeros' + SUP name + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, + omitting leading zeros' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 
00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a A generic NIS map' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) + +attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( 
userPassword $ loginShell $ gecos $ + description ) ) + +objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) + +objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) + +objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocols canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. + The distinguished value of the cn attribute denotes + the RPC services canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ manager ) ) + +objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. 
The distinguished value of + the cn attribute denotes the networks canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) + +objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) + +objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) + +objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) + +objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) + +objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST nisDomain ) + +objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) + +objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +## namedObject is needed for groups without members +objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top + STRUCTURAL MAY cn ) + diff --git a/auth1/ldap/slapd.conf.j2 b/auth1/ldap/slapd.conf.j2 new file mode 100644 index 0000000..360f354 --- /dev/null +++ b/auth1/ldap/slapd.conf.j2 
@@ -0,0 +1,148 @@
+# This is the main slapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/rfc2307bis.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/sudo.schema
+include /etc/ldap/schema/csc.schema
+include /etc/ldap/schema/misc.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+#Warning: "stats" is *lots* of logging
+loglevel sync
+#loglevel stats config sync acl
+
+modulepath /usr/lib/ldap
+moduleload back_hdb
+moduleload syncprov
+moduleload auditlog
+moduleload unique
+
+# resource limits
+#limits dn.base="cn=ldap-slave,{{ ldap_base }}" time=unlimited size=unlimited
+#limits group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
+#limits group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
+#limits users size=1000 time=300
+#limits * size=10 time=30
+
+# the above don't seem to work
+sizelimit unlimited
+timelimit unlimited
+
+# enable TLS connections
+# TLSCertificateFile /etc/ssl/private/csclub-wildcard-chain.crt
+# TLSCertificateKeyFile /etc/ssl/private/csclub-wildcard.key
+
+# enable TLS client authentication
+#TLSCACertificateFile /etc/ssl/certs/csclub.pem
+#TLSVerifyClient allow
+
+# consider local connections encrypted
+localssf 128
+
+# map kerberos users to ldap users
+# sasl-realm CSCLUB.UWATERLOO.CA
+# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+# "uid=$1,ou=people,{{ ldap_base }}"
+# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+# "cn=ceod,{{ ldap_base }}"
+# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+# "cn=ldap-slave,{{ ldap_base }}"
+# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+# "cn=renewal,{{ ldap_base }}"
+
+# map sasl external users to ldap users
+#authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+# "cn=ldap-slave,{{ ldap_base }}"
+
+# kerberos has code to allow SASL external auth, but it doesn't work yet
+#authz-regexp "cn=kdc[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+# "cn=kerberos-kdc,{{ ldap_base }}"
+#authz-regexp "cn=kadmin.csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+# "cn=kerberos-admin,{{ ldap_base }}"
+
+access to *
+ by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+ by * break
+
+# systems committee get full access
+access to *
+ by dn="cn=ceod,{{ ldap_base }}" write
+ by group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" write
+ by * break
+
+# slave servers get full read access for replication
+access to *
+ by dn="cn=ldap-slave,{{ ldap_base }}" read
+ by * break
+
+# allow office staff to add terms
+# the renewal program may do the same
+access to attrs=term
+ by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
+ by dn="cn=renewal,{{ ldap_base }}" add
+ by * read
+access to attrs=nonMemberTerm
+ by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
+ by dn="cn=renewal,{{ ldap_base }}" add
+ by * read
+
+# allow users to change their shells
+access to attrs=loginShell
+ by self write
+ by * read
+
+# allow simple authentication
+access to attrs=userPassword
+ by anonymous auth
+ by * none
+
+# allow access to attributes of top; they would otherwise be denied below
+access to attrs=@top
+ by * read
+
+# default permit
+access to *
+ by * read
+
+# main database options
+# note: the mdb backend has a horrible bug in 2.4.31
+# that causes indexing to destroy the database
+database hdb
+suffix "{{ ldap_base }}"
+directory "/var/lib/ldap"
+rootdn cn=root,{{ ldap_base }}
+index default eq
+index objectClass
+index entryCSN,entryUUID
+index uid,uidNumber
+index cn,gidNumber
+index uniqueMember,memberUid
+index sudoUser,sudoHost pres,sub,eq
+index term,nonMemberTerm
+index mailLocalAddress
+index modifyTimestamp,createTimestamp
+
+# 4 MB cache. use db_stat -m to check hit rate
+#dbconfig set_cachesize 0 4194304 0
+#cachesize 2000
+#idlcachesize 6000
+#checkpoint 512 30
+
+# log all changes to the directory
+overlay auditlog
+auditlog /var/log/ldap/audit.log
+
+# enforce uniqueness of usernames etc.
+overlay unique
+unique_uri ldap:///ou=People,{{ ldap_base }}?uid,uidNumber?sub
+unique_uri ldap:///ou=Group,{{ ldap_base }}?cn,gidNumber?sub
+
+# this is the master server
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
diff --git a/auth1/main.yml b/auth1/main.yml
new file mode 100644
index 0000000..1447270
--- /dev/null
+++ b/auth1/main.yml
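Review bot: The ACL chain ends in `access to * by * read`, and the only attribute the earlier rules withhold is `userPassword`, so an anonymous bind over `ldap://` can enumerate every entry, including the `studentid`, `program` and `term` attributes from csc.schema and the sudoRole entries under ou=SUDOers, with `sizelimit unlimited` making the dump trivial; unless anonymous enumeration is intended, the default rule should be `by users read`, or the personal attributes should get their own `access to attrs=studentid,program,term by self read by users read by * none` ahead of it. TLS is commented out and there is no `security` directive, so `localssf 128` only covers ldapi; a simple bind over the network sends the password in the clear, and `security simple_bind=128` would refuse such binds until TLS is configured while still admitting ldapi clients. `auditlog /var/log/ldap/audit.log` records complete entries, userPassword hashes included, but nothing in auth1/main.yml creates `/var/log/ldap`, so the overlay presumably cannot write at all, and a hand-made directory with default permissions would leave the hashes readable by every local user; a task creating it with `owner: openldap`, `mode: "0750"` belongs in the playbook. The `ou=Group` used in the `group/group/uniqueMember` ACLs and `unique_uri` lines does not match the `ou=Groups` that data.ldif.j2 in this patch creates.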
@@ -0,0 +1,120 @@
+---
+- hosts: auth1
+ vars:
+ ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
+ tasks:
+ - name: setup networking
+ import_role:
+ name: ../roles/network_setup
+ vars:
+ ipv4_addr: "{{ auth1_ipv4_addr }}"
+ - meta: flush_handlers
+ - name: install LDAP packages
+ apt:
+ name: "{{ item }}"
+ loop:
+ - slapd
+ - ldap-utils
+ - ldapvi
+ - libnss-ldapd
+ - libpam-ldapd
+ - nscd
+ - sudo-ldap
+ - name: copy slapd.conf
+ template:
+ src: ldap/slapd.conf.j2
+ dest: /etc/ldap/slapd.conf
+ owner: openldap
+ group: openldap
+ notify: restart slapd
+ - name: move slapd.d directory
+ command:
+ cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
+ removes: /etc/ldap/slapd.d
+ notify: restart slapd
+ - name: copy sudo.schema
+ copy:
+ remote_src: yes
+ src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
+ dest: /etc/ldap/schema/sudo.schema
+ owner: openldap
+ group: openldap
+ notify: restart slapd
+ - name: copy other schemas
+ copy:
+ src: "ldap/{{ item }}"
+ dest: "/etc/ldap/schema/{{ item }}"
+ owner: openldap
+ group: openldap
+ loop:
+ - rfc2307bis.schema
+ - csc.schema
+ notify: restart slapd
+ - name: copy DB_CONFIG
+ copy:
+ remote_src: yes
+ src: /usr/share/slapd/DB_CONFIG
+ dest: /var/lib/ldap/DB_CONFIG
+ owner: openldap
+ group: openldap
+ notify: restart slapd
+ - name: make sure slapd is running
+ systemd:
+ name: slapd
+ state: started
+ - name: determine if cn=config is present
+ command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
+ ignore_errors: yes
+ register: cn_config_cmd
+ - name: stop slapd
+ systemd:
+ name: slapd
+ state: stopped
+ when: cn_config_cmd.rc == 0
+ - name: purge old slapd database
+ shell: rm /var/lib/ldap/*
+ when: cn_config_cmd.rc == 0
+ notify: restart slapd
+ - name: copy ldap.conf
+ template:
+ src: ldap/ldap.conf.j2
+ dest: /etc/ldap/ldap.conf
+ notify:
+ - restart nslcd
+ - restart nscd
+ - name: add member->uniqueMember map
+ lineinfile:
+ line: map group member uniqueMember
+ path: /etc/nslcd.conf
+ notify: restart nslcd
+ - name: copy nsswitch.conf
+ copy:
+ src: ldap/nsswitch.conf
+ dest: /etc/nsswitch.conf
+ notify: restart nslcd
+ - name: disable mail_badpass for sudo
+ replace:
+ path: /etc/sudoers
+ regexp: "^(Defaults\\s+mail_badpass)$"
+ replace: "#\\1"
+ - meta: flush_handlers
+ - name: copy LDIF data
+ template:
+ src: ldap/data.ldif.j2
+ dest: /etc/ldap/data.ldif
+ - name: load LDIF data
+ command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
+ ignore_errors: yes
+ handlers:
+ - name: restart slapd
+ systemd:
+ name: slapd
+ state: restarted
+ - name: restart nslcd
+ systemd:
+ name: nslcd
+ state: restarted
+ - name: restart nscd
+ systemd:
+ name: nscd
+ state: restarted
diff --git a/coffee/main.yml b/coffee/main.yml
index c5c5e32..5a70bf2 100644
--- a/coffee/main.yml
+++ b/coffee/main.yml
@@ -13,7 +13,7 @@
 state: present
 - name: override systemd services
 import_role:
- name: ../../roles/systemd_workarounds
+ name: ../roles/systemd_workarounds
 vars:
 services: [ "mariadb" ]
 - name: allow remote connections to MariaDB
diff --git a/dns/templates/dnsmasq.conf.j2 b/dns/templates/dnsmasq.conf.j2
index 7541d5d..fac609d 100644
--- a/dns/templates/dnsmasq.conf.j2
+++ b/dns/templates/dnsmasq.conf.j2
@@ -6,5 +6,6 @@ addn-hosts=/etc/dnsmasq_hosts
 address=/dns.{{ base_domain }}/{{ dns_ipv4_addr }}
 address=/mail.{{ base_domain }}/{{ mail_ipv4_addr }}
 cname=mailman.{{ base_domain }},mail.{{ base_domain }}
-address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
 mx-host={{ base_domain }},mail.{{ base_domain }},50
+address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
+address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
diff --git a/hosts b/hosts
index a5e73fb..518a36b 100644
--- a/hosts
+++ b/hosts
@@ -2,6 +2,7 @@
 dns ansible_lxc_host=dns
 mail ansible_lxc_host=mail
 coffee ansible_lxc_host=coffee
+auth1 ansible_lxc_host=auth1
 outsider ansible_lxc_host=outsider
 
 [containers:vars]
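Review bot: The `copy DB_CONFIG` task runs before `purge old slapd database`, whose `rm /var/lib/ldap/*` removes `/var/lib/ldap/DB_CONFIG` together with the old database whenever cn=config was detected, so on exactly the first-conversion run slapd is restarted with a bare BDB environment; move the DB_CONFIG copy after the purge task, or narrow the glob so it leaves DB_CONFIG alone. `load LDIF data` puts `ignore_errors: yes` on `ldapadd -c`, which hides every failure, schema violations, the bad `uniqueMember` DN in data.ldif.j2, slapd not yet listening, and not only the "already exists" errors of a re-run; register the result and fail on anything but success or entryAlreadyExists, e.g. `register: ldapadd_cmd`, `failed_when: ldapadd_cmd.rc not in [0, 68]`, `changed_when: ldapadd_cmd.rc == 0` (whether `-c` reports the last per-entry code as its exit status is worth confirming). The `copy slapd.conf` template task sets owner and group but no `mode`, so the file lands with whatever the umask gives, and slapd.conf is exactly where a `rootpw` would later be added; give it `mode: "0640"` now. The `yes` values on `remote_src` and `ignore_errors` should be `true`, following Ansible's YAML conventions.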
@@ -16,3 +17,4 @@ outsider_ipv4_addr = 192.168.125.2
 dns_ipv4_addr = 192.168.122.4
 mail_ipv4_addr = 192.168.122.52
 coffee_ipv4_addr = 192.168.122.20
+auth1_ipv4_addr = 192.168.122.117