Merge branch 'standalone-bridge'
commit
68ca51f016
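--- /dev/null
+++ b/auth1/kerberos/kadm5.acl
@@ -0,0 +1,6 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run service krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+*/admin *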
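Review bot: The comment `# To enable this, uncomment the following line:` no longer matches the file, because `*/admin *` on the next line is already active; drop that sentence or reword it to `# Any principal with the /admin instance has full kadmin rights:`. With the wildcard live, every `*/admin` principal the playbook creates (currently `sysadmin/admin`, whose password is the fixed string `krb5` in main.yml) can add, modify and delete any principal in the realm, which is presumably fine for a standalone dev realm but is worth stating in the header so the file is not copied unchanged to a real KDC. The file's own second line also says the ACL is read by krb5-admin-server, which is the service that must be restarted after edits.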
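--- /dev/null
+++ b/auth1/kerberos/kdc.conf.j2
@@ -0,0 +1,19 @@
+[kdcdefaults]
+kdc_ports = 88
+
+[realms]
+CSCLUB.INTERNAL = {
+database_name = /var/lib/krb5kdc/principal
+admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+acl_file = /etc/krb5kdc/kadm5.acl
+key_stash_file = /etc/krb5kdc/stash
+kdc_ports = 88
+max_life = 10h 0m 0s
+max_renewable_life = 7d 0h 0m 0s
+master_key_type = des3-hmac-sha1
+supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des3-cbc-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
+default_principal_flags = +preauth
+iprop_enable = true
+iprop_slave_poll = 2m
+iprop_port = 750
+}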
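Review bot: `master_key_type = des3-hmac-sha1` together with a `supported_enctypes` list that keeps `arcfour-hmac`, `des3-cbc-sha1` and the single-DES entries (`des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3`) opts a brand-new realm into legacy enctypes; since krb5_newrealm keys the database with these values, a fresh realm should use `master_key_type = aes256-cts-hmac-sha1-96` and `supported_enctypes = aes256-cts:normal aes128-cts:normal`, adding weaker types only when a named client needs them, because changing them later means re-keying existing principals. Recent MIT Kerberos releases have removed single-DES support entirely, so the `des*` entries are likely rejected or silently ignored depending on the installed libkrb5; a comment recording which client (NFS, per krb5.conf) actually needs the weak types would help. The realm name is spelled out as `CSCLUB.INTERNAL` even though this is a template and main.yml now defines `krb_realm`, so `{{ krb_realm }} = {` would keep kdc.conf in step with krb5.conf.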
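--- /dev/null
+++ b/auth1/kerberos/krb5.conf.j2
@@ -0,0 +1,46 @@
+[libdefaults]
+default_realm = {{ krb_realm }}
+
+# The following krb5.conf variables are only for MIT Kerberos.
+kdc_timesync = 1
+ccache_type = 4
+forwardable = true
+proxiable = true
+
+dns_lookup_kdc = false
+dns_lookup_realm = false
+
+# For NFS, apparently
+allow_weak_crypto = true
+
+# The following encryption type specification will be used by MIT Kerberos
+# if uncommented. In general, the defaults in the MIT Kerberos code are
+# correct and overriding these specifications only serves to disable new
+# encryption types as they are added, creating interoperability problems.
+#
+# The only time when you might need to uncomment these lines and change
+# the enctypes is if you have local software that will break on ticket
+# caches containing ticket encryption types it doesn't know about (such as
+# old versions of Sun Java).
+
+# default_tgs_enctypes = des3-hmac-sha1
+# default_tkt_enctypes = des3-hmac-sha1
+# permitted_enctypes = des3-hmac-sha1
+
+# The following libdefaults parameters are only for Heimdal Kerberos.
+fcc-mit-ticketflags = true
+
+[realms]
+{{ krb_realm }} = {
+kdc = kdc1.{{ base_domain }}
+admin_server = kadmin.{{ base_domain }}
+}
+
+[domain_realm]
+.csclub.internal = {{ krb_realm }}
+csclub.internal = {{ krb_realm }}
+
+[logging]
+kdc = SYSLOG:INFO:AUTH
+admin_server = SYSLOG:INFO:AUTH
+default = SYSLOG:INFO:AUTH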
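Review bot: `allow_weak_crypto = true` in `[libdefaults]` lets every Kerberos client on this host negotiate single-DES and RC4 with any service, not just NFS, and the only justification is `# For NFS, apparently`; if a specific NFS server really needs it, say which one in the comment, otherwise drop the line (recent Linux kernels support AES for RPCSEC_GSS, so it is usually unnecessary). `[domain_realm]` hard-codes `.csclub.internal` and `csclub.internal` while everything else in the template uses `{{ base_domain }}` and `{{ krb_realm }}`; `.{{ base_domain }} = {{ krb_realm }}` and `{{ base_domain }} = {{ krb_realm }}` would avoid a silent mismatch if base_domain changes. `forwardable = true` and `proxiable = true` as defaults mean every TGT issued here can be delegated to any service the user talks to, which is a policy choice that deserves a one-line comment.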
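--- a/auth1/ldap/data.ldif.j2
+++ b/auth1/ldap/data.ldif.j2
@@ -45,17 +45,14 @@ sudoHost: ALL
 sudoCommand: ALL
 sudoRunAsUser: ALL
 
-# The password for each user is slapd.
-# The hashes were generated with slappasswd.
-
 dn: uid=ctdalek,ou=People,{{ ldap_base }}
 cn: Calum Dalek
-userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
+userPassword: {SASL}ctdalek@{{ krb_realm }}
 loginShell: /bin/bash
-homeDirectory: /home/ctdalek
-uidNumber: 10101
+homeDirectory: /users/ctdalek
 uid: ctdalek
-gidNumber: 10101
+uidNumber: 20001
+gidNumber: 20001
 objectClass: top
 objectClass: account
 objectClass: posixAccount
@@ -69,4 +66,27 @@ objectClass: top
 objectClass: group
 objectClass: posixGroup
 cn: ctdalek
-gidNumber: 10101
+gidNumber: 20001
+
+dn: uid=regular1,ou=People,{{ ldap_base }}
+cn: Regular One
+userPassword: {SASL}regular1@{{ krb_realm }}
+loginShell: /bin/bash
+homeDirectory: /users/regular1
+uid: regular1
+uidNumber: 20002
+gidNumber: 20002
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=regular1,ou=Group,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: regular1
+gidNumber: 20002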
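Review bot: The removed header `# The password for each user is slapd.` is not replaced, and with `userPassword: {SASL}ctdalek@{{ krb_realm }}` a simple bind is now checked by saslauthd against Kerberos, so a reader of this LDIF has no way to find the test credentials; a comment such as `# userPassword is delegated to Kerberos via {SASL}; the test principals are created in main.yml` above the first entry would preserve the hint the old comment gave. The ctdalek and regular1 entries also differ in object classes (`shadowAccount`, `member`) and attributes (`program`, `term`); if that is deliberate because ctdalek is the sysadmin account, a short comment saying so would stop the next person from "fixing" the asymmetry.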
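--- a/auth1/ldap/slapd.conf.j2
+++ b/auth1/ldap/slapd.conf.j2
@@ -45,15 +45,15 @@ timelimit unlimited
 localssf 128
 
 # map kerberos users to ldap users
-# sasl-realm CSCLUB.UWATERLOO.CA
-# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-# "uid=$1,ou=people,{{ ldap_base }}"
-# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-# "cn=ceod,{{ ldap_base }}"
-# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-# "cn=ldap-slave,{{ ldap_base }}"
-# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
-# "cn=renewal,{{ ldap_base }}"
+sasl-realm CSCLUB.INTERNAL
+authz-regexp "uid=([^/=]*),cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+"uid=$1,ou=people,dc=csclub,dc=internal"
+authz-regexp "uid=ceod/admin,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+"cn=ceod,dc=csclub,dc=internal"
+authz-regexp "uid=ldap/auth2.csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+"cn=ldap-slave,dc=csclub,dc=internal"
+authz-regexp "uid=renewal/([^/=]*).csclub.internal,cn=CSCLUB.INTERNAL,cn=GSSAPI,cn=auth"
+"cn=renewal,dc=csclub,dc=internal"
 
 # map sasl external users to ldap users
 #authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"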
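Review bot: The new `sasl-realm` and `authz-regexp` lines hard-code `CSCLUB.INTERNAL` and `dc=csclub,dc=internal` even though the commented versions they replace used `{{ ldap_base }}` and main.yml now defines `krb_realm` for exactly this purpose; `sasl-realm {{ krb_realm }}`, `authz-regexp "uid=([^/=]*),cn={{ krb_realm }},cn=GSSAPI,cn=auth"` and `"uid=$1,ou=people,{{ ldap_base }}"` (and the same substitution in the other three rules) would keep this template in step with krb5.conf and data.ldif. The `ldap/auth2.csclub.internal` rule maps to `cn=ldap-slave` for a principal that this playbook never creates (only `host/auth1` and `ldap/auth1` are added), which is harmless but deserves a comment if auth2 is planned. Note that `uid=([^/=]*)` matches every instance-less principal of the realm, so any future service principal created without an instance would be mapped into `ou=people` as a user.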
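--- a/auth1/main.yml
+++ b/auth1/main.yml
@@ -2,6 +2,7 @@
 - hosts: auth1
 vars:
 ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
+krb_realm: "{{ base_domain.upper() }}"
 tasks:
 - name: setup networking
 import_role:
@@ -9,6 +10,7 @@
 vars:
 ipv4_addr: "{{ auth1_ipv4_addr }}"
 - meta: flush_handlers
+# LDAP
 - name: install LDAP packages
 apt:
 name: "{{ item }}"
@@ -17,7 +19,6 @@
 - ldap-utils
 - ldapvi
 - libnss-ldapd
-- libpam-ldapd
 - nscd
 - sudo-ldap
 - name: copy slapd.conf
@@ -50,14 +51,6 @@
 - rfc2307bis.schema
 - csc.schema
 notify: restart slapd
-- name: copy DB_CONFIG
-copy:
-remote_src: yes
-src: /usr/share/slapd/DB_CONFIG
-dest: /var/lib/ldap/DB_CONFIG
-owner: openldap
-group: openldap
-notify: restart slapd
 - name: make sure slapd is running
 systemd:
 name: slapd
@@ -75,6 +68,14 @@
 shell: rm /var/lib/ldap/*
 when: cn_config_cmd.rc == 0
 notify: restart slapd
+- name: copy DB_CONFIG
+copy:
+remote_src: yes
+src: /usr/share/slapd/DB_CONFIG
+dest: /var/lib/ldap/DB_CONFIG
+owner: openldap
+group: openldap
+notify: restart slapd
 - name: copy ldap.conf
 template:
 src: ldap/ldap.conf.j2
@@ -103,8 +104,116 @@
 src: ldap/data.ldif.j2
 dest: /etc/ldap/data.ldif
 - name: load LDIF data
-command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
-ignore_errors: yes
+shell: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:/// || true
+# Kerberos
+- name: install Kerberos packages
+apt:
+name: "{{ item }}"
+loop:
+- krb5-admin-server
+- krb5-user
+- libpam-krb5
+- libsasl2-modules-gssapi-mit
+- sasl2-bin
+- name: override systemd services for Kerberos
+import_role:
+name: ../roles/systemd_workarounds
+vars:
+services: [ "krb5-admin-server", "krb5-kdc" ]
+- name: copy krb5.conf
+template:
+src: kerberos/krb5.conf.j2
+dest: /etc/krb5.conf
+notify:
+- restart kadmin
+- name: copy kdc.conf
+template:
+src: kerberos/kdc.conf.j2
+dest: /etc/krb5kdc/kdc.conf
+notify:
+- restart kdc
+- name: copy kadm5.acl
+copy:
+src: kerberos/kadm5.acl
+dest: /etc/krb5kdc/kadm5.acl
+notify:
+- restart kdc
+- name: create new realm
+command:
+cmd: krb5_newrealm
+# This is the KDC database master key
+stdin: |
+krb5
+krb5
+creates: /var/lib/krb5kdc/principal
+- meta: flush_handlers
+- name: add sysadmin principal
+command:
+cmd: kadmin.local
+stdin: |
+addprinc sysadmin/admin
+krb5
+krb5
+- name: add user principals
+command:
+cmd: kadmin.local
+stdin: |
+addprinc {{ item }}
+krb5
+krb5
+loop:
+- ctdalek
+- regular1
+# TODO: add more hosts
+- name: add host principals
+command:
+cmd: kadmin.local
+stdin: |
+addprinc -randkey host/auth1.{{ base_domain }}
+addprinc -randkey ldap/auth1.{{ base_domain }}
+# TODO: create an Ansible role for this
+- name: copy keytab to host
+command:
+cmd: kadmin.local
+stdin: |
+ktadd host/auth1.{{ base_domain }}
+ktadd ldap/auth1.{{ base_domain }}
+- name: create keytab group
+group:
+name: keytab
+- name: allow users in keytab group to read keytab
+file:
+path: /etc/krb5.keytab
+group: keytab
+mode: 0640
+- name: add openldap user to necessary groups
+user:
+name: openldap
+groups:
+- keytab
+- sasl
+notify:
+- restart slapd
+- name: create /usr/lib/sasl2/slapd.conf
+copy:
+content: |
+mech_list: plain login gssapi external
+pwcheck_method: saslauthd
+dest: /usr/lib/sasl2/slapd.conf
+notify:
+- restart slapd
+- name: add config for saslauthd
+replace:
+path: /etc/default/saslauthd
+regexp: "^{{ item.key }}=.*$"
+replace: "{{ item.key }}={{ item.value }}"
+loop:
+- key: START
+value: 'yes'
+- key: MECHANISMS
+value: '"kerberos5"'
+notify:
+- restart saslauthd
 handlers:
 - name: restart slapd
 systemd:
@@ -118,3 +227,15 @@
 systemd:
 name: nscd
 state: restarted
+- name: restart kadmin
+systemd:
+name: krb5-admin-server
+state: restarted
+- name: restart kdc
+systemd:
+name: krb5-kdc
+state: restarted
+- name: restart saslauthd
+systemd:
+name: saslauthd
+state: restarted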
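Review bot: The `copy kadm5.acl` task notifies `restart kdc`, but the ACL is read by kadmind, not the KDC (the ACL file's own header says to restart krb5-admin-server), so edits to it will not take effect until something else restarts kadmin; the notify should be `- restart kadmin`. The `copy keytab to host` task runs `ktadd` unconditionally on every play, and ktadd generates a fresh random key each time, so every rerun re-keys `host/auth1` and `ldap/auth1` and invalidates any copies of the keytab made earlier; guard it with `creates: /etc/krb5.keytab` under `command:` (or make the principal-creation tasks conditional the same way). The master key and every principal password are the literal `krb5` passed on stdin, which is presumably intended for this standalone dev realm, but the tasks should carry `no_log: true` so the stdin block is not echoed in verbose runs, and a single `krb_dev_password` variable would make the placeholder nature obvious. Replacing `ignore_errors: yes` with `|| true` on the ldapadd line also hides a slapd that is not running at all, not just "already exists" errors on rerun. The play's task list starts before the first hunk, so I cannot see whether `copy slapd.conf` renders a template or a static file.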
@ -16,6 +16,7 @@
copy:
copy:
content: |
content: |
{{ mail_ipv4_addr }} mail.{{ base_domain }}
{{ mail_ipv4_addr }} mail.{{ base_domain }}
{{ auth1_ipv4_addr }} auth1.{{ base_domain }}
dest: /etc/dnsmasq_hosts
dest: /etc/dnsmasq_hosts
notify: restart dnsmasq
notify: restart dnsmasq
- name: add dnsmasq config
- name: add dnsmasq config
@ -9,3 +9,6 @@ cname=mailman.{{ base_domain }},mail.{{ base_domain }}
mx-host={{ base_domain }},mail.{{ base_domain }},50
mx-host={{ base_domain }},mail.{{ base_domain }},50
address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
cname=ldap1.{{ base_domain }},auth1.{{ base_domain }}
cname=kdc1.{{ base_domain }},auth1.{{ base_domain }}
cname=kadmin.{{ base_domain }},auth1.{{ base_domain }}
@ -14,6 +14,9 @@
ProtectHome=false
ProtectHome=false
ProtectControlGroups=false
ProtectControlGroups=false
ProtectKernelModules=false
ProtectKernelModules=false
InaccessibleDirectories=
ReadOnlyDirectories=
ReadWriteDirectories=
dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
dest: "/etc/systemd/system/{{ item }}.service.d/override.conf"
loop: "{{ services }}"
loop: "{{ services }}"
register: service_overrides
register: service_overrides
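Review bot: Setting `InaccessibleDirectories=`, `ReadOnlyDirectories=` and `ReadWriteDirectories=` to empty in the override clears whatever filesystem sandboxing the packaged unit declares, on top of the `Protect*=false` lines above it, and this role is now applied to `krb5-kdc` and `krb5-admin-server` from main.yml; the override gives no reason, so a comment such as `# clears the packaged unit's path sandboxing, which blocks the KDC from its database in the standalone container` (adjusted to whatever failure was actually seen) would let a future maintainer re-enable the hardening once the cause is fixed. These are also the legacy spellings: current systemd documents them as `InaccessiblePaths=`, `ReadOnlyPaths=` and `ReadWritePaths=`, and while I believe the old names are still accepted as aliases, using the current names avoids depending on that. The `copy:` task whose `content:` this belongs to starts before the hunk.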