Merge branch 'evilham-openldap' into 'master'

[new-type] __openldap_server

See merge request ungleich-public/cdist!822
This commit is contained in:
poljakowski 2019-12-10 19:33:33 +01:00
commit c58c4b8309
11 changed files with 551 additions and 0 deletions

View file

@ -0,0 +1,44 @@
#!/bin/sh
manager_dn=$(cat "${__object}/parameter/manager-dn")
manager_password=$(cat "${__object}/parameter/manager-password")
description=$(cat "${__object}/parameter/description")
suffix=$(cat "${__object}/parameter/suffix")
suffix_dc=$(echo -n ${suffix} | awk -F',' '{print $1}' | awk -F'=' '{print $2}')
SLAPD_IPC=$(cat "${__object}/parameter/slapd-url" | tr '\n' ' ' | awk '{ print $1}')
cat <<DONE # | tee /dev/stderr
# Restart service
service slapd restart
# It can sometimes take a tiny bit to bind
sleep 1
# Create or update base object
if ldapsearch -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' -b '${suffix}' -s base 2>&1 > /dev/null; then
# Already exists, use ldapmodify
ldapmodify -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
dn: ${suffix}
changetype: modify
replace: objectClass
objectClass: top
objectClass: dcObject
objectClass: organization
-
replace: o
o: ${description}
-
replace: dc
dc: ${suffix_dc}
EOF
else
# Does not exist, use ldapadd
ldapadd -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
dn: ${suffix}
objectClass: top
objectClass: dcObject
objectClass: organization
o: ${description}
dc: ${suffix_dc}
EOF
fi
DONE

View file

@ -0,0 +1,212 @@
cdist-type__openldap_server(7)
==============================
NAME
----
cdist-type__openldap_server - Setup an openldap(4) server instance
DESCRIPTION
-----------
This type can be used to bootstrap an LDAP environment using openldap as slapd.
It bootstraps the LDAP server with sane defaults and creates and manages the
base DN defined by `suffix`.
REQUIRED PARAMETERS
-------------------
manager-dn
The rootdn to set up in the directory.
E.g. `cn=manager,dc=ungleich,dc=ch`. See `slapd.conf(5)`.
manager-password
The password for `manager-dn` in the directory.
This will be used to connect to the LDAP server on the first `slapd-url`
with the given `manager-dn`.
manager-password-hash
The password for `manager-dn` in the directory.
This should be valid for `slapd.conf` like `{SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr`.
Generate e.g. with: `slappasswd -s weneedgoodsecurity`.
See `slappasswd(8C)`, `slapd.conf(5)`.
TODO: implement this: http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
to derive from the manager-password parameter and ensure idempotency (care with salts).
At that point, manager-password-hash should be deprecated and ignored.
serverid
The server for the directory.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
suffix
The suffix for the directory.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
REQUIRED MULTIPLE PARAMETERS
----------------------------
slapd-url
A URL for slapd to listen on.
Pass once for each URL you want to support,
e.g.: `--slapd-url ldaps://my.fqdn/ --slapd-url ldap://my.fqdn/`.
The first instance that is passed will be used as the main URL to
connect to this LDAP server
See the `-h` flag in `slapd(8C)`.
OPTIONAL PARAMETERS
-------------------
syncrepl-credentials
Only has an effect if `replicate` is set; required in that case.
This secret is shared amongst the hosts that will replicate the directory.
Note that each replication server needs this secret and it is saved in
plain text in the directory.
syncrepl-searchbase
Only has an effect if `replicate` is set; required in that case.
The searchbase to use for replication.
E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
admin-email
Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
Required if using `__letsencrypt_cert`.
Where to send Let's Encrypt emails like "certificate needs renewal".
tls-cipher-suite
Setting for TLSCipherSuite.
Defaults to `NORMAL` in a Debian-like OS and `HIGH:MEDIUM:+SSLv2` on FreeBSD.
See `slapd.conf(5)`.
tls-cert
If defined, `__letsencrypt_cert` is not used and this must be the path in
the remote hosts to the PEM-encoded TLS certificate.
Requires: `tls-privkey` and `tls-ca`.
Permissions, existence and renewal of these files are left up to the
type's user.
tls-privkey
Required if `tls-cert` is defined.
Path in the remote hosts to the PEM-encoded private key file.
tls-ca
Required if `tls-cert` is defined.
Path in the remote hosts to the PEM-encoded CA certificate file.
OPTIONAL MULTIPLE PARAMETERS
----------------------------
syncrepl-host
Only has an effect if `replicate` is set; required in that case.
Set once per host that will replicate the directory.
module
LDAP module to load. See `slapd.conf(5)`.
Default value is OS-dependent, see manifest.
schema
Name of LDAP schema to load. Must be the name without extension of a
`.schema` file in slapd's schema directory (usually `/etc/slapd/schema` or
`/usr/local/etc/openldap/schema`).
Example value: `inetorgperson`
The type user must ensure that the schema file is deployed.
This defaults to a sensible subset, for details see the type definition.
description
The description of the base DN passed in the `suffix` parameter.
Defaults to `Managed by cdist, do not edit manually.`
BOOLEAN PARAMETERS
------------------
staging
Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
Obtain a test certificate from a staging server.
replicate
Whether to setup replication or not.
If present `syncrepl-credentials` and `syncrepl-host` are also required.
EXAMPLES
--------
.. code-block:: sh
# Example of a simple server with manual certificate management.
pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
__openldap_server \
--manager-dn 'cn=manager,dc=camilion,dc=cloud' \
--manager-password "foo" \
--manager-password-hash '{SSHA}foo' \
--serverid 0 \
--suffix 'dc=camilion,dc=cloud' \
--slapd-url 'ldaps://ldap.camilion.cloud' \
--tls-cert "${pki_prefix}/default.crt" \
--tls-privkey "${pki_prefix}/default.key" \
--tls-ca "${pki_prefix}/CA.crt"
# The created basedn looks as follows:
#
# dn: dc=camilion,dc=cloud
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: Managed by cdist, do not edit manually.
# dc: camilion
#
# Do not change it manually, the type will overwrite your changes.
#
# Changing to a replicated setup is a simple change to something like:
#
# Example for multiple servers with replication and automatic
# Let's Encrypt certificate management through certbot.
id=1
for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
echo "__ungleich_ldap \
--manager-dn 'cn=manager,dc=ungleich,dc=ch' \
--manager-psasword 'foo' \
--manager-password-hash '{SSHA}fooo' \
--serverid '${id}' \
--suffix 'dc=ungleich,dc=ch' \
--slapd-url ldap://${host} \
--searchbase 'dc=ungleich,dc=ch' \
--syncrepl-credentials 'fooo' \
--syncrepl-host 'ldap-test1.ungleich.ch' \
--syncrepl-host 'ldap-test2.ungleich.ch' \
--description 'Ungleich LDAP server'" \
--staging \
| cdist config -i - -v ${host}
id=$((id + 1))
done
# The created basedn looks as follows:
#
# dn: dc=ungleich,dc=ch
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: Ungleich LDAP server
# dc: ungleich
#
# Do not change it manually, the type will overwrite your changes.
SEE ALSO
--------
:strong:`cdist-type__letsencrypt_cert`\ (7)
AUTHORS
-------
ungleich <foss--@--ungleich.ch>
Evilham <contact--@--evilham.com>
COPYING
-------
Copyright \(C) 2020 ungleich glarus ag. You can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of the
License, or (at your option) any later version.

View file

@ -0,0 +1,263 @@
#!/bin/sh
name="${__target_host}"
manager_dn=$(cat "${__object}/parameter/manager-dn")
manager_password_hash=$(cat "${__object}/parameter/manager-password-hash")
serverid=$(cat "${__object}/parameter/serverid")
suffix=$(cat "${__object}/parameter/suffix")
slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
schemas=$(cat "${__object}/parameter/schema")
slapd_urls=$(cat "${__object}/parameter/slapd-url" | tr '\n' ' ')
tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
os="$(cat "${__global}/explorer/os")"
# Setup OS-dependent vars
CONF_OWNER="root"
CONF_GROUP="root"
case "${os}" in
freebsd)
PKGS="openldap-server"
ETC="/usr/local/etc"
SLAPD_DIR="/usr/local/etc/openldap"
SLAPD_DATA_DIR="/var/db/openldap-data"
SLAPD_RUN_DIR="/var/run/openldap"
SLAPD_MODULE_PATH="/usr/local/libexec/openldap"
if [ -z "${slapd_modules}" ]; then
# It looks like ppolicy and syncprov must be compiled
slapd_modules="back_mdb back_monitor"
fi
CONF_OWNER="ldap"
CONF_GROUP="ldap"
if [ -z "${tls_cipher_suite}" ]; then
# TODO: research default for FreeBSD. 'NORMAL' appears to not work
tls_cipher_suite="HIGH:MEDIUM:+SSLv2"
fi
;;
debian|ubuntu|devuan)
PKGS="slapd ldap-utils"
ETC="/etc"
SLAPD_DIR="/etc/ldap"
SLAPD_DATA_DIR="/var/lib/ldap"
SLAPD_RUN_DIR="/var/run/slapd"
SLAPD_MODULE_PATH="/usr/lib/ldap"
if [ -z "${slapd_modules}" ]; then
slapd_modules="back_mdb ppolicy syncprov back_monitor"
fi
if [ -z "${tls_cipher_suite}" ]; then
tls_cipher_suite="NORMAL"
fi
;;
*)
echo "Don't know the openldap defaults for: $os" >&2
exit 1
;;
esac
PKG_MAIN=$(echo ${PKGS} | awk '{print $1;}')
# Determine if __letsencrypt_cert is to be used and setup vars accordingly
if [ -f "${__object}/parameter/tls-cert" ]; then
tls_cert=$(cat "${__object}/parameter/tls-cert")
if [ ! -f "${__object}/parameter/tls-privkey" ]; then
echo "When tls-cert is defined, tls-privkey is also required." >&2
exit 1
fi
tls_privkey=$(cat "${__object}/parameter/tls-privkey")
if [ ! -f "${__object}/parameter/tls-ca" ]; then
echo "When tls-cert is defined, tls-ca is also required." >&2
exit 1
fi
tls_ca=$(cat "${__object}/parameter/tls-ca")
_skip_letsencrypt_cert="YES"
else
if [ ! -f "${__object}/parameter/admin-email" ]; then
echo "When using __letsencrypt_cert, admin-email is also required." >&2
exit 1
fi
admin_email=$(cat "${__object}/parameter/admin-email")
tls_cert="${SLAPD_DIR}/sasl2/cert.pem"
tls_privkey="${SLAPD_DIR}/sasl2/privkey.pem"
tls_ca="${SLAPD_DIR}/sasl2/chain.pem"
fi
mkdir "${__object}/files"
ldapconf="${__object}/files/ldapconf"
replication=""
if [ -f "${__object}/parameter/replicate" ]; then
replication=yes
if [ ! -f "${__object}/parameter/syncrepl-searchbase" ]; then
echo "Requiring the searchbase for replication" >&2
exit 1
fi
syncrepl_searchbase=$(cat "${__object}/parameter/syncrepl-searchbase")
if [ ! -f "${__object}/parameter/syncrepl-credentials" ]; then
echo "Requiring credentials for replication" >&2
exit 1
fi
syncrepl_credentials=$(cat "${__object}/parameter/syncrepl-credentials")
if [ ! -f "${__object}/parameter/syncrepl-host" ]; then
echo "Requiring host(s) for replication" >&2
exit 1
fi
syncrepl_hosts=$(cat "${__object}/parameter/syncrepl-host")
fi
# Install required packages
for pkg in ${PKGS}; do
__package ${pkg}
done
require="__package/${PKG_MAIN}" __start_on_boot slapd
# Setup -h flag for the listeners. See man slapd (-h flag).
case "${os}" in
freebsd)
require="__start_on_boot/slapd" __key_value \
--file "/etc/rc.conf" \
--key "slapd_flags" \
--value "\"-h '${slapd_urls}'\"" \
--delimiter "=" \
--comment "# LDAP Listener URLs" \
"${__target_host}__slapd_flags"
;;
debian|ubuntu|devuan)
require="__package/${PKG_MAIN}" __line rm_slapd_conf \
--file ${ETC}/default/slapd \
--regex 'SLAPD_CONF=.*' \
--state absent
require="__package/${PKG_MAIN}" __line rm_slapd_services \
--file ${ETC}/default/slapd \
--regex 'SLAPD_SERVICES=.*' \
--state absent
require="__line/rm_slapd_conf" __line add_slapd_conf \
--file ${ETC}/default/slapd \
--line 'SLAPD_CONF=${SLAPD_DIR}/slapd.conf' \
--state present
require="__line/rm_slapd_services" __line add_slapd_services \
--file ${ETC}/default/slapd \
--line "SLAPD_SERVICES=\"${slapd_urls}\"" \
--state present
;;
*)
# Nothing to do here, move on.
;;
esac
if [ -z "${_skip_letsencrypt_cert}" ]; then
if [ -f "${__object}/parameter/staging" ]; then
staging="--staging"
else
staging=""
fi
__letsencrypt_cert "${name}" --admin-email "${admin_email}" \
--renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \
--automatic-renewal ${staging}
fi
require="__package/${PKG_MAIN}" __directory ${SLAPD_DIR}/slapd.d --state absent
if [ -z "${_skip_letsencrypt_cert}" ]; then
require="__package/${PKG_MAIN} __letsencrypt_cert/${name}" \
__file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
--source "${ldapconf}"
else
require="__package/${PKG_MAIN}" \
__file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
--source "${ldapconf}"
fi
# Start slapd.conf
cat << EOF > "${ldapconf}"
pidfile ${SLAPD_RUN_DIR}/slapd.pid
argsfile ${SLAPD_RUN_DIR}/slapd.args
TLSCipherSuite ${tls_cipher_suite}
TLSCertificateFile ${tls_cert}
TLSCertificateKeyFile ${tls_privkey}
TLSCACertificateFile ${tls_ca}
disallow bind_anon
require bind
security tls=1
EOF
# Add specified schemas
for schema in ${schemas}; do
echo "include ${SLAPD_DIR}/schema/${schema}.schema" >> "${ldapconf}"
done
# Add specified modules
echo "modulepath ${SLAPD_MODULE_PATH}" >> "${ldapconf}"
for module in ${slapd_modules}; do
echo "moduleload ${module}.la" >> "${ldapconf}"
done
# Rest of the config
cat << EOF >> "${ldapconf}"
loglevel 1024
database mdb
maxsize 1073741824
suffix "${suffix}"
directory ${SLAPD_DATA_DIR}
rootdn "${manager_dn}"
rootpw "${manager_password_hash}"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
serverid ${serverid}
EOF
# Setup replication
if [ "${replication}" ]; then
rid=1;
for syncrepl in ${syncrepl_hosts}; do
cat <<EOF >> "${ldapconf}"
syncrepl rid=${rid}
provider=ldap://${syncrepl}
bindmethod=simple
starttls=yes
binddn="${manager_dn}"
credentials=${syncrepl_credentials}
searchbase="${syncrepl_searchbase}"
type=refreshAndPersist
retry="5 + 5 +"
interval=00:00:00:05
EOF
rid=$((rid + 1))
done
cat <<EOF >> "${ldapconf}"
mirrormode true
overlay syncprov
syncprov-checkpoint 100 5
syncprov-sessionlog 100
database monitor
limits dn.exact="${manager_dn}" time=unlimited size=unlimited
EOF
fi

View file

@ -0,0 +1,2 @@
staging
replicate

View file

@ -0,0 +1 @@
Managed by cdist, do not edit manually.

View file

@ -0,0 +1,12 @@
corba
core
cosine
duaconf
dyngroup
inetorgperson
java
misc
nis
openldap
ppolicy
collective

View file

@ -0,0 +1,8 @@
description
syncrepl-credentials
syncrepl-searchbase
admin-email
tls-cipher-suite
tls-cert
tls-privkey
tls-ca

View file

@ -0,0 +1,3 @@
syncrepl-host
module
schema

View file

@ -0,0 +1,5 @@
manager-dn
manager-password
manager-password-hash
serverid
suffix

View file

@ -0,0 +1 @@
slapd-url