Merge branch 'evilham-openldap' into 'master'

[new-type] __openldap_server

See merge request ungleich-public/cdist!822

cdist/conf/type/__openldap_server/gencode-remote

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+manager_dn=$(cat "${__object}/parameter/manager-dn")
+manager_password=$(cat "${__object}/parameter/manager-password")
+description=$(cat "${__object}/parameter/description")
+suffix=$(cat "${__object}/parameter/suffix")
+suffix_dc=$(echo -n ${suffix} | awk -F',' '{print $1}' | awk -F'=' '{print $2}')
+
+SLAPD_IPC=$(cat "${__object}/parameter/slapd-url" | tr '\n' ' ' | awk '{ print $1}')
+
+cat <<DONE # | tee /dev/stderr
+# Restart service
+service slapd restart
+# It can sometimes take a tiny bit to bind
+sleep 1
+# Create or update base object
+if ldapsearch -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' -b '${suffix}' -s base 2>&1 > /dev/null; then
+    # Already exists, use ldapmodify
+    ldapmodify -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
+dn: ${suffix}
+changetype: modify
+replace: objectClass
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+-
+replace: o
+o: ${description}
+-
+replace: dc
+dc: ${suffix_dc}
+EOF
+else
+    # Does not exist, use ldapadd
+    ldapadd -xZ -D "${manager_dn}" -w "${manager_password}" -H '${SLAPD_IPC}' <<EOF
+dn: ${suffix}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: ${description}
+dc: ${suffix_dc}
+EOF
+fi
+DONE

cdist/conf/type/__openldap_server/man.rst

@@ -0,0 +1,212 @@
+cdist-type__openldap_server(7)
+==============================
+
+NAME
+----
+cdist-type__openldap_server - Setup an openldap(4) server instance
+
+
+DESCRIPTION
+-----------
+This type can be used to bootstrap an LDAP environment using openldap as slapd.
+
+It bootstraps the LDAP server with sane defaults and creates and manages the
+base DN defined by `suffix`.
+
+
+REQUIRED PARAMETERS
+-------------------
+manager-dn
+    The rootdn to set up in the directory.
+    E.g. `cn=manager,dc=ungleich,dc=ch`. See `slapd.conf(5)`.
+
+manager-password
+    The password for `manager-dn` in the directory.
+    This will be used to connect to the LDAP server on the first `slapd-url`
+    with the given `manager-dn`.
+
+manager-password-hash
+    The password for `manager-dn` in the directory.
+    This should be valid for `slapd.conf` like `{SSHA}qV+mCs3u8Q2sCmUXT4Ybw7MebHTASMyr`.
+    Generate e.g. with: `slappasswd -s weneedgoodsecurity`.
+    See `slappasswd(8C)`, `slapd.conf(5)`.
+    TODO: implement this: http://blog.adamsbros.org/2015/06/09/openldap-ssha-salted-hashes-by-hand/
+      to derive from the manager-password parameter and ensure idempotency (care with salts).
+      At that point, manager-password-hash should be deprecated and ignored.
+
+serverid
+    The server for the directory.
+    E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
+
+suffix
+    The suffix for the directory.
+    E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
+
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+slapd-url
+    A URL for slapd to listen on.
+    Pass once for each URL you want to support,
+    e.g.: `--slapd-url ldaps://my.fqdn/ --slapd-url ldap://my.fqdn/`.
+    The first instance that is passed will be used as the main URL to
+    connect to this LDAP server
+    See the `-h` flag in `slapd(8C)`.
+
+
+OPTIONAL PARAMETERS
+-------------------
+syncrepl-credentials
+    Only has an effect if `replicate` is set; required in that case.
+    This secret is shared amongst the hosts that will replicate the directory.
+    Note that each replication server needs this secret and it is saved in
+    plain text in the directory.
+
+syncrepl-searchbase
+    Only has an effect if `replicate` is set; required in that case.
+    The searchbase to use for replication.
+    E.g. `dc=ungleich,dc=ch`. See `slapd.conf(5)`.
+
+admin-email
+    Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
+    Required if using `__letsencrypt_cert`.
+    Where to send Let's Encrypt emails like "certificate needs renewal".
+
+tls-cipher-suite
+    Setting for TLSCipherSuite.
+    Defaults to `NORMAL` in a Debian-like OS and `HIGH:MEDIUM:+SSLv2` on FreeBSD.
+    See `slapd.conf(5)`.
+
+tls-cert
+    If defined, `__letsencrypt_cert` is not used and this must be the path in
+    the remote hosts to the PEM-encoded TLS certificate.
+    Requires: `tls-privkey` and `tls-ca`.
+    Permissions, existence and renewal of these files are left up to the
+    type's user.
+
+tls-privkey
+    Required if `tls-cert` is defined.
+    Path in the remote hosts to the PEM-encoded private key file.
+
+tls-ca
+    Required if `tls-cert` is defined.
+    Path in the remote hosts to the PEM-encoded CA certificate file.
+
+
+OPTIONAL MULTIPLE PARAMETERS
+----------------------------
+syncrepl-host
+    Only has an effect if `replicate` is set; required in that case.
+    Set once per host that will replicate the directory.
+
+module
+    LDAP module to load. See `slapd.conf(5)`.
+    Default value is OS-dependent, see manifest.
+
+schema
+    Name of LDAP schema to load. Must be the name without extension of a
+    `.schema` file in slapd's schema directory (usually `/etc/slapd/schema` or
+    `/usr/local/etc/openldap/schema`).
+    Example value: `inetorgperson`
+    The type user must ensure that the schema file is deployed.
+    This defaults to a sensible subset, for details see the type definition.
+
+description
+    The description of the base DN passed in the `suffix` parameter.
+    Defaults to `Managed by cdist, do not edit manually.`
+
+
+BOOLEAN PARAMETERS
+------------------
+staging
+    Passed to `cdist-type__letsencrypt_cert`; has otherwise no use.
+    Obtain a test certificate from a staging server.
+
+replicate
+    Whether to setup replication or not.
+    If present `syncrepl-credentials` and `syncrepl-host` are also required.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Example of a simple server with manual certificate management.
+    pki_prefix="/usr/local/etc/pki/realms/ldap.camilion.cloud"
+    __openldap_server \
+        --manager-dn 'cn=manager,dc=camilion,dc=cloud' \
+        --manager-password "foo" \
+        --manager-password-hash '{SSHA}foo' \
+        --serverid 0 \
+        --suffix 'dc=camilion,dc=cloud' \
+        --slapd-url 'ldaps://ldap.camilion.cloud' \
+        --tls-cert "${pki_prefix}/default.crt" \
+        --tls-privkey "${pki_prefix}/default.key" \
+        --tls-ca "${pki_prefix}/CA.crt"
+
+    # The created basedn looks as follows:
+    #
+    # dn: dc=camilion,dc=cloud
+    # objectClass: top
+    # objectClass: dcObject
+    # objectClass: organization
+    # o: Managed by cdist, do not edit manually.
+    # dc: camilion
+    #
+    # Do not change it manually, the type will overwrite your changes.
+
+
+    #
+    # Changing to a replicated setup is a simple change to something like:
+    #
+    # Example for multiple servers with replication and automatic
+    # Let's Encrypt certificate management through certbot.
+    id=1
+    for host in ldap-test1.ungleich.ch ldap-test2.ungleich.ch; do
+        echo "__ungleich_ldap \
+            --manager-dn 'cn=manager,dc=ungleich,dc=ch' \
+            --manager-psasword 'foo' \
+            --manager-password-hash '{SSHA}fooo' \
+            --serverid '${id}' \
+            --suffix 'dc=ungleich,dc=ch' \
+            --slapd-url ldap://${host} \
+            --searchbase 'dc=ungleich,dc=ch' \
+            --syncrepl-credentials 'fooo' \
+            --syncrepl-host 'ldap-test1.ungleich.ch' \
+            --syncrepl-host 'ldap-test2.ungleich.ch' \
+            --description 'Ungleich LDAP server'" \
+            --staging \
+            | cdist config -i - -v ${host}
+        id=$((id + 1))
+    done
+
+    # The created basedn looks as follows:
+    #
+    # dn: dc=ungleich,dc=ch
+    # objectClass: top
+    # objectClass: dcObject
+    # objectClass: organization
+    # o: Ungleich LDAP server
+    # dc: ungleich
+    #
+    # Do not change it manually, the type will overwrite your changes.
+
+
+SEE ALSO
+--------
+:strong:`cdist-type__letsencrypt_cert`\ (7)
+
+
+AUTHORS
+-------
+ungleich <foss--@--ungleich.ch>
+Evilham <contact--@--evilham.com>
+
+
+COPYING
+-------
+Copyright \(C) 2020 ungleich glarus ag. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.

cdist/conf/type/__openldap_server/manifest

@@ -0,0 +1,263 @@
+#!/bin/sh
+
+name="${__target_host}"
+manager_dn=$(cat "${__object}/parameter/manager-dn")
+manager_password_hash=$(cat "${__object}/parameter/manager-password-hash")
+serverid=$(cat "${__object}/parameter/serverid")
+suffix=$(cat "${__object}/parameter/suffix")
+slapd_modules=$(cat "${__object}/parameter/module" 2>/dev/null || true)
+schemas=$(cat "${__object}/parameter/schema")
+slapd_urls=$(cat "${__object}/parameter/slapd-url" | tr '\n' ' ')
+tls_cipher_suite=$(cat "${__object}/parameter/tls-cipher-suite" 2>/dev/null || true)
+
+
+os="$(cat "${__global}/explorer/os")"
+
+# Setup OS-dependent vars
+CONF_OWNER="root"
+CONF_GROUP="root"
+case "${os}" in
+    freebsd)
+        PKGS="openldap-server"
+        ETC="/usr/local/etc"
+        SLAPD_DIR="/usr/local/etc/openldap"
+        SLAPD_DATA_DIR="/var/db/openldap-data"
+        SLAPD_RUN_DIR="/var/run/openldap"
+        SLAPD_MODULE_PATH="/usr/local/libexec/openldap"
+        if [ -z "${slapd_modules}" ]; then
+            # It looks like ppolicy and syncprov must be compiled
+            slapd_modules="back_mdb back_monitor"
+        fi
+        CONF_OWNER="ldap"
+        CONF_GROUP="ldap"
+        if [ -z "${tls_cipher_suite}" ]; then
+            # TODO: research default for FreeBSD. 'NORMAL' appears to not work
+            tls_cipher_suite="HIGH:MEDIUM:+SSLv2"
+        fi
+        ;;
+    debian|ubuntu|devuan)
+        PKGS="slapd ldap-utils"
+        ETC="/etc"
+        SLAPD_DIR="/etc/ldap"
+        SLAPD_DATA_DIR="/var/lib/ldap"
+        SLAPD_RUN_DIR="/var/run/slapd"
+        SLAPD_MODULE_PATH="/usr/lib/ldap"
+        if [ -z "${slapd_modules}" ]; then
+            slapd_modules="back_mdb ppolicy syncprov back_monitor"
+        fi
+        if [ -z "${tls_cipher_suite}" ]; then
+            tls_cipher_suite="NORMAL"
+        fi
+        ;;
+    *)
+        echo "Don't know the openldap defaults for: $os" >&2
+        exit 1
+        ;;
+esac
+
+PKG_MAIN=$(echo ${PKGS} | awk '{print $1;}')
+
+
+# Determine if __letsencrypt_cert is to be used and setup vars accordingly
+if [ -f "${__object}/parameter/tls-cert" ]; then
+    tls_cert=$(cat "${__object}/parameter/tls-cert")
+
+    if [ ! -f "${__object}/parameter/tls-privkey" ]; then
+        echo "When tls-cert is defined, tls-privkey is also required." >&2
+        exit 1
+    fi
+    tls_privkey=$(cat "${__object}/parameter/tls-privkey")
+
+    if [ ! -f "${__object}/parameter/tls-ca" ]; then
+        echo "When tls-cert is defined, tls-ca is also required." >&2
+        exit 1
+    fi
+    tls_ca=$(cat "${__object}/parameter/tls-ca")
+
+    _skip_letsencrypt_cert="YES"
+else
+    if [ ! -f "${__object}/parameter/admin-email" ]; then
+        echo "When using __letsencrypt_cert, admin-email is also required." >&2
+        exit 1
+    fi
+    admin_email=$(cat "${__object}/parameter/admin-email")
+
+    tls_cert="${SLAPD_DIR}/sasl2/cert.pem"
+    tls_privkey="${SLAPD_DIR}/sasl2/privkey.pem"
+    tls_ca="${SLAPD_DIR}/sasl2/chain.pem"
+fi
+
+mkdir "${__object}/files"
+ldapconf="${__object}/files/ldapconf"
+
+replication=""
+if [ -f "${__object}/parameter/replicate" ]; then
+    replication=yes
+
+    if [ ! -f "${__object}/parameter/syncrepl-searchbase" ]; then
+        echo "Requiring the searchbase for replication" >&2
+        exit 1
+    fi
+    syncrepl_searchbase=$(cat "${__object}/parameter/syncrepl-searchbase")
+
+    if [ ! -f "${__object}/parameter/syncrepl-credentials" ]; then
+        echo "Requiring credentials for replication" >&2
+        exit 1
+    fi
+
+    syncrepl_credentials=$(cat "${__object}/parameter/syncrepl-credentials")
+
+    if [ ! -f "${__object}/parameter/syncrepl-host" ]; then
+        echo "Requiring host(s) for replication" >&2
+        exit 1
+    fi
+    syncrepl_hosts=$(cat "${__object}/parameter/syncrepl-host")
+
+fi
+
+# Install required packages
+for pkg in ${PKGS}; do
+    __package ${pkg}
+done
+
+
+require="__package/${PKG_MAIN}" __start_on_boot slapd
+
+# Setup -h flag for the listeners. See man slapd (-h flag).
+case "${os}" in
+    freebsd)
+        require="__start_on_boot/slapd" __key_value \
+               --file "/etc/rc.conf" \
+               --key "slapd_flags" \
+               --value "\"-h '${slapd_urls}'\"" \
+               --delimiter "=" \
+               --comment "# LDAP Listener URLs" \
+               "${__target_host}__slapd_flags"
+        ;;
+    debian|ubuntu|devuan)
+        require="__package/${PKG_MAIN}" __line rm_slapd_conf \
+               --file ${ETC}/default/slapd \
+               --regex 'SLAPD_CONF=.*' \
+               --state absent
+
+        require="__package/${PKG_MAIN}" __line rm_slapd_services \
+               --file ${ETC}/default/slapd \
+               --regex 'SLAPD_SERVICES=.*' \
+               --state absent
+
+        require="__line/rm_slapd_conf" __line add_slapd_conf \
+               --file ${ETC}/default/slapd \
+               --line 'SLAPD_CONF=${SLAPD_DIR}/slapd.conf' \
+               --state present
+
+        require="__line/rm_slapd_services" __line add_slapd_services \
+               --file ${ETC}/default/slapd \
+               --line "SLAPD_SERVICES=\"${slapd_urls}\"" \
+               --state present
+        ;;
+    *)
+        # Nothing to do here, move on.
+        ;;
+esac
+
+
+if [ -z "${_skip_letsencrypt_cert}" ]; then
+    if [ -f "${__object}/parameter/staging" ]; then
+        staging="--staging"
+    else
+        staging=""
+    fi
+
+    __letsencrypt_cert "${name}" --admin-email "${admin_email}" \
+        --renew-hook "cp ${ETC}/letsencrypt/live/${name}/*.pem ${SLAPD_DIR}/sasl2 && chown -R openldap:openldap ${SLAPD_DIR}/sasl2 && service slapd restart" \
+        --automatic-renewal ${staging}
+fi
+
+require="__package/${PKG_MAIN}" __directory ${SLAPD_DIR}/slapd.d --state absent
+
+if [ -z "${_skip_letsencrypt_cert}" ]; then
+    require="__package/${PKG_MAIN} __letsencrypt_cert/${name}" \
+           __file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
+           --source "${ldapconf}"
+else
+    require="__package/${PKG_MAIN}" \
+           __file ${SLAPD_DIR}/slapd.conf --owner ${CONF_OWNER} --group ${CONF_GROUP} --mode 644 \
+           --source "${ldapconf}"
+fi
+
+# Start slapd.conf
+cat << EOF > "${ldapconf}"
+pidfile ${SLAPD_RUN_DIR}/slapd.pid
+argsfile ${SLAPD_RUN_DIR}/slapd.args
+
+TLSCipherSuite ${tls_cipher_suite}
+TLSCertificateFile ${tls_cert}
+TLSCertificateKeyFile ${tls_privkey}
+TLSCACertificateFile ${tls_ca}
+
+disallow bind_anon
+require bind
+security tls=1
+EOF
+
+# Add specified schemas
+for schema in ${schemas}; do
+    echo "include ${SLAPD_DIR}/schema/${schema}.schema" >> "${ldapconf}"
+done
+
+# Add specified modules
+echo "modulepath ${SLAPD_MODULE_PATH}" >> "${ldapconf}"
+for module in ${slapd_modules}; do
+    echo "moduleload ${module}.la" >> "${ldapconf}"
+done
+
+# Rest of the config
+cat << EOF >> "${ldapconf}"
+loglevel 1024
+
+database mdb
+maxsize 1073741824
+
+suffix "${suffix}"
+directory ${SLAPD_DATA_DIR}
+rootdn "${manager_dn}"
+rootpw "${manager_password_hash}"
+
+index objectClass eq,pres
+index ou,cn,mail,surname,givenname eq,pres,sub
+index uidNumber,gidNumber,loginShell eq,pres
+index uid,memberUid eq,pres,sub
+index nisMapName,nisMapEntry eq,pres,sub
+index entryCSN,entryUUID eq
+
+serverid ${serverid}
+EOF
+
+# Setup replication
+if [ "${replication}" ]; then
+    rid=1;
+    for syncrepl in ${syncrepl_hosts}; do
+    cat <<EOF >> "${ldapconf}"
+syncrepl rid=${rid}
+ provider=ldap://${syncrepl}
+ bindmethod=simple
+ starttls=yes
+ binddn="${manager_dn}"
+ credentials=${syncrepl_credentials}
+ searchbase="${syncrepl_searchbase}"
+ type=refreshAndPersist
+ retry="5 + 5 +"
+ interval=00:00:00:05
+EOF
+    rid=$((rid + 1))
+    done
+    cat <<EOF >> "${ldapconf}"
+mirrormode true
+overlay syncprov
+syncprov-checkpoint 100 5
+syncprov-sessionlog 100
+
+database monitor
+limits dn.exact="${manager_dn}" time=unlimited size=unlimited
+EOF
+fi

cdist/conf/type/__openldap_server/parameter/boolean

@@ -0,0 +1,2 @@
+staging
+replicate

cdist/conf/type/__openldap_server/parameter/default/description

@@ -0,0 +1 @@
+Managed by cdist, do not edit manually.

cdist/conf/type/__openldap_server/parameter/default/schema

@@ -0,0 +1,12 @@
+corba
+core
+cosine
+duaconf
+dyngroup
+inetorgperson
+java
+misc
+nis
+openldap
+ppolicy
+collective

cdist/conf/type/__openldap_server/parameter/optional

@@ -0,0 +1,8 @@
+description
+syncrepl-credentials
+syncrepl-searchbase
+admin-email
+tls-cipher-suite
+tls-cert
+tls-privkey
+tls-ca

cdist/conf/type/__openldap_server/parameter/optional_multiple

@@ -0,0 +1,3 @@
+syncrepl-host
+module
+schema

cdist/conf/type/__openldap_server/parameter/required

@@ -0,0 +1,5 @@
+manager-dn
+manager-password
+manager-password-hash
+serverid
+suffix

cdist/conf/type/__openldap_server/parameter/required_multiple

@@ -0,0 +1 @@
+slapd-url