unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: manage openldap

Browse Source 
- add modules, overlays, acccess rules, schemas
- manage syncrepl
- manage selinux
This commit is contained in:
Ben Vincent 2024-06-30 15:29:49 +10:00
parent e6f243ef60
commit 2924b7ad6f
6 changed files with 224 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
hieradata/roles/infra/auth/openldap.eyaml Normal file
View File

@ -0,0 +1,2 @@
---
profiles::openldap::params::rootpw: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMPu8Asw6L7+k8SRXbPqw62B3ldiE5f2CaDSQbhrOc2u2ULdKvOVpWZnr5cKekl4L8un3zRCiNgY7IG008011jh7oXtTqEGJB2hD/ANHlRawoduft798rRKkDuFqET1rw+komuM7ACJsxXGPO9jB7HjycoJHr4+2yV4o3DlazR0+Ha8kPs8U4C/G/UEWQYOsrP964UZ2CgsHSdozgWj304fVJZ/fWqfOSgipKi2GjNK+TD7g9H12ouGaOjTeOsFBo33QWrikYi6MBFE42p3BLoaBX6Gk6KBzmkhYT7Hyvc/ASP65MpDbXffKp2kcqq++VIb7WhsRydaudRP9wyEJOjzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBVYwJ47CXR2LGgbZOOrd7cgDBCgqTmI4Y5G7x8ZNxEm9WzVY1E7SiKrSnKWF3ntekOhL8ABOk8Y0uODE2HYE+jkJw=]

15
hieradata/roles/infra/auth/openldap.yaml
View File

@ -5,3 +5,18 @@ profiles::pki::vault::alt_names:
- ldap.service.consul
- ldap.query.consul
- "ldap.service.%{facts.country}-%{facts.region}.consul"
openldap::server::manage_epel: false
profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
profiles::openldap::params::ldap_server:
- rid: 1
provider: ldap://ausyd1nxvm1044.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 2
provider: ldap://ausyd1nxvm1045.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"
- rid: 3
provider: ldap://ausyd1nxvm1046.main.unkin.net
searchbase: "%{hiera('profiles::openldap::params::database')}"

17
site/profiles/manifests/openldap/params.pp Normal file
View File

@ -0,0 +1,17 @@
# profiles::openldap::params
class profiles::openldap::params (
String $rootdn,
String $rootpw,
String $database = 'dc=domain,dc=tld',
Array[Hash] $syncrepl = [],
Boolean $multiprovider = true,
Stdlib::Absolutepath $data_path = '/opt/ldap',
Stdlib::Absolutepath $ssl_cert = '/etc/pki/tls/vault/certificate.crt',
Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
Stdlib::Absolutepath $ssl_ca = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
Stdlib::Absolutepath $db_config_path = "${data_path}/DB_CONFIG",
String $cache_size_gb = '1G',
String $log_buffer_size_mb = '8M',
String $log_max_size_mb = '100M',
Stdlib::Absolutepath $log_dir = '/var/lib/ldap/logs',
){}

183
site/profiles/manifests/openldap/server.pp Normal file
View File

@ -0,0 +1,183 @@
# profiles::openldap::init
class profiles::openldap::server (
$database = $profiles::openldap::params::database,
$syncrepl = $profiles::openldap::params::syncrepl,
$multiprovider = $profiles::openldap::params::multiprovider,
$data_path = $profiles::openldap::params::data_path,
$ssl_cert = $profiles::openldap::params::ssl_cert,
$ssl_key = $profiles::openldap::params::ssl_key,
$ssl_ca = $profiles::openldap::params::ssl_ca,
$rootdn = $profiles::openldap::params::rootdn,
$rootpw = $profiles::openldap::params::rootpw,
$db_config_path = $profiles::openldap::params::db_config_path,
$cache_size_gb = $profiles::openldap::params::cache_size_gb,
$log_dir = $profiles::openldap::params::log_dir,
$log_max_size_mb = $profiles::openldap::params::log_max_size_mb,
$log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
) inherits profiles::openldap::params {
# ensure the path to $data_path exists
mkdir::p {$data_path:}
# if selinux is defined, manage it
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set slapd_db_t to all files under the data_path
selinux::fcontext { $data_path:
ensure => 'present',
seltype => 'slapd_db_t',
pathspec => "${data_path}(/.*)?",
}
exec { "restorecon_${data_path}":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_path}",
refreshonly => true,
subscribe => Selinux::Fcontext[$data_path],
}
}
# manage the openldap server
class { 'openldap::server':
ldap_address => $facts['networking']['ip'],
ldaps_address => $facts['networking']['ip'],
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,
ssl_ca => $ssl_ca,
subscribe => [
File[$ssl_key],
File[$ssl_ca],
],
}
openldap::server::database { $database:
ensure => present,
syncrepl => $syncrepl,
directory => $data_path,
rootdn => $rootdn,
rootpw => $rootpw,
mirrormode => true,
}
# manage modules
openldap::server::module { 'memberof':
ensure => present,
}
openldap::server::module { 'syncprov':
ensure => present,
}
# manage overlays
openldap::server::overlay { "memberof on ${database}":
ensure => present,
}
# Update after 10 changes or 1 minute.
# Ensure there's enough room for 1000 changes in the log.
openldap::server::overlay { "syncprov on ${database}":
ensure => present,
options => {
'olcSpCheckpoint' => '10 1',
'olcSpSessionlog' => '100'
},
require => [
Openldap::Server::Dbindex['entryCSN'],
Openldap::Server::Dbindex['entryUUID'],
Openldap::Server::Module['syncprov'],
],
}
# add schemas
openldap::server::schema { 'cosine':
ensure => present,
path => '/etc/openldap/schema/cosine.schema',
}
openldap::server::schema { 'inetorgperson':
ensure => present,
path => '/etc/openldap/schema/inetorgperson.schema',
require => Openldap::Server::Schema['cosine'],
}
openldap::server::schema { 'nis':
ensure => present,
path => '/etc/openldap/schema/nis.ldif',
require => Openldap::Server::Schema['inetorgperson'],
}
$acls = [
{
'to attrs=userPassword,shadowLastChange' => [
"by dn=\"${rootdn}\" write",
'by self write',
'by anonymous auth',
'by * none',
],
},
{
'to dn.base=""' => [
'by * read',
],
},
{
'to *' => [
"by dn=\"${rootdn}\" write",
'by self write',
'by users read',
'by anonymous auth',
'by * none',
],
},
]
openldap::server::access_wrapper { $database :
acl => $acls,
}
# manage dbindex
Openldap::Server::Dbindex {
suffix => $database,
}
openldap::server::dbindex {
'cn':
attribute => 'cn',
indices => 'eq,pres,sub';
'uid':
attribute => 'uid',
indices => 'eq,pres,sub';
'uidNumber':
attribute => 'uidNumber',
indices => 'eq,pres';
'gidNumber':
attribute => 'gidNumber',
indices => 'eq,pres';
'member':
attribute => 'member',
indices => 'eq,pres';
'memberUid':
attribute => 'memberUid',
indices => 'eq,pres';
'entryCSN':
attribute => 'entryCSN',
indices => 'eq,pres';
'entryUUID':
attribute => 'entryUUID',
indices => 'eq,pres';
}
# manage DB_CONFIG
file { $db_config_path:
ensure => file,
content => template('profiles/openldap/db_config.erb'),
owner => 'ldap',
group => 'ldap',
mode => '0644',
}
file { $log_dir:
ensure => directory,
owner => 'ldap',
group => 'ldap',
mode => '0755',
require => Class['openldap::server'],
}
}

5
site/profiles/templates/openldap/db_config.erb Normal file
View File

@ -0,0 +1,5 @@
set_cachesize <%= scope.lookupvar('openldap::db_config::cache_size_gb').to_i * 1024 %> 0 1
set_lg_bsize <%= scope.lookupvar('openldap::db_config::log_buffer_size_mb').to_i * 1024 %>
set_lg_max <%= scope.lookupvar('openldap::db_config::log_max_size_mb').to_i * 1024 %>
set_lg_dir <%= scope.lookupvar('openldap::db_config::log_dir') %>
set_flags DB_LOG_AUTOREMOVE

2
site/roles/manifests/infra/auth/openldap.pp
View File

@ -6,5 +6,7 @@ class roles::infra::auth::openldap {
}else{
include profiles::defaults
include profiles::base
include profiles::base::datavol
include profiles::openldap::server
}
}