From 2924b7ad6f2fd216679cf5fe82c31e7790894bcf Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 30 Jun 2024 15:29:49 +1000
Subject: [PATCH] feat: manage openldap - add modules, overlays, acccess rules, schemas - manage syncrepl - manage selinux
---
hieradata/roles/infra/auth/openldap.eyaml | 2 +
hieradata/roles/infra/auth/openldap.yaml | 15 ++
site/profiles/manifests/openldap/params.pp | 17 ++
site/profiles/manifests/openldap/server.pp | 183 ++++++++++++++++++
.../profiles/templates/openldap/db_config.erb | 5 +
site/roles/manifests/infra/auth/openldap.pp | 2 +
6 files changed, 224 insertions(+)
create mode 100644 hieradata/roles/infra/auth/openldap.eyaml
create mode 100644 site/profiles/manifests/openldap/params.pp
create mode 100644 site/profiles/manifests/openldap/server.pp
create mode 100644 site/profiles/templates/openldap/db_config.erb
diff --git a/hieradata/roles/infra/auth/openldap.eyaml b/hieradata/roles/infra/auth/openldap.eyaml
new file mode 100644
index 0000000..427fa3b
--- /dev/null
+++ b/hieradata/roles/infra/auth/openldap.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::openldap::params::rootpw: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/auth/openldap.yaml b/hieradata/roles/infra/auth/openldap.yaml
index 219e097..3cba2f6 100644
--- a/hieradata/roles/infra/auth/openldap.yaml
+++ b/hieradata/roles/infra/auth/openldap.yaml
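Review bot: The value under `profiles::openldap::params::rootpw` ends up as the database `rootpw` in `profiles::openldap::server`, and OpenLDAP accepts olcRootPW either as a cleartext password or as a `{SSHA}`-style hash; the ENC[] blob cannot be inspected here, so please confirm it is the output of `slappasswd` and not the cleartext secret. eyaml protects the value in git, but a cleartext rootpw is still written verbatim into cn=config on every provider and carried in the Puppet catalog, whereas a hash limits that exposure to an offline-crackable digest. A one-line comment above the key, `# {SSHA} hash from slappasswd -- never the cleartext password`, would make the expectation explicit for the next person rotating it.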
@@ -5,3 +5,18 @@ profiles::pki::vault::alt_names:
   - ldap.service.consul
   - ldap.query.consul
   - "ldap.service.%{facts.country}-%{facts.region}.consul"
+
+openldap::server::manage_epel: false
+profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
+profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
+profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
+profiles::openldap::params::ldap_server:
+  - rid: 1
+    provider: ldap://ausyd1nxvm1044.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"
+  - rid: 2
+    provider: ldap://ausyd1nxvm1045.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"
+  - rid: 3
+    provider: ldap://ausyd1nxvm1046.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"
diff --git a/site/profiles/manifests/openldap/params.pp b/site/profiles/manifests/openldap/params.pp
new file mode 100644
index 0000000..e935002
--- /dev/null
+++ b/site/profiles/manifests/openldap/params.pp
@@ -0,0 +1,17 @@
+# profiles::openldap::params
+class profiles::openldap::params (
+  String $rootdn,
+  String $rootpw,
+  String $database = 'dc=domain,dc=tld',
+  Array[Hash] $syncrepl = [],
+  Boolean $multiprovider = true,
+  Stdlib::Absolutepath $data_path = '/opt/ldap',
+  Stdlib::Absolutepath $ssl_cert = '/etc/pki/tls/vault/certificate.crt',
+  Stdlib::Absolutepath $ssl_key = '/etc/pki/tls/vault/private.key',
+  Stdlib::Absolutepath $ssl_ca = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
+  Stdlib::Absolutepath $db_config_path = "${data_path}/DB_CONFIG",
+  String $cache_size_gb = '1G',
+  String $log_buffer_size_mb = '8M',
+  String $log_max_size_mb = '100M',
+  Stdlib::Absolutepath $log_dir = '/var/lib/ldap/logs',
+){}
diff --git a/site/profiles/manifests/openldap/server.pp b/site/profiles/manifests/openldap/server.pp
new file mode 100644
index 0000000..6065d7f
--- /dev/null
+++ b/site/profiles/manifests/openldap/server.pp
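Review bot: The hiera key `profiles::openldap::params::ldap_server` matches no parameter of `profiles::openldap::params` (it declares `$syncrepl`, default `[]`), so under automatic parameter lookup this list is never consumed and the database resource is created with no syncrepl stanzas — replication between the three nodes silently never gets configured. Rename the key to `profiles::openldap::params::syncrepl` (or add an `$ldap_server` parameter and pass it through). Separately, all three providers are `ldap://` URIs and the entries carry no `starttls`/`tls_*` settings, so once replication does work the consumer bind and replicated `userPassword` values would cross the network in cleartext; use `ldaps://` or add `starttls: critical` against the Vault CA, e.g. `provider: ldaps://ausyd1nxvm1044.main.unkin.net`. Whether the openldap module's `syncrepl` hashes also require `binddn`/`credentials` keys cannot be confirmed from this patch; check the database type's documentation before relying on this list.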
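Review bot: `$rootpw` is typed as a plain `String`, so the decrypted value travels in the catalog and appears in Puppet reports and in any diff/debug output of the resources it is passed to; declaring it `Sensitive[String] $rootpw,` keeps it redacted there, provided the downstream `openldap::server::database` accepts a Sensitive value (otherwise unwrap it immediately before the call). `$multiprovider` is declared with a default but, as far as this patch shows, nothing reads it — `profiles::openldap::server` takes it and then hard-codes `mirrormode => true` — so either drop it or wire it through. The `cache_size_gb`/`log_*_mb` parameters are typed `String` with values like `'1G'`; a stricter type such as `Pattern[/\A\d+\z/]` or plain `Integer` would catch unit mistakes before the template does arithmetic on them.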
@@ -0,0 +1,183 @@
+# profiles::openldap::init
+class profiles::openldap::server (
+  $database = $profiles::openldap::params::database,
+  $syncrepl = $profiles::openldap::params::syncrepl,
+  $multiprovider = $profiles::openldap::params::multiprovider,
+  $data_path = $profiles::openldap::params::data_path,
+  $ssl_cert = $profiles::openldap::params::ssl_cert,
+  $ssl_key = $profiles::openldap::params::ssl_key,
+  $ssl_ca = $profiles::openldap::params::ssl_ca,
+  $rootdn = $profiles::openldap::params::rootdn,
+  $rootpw = $profiles::openldap::params::rootpw,
+  $db_config_path = $profiles::openldap::params::db_config_path,
+  $cache_size_gb = $profiles::openldap::params::cache_size_gb,
+  $log_dir = $profiles::openldap::params::log_dir,
+  $log_max_size_mb = $profiles::openldap::params::log_max_size_mb,
+  $log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
+) inherits profiles::openldap::params {
+
+  # ensure the path to $data_path exists
+  mkdir::p {$data_path:}
+
+  # if selinux is defined, manage it
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+    # set slapd_db_t to all files under the data_path
+    selinux::fcontext { $data_path:
+      ensure => 'present',
+      seltype => 'slapd_db_t',
+      pathspec => "${data_path}(/.*)?",
+    }
+
+    exec { "restorecon_${data_path}":
+      path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command => "restorecon -Rv ${data_path}",
+      refreshonly => true,
+      subscribe => Selinux::Fcontext[$data_path],
+    }
+
+  }
+
+  # manage the openldap server
+  class { 'openldap::server':
+    ldap_address => $facts['networking']['ip'],
+    ldaps_address => $facts['networking']['ip'],
+    ssl_cert => $ssl_cert,
+    ssl_key => $ssl_key,
+    ssl_ca => $ssl_ca,
+    subscribe => [
+      File[$ssl_key],
+      File[$ssl_ca],
+    ],
+  }
+
+  openldap::server::database { $database:
+    ensure => present,
+    syncrepl => $syncrepl,
+    directory => $data_path,
+    rootdn => $rootdn,
+    rootpw => $rootpw,
+    mirrormode => true,
+  }
+
+  # manage modules
+  openldap::server::module { 'memberof':
+    ensure => present,
+  }
+  openldap::server::module { 'syncprov':
+    ensure => present,
+  }
+
+  # manage overlays
+  openldap::server::overlay { "memberof on ${database}":
+    ensure => present,
+  }
+
+  # Update after 10 changes or 1 minute.
+  # Ensure there's enough room for 1000 changes in the log.
+  openldap::server::overlay { "syncprov on ${database}":
+    ensure => present,
+    options => {
+      'olcSpCheckpoint' => '10 1',
+      'olcSpSessionlog' => '100'
+    },
+    require => [
+      Openldap::Server::Dbindex['entryCSN'],
+      Openldap::Server::Dbindex['entryUUID'],
+      Openldap::Server::Module['syncprov'],
+    ],
+  }
+
+  # add schemas
+  openldap::server::schema { 'cosine':
+    ensure => present,
+    path => '/etc/openldap/schema/cosine.schema',
+  }
+  openldap::server::schema { 'inetorgperson':
+    ensure => present,
+    path => '/etc/openldap/schema/inetorgperson.schema',
+    require => Openldap::Server::Schema['cosine'],
+  }
+  openldap::server::schema { 'nis':
+    ensure => present,
+    path => '/etc/openldap/schema/nis.ldif',
+    require => Openldap::Server::Schema['inetorgperson'],
+  }
+
+$acls = [
+  {
+    'to attrs=userPassword,shadowLastChange' => [
+      "by dn=\"${rootdn}\" write",
+      'by self write',
+      'by anonymous auth',
+      'by * none',
+    ],
+  },
+  {
+    'to dn.base=""' => [
+      'by * read',
+    ],
+  },
+  {
+    'to *' => [
+      "by dn=\"${rootdn}\" write",
+      'by self write',
+      'by users read',
+      'by anonymous auth',
+      'by * none',
+    ],
+  },
+]
+openldap::server::access_wrapper { $database :
+  acl => $acls,
+}
+
+  # manage dbindex
+  Openldap::Server::Dbindex {
+    suffix => $database,
+  }
+  openldap::server::dbindex {
+    'cn':
+      attribute => 'cn',
+      indices => 'eq,pres,sub';
+    'uid':
+      attribute => 'uid',
+      indices => 'eq,pres,sub';
+    'uidNumber':
+      attribute => 'uidNumber',
+      indices => 'eq,pres';
+    'gidNumber':
+      attribute => 'gidNumber',
+      indices => 'eq,pres';
+    'member':
+      attribute => 'member',
+      indices => 'eq,pres';
+    'memberUid':
+      attribute => 'memberUid',
+      indices => 'eq,pres';
+    'entryCSN':
+      attribute => 'entryCSN',
+      indices => 'eq,pres';
+    'entryUUID':
+      attribute => 'entryUUID',
+      indices => 'eq,pres';
+  }
+
+  # manage DB_CONFIG
+  file { $db_config_path:
+    ensure => file,
+    content => template('profiles/openldap/db_config.erb'),
+    owner => 'ldap',
+    group => 'ldap',
+    mode => '0644',
+  }
+
+  file { $log_dir:
+    ensure => directory,
+    owner => 'ldap',
+    group => 'ldap',
+    mode => '0755',
+    require => Class['openldap::server'],
+  }
+
+}
diff --git a/site/profiles/templates/openldap/db_config.erb b/site/profiles/templates/openldap/db_config.erb
new file mode 100644
index 0000000..e6a5e4a
--- /dev/null
+++ b/site/profiles/templates/openldap/db_config.erb
@@ -0,0 +1,5 @@
+set_cachesize <%= scope.lookupvar('openldap::db_config::cache_size_gb').to_i * 1024 %> 0 1
+set_lg_bsize <%= scope.lookupvar('openldap::db_config::log_buffer_size_mb').to_i * 1024 %>
+set_lg_max <%= scope.lookupvar('openldap::db_config::log_max_size_mb').to_i * 1024 %>
+set_lg_dir <%= scope.lookupvar('openldap::db_config::log_dir') %>
+set_flags DB_LOG_AUTOREMOVE
diff --git a/site/roles/manifests/infra/auth/openldap.pp b/site/roles/manifests/infra/auth/openldap.pp
index b7e25aa..7e63aa4 100644
--- a/site/roles/manifests/infra/auth/openldap.pp
+++ b/site/roles/manifests/infra/auth/openldap.pp
@@ -6,5 +6,7 @@ class roles::infra::auth::openldap {
   }else{
     include profiles::defaults
     include profiles::base
+    include profiles::base::datavol
+    include profiles::openldap::server
   }
 }
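Review bot: The `to *` rule in `$acls` grants `by self write` on every attribute not matched by an earlier rule, and with the `nis` schema loaded that includes the posixAccount attributes `uidNumber`, `gidNumber`, `homeDirectory` and `loginShell` — any user who can bind can set their own `uidNumber` to 0 and become root on every host that resolves accounts from this directory. Add a rule for those attributes ahead of `to *` that allows write only for `${rootdn}`; slapd stops at the first `to` clause matching the target, so the ordering is what makes it effective. Two smaller points: the comment above the syncprov overlay promises room for 1000 changes but `olcSpSessionlog` is `'100'`, and the `ldap_address` listener on the node IP will accept cleartext simple binds unless the database also sets something like `olcSecurity: ssf=128` — worth confirming against the module's database options. `$multiprovider` is accepted by the class but never read; `mirrormode` is hard-coded to true.
```puppet
$acls = [
  # … unchanged: userPassword/shadowLastChange rule …
  {
    # posixAccount attributes decide uid/gid/shell on every NSS client;
    # self-write here would let any user become uid 0. Admin-only.
    'to attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell' => [
      "by dn=\"${rootdn}\" write",
      'by users read',
      'by * none',
    ],
  },
  # … unchanged: dn.base="" and "to *" rules …
]
```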
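Review bot: Every `scope.lookupvar('openldap::db_config::…')` call names a class that does not exist anywhere in this patch — the values are parameters of `profiles::openldap::params` and are in scope as `@cache_size_gb`, `@log_buffer_size_mb`, `@log_max_size_mb` and `@log_dir` when `profiles::openldap::server` renders the template — so the lookups resolve to undef (an error under `strict_variables`, otherwise `nil.to_i` is 0) and slapd is handed `set_cachesize 0 0 1` and an empty `set_lg_dir`. The arithmetic is also off: `set_cachesize` takes gigabytes then bytes, so `'1G'.to_i * 1024` requests 1024 GB, and `set_lg_bsize`/`set_lg_max` take bytes, so `'8M'.to_i * 1024` is 8 KiB rather than 8 MiB. Note too that DB_CONFIG is only honoured by the bdb/hdb backends; if the module creates an mdb database (the default on current OpenLDAP) this file is ignored entirely, which deserves a comment at the top of the template.
```erb
set_cachesize <%= @cache_size_gb.to_i %> 0 1
set_lg_bsize <%= @log_buffer_size_mb.to_i * 1024 * 1024 %>
set_lg_max <%= @log_max_size_mb.to_i * 1024 * 1024 %>
set_lg_dir <%= @log_dir %>
<%# … unchanged: set_flags line … %>
```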