Linux-Help/cookbook-freeipa
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Code cleanup with search

Browse source
This commit is contained in:
Eric Renfro 2016-07-21 12:50:48 -04:00
parent 2336fcae1e
commit 33ef1f65c5
2 changed files with 315 additions and 319 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

41
recipes/client.rb
View file

@ -17,16 +17,18 @@
# limitations under the License. # limitations under the License.
# #
include_recipe 'chef-vault'
node.set["freeipa"]["client"] = true
# become aware servers # become aware servers
freeipa_servers = search("node", "freeipa_server:true") if Chef::Config[:solo]
freeipa_clients = search("node", "freeipa_client:true") Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
freeipa_masters = search("node", "freeipa_master:true") else
include_recipe 'chef-vault'
node.normal["freeipa"]["client"] = true
unless freeipa_servers.empty? then freeipa_servers = search("node", "freeipa_server:true")
freeipa_clients = search("node", "freeipa_client:true")
freeipa_masters = search("node", "freeipa_master:true")
unless freeipa_servers.empty? then
package "ipa-client" package "ipa-client"
package "openldap-clients" package "openldap-clients"
package "dbus" package "dbus"
@ -66,18 +68,19 @@ unless freeipa_servers.empty? then
# submit csr # submit csr
# enable dbus # enable dbus
# get host cert? # get host cert?
# execute "requesting host principal certificate" do # execute "requesting host principal certificate" do
# cmd = "ipa-getcert request -r" # cmd = "ipa-getcert request -r"
# cmd += " -f /tmp/affs-server.crt" # cmd += " -f /tmp/affs-server.crt"
# cmd += " -k /tmp/affs-server.key" # cmd += " -k /tmp/affs-server.key"
# cmd += " -N CN= " + node[:fqdn] # cmd += " -N CN= " + node[:fqdn]
# cmd += " -K host/" + node[:fqdn] # cmd += " -K host/" + node[:fqdn]
# cmd += " -D " + node[:fqdn] # cmd += " -D " + node[:fqdn]
# cmd += " -U id-kp-serverAuth" # cmd += " -U id-kp-serverAuth"
# puts "DEBUG: #{cmd}" # puts "DEBUG: #{cmd}"
# command cmd # command cmd
# end # end
# get http cert? # get http cert?
end
end end

167
recipes/server.rb
View file

@ -22,57 +22,49 @@ include_recipe 'chef-vault'
node.normal["freeipa"]["server"] = true node.normal["freeipa"]["server"] = true
# become aware of clients and servers # become aware of clients and servers
freeipa_servers = search(:node, "freeipa_server:true") if Chef::Config[:solo]
freeipa_clients = search(:node, "freeipa_client:true") Chef::Log.warn('This recipe uses search. Chef solo does not support search.')
else
freeipa_servers = search(:node, "freeipa_server:true")
freeipa_clients = search(:node, "freeipa_client:true")
# gather data bag secrets # gather data bag secrets
#secret = Chef::EncryptedDataBagItem.load_secret("/home/psi-jack/.chef/encrypted_data_bag_secret") passwords = chef_vault_item("freeipa", 'passwords')
#passwords = Chef::EncryptedDataBagItem.load("secrets", "passwords", secret)
passwords = chef_vault_item("freeipa", 'passwords')
#ldap_server_admin_pwd = data_bag_item('secrets','ldap_server_admin_pwd')['value']
#kdc_database_master_key = data_bag_item('secrets','kdc_database_master_key')['value']
#ipa_user_pwd = data_bag_item('secrets','ipa_user_pwd')['value']
# packages # packages
#package "dbus" package 'ipa-server' do
#package "oddjob"
#package "ipa-client"
#package "ipa-server"
#package "rsync"
package 'ipa-server' do
case node["platform"] case node["platform"]
when 'redhat', 'centos' when 'redhat', 'centos'
package_name 'ipa-server' package_name 'ipa-server'
end end
action :install action :install
end end
##### Security considerations ##### Security considerations
# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
# That kind of sucks, but what are the real consequences? # That kind of sucks, but what are the real consequences?
# Since they are replicants of each other, this can be justified, since the data is already compromised. # Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this? # Can selinux help mitigate this?
#include_recipe "ohai" #include_recipe "ohai"
#include_recipe "sshroot2rootssh" #include_recipe "sshroot2rootssh"
##### Replication ##### Replication
# We're going to have to # We're going to have to
# a) detect any new freeipa_servers # a) detect any new freeipa_servers
# b) generate ipa-replica-prepare output for them # b) generate ipa-replica-prepare output for them
# c) copy the configs to them # c) copy the configs to them
### Behavor ### Behavor
# First node sets special attribute "master" # First node sets special attribute "master"
# First node configures itself with newly generated crypto # First node configures itself with newly generated crypto
# Subsequent nodes comes up # Subsequent nodes comes up
# Subsequent nodes try to to scp their fqdn's configuration from master # Subsequent nodes try to to scp their fqdn's configuration from master
# Subsequent nodes negotiate for master # Subsequent nodes negotiate for master
# negotiate for master # negotiate for master
freeipa_masters = search(:node, "freeipa_master:true") freeipa_masters = search(:node, "freeipa_master:true")
if freeipa_masters.empty? then if freeipa_masters.empty? then
##### Do master stuff ##### Do master stuff
# write better tests to see if freeipa is already set up. # write better tests to see if freeipa is already set up.
@ -145,10 +137,10 @@ if freeipa_masters.empty? then
node.normal["freeipa"]["master"] = true node.normal["freeipa"]["master"] = true
#elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then #elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then
#elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) && #elsif (node["freeipa"]["master"] && node["freeipa"]["master"].respond_to?(:value) && node["freeipa"]["master"] == false) &&
# (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then # (node["freeipa"]["replica"] && node["freeipa"]["replica"].respond_to?(:value) && node["freeipa"]["replica"] == false) then
elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) then
### Subsequent Replica Nodes ### Subsequent Replica Nodes
# check to see if slave is setup to replicat from master # check to see if slave is setup to replicat from master
@ -216,91 +208,92 @@ elsif(node["freeipa"]["master"] != true && node["freeipa"]["replica"] != true) t
end end
action :nothing action :nothing
end end
end end
### Admin Password for LWRP ### Admin Password for LWRP
# #
file '/etc/ipa/admin.password' do file '/etc/ipa/admin.password' do
content passwords['ipa_user_pwd'] content passwords['ipa_user_pwd']
owner 'root' owner 'root'
group 'root' group 'root'
mode '0600' mode '0600'
sensitive true sensitive true
end end
### SSH key for IPA server communications ### SSH key for IPA server communications
# #
directory "/root/.ssh" do directory "/root/.ssh" do
owner "root" owner "root"
group "root" group "root"
mode "0700" mode "0700"
action :create action :create
end end
file "/root/.ssh/id_rsa" do file "/root/.ssh/id_rsa" do
content passwords["ssh-pvt"] content passwords["ssh-pvt"]
owner "root" owner "root"
group "root" group "root"
mode "0600" mode "0600"
sensitive true sensitive true
end end
file "/root/.ssh/id_rsa.pub" do file "/root/.ssh/id_rsa.pub" do
content passwords["ssh-pub"] content passwords["ssh-pub"]
owner "root" owner "root"
group "root" group "root"
mode "0600" mode "0600"
sensitive true sensitive true
end end
ruby_block "add public key to authorized_keys" do ruby_block "add public key to authorized_keys" do
block do block do
file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys") file = Chef::Util::FileEdit.new("/root/.ssh/authorized_keys")
file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"]) file.insert_line_if_no_match(Regexp.new(Regexp.escape(passwords["ssh-pub"].delete("\n"))), passwords["ssh-pub"])
file.write_file file.write_file
end end
end end
##### services ##### services
# enable all the default services recommended by the freeipa docs # enable all the default services recommended by the freeipa docs
#service "dirsrv" do #service "dirsrv" do
# service_name "dirsrv@#{node[:domain].upcase.gsub(".", "-")}" # service_name "dirsrv@#{node[:domain].upcase.gsub(".", "-")}"
# action [:enable,:start] # action [:enable,:start]
#end #end
#service "krb5kdc" do #service "krb5kdc" do
# only_if service[:dirsrv] => running # only_if service[:dirsrv] => running
# action [:enable,:start] # action [:enable,:start]
#end #end
#template "/etc/httpd/conf.d/ipa.conf" do #template "/etc/httpd/conf.d/ipa.conf" do
# source "ipa.conf.erb" # source "ipa.conf.erb"
# mode 0644 # mode 0644
# notifies :restart, "service[httpd]" # notifies :restart, "service[httpd]"
#end #end
service "httpd" do service "httpd" do
action [:enable,:start] action [:enable,:start]
end end
#service "ipa_kpasswd" do #service "ipa_kpasswd" do
# action [:enable,:start] # action [:enable,:start]
#end #end
service "ipa" do service "ipa" do
action [:enable,:start] action [:enable,:start]
end
#service "messagebus" do
# action [:enable,:start]
#end
#
#service "oddjobd" do
# action [:enable,:start]
#end
end end
#service "messagebus" do
# action [:enable,:start]
#end
#
#service "oddjobd" do
# action [:enable,:start]
#end