From 7a3bab841af60dc5834283e9318bcd1800e3cf07 Mon Sep 17 00:00:00 2001
From: Eric Renfro
Date: Sat, 16 Jul 2016 19:00:53 -0400
Subject: [PATCH] Successfully deployed functional freeipa-server

---
 Berksfile | 4 +++-
 recipes/server.rb | 55 +++++++++++++++++++++++++++--------------------
 2 files changed, 35 insertions(+), 24 deletions(-)

diff --git a/Berksfile b/Berksfile
index 065c05f..3187b76 100644
--- a/Berksfile
+++ b/Berksfile
@@ -4,4 +4,6 @@ metadata
 
 cookbook 'chef-vault'
 cookbook 'ohai'
-cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh'
+cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
+cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
+
diff --git a/recipes/server.rb b/recipes/server.rb
index a7ed6b8..327b7cf 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -37,16 +37,24 @@ passwords = chef_vault_item(:freeipa, 'passwords')
 #package "dbus"
 #package "oddjob"
 #package "ipa-client"
-package "ipa-server"
+#package "ipa-server"
 package "rsync"
 
+package 'ipa-server' do
+ case node[:platform]
+ when 'redhat', 'centos'
+ package_name 'ipa-server'
+ end
+ action :install
+end
+
 ##### Security considerations
 # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
 # That kind of sucks, but what are the real consequences?
 # Since they are replicants of each other, this can be justified, since the data is already compromised.
 # Can selinux help mitigate this?
 #include_recipe "ohai"
-#include_recipe "sshroot2rootssh"
+include_recipe "sshroot2rootssh"
 
 ##### Replication
 # We're going to have to 
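Review bot: Both cookbooks are now pulled from sibling checkouts via `path:`, which pins nothing — the revision of `sshroot2rootssh` and `ohai-rootsshkey` that ends up distributing root SSH keys depends on whatever is on the developer's disk, so the dependency set cannot be reproduced or audited. Point them at a `git:` source with a `ref:` or `tag:` once they are published, and keep `path:` only for local development. If `ohai-rootsshkey` exports key material as a node attribute, as its name suggests, confirm it publishes only the public key, since node attributes are readable by every client with node read access on the Chef server.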
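Review bot: Turning on `include_recipe "sshroot2rootssh"` gives every FreeIPA host an unrestricted root login on every other, while the comment block just above it still leaves the mitigation question ("Can selinux help mitigate this?") open. Presumably only the replica-info files produced by `ipa-replica-prepare` need to cross hosts, so restrict the installed keys with authorized_keys options such as `from="<peer addresses>",command="<forced rsync of /var/lib/ipa/replica-info-*.gpg>"` instead of a full root shell, and limit the peers that receive keys to nodes in this cookbook's role rather than every node the ohai key attribute reaches. Separately, the `case node[:platform]` inside the `package 'ipa-server'` resource is a no-op: the only branch sets `package_name 'ipa-server'`, which is already the resource name, and other platforms get the same default — either map platforms whose package name actually differs or drop the case and keep the plain `package 'ipa-server'`.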
@@ -65,11 +73,11 @@ package "rsync"
 # negotiate for master
 freeipa_masters = search(:node, "freeipa_master:true")
 if freeipa_masters.empty? then
- node.set[:freeipa][:master] = "true"
-end
+ node.set[:freeipa][:master] = true
+#end
 
 ##### Do master stuff
-if node[:freeipa][:master] then
+#if node[:freeipa][:master] then
 # write better tests to see if freeipa is already set up.
 
 ## Bootstrap FreeIPA 
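Review bot: The master election on the `freeipa_masters = search(...)` / `if freeipa_masters.empty?` lines is first-come and unsynchronised: two servers converging before either has saved and indexed `node.set[:freeipa][:master] = true` both see an empty result and both take the bootstrap branch, which would stand up two independent masters. Commenting out `end` and the `if node[:freeipa][:master]` guard also changes who takes that branch on later runs — once this node's own entry comes back from the search, `empty?` is false and the master itself falls through to whatever closes the now-open `if` outside this hunk (the next hunk removes the old `unless node[:freeipa][:master]` guard). Keep the persisted attribute as the guard, `node.set[:freeipa][:master] = true if freeipa_masters.empty?` followed by `if node[:freeipa][:master]`, and consider designating the master explicitly via a role or attribute rather than by search, since Chef search is eventually consistent. The `if` opened here is closed outside the hunk.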
@@ -87,33 +95,34 @@ if node[:freeipa][:master] then
 cmd += " -U "
 cmd += " --no-host-dns "
 command "#{cmd}"
- notifies :start, "service[dirsrv]"
+ #notifies :start, "service[dirsrv]"
 end
 
 # Compare list of freeipa_servers with contents of /var/lib/ipa/
 #configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split
- configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
- configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
+ #configured_replicants = `ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
+ #configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
 
- freeipa_server_fqdns = Array.new
- freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] }
- freeipa_server_fqdns.compact!
+ #freeipa_server_fqdns = Array.new
+ #freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] }
+ #freeipa_server_fqdns.compact!
 
- freeipa_server_fqdns.each do |f|
- unless node[:fqdn] == f then
- unless configured_replicants.include?( f ) then
- execute "generating replica config for #{f}" do
- not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
- command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
- end
- end
- end
- end
+ #freeipa_server_fqdns.each do |f|
+ # unless node[:fqdn] == f then
+ # unless configured_replicants.include?( f ) then
+ # execute "generating replica config for #{f}" do
+ # not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
+ # command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
+ # end
+ # end
+ # end
+ #end
 
-end
+#end
 
 ### Subsequent nodes
-unless node[:freeipa][:master] then
+#unless node[:freeipa][:master] then
+else
 # check to see if slave is setup to replicat from master
 #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list"