Successfully deployed functional freeipa-server

Eric Renfro 2016-07-16 19:00:53 -04:00
parent a709e8a652
commit 7a3bab841a
2 changed files with 35 additions and 24 deletions


@ -4,4 +4,6 @@ metadata
cookbook 'chef-vault' cookbook 'chef-vault'
cookbook 'ohai' cookbook 'ohai'
cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh' cookbook 'ohai-rootsshkey', path: '../ohai-rootsshkey'
cookbook 'sshroot2rootssh', path: '../sshroot2rootssh'
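Review bot: Both path-sourced cookbooks on the last two lines of this hunk (`ohai-rootsshkey` and `sshroot2rootssh`) are pulled from whatever happens to be checked out in the sibling directory, with no version constraint or `ref:` pin, so a change to either cookbook never shows up in this repository's review even though, judging by their names and the recipe's own comment in this commit about root-to-root ssh between servers, they are the ones handling root SSH key distribution. Moving from the absolute `/home/psi-jack/...` path to `../` is an improvement for portability, but the layout assumption is now implicit; I would document it next to these lines, e.g. `# sibling checkouts: expects ../ohai-rootsshkey and ../sshroot2rootssh beside this repo`. If these cookbooks live in git, a `git:` source with an explicit `ref:`/`tag:` would make the vendored revision reviewable and reproducible; if they are meant to stay local, the comment is the minimum. This appears to be a Berksfile (the hunk context is the `metadata` directive), so whichever form is used, the vendoring step fails early if the sibling directory is missing rather than silently picking up an old copy.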


@ -37,16 +37,24 @@ passwords = chef_vault_item(:freeipa, 'passwords')
#package "dbus" #package "dbus"
#package "oddjob" #package "oddjob"
#package "ipa-client" #package "ipa-client"
package "ipa-server" #package "ipa-server"
package "rsync" package "rsync"
package 'ipa-server' do
case node[:platform]
when 'redhat', 'centos'
package_name 'ipa-server'
end
action :install
end
##### Security considerations ##### Security considerations
# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs # All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
# That kind of sucks, but what are the real consequences? # That kind of sucks, but what are the real consequences?
# Since they are replicants of each other, this can be justified, since the data is already compromised. # Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this? # Can selinux help mitigate this?
#include_recipe "ohai" #include_recipe "ohai"
#include_recipe "sshroot2rootssh" include_recipe "sshroot2rootssh"
##### Replication ##### Replication
# We're going to have to # We're going to have to
@ -65,11 +73,11 @@ package "rsync"
# negotiate for master # negotiate for master
freeipa_masters = search(:node, "freeipa_master:true") freeipa_masters = search(:node, "freeipa_master:true")
if freeipa_masters.empty? then if freeipa_masters.empty? then
node.set[:freeipa][:master] = "true" node.set[:freeipa][:master] = true
end #end
##### Do master stuff ##### Do master stuff
if node[:freeipa][:master] then #if node[:freeipa][:master] then
# write better tests to see if freeipa is already set up. # write better tests to see if freeipa is already set up.
## Bootstrap FreeIPA ## Bootstrap FreeIPA
@ -87,33 +95,34 @@ if node[:freeipa][:master] then
cmd += " -U " cmd += " -U "
cmd += " --no-host-dns " cmd += " --no-host-dns "
command "#{cmd}" command "#{cmd}"
notifies :start, "service[dirsrv]" #notifies :start, "service[dirsrv]"
end end
# Compare list of freeipa_servers with contents of /var/lib/ipa/ # Compare list of freeipa_servers with contents of /var/lib/ipa/
#configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split #configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split
configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split #configured_replicants = `ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" } #configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
freeipa_server_fqdns = Array.new #freeipa_server_fqdns = Array.new
freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] } #freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] }
freeipa_server_fqdns.compact! #freeipa_server_fqdns.compact!
freeipa_server_fqdns.each do |f| #freeipa_server_fqdns.each do |f|
unless node[:fqdn] == f then # unless node[:fqdn] == f then
unless configured_replicants.include?( f ) then # unless configured_replicants.include?( f ) then
execute "generating replica config for #{f}" do # execute "generating replica config for #{f}" do
not_if "ls /var/lib/ipa/replica-info-#{f}.gpg" # not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}" # command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
end # end
end # end
end # end
end #end
end #end
### Subsequent nodes ### Subsequent nodes
unless node[:freeipa][:master] then #unless node[:freeipa][:master] then
else
# check to see if slave is setup to replicat from master # check to see if slave is setup to replicat from master
#"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list" #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list"