Initial commit

.gitignore

@@ -0,0 +1,18 @@
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+pkg/
+
+# Berkshelf
+.vagrant
+/cookbooks
+Berksfile.lock
+
+# Bundler
+Gemfile.lock
+bin/*
+.bundle/*
+

.kitchen.yml

@@ -0,0 +1,15 @@
+---
+driver:
+  name: vagrant
+
+provisioner:
+  name: chef_solo
+
+platforms:
+  - name: ubuntu-14.04
+  - name: centos-7.1
+
+suites:
+  - name: default
+    run_list:
+    attributes:

Berksfile

@@ -0,0 +1,7 @@
+source "https://supermarket.chef.io"
+
+metadata
+
+cookbook 'chef-vault'
+cookbook 'ohai'
+cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh'

CHANGELOG.md

@@ -0,0 +1,3 @@
+# 0.1.0
+
+Initial release of freeipa

Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+

LICENSE

@@ -0,0 +1,3 @@
+Copyright (C) 2016 YOUR_NAME
+
+All rights reserved - Do Not Redistribute

README.md

@@ -0,0 +1,42 @@
+# freeipa-cookbook
+
+TODO: Enter the cookbook description here.
+
+## Supported Platforms
+
+TODO: List your supported platforms.
+
+## Attributes
+
+<table>
+  <tr>
+    <th>Key</th>
+    <th>Type</th>
+    <th>Description</th>
+    <th>Default</th>
+  </tr>
+  <tr>
+    <td><tt>['freeipa']['bacon']</tt></td>
+    <td>Boolean</td>
+    <td>whether to include bacon</td>
+    <td><tt>true</tt></td>
+  </tr>
+</table>
+
+## Usage
+
+### freeipa::default
+
+Include `freeipa` in your node's `run_list`:
+
+```json
+{
+  "run_list": [
+    "recipe[freeipa::default]"
+  ]
+}
+```
+
+## License and Authors
+
+Author:: YOUR_NAME (<YOUR_EMAIL>)

Thorfile

@@ -0,0 +1,5 @@
+# encoding: utf-8
+
+require 'bundler'
+require 'bundler/setup'
+require 'berkshelf/thor'

chefignore

@@ -0,0 +1,94 @@
+# Put files/directories that should be ignored in this file when uploading
+# or sharing to the community site.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+Guardfile
+Procfile
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+cookbooks/*
+tmp
+
+# Cookbooks #
+#############
+CONTRIBUTING
+CHANGELOG*
+
+# Strainer #
+############
+Colanderfile
+Strainerfile
+.colander
+.strainer
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
+
+# Travis #
+##########
+.travis.yml

metadata.rb

@@ -0,0 +1,11 @@
+name             'freeipa'
+maintainer       'Eric Renfro'
+maintainer_email 'psi-jack@linux-help.org'
+license          'GPLv3'
+description      'Installs/Configures freeipa'
+long_description 'Installs/Configures freeipa'
+version          '0.1.0'
+
+depends 'ohai'
+depends 'chef-vault'
+depends 'sshroot2rootssh'

recipes/client.rb

@@ -0,0 +1,76 @@
+#
+# Cookbook Name:: freeipa
+# Recipe:: client
+#
+# Copyright 2011, afistfulofservers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+node.set[:freeipa][:client] = true
+
+# become aware servers
+freeipa_servers = search(:node, "freeipa_server:true")
+freeipa_clients = search(:node, "freeipa_client:true")
+freeipa_masters = search(:node, "freeipa_master:true")
+
+unless freeipa_servers.empty? then
+  package "ipa-client"
+  package "openldap-clients"
+  package "dbus"
+  package "certmonger"
+
+  puts "DEBUG: got here!"
+  service "messagebus" do
+    action [:enable,:start]
+  end
+  service "certmonger" do
+    action [:enable,:start]
+  end
+
+  #### Join node to freeipa 'domain'
+  # configures kerberos client to point to kdc on freeipa::server
+  # configures ldap to look up posix information via sssd/nss
+  execute "joining freeipa client to domain" do
+    not_if "ls /var/lib/ipa-client/sysrestore/sysrestore.index"
+    cmd = "ipa-client-install -U"
+    cmd += " --server " + freeipa_masters[0][:fqdn]
+    cmd += " --domain " + node[:domain]
+    cmd += " --realm " + node[:domain].upcase
+    command cmd
+    ignore_failure true
+  end
+
+
+  #### pki enrollment
+  # gotta wait for ipav2 apparently
+  #
+  # generate csr
+  # submit csr
+  # enable dbus
+  # get host cert?
+#  execute "requesting host principal certificate" do 
+#    cmd = "ipa-getcert request -r"
+#    cmd += " -f /tmp/affs-server.crt"
+#    cmd += " -k /tmp/affs-server.key"
+#    cmd += " -N CN= " + node[:fqdn]
+#    cmd += " -K host/" + node[:fqdn]
+#    cmd += " -D " + node[:fqdn]
+#    cmd += " -U id-kp-serverAuth"
+#    puts "DEBUG: #{cmd}"
+#    command cmd
+#  end
+
+  # get http cert?
+end
+

recipes/default.rb

@@ -0,0 +1,8 @@
+#
+# Cookbook Name:: freeipa
+# Recipe:: default
+#
+# Copyright (C) 2016 YOUR_NAME
+#
+# All rights reserved - Do Not Redistribute
+#

recipes/server.rb

@@ -0,0 +1,203 @@
+#
+# Cookbook Name:: freeipa
+# Recipe:: server
+#
+# Copyright 2011, afistfulofservers
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'chef-vault'
+
+node.set[:freeipa][:server] = true
+
+# become aware of clients and servers
+freeipa_servers = search(:node, "freeipa_server:true")
+freeipa_clients = search(:node, "freeipa_client:true")
+
+# gather data bag secrets
+#secret = Chef::EncryptedDataBagItem.load_secret("/home/psi-jack/.chef/encrypted_data_bag_secret")
+#passwords = Chef::EncryptedDataBagItem.load("secrets", "passwords", secret)
+passwords = chef_vault_item(:freeipa, 'passwords')
+#ldap_server_admin_pwd = data_bag_item('secrets','ldap_server_admin_pwd')['value']
+#kdc_database_master_key = data_bag_item('secrets','kdc_database_master_key')['value']
+#ipa_user_pwd = data_bag_item('secrets','ipa_user_pwd')['value']
+
+# packages
+#package "dbus"
+#package "oddjob"
+#package "ipa-client"
+package "ipa-server"
+package "rsync"
+
+##### Security considerations
+# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
+# That kind of sucks, but what are the real consequences?
+# Since they are replicants of each other, this can be justified, since the data is already compromised.
+# Can selinux help mitigate this?
+#include_recipe "ohai"
+#include_recipe "sshroot2rootssh" 
+
+##### Replication
+# We're going to have to 
+# a) detect any new freeipa_servers
+# b) generate ipa-replica-prepare output for them
+# c) copy the configs to them
+
+### Behavor
+# First node sets special attribute "master"
+# First node configures itself with newly generated crypto
+
+# Subsequent nodes comes up
+# Subsequent nodes try to to scp their fqdn's configuration from master
+# Subsequent nodes negotiate for master
+
+# negotiate for master
+freeipa_masters = search(:node, "freeipa_master:true")
+if freeipa_masters.empty? then
+  node.set[:freeipa][:master] = "true"
+end
+
+##### Do master stuff
+if node[:freeipa][:master] then
+
+  # write better tests to see if freeipa is already set up.
+  ## Bootstrap FreeIPA
+  execute "initializing freeipa-server" do
+    not_if "ls /var/lib/ipa/sysrestore/sysrestore.state"
+    cmd = "ipa-server-install"
+    cmd += " --hostname " + node[:fqdn]
+    #cmd += " -u " + "ipaadmin"
+    cmd += " -r " + node[:domain].upcase
+    cmd += " -n " + node[:domain]
+    cmd += " -p " + passwords['ldap_server_admin_pwd']
+    cmd += " -P " + passwords['kdc_database_master_key']
+    cmd += " -a " + passwords['ipa_user_pwd']
+    cmd += " -N "
+    cmd += " -U "
+    cmd += " --no-host-dns "
+    command "#{cmd}"
+    notifies :start, "service[dirsrv]"
+  end
+
+  # Compare list of freeipa_servers with contents of /var/lib/ipa/
+  #configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split
+  configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
+  configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
+
+  freeipa_server_fqdns  = Array.new
+  freeipa_servers.each { |n|  freeipa_server_fqdns << n[:fqdn] }
+  freeipa_server_fqdns.compact!
+
+  freeipa_server_fqdns.each do |f|
+    unless node[:fqdn] == f then
+      unless configured_replicants.include?( f ) then
+        execute "generating replica config for #{f}" do
+          not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
+          command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
+        end
+      end
+    end
+  end
+
+end
+
+### Subsequent nodes 
+unless node[:freeipa][:master] then
+
+  # check to see if slave is setup to replicat from master
+  #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list"
+
+  # Check for replication config
+  # Attempt to copy config from master.
+  # Fail gracefully if not found.
+  execute "rsyncing freeipa replication data" do
+    #only_if "ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
+    cmd = "rsync -a -e \"ssh "
+    cmd += " -o StrictHostKeyChecking=yes"
+    cmd += " -o PasswordAuthentication=no\""
+    cmd += " root@"
+    cmd += "#{freeipa_masters[0][:fqdn]}:"
+    cmd += "/var/lib/ipa/replica-info*"
+    cmd += " /var/lib/ipa"
+    command cmd
+    ignore_failure true
+  end
+
+  execute "joining freeipa cluster" do
+    not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
+    only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
+    cmd = "ipa-replica-install"
+    cmd += " -p " + passwords['ldap_server_admin_pwd']
+    cmd +=" /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
+    command cmd
+  end
+
+  # copy CA private key 
+  # /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt
+  execute "copying CA private key" do 
+    only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
+    only_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/"
+    not_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
+    cmd = "rsync -a -e \"ssh "
+    cmd += " -o StrictHostKeyChecking=yes"
+    cmd += " -o PasswordAuthentication=no\""
+    cmd += " root@"
+    cmd += "#{freeipa_masters[0][:fqdn]}:"
+    cmd += "/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
+    cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/"
+    #puts "DEBUG: #{cmd}"
+    command cmd
+    ignore_failure true
+  end
+
+end
+
+##### services
+# enable all the default services recommended by the freeipa docs
+
+#service "dirsrv" do
+#  action [:enable,:start]
+#end
+
+#service "krb5kdc" do
+#  only_if service[:dirsrv] => running
+#  action [:enable,:start]
+#end
+
+#template "/etc/httpd/conf.d/ipa.conf" do
+#  source "ipa.conf.erb"
+#  mode 0644
+#  notifies :restart, "service[httpd]"
+#end
+
+#service "httpd" do
+#  action [:enable,:start]
+#end
+
+#service "ipa_kpasswd" do
+#  action [:enable,:start]
+#end
+
+#service "ipa" do
+#  action [:enable,:start]
+#end
+#
+#service "messagebus" do
+#  action [:enable,:start]
+#end
+#
+#service "oddjobd" do
+#  action [:enable,:start]
+#end
+

templates/default/ipa.conf.erb

@@ -0,0 +1,61 @@
+ProxyRequests Off
+AddType application/java-archive        jar
+<ProxyMatch ^.*/ipa/ui.*$>
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate off
+  KrbMethodK5Passwd on
+  KrbServiceName HTTP
+  KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /ipa/errors/unauthorized.html
+  RewriteEngine on
+  Order deny,allow
+  Allow from all
+  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
+  # RequestHeader unset Authorization
+</ProxyMatch>
+ProxyPass /ipa/ui http://localhost:8080/ipa/ui
+ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
+Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
+Alias /ipa/errors "/usr/share/ipa/html"
+Alias /ipa/config "/usr/share/ipa/html"
+<Directory "/usr/share/ipa/ipaserver">
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /ipa/errors/unauthorized.html
+  SetHandler mod_python
+  PythonHandler ipaxmlrpc
+  
+  PythonDebug Off
+  PythonOption IPADebug Off
+  # this is pointless to use since it would just reload ipaxmlrpc.py
+  PythonAutoReload Off
+</Directory>
+<Directory "/usr/share/ipa/html">
+  AllowOverride None
+  Satisfy Any
+  Allow from all
+</Directory>
+<Directory /var/www/cgi-bin>
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /ipa/errors/unauthorized.html
+</Directory>
+

templates/default/ssh_known_hosts.erb

@@ -0,0 +1,4 @@
+# maintained by chef
+<% @freeipa_servers.each do |freeipa_server| -%>
+<%= freeipa_server['fqdn'] %>,<%= freeipa_server['ipaddress'] %> ssh-rsa <%= freeipa_server[:keys][:ssh][:host_rsa_public] %>
+<% end -%>