Initial commit

This commit is contained in:
Eric Renfro 2016-07-15 09:46:51 -04:00
commit a709e8a652
15 changed files with 552 additions and 0 deletions

18
.gitignore vendored Normal file

@ -0,0 +1,18 @@
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
pkg/
# Berkshelf
.vagrant
/cookbooks
Berksfile.lock
# Bundler
Gemfile.lock
bin/*
.bundle/*

15
.kitchen.yml Normal file

@ -0,0 +1,15 @@
---
driver:
name: vagrant
provisioner:
name: chef_solo
platforms:
- name: ubuntu-14.04
- name: centos-7.1
suites:
- name: default
run_list:
attributes:
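Review bot: The default suite's `run_list:` is empty, so `kitchen converge` on either platform applies nothing from this cookbook and the matrix only proves that a bare VM boots. Adding `- recipe[freeipa::server]` (and a second suite for `recipe[freeipa::client]`) would exercise the recipes this commit introduces. Both recipes call `search`, which the `chef_solo` provisioner historically does not serve without a nodes fixture, so a `nodes_path`/data-bag fixture is presumably needed as well — worth confirming before relying on kitchen here. The trailing empty `attributes:` key can be dropped.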

7
Berksfile Normal file

@ -0,0 +1,7 @@
source "https://supermarket.chef.io"
metadata
cookbook 'chef-vault'
cookbook 'ohai'
cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh'
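Review bot: `cookbook 'sshroot2rootssh', path: '/home/psi-jack/Chef/cookbooks/sshroot2rootssh'` pins a dependency to an absolute path in one developer's home directory, so `berks install` fails on any other machine or in CI, and consumers cannot tell where that cookbook actually comes from. A `git:` source or a relative `path: '../sshroot2rootssh'` keeps the resolution reproducible. metadata.rb also declares `depends 'sshroot2rootssh'`, yet neither recipe includes it in this commit (server.rb only carries a commented `#include_recipe "sshroot2rootssh"`), so the hard dependency may be premature.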

3
CHANGELOG.md Normal file

@ -0,0 +1,3 @@
# 0.1.0
Initial release of freeipa

2
Gemfile Normal file

@ -0,0 +1,2 @@
source 'https://rubygems.org'
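Review bot: The Gemfile declares a `source` but no gems, while Thorfile requires `bundler/setup` and `berkshelf/thor`; under `bundle exec thor` those requires fail because bundler restricts the load path to the (empty) bundle. Add `gem 'berkshelf'`, and `gem 'test-kitchen'` plus `gem 'kitchen-vagrant'` if .kitchen.yml is meant to run under bundler too. With gems declared, the `Gemfile.lock` entry in .gitignore should be reconsidered so the toolchain versions are reproducible.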

3
LICENSE Normal file

@ -0,0 +1,3 @@
Copyright (C) 2016 YOUR_NAME
All rights reserved - Do Not Redistribute

42
README.md Normal file

@ -0,0 +1,42 @@
# freeipa-cookbook
TODO: Enter the cookbook description here.
## Supported Platforms
TODO: List your supported platforms.
## Attributes
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['freeipa']['bacon']</tt></td>
<td>Boolean</td>
<td>whether to include bacon</td>
<td><tt>true</tt></td>
</tr>
</table>
## Usage
### freeipa::default
Include `freeipa` in your node's `run_list`:
```json
{
"run_list": [
"recipe[freeipa::default]"
]
}
```
## License and Authors
Author:: YOUR_NAME (<YOUR_EMAIL>)

5
Thorfile Normal file

@ -0,0 +1,5 @@
# encoding: utf-8
require 'bundler'
require 'bundler/setup'
require 'berkshelf/thor'

94
chefignore Normal file

@ -0,0 +1,94 @@
# Put files/directories that should be ignored in this file when uploading
# or sharing to the community site.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
Icon?
nohup.out
ehthumbs.db
Thumbs.db
# SASS #
########
.sass-cache
# EDITORS #
###########
\#*
.#*
*~
*.sw[a-z]
*.bak
REVISION
TAGS*
tmtags
*_flymake.*
*_flymake
*.tmproj
.project
.settings
mkmf.log
## COMPILED ##
##############
a.out
*.o
*.pyc
*.so
*.com
*.class
*.dll
*.exe
*/rdoc/
# Testing #
###########
.watchr
.rspec
spec/*
spec/fixtures/*
test/*
features/*
Guardfile
Procfile
# SCM #
#######
.git
*/.git
.gitignore
.gitmodules
.gitconfig
.gitattributes
.svn
*/.bzr/*
*/.hg/*
*/.svn/*
# Berkshelf #
#############
cookbooks/*
tmp
# Cookbooks #
#############
CONTRIBUTING
CHANGELOG*
# Strainer #
############
Colanderfile
Strainerfile
.colander
.strainer
# Vagrant #
###########
.vagrant
Vagrantfile
# Travis #
##########
.travis.yml

11
metadata.rb Normal file

@ -0,0 +1,11 @@
name 'freeipa'
maintainer 'Eric Renfro'
maintainer_email 'psi-jack@linux-help.org'
license 'GPLv3'
description 'Installs/Configures freeipa'
long_description 'Installs/Configures freeipa'
version '0.1.0'
depends 'ohai'
depends 'chef-vault'
depends 'sshroot2rootssh'
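Review bot: `license 'GPLv3'` disagrees with the LICENSE file added in the same commit ("All rights reserved - Do Not Redistribute") and with the Apache-2.0 headers carried over in recipes/client.rb and recipes/server.rb, so a consumer cannot tell under which terms this cookbook may be used; pick one and make LICENSE, the recipe headers and this line agree. `long_description` merely repeats `description`; the conventional form reads the README, `long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))`. No `supports` line is declared although .kitchen.yml targets ubuntu-14.04 and centos-7.1 and the client recipe uses RHEL-family package names (`ipa-client`, `openldap-clients`), so `supports 'centos'` (plus whatever is actually tested) would document the real platform scope.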

76
recipes/client.rb Normal file

@ -0,0 +1,76 @@
#
# Cookbook Name:: freeipa
# Recipe:: client
#
# Copyright 2011, afistfulofservers
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
node.set[:freeipa][:client] = true
# become aware servers
freeipa_servers = search(:node, "freeipa_server:true")
freeipa_clients = search(:node, "freeipa_client:true")
freeipa_masters = search(:node, "freeipa_master:true")
unless freeipa_servers.empty? then
package "ipa-client"
package "openldap-clients"
package "dbus"
package "certmonger"
puts "DEBUG: got here!"
service "messagebus" do
action [:enable,:start]
end
service "certmonger" do
action [:enable,:start]
end
#### Join node to freeipa 'domain'
# configures kerberos client to point to kdc on freeipa::server
# configures ldap to look up posix information via sssd/nss
execute "joining freeipa client to domain" do
not_if "ls /var/lib/ipa-client/sysrestore/sysrestore.index"
cmd = "ipa-client-install -U"
cmd += " --server " + freeipa_masters[0][:fqdn]
cmd += " --domain " + node[:domain]
cmd += " --realm " + node[:domain].upcase
command cmd
ignore_failure true
end
#### pki enrollment
# gotta wait for ipav2 apparently
#
# generate csr
# submit csr
# enable dbus
# get host cert?
# execute "requesting host principal certificate" do
# cmd = "ipa-getcert request -r"
# cmd += " -f /tmp/affs-server.crt"
# cmd += " -k /tmp/affs-server.key"
# cmd += " -N CN= " + node[:fqdn]
# cmd += " -K host/" + node[:fqdn]
# cmd += " -D " + node[:fqdn]
# cmd += " -U id-kp-serverAuth"
# puts "DEBUG: #{cmd}"
# command cmd
# end
# get http cert?
end
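Review bot: The guard `unless freeipa_servers.empty?` protects the block, but the join command reads `freeipa_masters[0][:fqdn]`; when servers are indexed but none yet carries `freeipa_master:true` (server.rb sets that attribute only during its own converge), `freeipa_masters[0]` is nil and the recipe fails at compile time with NoMethodError. Guard on the list actually used — `unless freeipa_masters.empty?` — or select the master explicitly and raise with a clear message. The enrollment target is taken on trust from a node-settable attribute, so whichever node writes `freeipa_master` into its own attributes decides which server every client enrolls against; pinning this to a role or a validated attribute would narrow that exposure. `puts "DEBUG: got here!"` belongs in `Chef::Log.debug` or should be removed, `freeipa_clients` is unused, and `ignore_failure true` on "joining freeipa client to domain" silently hides a failed enrollment that every later step depends on.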

8
recipes/default.rb Normal file

@ -0,0 +1,8 @@
#
# Cookbook Name:: freeipa
# Recipe:: default
#
# Copyright (C) 2016 YOUR_NAME
#
# All rights reserved - Do Not Redistribute
#
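Review bot: The default recipe is a comment-only header, yet README.md tells users to add `recipe[freeipa::default]` to their run_list, so following the documentation converges nothing. Either make default.rb dispatch (for example `include_recipe 'freeipa::client'` with the server role selected by attribute) or document `freeipa::server` and `freeipa::client` as the entry points.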

203
recipes/server.rb Normal file

@ -0,0 +1,203 @@
#
# Cookbook Name:: freeipa
# Recipe:: server
#
# Copyright 2011, afistfulofservers
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
include_recipe 'chef-vault'
node.set[:freeipa][:server] = true
# become aware of clients and servers
freeipa_servers = search(:node, "freeipa_server:true")
freeipa_clients = search(:node, "freeipa_client:true")
# gather data bag secrets
#secret = Chef::EncryptedDataBagItem.load_secret("/home/psi-jack/.chef/encrypted_data_bag_secret")
#passwords = Chef::EncryptedDataBagItem.load("secrets", "passwords", secret)
passwords = chef_vault_item(:freeipa, 'passwords')
#ldap_server_admin_pwd = data_bag_item('secrets','ldap_server_admin_pwd')['value']
#kdc_database_master_key = data_bag_item('secrets','kdc_database_master_key')['value']
#ipa_user_pwd = data_bag_item('secrets','ipa_user_pwd')['value']
# packages
#package "dbus"
#package "oddjob"
#package "ipa-client"
package "ipa-server"
package "rsync"
##### Security considerations
# All FreeIPA server hosts need to be able to ssh to each other as root to copy replication configs
# That kind of sucks, but what are the real consequences?
# Since they are replicants of each other, this can be justified, since the data is already compromised.
# Can selinux help mitigate this?
#include_recipe "ohai"
#include_recipe "sshroot2rootssh"
##### Replication
# We're going to have to
# a) detect any new freeipa_servers
# b) generate ipa-replica-prepare output for them
# c) copy the configs to them
### Behavor
# First node sets special attribute "master"
# First node configures itself with newly generated crypto
# Subsequent nodes comes up
# Subsequent nodes try to to scp their fqdn's configuration from master
# Subsequent nodes negotiate for master
# negotiate for master
freeipa_masters = search(:node, "freeipa_master:true")
if freeipa_masters.empty? then
node.set[:freeipa][:master] = "true"
end
##### Do master stuff
if node[:freeipa][:master] then
# write better tests to see if freeipa is already set up.
## Bootstrap FreeIPA
execute "initializing freeipa-server" do
not_if "ls /var/lib/ipa/sysrestore/sysrestore.state"
cmd = "ipa-server-install"
cmd += " --hostname " + node[:fqdn]
#cmd += " -u " + "ipaadmin"
cmd += " -r " + node[:domain].upcase
cmd += " -n " + node[:domain]
cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd += " -P " + passwords['kdc_database_master_key']
cmd += " -a " + passwords['ipa_user_pwd']
cmd += " -N "
cmd += " -U "
cmd += " --no-host-dns "
command "#{cmd}"
notifies :start, "service[dirsrv]"
end
# Compare list of freeipa_servers with contents of /var/lib/ipa/
#configured_replicants =`ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{node[:fqdn]} list`.split
configured_replicants =`ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{node[:fqdn]} list`.split
configured_replicants.each { |r| puts "DEBUG: configured_replicant: #{r}" }
freeipa_server_fqdns = Array.new
freeipa_servers.each { |n| freeipa_server_fqdns << n[:fqdn] }
freeipa_server_fqdns.compact!
freeipa_server_fqdns.each do |f|
unless node[:fqdn] == f then
unless configured_replicants.include?( f ) then
execute "generating replica config for #{f}" do
not_if "ls /var/lib/ipa/replica-info-#{f}.gpg"
command "ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']} #{f}"
end
end
end
end
end
### Subsequent nodes
unless node[:freeipa][:master] then
# check to see if slave is setup to replicat from master
#"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list"
# Check for replication config
# Attempt to copy config from master.
# Fail gracefully if not found.
execute "rsyncing freeipa replication data" do
#only_if "ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
cmd = "rsync -a -e \"ssh "
cmd += " -o StrictHostKeyChecking=yes"
cmd += " -o PasswordAuthentication=no\""
cmd += " root@"
cmd += "#{freeipa_masters[0][:fqdn]}:"
cmd += "/var/lib/ipa/replica-info*"
cmd += " /var/lib/ipa"
command cmd
ignore_failure true
end
execute "joining freeipa cluster" do
not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
cmd = "ipa-replica-install"
cmd += " -p " + passwords['ldap_server_admin_pwd']
cmd +=" /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg"
command cmd
end
# copy CA private key
# /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt
execute "copying CA private key" do
only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}"
only_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/"
not_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
cmd = "rsync -a -e \"ssh "
cmd += " -o StrictHostKeyChecking=yes"
cmd += " -o PasswordAuthentication=no\""
cmd += " root@"
cmd += "#{freeipa_masters[0][:fqdn]}:"
cmd += "/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12"
cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/"
#puts "DEBUG: #{cmd}"
command cmd
ignore_failure true
end
end
##### services
# enable all the default services recommended by the freeipa docs
#service "dirsrv" do
# action [:enable,:start]
#end
#service "krb5kdc" do
# only_if service[:dirsrv] => running
# action [:enable,:start]
#end
#template "/etc/httpd/conf.d/ipa.conf" do
# source "ipa.conf.erb"
# mode 0644
# notifies :restart, "service[httpd]"
#end
#service "httpd" do
# action [:enable,:start]
#end
#service "ipa_kpasswd" do
# action [:enable,:start]
#end
#service "ipa" do
# action [:enable,:start]
#end
#
#service "messagebus" do
# action [:enable,:start]
#end
#
#service "oddjobd" do
# action [:enable,:start]
#end
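Review bot: The `execute` resources "initializing freeipa-server", "joining freeipa cluster" and "copying CA private key" put the chef-vault passwords on the command line (`-p`, `-P`, `-a`) and inside `only_if`/`not_if` shell strings, so the secrets are visible in the process table while the commands run and in Chef's resource output and stack traces when one fails; each of these resources should at least set `sensitive true`, and the guards should avoid carrying the password where a file-existence check would do. `notifies :start, "service[dirsrv]"` names a resource that exists only in the commented-out services block at the end of the file, so a master bootstrap run would presumably error on the unresolved notification target. The backtick `ipa-replica-manage ... list` runs at compile time, before `package "ipa-server"` has converged on a fresh master, so the first run raises Errno::ENOENT for the missing binary; move that lookup into a `ruby_block` or guard it on the binary being present. `node.set[:freeipa][:master] = "true"` stores a string while `:server`/`:client` are stored as booleans; the later `if node[:freeipa][:master]` only tests truthiness, so it works, but the mixed types make the search queries harder to reason about.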


@ -0,0 +1,61 @@
ProxyRequests Off
AddType application/java-archive jar
<ProxyMatch ^.*/ipa/ui.*$>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate off
KrbMethodK5Passwd on
KrbServiceName HTTP
KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
RewriteEngine on
Order deny,allow
Allow from all
RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
</ProxyMatch>
ProxyPass /ipa/ui http://localhost:8080/ipa/ui
ProxyPassReverse /ipa/ui http://localhost:8080/ipa/ui
Alias /ipa/xml "/usr/share/ipa/ipaserver/XMLRPC"
Alias /ipa/errors "/usr/share/ipa/html"
Alias /ipa/config "/usr/share/ipa/html"
<Directory "/usr/share/ipa/ipaserver">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
SetHandler mod_python
PythonHandler ipaxmlrpc
PythonDebug Off
PythonOption IPADebug Off
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
<Directory "/usr/share/ipa/html">
AllowOverride None
Satisfy Any
Allow from all
</Directory>
<Directory /var/www/cgi-bin>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>
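Review bot: The Kerberos realm `DEV.US-EAST-1.AWS.AFISTFULOFSERVERS.NET` is hard-coded in all three `KrbAuthRealms` lines although the recipes derive the realm as `node[:domain].upcase`, so on any other domain every ticket presented to this vhost is rejected; if this file is the `ipa.conf.erb` named in server.rb's commented template resource, render it as `KrbAuthRealms <%= node[:domain].upcase %>` (or a passed variable). The file header for this section is not visible, so the path is inferred from that reference, and no recipe in this commit renders it. In the `/ipa/ui` proxy block `KrbMethodNegotiate off` with `KrbMethodK5Passwd on` selects password login over the proxy, and `# RequestHeader unset Authorization` is left commented, so the client's Authorization header is forwarded to the backend on localhost:8080; a comment stating whether that forwarding is intended would help the next maintainer.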


@ -0,0 +1,4 @@
# maintained by chef
<% @freeipa_servers.each do |freeipa_server| -%>
<%= freeipa_server['fqdn'] %>,<%= freeipa_server['ipaddress'] %> ssh-rsa <%= freeipa_server[:keys][:ssh][:host_rsa_public] %>
<% end -%>
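Review bot: `<%= freeipa_server[:keys][:ssh][:host_rsa_public] %>` is emitted for every searched server with no guard, so a server whose ohai key data is not yet indexed either aborts rendering with NoMethodError (nil `[:keys]`) or produces a truncated `host,ip ssh-rsa ` line that ssh rejects; skip such entries with `<% next unless freeipa_server[:keys] && freeipa_server[:keys][:ssh] && freeipa_server[:keys][:ssh][:host_rsa_public] -%>`. The line mixes string keys (`['fqdn']`, `['ipaddress']`) with symbol keys (`[:keys]`); node attributes accept both, but one style reads better. The file header for this section is not visible, and no recipe in this commit renders a template with `@freeipa_servers`, so the file appears unused for now; since this known_hosts content is the trust anchor that `StrictHostKeyChecking=yes` in server.rb's rsync commands relies on, the recipe that renders it should land with the same change.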