diff --git a/metadata.rb b/metadata.rb index 79e4f9d..fe92800 100644 --- a/metadata.rb +++ b/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'psi-jack@linux-help.org' license 'GPLv3' description 'Installs/Configures freeipa' long_description 'Installs/Configures freeipa' -version '0.1.1' +version '0.1.2' depends 'ohai' depends 'chef-vault' diff --git a/recipes/server.rb b/recipes/server.rb index 55b2d21..5b96a14 100644 --- a/recipes/server.rb +++ b/recipes/server.rb @@ -38,14 +38,14 @@ passwords = chef_vault_item(:freeipa, 'passwords') #package "oddjob" #package "ipa-client" #package "ipa-server" -package "rsync" +#package "rsync" package 'ipa-server' do case node[:platform] when 'redhat', 'centos' package_name 'ipa-server' end - action :install + action :install end ##### Security considerations 
@@ -73,28 +73,24 @@ include_recipe "sshroot2rootssh" # negotiate for master freeipa_masters = search(:node, "freeipa_master:true") if freeipa_masters.empty? then - node.set[:freeipa][:master] = true -#end - -##### Do master stuff -#if node[:freeipa][:master] then + ##### Do master stuff # write better tests to see if freeipa is already set up. ## Bootstrap FreeIPA execute "initializing freeipa-server" do - not_if "ls /var/lib/ipa/sysrestore/sysrestore.state" - cmd = "ipa-server-install" - cmd += " --hostname " + node[:fqdn] - #cmd += " -u " + "ipaadmin" - cmd += " -r " + node[:domain].upcase - cmd += " -n " + node[:domain] - cmd += " -p " + passwords['ldap_server_admin_pwd'] - cmd += " -P " + passwords['kdc_database_master_key'] - cmd += " -a " + passwords['ipa_user_pwd'] - cmd += " -N " - cmd += " -U " - cmd += " --no-host-dns " - command "#{cmd}" + not_if { File.exist?('/var/liv/ipa/sysrestore/sysrestore.state') } + cmd = "ipa-server-install" + cmd += " --hostname " + node[:fqdn] + #cmd += " -u " + "ipaadmin" + cmd += " -r " + node[:domain].upcase + cmd += " -n " + node[:domain] + cmd += " -p " + passwords['ldap_server_admin_pwd'] + cmd += " -P " + passwords['kdc_database_master_key'] + cmd += " -a " + passwords['ipa_user_pwd'] + cmd += " -N " + cmd += " -U " + cmd += " --no-host-dns --mkhomedir" + command cmd #notifies :start, "service[dirsrv]" end 
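Review bot: The new `not_if` guard on "initializing freeipa-server" tests `/var/liv/ipa/sysrestore/sysrestore.state`, a path that is never written, so the guard never matches and `ipa-server-install -U` is re-executed on every converge after the first; it should read `not_if { File.exist?('/var/lib/ipa/sysrestore/sysrestore.state') }`, the same path the removed `ls` guard used. The command line also carries three chef-vault secrets (`-p`, `-P`, `-a`) and the resource has no `sensitive true`, so a failed run prints the full command, passwords included, into the Chef log; the replica install later in this file already sets `sensitive true`, so add the same line here. Note that those secrets are visible to any local user via `ps` while the installer runs regardless of logging. The enclosing `if freeipa_masters.empty?` block continues past the end of this hunk.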
@@ -118,61 +114,78 @@ if freeipa_masters.empty? then # end #end -#end + node.set[:freeipa][:master] = true -### Subsequent nodes -#unless node[:freeipa][:master] then -else +elsif (node[:freeipa][:master].nil? && node[:freeipa][:master] == false) && (node[:freeipa][:replica].nil? && node[:freeipa][:replica] == false) then + ### Subsequent Replica Nodes # check to see if slave is setup to replicat from master #"ipa-replica-manage -p 0123456789 -H authentication-1.dev.us-east-1.aws.afistfulofservers.net list" + ssh_noauth = "-o StrictHostKeyChecking=yes -o PasswordAuthentication=no" + + execute "prepare replica from master" do + cmd = "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} ipa-replica-prepare -p #{passwords['ldap_server_admin_pwd']}" + command cmd + not_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + #notifies :run, 'execute[rsyncing freeipa replication data]', :immediately + end # Check for replication config # Attempt to copy config from master. # Fail gracefully if not found. 
- execute "rsyncing freeipa replication data" do - #only_if "ipa-replica-manage -p #{ldap_server_admin_pwd} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - cmd = "rsync -a -e \"ssh " - cmd += " -o StrictHostKeyChecking=yes" - cmd += " -o PasswordAuthentication=no\"" - cmd += " root@" - cmd += "#{freeipa_masters[0][:fqdn]}:" - cmd += "/var/lib/ipa/replica-info*" - cmd += " /var/lib/ipa" - command cmd - ignore_failure true + execute "scping freeipa replication data" do + #only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + only_if "ssh #{ssh_noauth} root@#{freeipa_masters[0][:fqdn]} test -f /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + not_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } + #cmd = "rsync -a -e \"ssh " + ssh_noauth + cmd = "scp " + ssh_noauth + cmd += " root@" + freeipa_masters[0][:fqdn] + cmd += ":/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + cmd += " /var/lib/ipa/" + command cmd + notifies :run, 'execute[joining freeipa cluster]', :immediately end execute "joining freeipa cluster" do - not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" - cmd = "ipa-replica-install" - cmd += " -p " + passwords['ldap_server_admin_pwd'] - cmd +=" /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" - command cmd + not_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + #only_if "ls /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + only_if { File.exist?("/var/lib/ipa/replica-info-#{node[:fqdn]}.gpg") } + cmd = "ipa-replica-install" + cmd += " -p " + passwords['ldap_server_admin_pwd'] + cmd += " --unattended --mkhomedir --skip-conncheck" + cmd += " /var/lib/ipa/replica-info-#{node[:fqdn]}.gpg" + command cmd + sensitive true + action :nothing + notifies :run, 
'execute[copying CA private key]', :immediately end # copy CA private key # /etc/dirsrv/slapd-DEV-US-EAST-1-AWS-AFISTFULOFSERVERS-NET/pwdfile.txt execute "copying CA private key" do - only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" - only_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/" - not_if "ls /etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" - cmd = "rsync -a -e \"ssh " - cmd += " -o StrictHostKeyChecking=yes" - cmd += " -o PasswordAuthentication=no\"" - cmd += " root@" - cmd += "#{freeipa_masters[0][:fqdn]}:" - cmd += "/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" - cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" - #puts "DEBUG: #{cmd}" - command cmd + only_if "ipa-replica-manage -p #{passwords['ldap_server_admin_pwd']} -H #{freeipa_masters[0][:fqdn]} list | grep #{node[:fqdn]}" + only_if { File.exist?("/etc/dirsrv/slapd-#{node[:domain].upcase}/") } + not_if { File.exist?("/etc/dirsrv/slaved-#{node[:domain].upcase}/cacert.p12") } + cmd = "scp " + ssh_noauth + cmd += " root@" + freeipa_masters[0][:fqdn] + cmd += ":/etc/dirsrv/slapd-#{node[:domain].upcase}/cacert.p12" + cmd += " /etc/dirsrv/slapd-#{node[:domain].upcase}/" + command cmd ignore_failure true + action :nothing + notifies :run, 'ruby_block[set node as replica]', :immediately + end + + ruby_block "set node as replica" do + block do + node.set[:freeipa][:replica] = true + end + action :nothing end end file '/etc/ipa/admin.password' do - content "#{passwords['ipa_user_pwd']}" + content passwords['ipa_user_pwd'] owner 'root' group 'root' mode '0600' 
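Review bot: The new `elsif` condition can never be true: `node[:freeipa][:master].nil? && node[:freeipa][:master] == false` requires one value to be both `nil` and `false` (likewise for `:replica`), so the whole replica-setup branch, including "prepare replica from master", "scping freeipa replication data" and "joining freeipa cluster", is unreachable. The intended test is presumably `elsif !node[:freeipa][:master] && !node[:freeipa][:replica] then`, which treats both unset and `false` as "not yet configured". Separately, the `not_if` on "copying CA private key" checks `slaved-#{node[:domain].upcase}/cacert.p12` while the scp writes under `slapd-…`, so that guard never matches either; and "prepare replica from master" ships `passwords['ldap_server_admin_pwd']` on a remote ssh argv with no `sensitive true`, so it is logged by Chef on failure and visible in `ps` on the master. The `if`/`elsif` whose branches these are opens in an earlier hunk.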
@@ -183,12 +196,13 @@ end # enable all the default services recommended by the freeipa docs #service "dirsrv" do -# action [:enable,:start] +# service_name "dirsrv@#{node[:domain].upcase.gsub(".", "-")}" +# action [:enable,:start] #end #service "krb5kdc" do -# only_if service[:dirsrv] => running -# action [:enable,:start] +# only_if service[:dirsrv] => running +# action [:enable,:start] #end #template "/etc/httpd/conf.d/ipa.conf" do @@ -197,18 +211,18 @@ end # notifies :restart, "service[httpd]" #end -#service "httpd" do -# action [:enable,:start] -#end +service "httpd" do + action [:enable,:start] +end #service "ipa_kpasswd" do # action [:enable,:start] #end -#service "ipa" do -# action [:enable,:start] -#end -# +service "ipa" do + action [:enable,:start] +end + #service "messagebus" do # action [:enable,:start] #end
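Review bot: The newly enabled `service "httpd"` and `service "ipa"` resources run unconditionally, with no guard tying them to a completed `ipa-server-install` or `ipa-replica-install`, so on a node where neither install branch ran they will try to enable and start an unconfigured httpd and the `ipa` unit on every converge and fail the run. A guard such as `only_if { File.exist?('/var/lib/ipa/sysrestore/sysrestore.state') }` on both resources would limit them to nodes where IPA has actually been set up. It also looks, from the commented-out `dirsrv`/`krb5kdc` blocks above, as if `ipa` is meant to be the umbrella service that controls the component daemons including httpd; if so, starting httpd separately is redundant and may race with it — worth confirming against the target platform's `ipa` unit before keeping both.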