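# Recipe: my-ldap
# Attribute file: default
# Get Cloud hostname
#
# Ask the cloud metadata service (link-local address, reachable only from a
# cloud instance) for the public hostname and keep its first DNS label; the
# value is used further down as the key into node['baz']['instances'].
# Net::HTTP with explicit open/read timeouts replaces the old combination of
# Timeout.timeout + TCPSocket probe + Kernel#open(url): Kernel#open on an
# "http://" string no longer goes through open-uri since Ruby 3.0 (it is
# treated as a file path and raises Errno::ENOENT, which was not rescued),
# and Timeout.timeout can interrupt the wrapped code at arbitrary points.
# Any connection failure, timeout, non-2xx answer or empty body falls back
# to the Ohai hostname, as the original rescue clause did.
require 'net/http'

hostname = begin
  metadata_response = Net::HTTP.start('169.254.169.254', 80,
                                      open_timeout: 5, read_timeout: 5) do |http|
    http.get('/latest/meta-data/public-hostname')
  end
  if metadata_response.is_a?(Net::HTTPSuccess) && !metadata_response.body.to_s.empty?
    metadata_response.body.split('.').first
  else
    node['hostname']
  end
rescue Timeout::Error, Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ENETUNREACH
  # Net::OpenTimeout and Net::ReadTimeout are Timeout::Error subclasses;
  # ENETUNREACH is what a host without a route to 169.254.0.0/16 raises.
  node['hostname']
end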
# Set register type
#
# sssd is used on RHEL >= 7 and SLES >= 11.3, the classic nss/pam ldap stack
# everywhere else. Evaluate the platform predicates once and reuse them.
distro = node['platform']
distro_version = node['platform_version'].to_f
modern_redhat = distro == 'redhat' && distro_version >= 7.0
modern_suse = distro == 'suse' && distro_version >= 11.3
node.default['my-ldap']['reg'] = modern_redhat || modern_suse ? 'sssd' : 'ldap'
# Set special attributes in etc/ldap.conf
# Only RHEL >= 7 and SLES >= 12 do without the special entries.
suse12_or_newer = distro == 'suse' && distro_version >= 12.0
node.default['my-ldap']['etc_ldap_special'] = !(modern_redhat || suse12_or_newer)
# Set automount. sles 11.3 and 11.4 use ldap for automount
# 'sssd'.chomp('d') gives the autofs lookup name 'sss'; 'ldap' is unchanged.
node.default['my-ldap']['automount'] = node['my-ldap']['reg'].chomp('d')
node.default['my-ldap']['automount'] = 'ldap' if modern_suse && distro_version < 12.0
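# Check for cloud platform region
#
# Read each attribute level explicitly instead of `defined?(node[...][...])`:
# `defined?` only checks that the receiver responds to `[]`, so when
# node['openstack'] existed without 'placement_availability_zone' the
# following `.empty?` call raised NoMethodError on nil. The precedence is
# unchanged: OpenStack placement zone first, then the baz instance record
# keyed by the hostname computed above; nil when neither is present.
openstack_zone = node['openstack'] && node['openstack']['placement_availability_zone']
baz_instance = node['baz'] && node['baz']['instances'] && node['baz']['instances'][hostname]
region = if openstack_zone && !openstack_zone.empty?
           openstack_zone
         elsif baz_instance && baz_instance['region']
           baz_instance['region']
         end
node.default['my-ldap']['region'] = region
# Reset attribute if region is US
# NOTE(review): /us|na/ is an unanchored substring match, not a comparison
# against region codes; confirm it cannot hit other region names.
node.default['my-ldap']['automount'] = '' if region =~ /us|na/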
# Set specific services
#
# Service lists per registration type plus the services to stop; keys are
# written one by one so existing default-level siblings are untouched.
{
  'common' => %w[autofs],
  'sssd' => %w[sssd],
  'ldap' => %w[nslcd],
  'stop_services' => %w[nscd]
}.each { |group, services| node.default['my-ldap']['services'][group] = services }
# Specific entries for /etc/mount.map
# NOTE(review): the key name 'mount_map_node.default' looks like a
# "default[" -> "node.default[" search-and-replace that also hit this string
# literal; confirm the recipe/template reads the same key.
node.default['my-ldap']['mount_map_node.default'] = %w[+auto.linux]
node.default['my-ldap']['mount_map_entries'] = []
# Set network zone
#
# A host whose FQDN contains "dmz" gets the DMZ profile and the "dmz"
# hostname prefix used in LDAP server names and the searchdomain.
# NOTE(review): this is a bare substring match anywhere in the FQDN; confirm
# no non-DMZ hostnames contain "dmz", since the zone drives the TLS settings.
dmz_host = node['fqdn'] =~ /dmz/
node.default['my-ldap']['network'] = dmz_host ? 'dmz' : 'int'
url_particle = dmz_host ? 'dmz' : ''
# Set DC for LDAP configuration according to network zone
node.default['my-ldap']['dc'] = "#{url_particle}bar"
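# Get availability zone
#
# Explicit nil checks replace `defined?(...)`, which only verifies that the
# receiver responds to `[]` and therefore let `.attribute?` raise
# NoMethodError when node['baz']['instances'] existed but had no entry for
# this hostname (and `.empty?` likewise for a missing OpenStack zone).
# Precedence is unchanged: baz instance record first, then the OpenStack
# placement zone, else an empty string (mapped to 'bar' below).
baz_instance = node['baz'] && node['baz']['instances'] && node['baz']['instances'][hostname]
openstack_zone = node['openstack'] && node['openstack']['placement_availability_zone']
raw_zone = if baz_instance && baz_instance['availability_zone']
             # 'site_rest' -> 'site'; an empty value yields nil and falls back to 'bar'
             baz_instance['availability_zone'].split('_')[0] || 'bar'
           elsif openstack_zone && !openstack_zone.empty?
             # 'region-rest' -> 'region'; an empty value falls back to 'eu'
             openstack_zone.split('-')[0] || 'eu'
           else
             ''
           end
# Normalise the raw zone name to one of the three LDAP server groups.
# NOTE(review): the patterns are unanchored substring matches (e.g. 'na'),
# and anything unrecognised silently becomes 'bar'.
zone = case raw_zone
       when /rot|walldorf|bar|eu/i then 'bar'
       when /dublin/i then 'dub'
       when /phl|na/i then 'phl'
       else 'bar'
       end
node.default['my-ldap']['zone'] = zone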
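# Set LDAP servers according to availability zone and network type
# Example LDAP server: ldaps://smmdmzslap1.dmzbar.foo.corp
#
# The network zone is read once through the merged attribute view. The
# original mixed node['my-ldap']['network'] (merged) with
# node.default['my-ldap']['network'] (default level only) inside the same
# server string, so an override of 'network' at a higher precedence level
# would have produced a server pair spanning two different zones.
ldap_network = node['my-ldap']['network']
if ldap_network == 'dmz' && zone == 'bar'
  ldap_proto = 'ldaps'
  node.default['my-ldap']['ldapport'] = 636
  node.default['my-ldap']['ldapssl'] = 'on'
  # NOTE(review): 'never' switches off server certificate checking for the
  # LDAPS connection, so the transport is encrypted but the server is not
  # authenticated. The CA material is provisioned below (cacertdir /
  # cacertfile), so 'demand' may be viable — confirm the deployed CA matches
  # the DMZ servers before tightening.
  node.default['my-ldap']['tls_checkpeer'] = 'never'
  node.default['my-ldap']['tls_reqcert'] = 'never'
else
  ldap_proto = 'ldap'
  node.default['my-ldap']['ldapport'] = 389
  node.default['my-ldap']['ldapssl'] = 'start_tls'
  node.default['my-ldap']['tls_checkpeer'] = 'allow'
  node.default['my-ldap']['tls_reqcert'] = 'allow'
end
# DMZ hosts talk LDAPS directly, so the StartTLS switches are off there.
dmz_network = ldap_network == 'dmz'
node.default['my-ldap']['ldap_id_use_start_tls'] = dmz_network ? 'false' : 'true'
node.default['my-ldap']['autofs_usetls'] = dmz_network ? 'no' : 'yes'
node.default['my-ldap']['autofs_tlsrequired'] = dmz_network ? 'no' : 'yes'
# Two space-separated server URIs: "<proto>://smm<network><host>.<particle><domain>.foo.corp"
ldap_server_pair = lambda do |host_a, host_b, domain|
  "#{ldap_proto}://smm#{ldap_network}#{host_a}.#{url_particle}#{domain}.foo.corp " \
    "#{ldap_proto}://smm#{ldap_network}#{host_b}.#{url_particle}#{domain}.foo.corp"
end
case zone
when 'bar'
  node.default['my-ldap']['ldapserver'] = ldap_server_pair.call('slap1', 'slap2', 'bar')
when 'phl'
  node.default['my-ldap']['ldapserver'] = ldap_server_pair.call('slap3', 'slap4', 'mo')
when 'dub'
  node.default['my-ldap']['ldapserver'] = ldap_server_pair.call('slap5', 'slap6', 'mo')
end
node.default['my-ldap']['searchdomain'] = "#{url_particle}bar.foo.corp"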
# Templates LDAP
#
# Every entry is a {'source','target','mode'} hash; the mode defaults to
# 0644 and is given explicitly only for the files that hold credentials.
# NOTE(review): if the ldap.conf / pam_ldap.conf / nslcd.conf templates carry
# a bind password, 0644 makes it readable by every local user — confirm the
# template contents before relying on these modes.
tpl = lambda do |source, target, mode = '0644'|
  { 'source' => source, 'target' => target, 'mode' => mode }
end
node.default['my-ldap']['templates']['redhat']['ldap'] = [
  tpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tpl.call('etc_nslcd_conf.erb', '/etc/nslcd.conf'),
  tpl.call('etc_pamldap_conf.erb', '/etc/pam_ldap.conf'),
  tpl.call('etc_sudo_ldap_conf.erb', '/etc/sudo-ldap.conf')
]
node.default['my-ldap']['templates']['suse']['ldap'] = [
  tpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tpl.call('etc_sysconfig_ldap.erb', '/etc/sysconfig/ldap')
]
# Templates SSSD
node.default['my-ldap']['templates']['redhat']['sssd'] = [
  tpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tpl.call('etc_autofs_ldap_auth_conf.erb', '/etc/autofs_ldap_auth.conf', '0600'),
  tpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tpl.call('etc_logrotate_d_sssd.erb', '/etc/logrotate.d/sssd'),
  tpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tpl.call('etc_sssd_sssd_conf.erb', '/etc/sssd/sssd.conf', '0600'),
  tpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs')
]
node.default['my-ldap']['templates']['suse']['sssd'] = [
  tpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tpl.call('etc_autofs_ldap_auth_conf.erb', '/etc/autofs_ldap_auth.conf', '0600'),
  tpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tpl.call('etc_logrotate_d_sssd.erb', '/etc/logrotate.d/sssd'),
  tpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tpl.call('etc_sssd_sssd_conf.erb', '/etc/sssd/sssd.conf', '0600'),
  tpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tpl.call('etc_sysconfig_ldap.erb', '/etc/sysconfig/ldap')
]
# Software packages
# NOTE(review): the key name 'node.default' under 'packages' looks like a
# "default[" -> "node.default[" search-and-replace that also hit this string
# literal; confirm the recipe reads the same key.
node.default['my-ldap']['packages']['node.default'] = %w[autofs rpcbind sudosh2 tcsh]
node.default['my-ldap']['packages']['redhat']['ldap'] = %w[authconfig-gtk nfs-utils nss-pam-ldapd openldap-clients openssh-ldap pam_ldap]
node.default['my-ldap']['packages']['redhat']['sssd'] = %w[authconfig nfs-utils openssh-ldap sssd]
node.default['my-ldap']['packages']['suse']['ldap'] = %w[nfs-client nfs-kernel-server nss_ldap nss_ldap-32bit pam_ldap pam_ldap-32bit]
node.default['my-ldap']['packages']['suse']['sssd'] = %w[nfs-client openldap2-client sssd]
# add special or missing packages per distribution
# The three version conditions are mutually exclusive, so at most one
# extra list is appended to the platform's sssd package list.
platform_name = node['platform']
platform_release = node['platform_version'].to_f
extra_sssd_packages =
  if platform_name == 'suse' && platform_release == 11.4
    %w[openssh-helpers]
  elsif platform_name == 'suse' && platform_release >= 12.0
    %w[libsss_sudo]
  elsif platform_name == 'redhat' && platform_release >= 7.0
    %w[openldap-clients]
  else
    []
  end
unless extra_sssd_packages.empty?
  node.default['my-ldap']['packages'][platform_name]['sssd'] += extra_sssd_packages
end
# Configuration parameters for DMZ
node.default['my-ldap']['cacertdir'] = '/etc/openldap/cert'
node.default['my-ldap']['cacertfile'] = 'ldap-server-dmz.crt'
# AuthorizedKeysCommand for sshd_config
# Key lookup helper path per platform and registration type.
{
  'redhat' => { 'ldap' => '/usr/libexec/openssh/ssh-ldap-wrapper', 'sssd' => '/usr/bin/sss_ssh_authorizedkeys' },
  'suse' => { 'ldap' => '/usr/lib64/ssh/ssh-ldap-wrapper', 'sssd' => '/usr/bin/sss_ssh_authorizedkeys' }
}.each do |distro_name, wrappers|
  wrappers.each { |reg_type, path| node.default['my-ldap']['ldap-wrapper'][distro_name][reg_type] = path }
end
# Allowed groups
node.default['my-ldap']['custom_allowgroups'] = ''
{
  'redhat' => 'smm_profile_baz_allow root lroot ccloud sysadmin baz',
  'suse' => 'smm_profile_baz_allow root ccloud sysadmin baz'
}.each { |distro_name, groups| node.default['my-ldap']['sshd_allowgroups'][distro_name] = groups }
# AuthorizedKeysCommandUser for ssh according to OpenSSH version
# The installed OpenSSH version is read from rpm at attribute-load time;
# when the query yields nothing the slice returns nil and to_f gives 0.0,
# which selects the legacy RunAs keyword.
openssh_version = Mixlib::ShellOut.new('rpm -q --queryformat "%{VERSION}" openssh').run_command.stdout.slice(/^.*\.[0-9]/).to_f
node.default['my-ldap']['sshd_runas'] = openssh_version >= 6.2 ? 'AuthorizedKeysCommandUser' : 'AuthorizedKeysCommandRunAs'
# Symbolic links for home directories
node.default['my-ldap']['foomnt_homes'] = { '/foomnt/HOME' => '/net/foomnt.HOME', '/foomnt/home' => '/net/foomnt.home' }
# sssd configuration parameters
# All search bases hang off the zone-specific base DN derived from 'dc'.
ldap_base = "dc=ldap,dc=#{node['my-ldap']['dc']},dc=foo,dc=corp"
{
  'ldap_autofs_search_base' => "ou=automount,#{ldap_base}",
  'ldap_group_search_base' => "ou=groups,#{ldap_base}",
  'ldap_search_base' => ldap_base,
  'ldap_sudo_search_base' => "ou=sudoers,#{ldap_base}",
  'ldap_service_search_base' => "ou=services,#{ldap_base}"
}.each { |key, base| node.default['my-ldap']['sssd_conf'][key] = base }