# Recipe: my-ldap
# Attribute file: default
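# Get Cloud hostname
# Ask the instance metadata service (link-local 169.254.169.254) for the public
# hostname and keep only its first DNS label. The TCP probe and the HTTP read
# share one 5-second timeout so a host without a metadata service does not
# stall the Chef run. Any connection/resolver failure, a non-2xx reply, or an
# empty reply falls back to the node's own hostname.
#
# Security note: the value is external input even though the endpoint is
# link-local; below it is only used as a lookup key into node['baz']['instances'],
# never as a shell argument or file path. Keep it that way.
require 'open-uri'
require 'socket'
require 'timeout'
hostname = ''
begin
  Timeout.timeout(5) do
    TCPSocket.new('169.254.169.254', 80).close
    meta_url = 'http://169.254.169.254/latest/meta-data/public-hostname'
    # Ruby 3 dropped open-uri's override of Kernel#open; use URI.open where it
    # exists (Ruby >= 2.5) and keep the old spelling for older interpreters.
    raw = if URI.respond_to?(:open)
            URI.open(meta_url, &:read)
          else
            open(meta_url, &:read)
          end
    # An empty body gives [] from split and nil from first; to_s keeps it a String.
    hostname = raw.to_s.split('.').first.to_s
  end
rescue Timeout::Error, SocketError, SystemCallError, OpenURI::HTTPError
  # SystemCallError covers every Errno::* (ECONNREFUSED, EHOSTUNREACH,
  # ENETUNREACH, ETIMEDOUT, ...), SocketError covers resolver failures and
  # HTTPError a non-2xx metadata reply. Anything missed here would abort the run.
  hostname = ''
end
hostname = node['hostname'] if hostname.empty?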
# Set register type
# Platform gates shared by the three settings below: RHEL 7+ and SLES 11.3+ run
# sssd, older releases use the classic nss/pam LDAP stack ('ldap').
os_platform = node['platform']
os_version = node['platform_version'].to_f
rhel7_plus = os_platform == 'redhat' && os_version >= 7.0
sles = os_platform == 'suse'
node.default['my-ldap']['reg'] = (rhel7_plus || (sles && os_version >= 11.3)) ? 'sssd' : 'ldap'
# Set special attributes in etc/ldap.conf
# Flag presumably consumed by the etc_ldap_conf template; off on RHEL 7+ and SLES 12+.
node.default['my-ldap']['etc_ldap_special'] = !(rhel7_plus || (sles && os_version >= 12.0))
# Set automount. sles 11.3 and 11.4 use ldap for automount
# 'sssd'.chomp('d') gives 'sss'; 'ldap' is unchanged. SLES 11.3/11.4 are pinned to ldap.
automount = node['my-ldap']['reg'].chomp('d')
automount = 'ldap' if sles && os_version >= 11.3 && os_version < 12.0
node.default['my-ldap']['automount'] = automount
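# Check for cloud platform region
# Region comes from the OpenStack placement zone when it is set and non-empty,
# otherwise from this host's entry in the 'baz' instance data; nil when neither
# is available. defined?() on an attribute chain only guards a nil intermediate
# (nil has no []); it does not tell whether the leaf key is set, so the leaf is
# copied into a local and checked explicitly. Without that, a present
# node['openstack'] with no placement zone raised NoMethodError on nil.empty?.
placement_az = node['openstack']['placement_availability_zone'] if defined?(node['openstack']['placement_availability_zone'])
region = if placement_az && !placement_az.empty?
  placement_az
elsif defined?(node['baz']['instances'][hostname]['region'])
  node['baz']['instances'][hostname]['region']
end
node.default['my-ldap']['region'] = region
# Reset attribute if region is US
# NOTE(review): unanchored substring match -- any region name containing "us"
# or "na" (e.g. "canada", "austria") also clears automount; confirm intended.
case region
when /us|na/
  node.default['my-ldap']['automount'] = ''
end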
# Set specific services
# Services the recipe manages: 'common' always, the 'sssd'/'ldap' set for the
# active register type, and 'stop_services' to be disabled (presumably because
# nscd caching conflicts with sssd/nslcd).
service_groups = {
  'common' => %w[autofs],
  'sssd' => %w[sssd],
  'ldap' => %w[nslcd],
  'stop_services' => %w[nscd]
}
service_groups.each do |group, services|
  node.default['my-ldap']['services'][group] = services
end
# Specific entries for /etc/mount.map
# NOTE(review): the key 'mount_map_node.default' looks like a search-and-replace
# artifact for 'mount_map_default'; kept verbatim because templates may
# reference it under this name.
node.default['my-ldap']['mount_map_node.default'] = %w[+auto.linux]
node.default['my-ldap']['mount_map_entries'] = []
# Set network zone
# Hosts whose FQDN contains "dmz" are classified as DMZ, everything else as
# internal. This classification drives the LDAP TLS settings further below, so
# it is a trust decision taken on a hostname substring -- NOTE(review): confirm
# the naming convention is reliable (any FQDN containing "dmz" lands in the
# DMZ profile; a nil fqdn lands in 'int').
network_zone = (node['fqdn'] =~ /dmz/) ? 'dmz' : 'int'
node.default['my-ldap']['network'] = network_zone
# Prefix used in LDAP host and domain names ('' for the internal network).
url_particle = network_zone == 'dmz' ? 'dmz' : ''
# Set DC for LDAP configuration according to network zone
node.default['my-ldap']['dc'] = "#{url_particle}bar"
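# Get availability zone
# Prefer the 'baz' instance record for this host (first "_" segment of its
# availability_zone), then the OpenStack placement zone (first "-" segment);
# '' when neither is known. The raw value is then normalised to one of three
# site codes, 'bar' being the catch-all.
instance = node['baz']['instances'][hostname] if defined?(node['baz']['instances'][hostname])
placement_zone = node['openstack']['placement_availability_zone'] if defined?(node['openstack']['placement_availability_zone'])
# instance is nil when the host is not listed (or hostname is empty); calling
# attribute? on it unguarded raised NoMethodError and aborted the run, as did
# nil.empty? when node['openstack'] existed without a placement zone.
raw_zone = if instance.respond_to?(:attribute?) && instance.attribute?('availability_zone')
  instance['availability_zone'].split('_')[0] || 'bar'
elsif placement_zone && !placement_zone.empty?
  placement_zone.split('-')[0] || 'eu'
else
  ''
end
zone = case raw_zone
       when /rot|walldorf|bar|eu/i then 'bar'
       when /dublin/i then 'dub'
       when /phl|na/i then 'phl'
       else 'bar'
       end
node.default['my-ldap']['zone'] = zone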
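# Set LDAP servers according to availability zone and network type
# Example LDAP server: ldaps://smmdmzslap1.dmzbar.foo.corp
#
# DMZ hosts in the 'bar' zone talk LDAPS on 636; everything else uses LDAP on
# 389 with StartTLS.
# Security note: the DMZ/bar branch sets tls_checkpeer and tls_reqcert to
# 'never', i.e. the LDAP server certificate is not verified even though
# cacertdir/cacertfile are configured further down; 'allow' on the other branch
# also tolerates a bad or missing certificate. Both leave the bind open to an
# impersonated server. Tightening to 'demand' needs the CA file deployed first,
# so this is flagged here rather than changed.
dmz_network = node['my-ldap']['network'] == 'dmz'
if dmz_network && zone == 'bar'
  ldap_proto = 'ldaps'
  node.default['my-ldap']['ldapport'] = 636
  node.default['my-ldap']['ldapssl'] = 'on'
  node.default['my-ldap']['tls_checkpeer'] = 'never'
  node.default['my-ldap']['tls_reqcert'] = 'never'
else
  ldap_proto = 'ldap'
  node.default['my-ldap']['ldapport'] = 389
  node.default['my-ldap']['ldapssl'] = 'start_tls'
  node.default['my-ldap']['tls_checkpeer'] = 'allow'
  node.default['my-ldap']['tls_reqcert'] = 'allow'
end
# sssd / autofs StartTLS usage follows the network zone only (DMZ: off).
if dmz_network
  node.default['my-ldap']['ldap_id_use_start_tls'] = 'false'
  node.default['my-ldap']['autofs_usetls'] = 'no'
  node.default['my-ldap']['autofs_tlsrequired'] = 'no'
else
  node.default['my-ldap']['ldap_id_use_start_tls'] = 'true'
  node.default['my-ldap']['autofs_usetls'] = 'yes'
  node.default['my-ldap']['autofs_tlsrequired'] = 'yes'
end
# One pair of servers per zone; 'bar' lives under the bar domain, the others
# under mo. The network name is read once from the merged node view so that an
# override of ['my-ldap']['network'] is honoured consistently for both hosts
# (reading node[] for one host and node.default[] for the other could differ).
ldap_hosts_by_zone = {
  'bar' => [%w[slap1 slap2], 'bar'],
  'phl' => [%w[slap3 slap4], 'mo'],
  'dub' => [%w[slap5 slap6], 'mo']
}
if ldap_hosts_by_zone.key?(zone)
  hosts, site = ldap_hosts_by_zone.fetch(zone)
  net_zone = node['my-ldap']['network']
  node.default['my-ldap']['ldapserver'] = hosts.map do |host|
    "#{ldap_proto}://smm#{net_zone}#{host}.#{url_particle}#{site}.foo.corp"
  end.join(' ')
end
node.default['my-ldap']['searchdomain'] = "#{url_particle}bar.foo.corp"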
# Templates LDAP
# Cookbook templates rendered per platform and register type: each entry maps a
# template source to its target path and file mode (0644 unless given).
# Security note: sssd.conf and autofs_ldap_auth.conf are 0600, presumably
# because they hold bind credentials. NOTE(review): /etc/ldap.conf,
# /etc/nslcd.conf and /etc/pam_ldap.conf are world-readable (0644) -- confirm
# those templates do not embed a bindpw, since that would expose it to every
# local user.
tmpl = lambda do |source, target, mode = '0644'|
  { 'source' => source, 'target' => target, 'mode' => mode }
end
node.default['my-ldap']['templates']['redhat']['ldap'] = [
  tmpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tmpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tmpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tmpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tmpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tmpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tmpl.call('etc_nslcd_conf.erb', '/etc/nslcd.conf'),
  tmpl.call('etc_pamldap_conf.erb', '/etc/pam_ldap.conf'),
  tmpl.call('etc_sudo_ldap_conf.erb', '/etc/sudo-ldap.conf')
]
node.default['my-ldap']['templates']['suse']['ldap'] = [
  tmpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tmpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tmpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tmpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tmpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tmpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tmpl.call('etc_sysconfig_ldap.erb', '/etc/sysconfig/ldap')
]
# Templates SSSD
node.default['my-ldap']['templates']['redhat']['sssd'] = [
  tmpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tmpl.call('etc_autofs_ldap_auth_conf.erb', '/etc/autofs_ldap_auth.conf', '0600'),
  tmpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tmpl.call('etc_logrotate_d_sssd.erb', '/etc/logrotate.d/sssd'),
  tmpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tmpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tmpl.call('etc_sssd_sssd_conf.erb', '/etc/sssd/sssd.conf', '0600'),
  tmpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs')
]
node.default['my-ldap']['templates']['suse']['sssd'] = [
  tmpl.call('etc_auto_master.erb', '/etc/auto.master'),
  tmpl.call('etc_autofs_ldap_auth_conf.erb', '/etc/autofs_ldap_auth.conf', '0600'),
  tmpl.call('etc_ldap_conf.erb', '/etc/ldap.conf'),
  tmpl.call('etc_nsswitch_conf.erb', '/etc/nsswitch.conf'),
  tmpl.call('etc_logrotate_d_sssd.erb', '/etc/logrotate.d/sssd'),
  tmpl.call('etc_openldap_ldap_conf.erb', '/etc/openldap/ldap.conf'),
  tmpl.call('etc_ssh_ldap_conf.erb', '/etc/ssh/ldap.conf'),
  tmpl.call('etc_sssd_sssd_conf.erb', '/etc/sssd/sssd.conf', '0600'),
  tmpl.call('etc_sysconfig_autofs.erb', '/etc/sysconfig/autofs'),
  tmpl.call('etc_sysconfig_ldap.erb', '/etc/sysconfig/ldap')
]
# Software packages
# Base package sets: a common list plus one per platform and register type.
# NOTE(review): the key 'node.default' (like 'mount_map_node.default' above)
# looks like a search-and-replace artifact for 'default'; it is kept verbatim
# because recipes may look it up under this name.
os_platform = node['platform']
os_version = node['platform_version'].to_f
node.default['my-ldap']['packages']['node.default'] = %w[autofs rpcbind sudosh2 tcsh]
package_sets = {
  'redhat' => {
    'ldap' => %w[authconfig-gtk nfs-utils nss-pam-ldapd openldap-clients openssh-ldap pam_ldap],
    'sssd' => %w[authconfig nfs-utils openssh-ldap sssd]
  },
  'suse' => {
    'ldap' => %w[nfs-client nfs-kernel-server nss_ldap nss_ldap-32bit pam_ldap pam_ldap-32bit],
    'sssd' => %w[nfs-client openldap2-client sssd]
  }
}
package_sets.each do |plat, by_reg|
  by_reg.each { |reg, pkgs| node.default['my-ldap']['packages'][plat][reg] = pkgs }
end
# add special or missing packages per distribution
# SLES 11.4 needs openssh-helpers, SLES 12+ libsss_sudo, RHEL 7+ openldap-clients.
# The 11.4 test is a float equality on the parsed version string ("11.4" only).
extra_sssd_packages =
  case os_platform
  when 'suse'
    if os_version >= 12.0
      %w[libsss_sudo]
    elsif os_version == 11.4
      %w[openssh-helpers]
    else
      []
    end
  when 'redhat'
    os_version >= 7.0 ? %w[openldap-clients] : []
  else
    []
  end
unless extra_sssd_packages.empty?
  node.default['my-ldap']['packages'][os_platform]['sssd'] += extra_sssd_packages
end
# Configuration parameters for DMZ
# CA directory/file for the LDAP TLS connection. Note: with tls_reqcert set to
# 'never' or 'allow' above, this CA is not strictly enforced against the server.
node.default['my-ldap']['cacertdir'] = '/etc/openldap/cert'
node.default['my-ldap']['cacertfile'] = 'ldap-server-dmz.crt'
# AuthorizedKeysCommand for sshd_config
# Helper sshd runs to fetch a user's public keys, per platform and register type.
key_helpers = {
  'redhat' => { 'ldap' => '/usr/libexec/openssh/ssh-ldap-wrapper', 'sssd' => '/usr/bin/sss_ssh_authorizedkeys' },
  'suse' => { 'ldap' => '/usr/lib64/ssh/ssh-ldap-wrapper', 'sssd' => '/usr/bin/sss_ssh_authorizedkeys' }
}
key_helpers.each do |plat, by_reg|
  by_reg.each { |reg, path| node.default['my-ldap']['ldap-wrapper'][plat][reg] = path }
end
# Allowed groups
# Presumably the AllowGroups list for sshd_config; custom_allowgroups is an
# empty hook for site-specific additions. NOTE(review): 'root' (and 'lroot' on
# RHEL) is on the allow list -- confirm that direct root SSH is intended.
node.default['my-ldap']['custom_allowgroups'] = ''
node.default['my-ldap']['sshd_allowgroups']['redhat'] = 'smm_profile_baz_allow root lroot ccloud sysadmin baz'
node.default['my-ldap']['sshd_allowgroups']['suse'] = 'smm_profile_baz_allow root ccloud sysadmin baz'
# AuthorizedKeysCommandUser for ssh according to OpenSSH version
# OpenSSH 6.2 introduced AuthorizedKeysCommandUser in place of the older
# AuthorizedKeysCommandRunAs; pick the directive the installed sshd understands.
# The version is read from rpm's %{VERSION} ("7.4p1" -> "7.4" -> 7.4). The
# command is a fixed string with no interpolated input. If rpm prints nothing
# (not an RPM system, package missing) slice returns nil and nil.to_f is 0.0,
# so the legacy directive is chosen.
openssh_version = Mixlib::ShellOut.new('rpm -q --queryformat "%{VERSION}" openssh')
                                  .run_command.stdout.slice(/^.*\.[0-9]/).to_f
node.default['my-ldap']['sshd_runas'] =
  if openssh_version >= 6.2
    'AuthorizedKeysCommandUser'
  else
    'AuthorizedKeysCommandRunAs'
  end
# Symbolic links for home directories
# link path => autofs target
node.default['my-ldap']['foomnt_homes'] = { '/foomnt/HOME' => '/net/foomnt.HOME', '/foomnt/home' => '/net/foomnt.home' }
# sssd configuration parameters
# Search bases share one base DN derived from the network-dependent dc set above;
# the per-object bases are an OU under it.
base_dn = "dc=ldap,dc=#{node['my-ldap']['dc']},dc=foo,dc=corp"
node.default['my-ldap']['sssd_conf']['ldap_search_base'] = base_dn
search_ous = {
  'ldap_autofs_search_base' => 'automount',
  'ldap_group_search_base' => 'groups',
  'ldap_sudo_search_base' => 'sudoers',
  'ldap_service_search_base' => 'services'
}
search_ous.each do |key, ou|
  node.default['my-ldap']['sssd_conf'][key] = "ou=#{ou},#{base_dn}"
end