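# --- Bring up a throw-away LXD controller/model and deploy the LDAP test fixture ---
# These are notes for an interactive session, not a script: the `juju ssh`
# lines drop you into the unit's shell, and `sudo reboot` / `sudo -i` are typed
# there. Everything after `sudo -i` runs as root on the LDAP unit.
juju bootstrap --debug --config bootstrap-series=bionic --config agent-stream=devel localhost lxd-controller
juju add-model test
juju deploy cs:~openstack-charmers/ldap-test-fixture-4
unit="0"
ldap_ip=$(juju run --unit="ldap-test-fixture/${unit}" 'unit-get private-address')
# Sanity-check the directory before touching it. `-W` prompts for the fixture's
# admin bind password (crapper) instead of `-w crapper`, which leaves the
# password in shell history and in `ps` output for every local user; use
# `-y <0600 file>` if this ever needs to be non-interactive.
ldapsearch -H "ldap://${ldap_ip}" -x -W -D "cn=admin,dc=test,dc=com" -b dc=test,dc=com -s sub '(objectclass=*)' cn sn
juju ssh "ldap-test-fixture/${unit}"
sudo reboot        # on the unit
juju ssh "ldap-test-fixture/${unit}"
sudo -i            # on the unit; the rest of these notes assume a root shell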
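######################### Create new LDAP users for MAAS testing - user1 through user5 in group maas password crapper
# Test fixture only. All five users carry the same unsalted {MD5} hash of
# "crapper"; for anything beyond a disposable lab regenerate the values with a
# salted scheme, e.g.  slappasswd -h '{SSHA}' -s '<password>'
# The final two records are `changetype: modify` entries. ldapadd is
# `ldapmodify -a`, which honours an explicit changetype, so adds and modifies
# can live in one file. Attribute names are case-insensitive in LDAP; the
# group's memberUid lines are simply written consistently here.
ldif="$HOME/new_users_groups.ldif"
cat <<EOF > "$ldif"
# Entry 10: cn=user1,ou=users,dc=test,dc=com
dn: cn=user1,ou=users,dc=test,dc=com
cn: user1
gidnumber: 502
givenname: user1
homedirectory: /home/users/user1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user1 Doe
uid: user1
mail: user1@test.com
uidnumber: 1001
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 11: cn=user2,ou=users,dc=test,dc=com
dn: cn=user2,ou=users,dc=test,dc=com
cn: user2
gidnumber: 502
givenname: user2
homedirectory: /home/users/user2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user2 Doe
uid: user2
mail: user2@test.com
uidnumber: 1002
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 12: cn=user3,ou=users,dc=test,dc=com
dn: cn=user3,ou=users,dc=test,dc=com
cn: user3
gidnumber: 502
givenname: user3
homedirectory: /home/users/user3
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user3 Doe
uid: user3
mail: user3@test.com
uidnumber: 1003
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 13: cn=user4,ou=users,dc=test,dc=com
dn: cn=user4,ou=users,dc=test,dc=com
cn: user4
gidnumber: 502
givenname: user4
homedirectory: /home/users/user4
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user4 Doe
uid: user4
mail: user4@test.com
uidnumber: 1004
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 14: cn=user5,ou=users,dc=test,dc=com
dn: cn=user5,ou=users,dc=test,dc=com
cn: user5
gidnumber: 502
givenname: user5
homedirectory: /home/users/user5
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user5 Doe
uid: user5
mail: user5@test.com
uidnumber: 1005
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

# Entry 15: cn=maas,ou=groups,dc=test,dc=com
dn: cn=maas,ou=groups,dc=test,dc=com
cn: maas
gidnumber: 502
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
objectClass: top
objectClass: posixGroup

# Entry 16: cn=johndoe,ou=users,dc=test,dc=com
dn: cn=johndoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: johndoe@test.com

# Entry 17: cn=janedoe,ou=users,dc=test,dc=com
dn: cn=janedoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: janedoe@test.com
EOF
# -W prompts for the admin bind password rather than exposing it on the command
# line via `-w`. The absolute path removes the dependency on the current
# directory being $HOME.
ldapadd -x -D "cn=admin,dc=test,dc=com" -W -f "$ldif"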
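######################### Mint a disposable CA and a server certificate for this host
name=$(hostname -f)
cert_dir="$HOME/certs"
easyrsa_dir="$HOME/easy-rsa"
easyrsa="$easyrsa_dir/easyrsa3/easyrsa"
pkidir="$HOME/pki"
# Pin the PKI directory explicitly rather than relying on easy-rsa's default
# (relative to the working directory), so the commands below do not depend on
# where they are run from.
export EASYRSA_PKI="$pkidir"
# Supply-chain note: this clones the tip of the default branch with no
# verification. Pin a release tag (git clone --branch <tag>) and check the tag
# signature if this ever moves beyond a lab. Skip the clone if it already exists.
[[ -d "$easyrsa_dir" ]] || git clone https://github.com/OpenVPN/easy-rsa.git "$easyrsa_dir"
# init-pki is left interactive on purpose: it prompts before wiping an existing
# PKI. For the remaining steps --batch accepts every prompt's default, which is
# what the empty here-docs fed to them before. `nopass` leaves the CA and server
# keys unencrypted -- acceptable only for a throw-away test CA.
"$easyrsa" init-pki
"$easyrsa" --batch build-ca nopass
"$easyrsa" --batch gen-req "$name" nopass
"$easyrsa" --batch sign-req server "$name"
mkdir -p "$cert_dir"
chmod 700 "$cert_dir"
cp "$pkidir/ca.crt" "$pkidir/issued/$name.crt" "$pkidir/private/$name.key" "$cert_dir"
# The private key must not be readable by other local users.
chmod 600 "$cert_dir/$name.key"
# easy-rsa prefixes the issued certificate with a human-readable text dump;
# slapd and candid's YAML want the bare PEM block. Let openssl extract it
# instead of `tail +67`, which silently produces garbage the moment the dump's
# line count changes. The untouched original is kept alongside.
cp "$cert_dir/$name.crt" "$cert_dir/$name.crt.orig"
openssl x509 -in "$cert_dir/$name.crt.orig" -out "$cert_dir/$name.crt"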
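##### LDAP StartTLS configuration #######
# Install the test CA plus this host's cert/key where cn=config will read them.
# /etc/ldap/sasl2 is an unusual home for TLS material, but the LDIF below
# references it by name, so it is kept. Use $cert_dir rather than spelling
# $HOME/certs out again, and only chown the three files we just copied instead
# of everything that happens to be in the directory.
cp "$cert_dir/ca.crt" "$cert_dir/$name.crt" "$cert_dir/$name.key" /etc/ldap/sasl2/
chown openldap:openldap "/etc/ldap/sasl2/ca.crt" "/etc/ldap/sasl2/${name}.crt" "/etc/ldap/sasl2/${name}.key"
# Key readable by slapd's user only.
chmod 600 "/etc/ldap/sasl2/${name}.key"
# `replace` on an attribute that is not yet present behaves like `add`, so this
# LDIF works on a fresh slapd as well as one that already carries TLS settings.
cat <<EOF > "$HOME/modify_ssl.ldif"
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/${name}.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/${name}.key
EOF
# ldapi:/// with SASL EXTERNAL authenticates by the local root uid; no password.
ldapmodify -Y EXTERNAL -H ldapi:/// -f "$HOME/modify_ssl.ldif"
systemctl restart slapd
#########################
# Trust the test CA for the local ldap client tools. Derive the path from
# $cert_dir instead of hard-coding /root/certs (the two coincide only because
# this runs after `sudo -i`), and use `|` as the sed delimiter so the path
# needs no escaping. Note the CA file lives under root's home, so non-root
# clients on this host will not be able to read it.
sed -i.orig "s|^TLS_CACERT.*|TLS_CACERT\t${cert_dir}/ca.crt|" /etc/ldap/ldap.conf
# -ZZ makes the client fail unless StartTLS actually negotiates, so this is a
# real check that the cert/key pair is live and the CA is trusted.
ldapwhoami -x -ZZ -H "ldap://${name}"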
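#########################
# Canonical RBAC is installed from a private PPA.
# A 16-hex-digit key ID fetched over plain HKP is not authentication by itself:
# after the import, compare the full fingerprint shown by
#   apt-key fingerprint 226C2BB5A7AB3CF5
# against the one published for the PPA before installing anything. apt-key is
# deprecated; on newer releases drop the keyring into /etc/apt/keyrings and
# reference it with [signed-by=...] in the sources entry instead.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 226C2BB5A7AB3CF5
### Export PPA_USER and PPA_PASSWORD in this shell before running the next commands ###
# The names are deliberately not USER/PASSWORD: $USER is already set in every
# login shell, so a template using it would silently write the login name
# (root, after `sudo -i`) into the auth file instead of the PPA credential.
: "${PPA_USER:?set PPA_USER to the Launchpad login for the private PPA}"
: "${PPA_PASSWORD:?set PPA_PASSWORD to the PPA password}"
# The file holds a credential: create it 0600 before writing anything into it.
# apt warns about world-readable auth.conf.d entries, and other local users have
# no business reading it either.
install -m 600 /dev/null /etc/apt/auth.conf.d/90-canonical-rbac
cat <<EOF > /etc/apt/auth.conf.d/90-canonical-rbac
# Configure authentication for Canonical-RBAC PPA
machine private-ppa.launchpad.net/crbs/stable/ubuntu login $PPA_USER password $PPA_PASSWORD
EOF
add-apt-repository 'deb https://private-ppa.launchpad.net/crbs/stable/ubuntu bionic main'
# Test the exit status directly instead of inspecting $? afterwards.
if ! apt install -y canonical-rbac; then
  printf "\t\tINSTALLATION FAILURE\n\nPlease check the status of the newly installed packages/snaps\n\n"
fi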
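#########################
# Candid (the identity broker) is configured by rewriting its snap config. The
# resulting config.yaml contains this host's private key and the LDAP bind
# password, so it is locked down to root as soon as it is created.
candid_cfg=/var/snap/candid/current/config.yaml
cp "$candid_cfg" "${candid_cfg}.orig"
# Keep the first 16 lines of the shipped config and point `location` at this
# host. The line count is tied to the config the snap shipped at the time these
# notes were written -- re-check it after a candid upgrade.
head -16 "${candid_cfg}.orig" | sed -e "s/^location.*/location\: \"https\:\/\/${name}\:8081\"/" > "$candid_cfg"
chmod 600 "$candid_cfg"
# Block scalars: server certificate followed by the CA so clients receive the
# full chain, then the key. Two-space indent keeps them inside the YAML scalar.
{
  echo "tls-cert: |"
  sed -e 's/^/  /' "$cert_dir/$name.crt"
  sed -e 's/^/  /' "$cert_dir/ca.crt"
  echo "tls-key: |"
  sed -e 's/^/  /' "$cert_dir/$name.key"
} >> "$candid_cfg"
# Binding as the directory admin is a lab shortcut; anything longer-lived should
# use a read-only service account scoped to the user/group subtrees. The URL is
# plain ldap:// -- whether candid upgrades the connection with StartTLS using the
# ca-cert below is not visible from here, so confirm it against the candid docs
# if the bind must be encrypted.
cat <<EOF >> "$candid_cfg"
identity-providers:
- type: ldap
  name: ldap
  url: ldap://${name}/dc=test,dc=com
  dn: cn=admin,dc=test,dc=com
  password: crapper
EOF
echo "  ca-cert: |" >> "$candid_cfg"
sed -e 's/^/    /' "$cert_dir/ca.crt" >> "$candid_cfg"
# (objectClass=*) matches every entry under the base, groups included. Narrow it
# to the users' objectclass once the fixture's pre-existing users (johndoe,
# janedoe) are confirmed to carry it.
# group-query-filter: candid's own example pairs {{.User}} with
# groupOfNames/member, which suggests .User expands to the user's DN. A
# posixGroup's memberUid holds the bare uid, so that comparison would never
# match -- a plausible reason the group lookup fails at the end of these notes.
# The underscored keys (user_id_attribute, user_name_attribute,
# user_objectclass) do not appear in candid's documented ldap settings as far as
# I can tell and are presumably ignored -- verify before relying on them.
cat <<EOF >> "$candid_cfg"
  user-query-filter: (objectClass=*)
  user-query-attrs:
    id: uid
    email: mail
    display-name: uid
  user_id_attribute: uid
  user_name_attribute: uid
  user_objectclass: posixAccount
  group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
EOF
snap restart candid
snap logs candid
# Point the admin agent at this host's URL, keep a root-owned copy (root's home
# is 0700 on Ubuntu, which is what protects the agent keys below), and mint the
# agent MAAS will use.
sed -i.orig "s/\"url\".*/\"url\"\: \"https\:\/\/${name}\:8081\",/" /var/snap/candid/current/admin.keys
cp /var/snap/candid/current/admin.keys /root
export CANDID_CA_CERTS="$cert_dir/ca.crt"
/snap/bin/candid -a /root/admin.keys create-agent -f /root/maas.agent
# maas.agent is JSON; this grep/awk/sed chain pulls the bare username value.
# jq would be cleaner but is not guaranteed to be installed on the unit.
maas_agent_user=$(grep username /root/maas.agent | awk -F: '{print $2}' | sed -e 's/[ \"]//g')
echo "$maas_agent_user"
/snap/bin/candid -a /root/admin.keys acl grant read-user-groups "$maas_agent_user"
/snap/bin/candid -a /root/admin.keys acl grant read-user "$maas_agent_user"
# The key material is passed as command-line arguments and is briefly visible
# in the process list while `snap set` runs; tolerable in a lab, worth knowing.
snap set canonical-rbac ssl.ca="$(cat "$cert_dir/ca.crt")"
snap set canonical-rbac ssl.cert="$(cat "$cert_dir/$name.crt" "$cert_dir/ca.crt")"
snap set canonical-rbac ssl.key="$(cat "$cert_dir/$name.key")"
/snap/bin/canonical-rbac create-candid-agent /root/admin.keys --service-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --candid-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --service-url "https://${name}:5000"
/snap/bin/canonical-rbac create-admin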
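######## Browser: import $cert_dir/ca.crt into the browser's trust store rather
######## than relying on a browser that tolerates untrusted certificates, then
######## open https://${name}:5000/ and log in as johndoe:crapper.
######## MAAS Config: the following runs on the MAAS server.
######## Copy ca.crt from the LDAP/RBAC host into $HOME on the MAAS server first.
######## Set LDAP to the FQDN of the LDAP/RBAC host (it has to match the
######## certificate's CN) -- and set it *after* `sudo -i`, because sudo resets
######## the environment.
sudo -i
: "${LDAP:?set LDAP to the FQDN of the LDAP/RBAC host}"
# Locally added CAs belong under /usr/local/share/ca-certificates, not the
# package-owned /usr/share tree. update-ca-certificates picks up every *.crt
# there with no interactive dpkg-reconfigure dialog to click through.
mkdir -p /usr/local/share/ca-certificates/extras
cp "$HOME/ca.crt" /usr/local/share/ca-certificates/extras/ldap.crt
update-ca-certificates
## Output should say: 1 added, 0 removed; done.
maas configauth --rbac-url "https://${LDAP}:5000/" --rbac-service-name maastest
#### Now open a URL to the MAAS server and log in with <user1:crapper>
#### It will fail the first time with a URL error, because the user is not yet authorized.
#### Open the RBAC GUI at https://${name}:5000/, log in with <johndoe:crapper>, and tick the box in the ADMIN column for user1.
#### That grants user1 permission to log in to MAAS; repeat the login and it will succeed.
#### Log out, close the browser, open a new one to the MAAS URL and log in as <user2:crapper>.
#### Authorize user2 exactly as you did user1, then try logging in as user2 again.
#### It will fail with a 409 error.
#### Granting access via the maas group does not work at the moment. The likely culprit is the
#### group-query-filter in candid's config.yaml:
####   group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
#### If {{.User}} expands to the user's DN (as candid's groupOfNames/member example suggests),
#### it can never equal a posixGroup's bare memberUid value -- verify against the candid docs.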