# Runbook, not a single runnable script: stand up the OpenStack charmers' LDAP
# test fixture under Juju, enable StartTLS on slapd with a throwaway easy-rsa
# CA, wire Candid (identity) and Canonical RBAC to that directory, then point
# MAAS at RBAC. The stages run on different hosts and some steps are
# interactive, so paste section by section:
#   1. bootstrap/deploy/sanity-check: the Juju client
#   2. everything after `sudo -i`: inside the ldap-test-fixture unit, as root
#   3. "MAAS Config": on the MAAS server
# Security posture is deliberately lab-grade: the fixture admin password
# ("crapper") is hard-coded throughout, the CA key is unencrypted, and
# secrets are passed on command lines and embedded in config files.
# Nothing here should be reused outside a disposable test environment.

# Bootstrap a LXD controller on bionic; `agent-stream=devel` pulls the
# development Juju agent stream (lab use only).
juju bootstrap --debug --config bootstrap-series=bionic --config agent-stream=devel localhost lxd-controller
juju add-model test
juju deploy cs:~openstack-charmers/ldap-test-fixture-4
unit="0"
# Private address of the fixture unit, used for the first bind test below.
ldap_ip=$(juju run --unit=ldap-test-fixture/${unit} 'unit-get private-address')
# Sanity-check the fixture from the Juju client with a simple bind as the
# directory admin. NOTE(review): `-w crapper` puts the password into argv
# (visible in `ps`) and shell history; `-W` (prompt) or `-y <file>` avoids
# that. This is plain ldap:// without StartTLS -- TLS is only configured on
# slapd further down; once it is, add `-ZZ` to require StartTLS.
ldapsearch -h $ldap_ip -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -s sub '(objectclass=*)' cn sn
juju ssh ldap-test-fixture/${unit}
# Reboot drops the ssh session; reconnect on the next line and become root.
sudo reboot
juju ssh ldap-test-fixture/${unit}
sudo -i
######################### Create new LDAP users for MAAS testing - user1 through user5 in group maas password crapper
# All five users share the same unsalted {MD5} hash -- which is why the hash
# string is byte-identical on every entry (unsalted hashes leak "same
# password" across accounts). Fine for a fixture; for anything else generate
# hashes with `slappasswd -h {SSHA}` or let the server hash via ppolicy.
# Users carry gidnumber 502, matching the `cn=maas` posixGroup created below.
# The LDAP attribute names are case-insensitive, so `memberuid`/`memberUid`
# in the group entry refer to the same attribute.
cat <<EOF > $HOME/new_users_groups.ldif
# Entry 10: cn=user1,ou=users,dc=test,dc=com
dn: cn=user1,ou=users,dc=test,dc=com
cn: user1
gidnumber: 502
givenname: user1
homedirectory: /home/users/user1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user1 Doe
uid: user1
mail: user1@test.com
uidnumber: 1001
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# Entry 11: cn=user2,ou=users,dc=test,dc=com
dn: cn=user2,ou=users,dc=test,dc=com
cn: user2
gidnumber: 502
givenname: user2
homedirectory: /home/users/user2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user2 Doe
uid: user2
mail: user2@test.com
uidnumber: 1002
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# Entry 12: cn=user3,ou=users,dc=test,dc=com
dn: cn=user3,ou=users,dc=test,dc=com
cn: user3
gidnumber: 502
givenname: user3
homedirectory: /home/users/user3
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user3 Doe
uid: user3
mail: user3@test.com
uidnumber: 1003
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# Entry 13: cn=user4,ou=users,dc=test,dc=com
dn: cn=user4,ou=users,dc=test,dc=com
cn: user4
gidnumber: 502
givenname: user4
homedirectory: /home/users/user4
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user4 Doe
uid: user4
mail: user4@test.com
uidnumber: 1004
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# Entry 14: cn=user5,ou=users,dc=test,dc=com
dn: cn=user5,ou=users,dc=test,dc=com
cn: user5
gidnumber: 502
givenname: user5
homedirectory: /home/users/user5
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user5 Doe
uid: user5
mail: user5@test.com
uidnumber: 1005
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper
# Entry 15: cn=maas,ou=groups,dc=test,dc=com
dn: cn=maas,ou=groups,dc=test,dc=com
cn: maas
gidnumber: 502
memberuid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
objectClass: top
objectClass: posixGroup
# Entry 16: cn=johndoe,ou=users,dc=test,dc=com
dn: cn=johndoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: johndoe@test.com
# Entry 17: cn=janedoe,ou=users,dc=test,dc=com
dn: cn=janedoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: janedoe@test.com
EOF
# Load the LDIF as the directory admin. The relative path only works because
# `sudo -i` starts in root's home, where the file was written ($HOME).
# Same argv/history caveat for `-w crapper` as above.
ldapadd -x -D "cn=admin,dc=test,dc=com" -w crapper -f new_users_groups.ldif
#########################
# --- Throwaway PKI with easy-rsa: a CA plus one server cert for this host ---
# The server cert's CN is the unit's FQDN; every later URL (candid location,
# RBAC service-url, MAAS rbac-url) must use exactly this name or TLS
# verification fails.
name=$(hostname -f)
cert_dir="$HOME/certs"
easyrsa_dir="$HOME/easy-rsa"
easyrsa="$easyrsa_dir/easyrsa3/easyrsa"
pkidir="$HOME/pki"
# Unpinned clone of the easy-rsa git HEAD (acceptable for a lab; pin a release
# tag if this is ever scripted for real).
git clone https://github.com/OpenVPN/easy-rsa.git
$easyrsa init-pki
# `nopass` leaves the CA private key unencrypted in $pkidir/private/ca.key --
# acceptable only because the whole CA is disposable. The empty here-docs
# accept the default answers (Common Name prompts); the `yes` answers the
# sign-req confirmation.
$easyrsa build-ca nopass <<EOF
EOF
$easyrsa gen-req "$name" nopass <<EOF
EOF
$easyrsa sign-req server "$name" <<EOF
yes
EOF
mkdir -p "$cert_dir"
# Collect CA cert, issued server cert and server private key into $cert_dir.
cp "$pkidir/ca.crt" "$pkidir/issued/$name.crt" "$pkidir/private/$name.key" "$cert_dir"
cp "$cert_dir/$name.crt" "$cert_dir/$name.crt.orig" ### I used cp here to preserve file permissions
# easy-rsa prepends a human-readable text dump to the issued cert; this strips
# it so only the PEM block remains. NOTE(review): the hard-coded line count
# (67) depends on the exact dump length and will silently produce a broken
# cert if it changes; `openssl x509 -in "$cert_dir/$name.crt.orig" -out
# "$cert_dir/$name.crt"` extracts the PEM block regardless of what precedes it.
tail +67 "$cert_dir/$name.crt.orig" > "$cert_dir/$name.crt"
##### LDAP StartTLS configuration #######
# Install CA cert, server cert and key where slapd can read them.
# /etc/ldap/sasl2 is an unusual home for TLS material, but it is what the
# olcTLS* attributes below point at, so the two must stay in sync.
cp $HOME/certs/ca.crt $HOME/certs/$name.crt $HOME/certs/$name.key /etc/ldap/sasl2
# The glob hands ownership of everything already in that directory to
# openldap, not just the three files copied above.
chown openldap:openldap /etc/ldap/sasl2/*
# Private key readable by the slapd user only.
chmod 600 /etc/ldap/sasl2/${name}.key
cat <<EOF > $HOME/modify_ssl.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/${name}.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/${name}.key
EOF
# Apply to cn=config over the local ldapi socket using SASL EXTERNAL (root's
# uid is authorized for cn=config) -- no admin password needed here.
ldapmodify -Y EXTERNAL -H ldapi:/// -f $HOME/modify_ssl.ldif
systemctl restart slapd
#########################
# Point the system-wide LDAP client config at the lab CA so `ldapsearch -Z`
# on this host verifies the server cert. NOTE(review): /root/certs lives
# under /root, which is normally mode 700, so only root can actually use this
# CA path; copy ca.crt somewhere world-readable (e.g. under /etc/ssl/certs)
# if non-root clients on this host need it.
sed -i.orig "s/^TLS_CACERT.*/TLS_CACERT\t\/root\/certs\/ca.crt/" /etc/ldap/ldap.conf
# --- Canonical RBAC from its private PPA ---
# NOTE(review): `apt-key adv` is deprecated, and the key is fetched over
# plaintext HKP (port 80) identified only by a 64-bit key ID. Verify the full
# fingerprint against the PPA page on Launchpad before trusting it, and on
# current releases prefer downloading the key into /etc/apt/keyrings and
# referencing it with `signed-by=` in the sources entry instead of the global
# apt-key keyring.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 226C2BB5A7AB3CF5
### Change USER and PASSWORD variables before running this command ###
# NOTE(review): `$USER` is already set by the login shell (it is `root` after
# `sudo -i`), so forgetting to override it silently writes the wrong login,
# and an unset `$PASSWORD` writes an empty password. Set both explicitly
# (e.g. `USER=<launchpad-id> PASSWORD=<ppa-password>`) right before this.
# The file holds a live PPA credential: keep it root-owned and chmod 600.
cat <<EOF > /etc/apt/auth.conf.d/90-canonical-rbac
# Configure authentication for Canonical-RBAC PPA
machine private-ppa.launchpad.net/crbs/stable/ubuntu login $USER password $PASSWORD
EOF
add-apt-repository 'deb https://private-ppa.launchpad.net/crbs/stable/ubuntu bionic main'
apt install canonical-rbac -y
# Only reports; the runbook continues regardless of the install result.
if [[ $? -ne 0 ]]; then printf "\t\tINSTALLATION FAILURE\n\nPlease check the status of the newly installed packages/snaps\n\n"; fi
# --- Candid configuration (installed as a snap by canonical-rbac) ---
# Rebuild config.yaml: keep the first 16 lines of the shipped default with
# `location` rewritten to this host, then append TLS material and the LDAP
# identity provider. NOTE(review): `head -16` assumes the default file's
# layout; if a newer snap ships a longer/shorter header this silently drops
# or keeps the wrong keys -- check config.yaml.orig before relying on it.
cp /var/snap/candid/current/config.yaml /var/snap/candid/current/config.yaml.orig
head -16 /var/snap/candid/current/config.yaml.orig | sed -e "s/^location.*/location\: \"https\:\/\/${name}\:8081\"/" > /var/snap/candid/current/config.yaml
# `sed 's/^/ /'` indents each PEM line by one space so it sits inside the
# YAML `|` block scalar. tls-cert is the server cert followed by the CA
# (leaf first), and tls-key embeds the server PRIVATE KEY in config.yaml --
# that file now needs the same protection as the key itself.
echo "tls-cert: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/ /' $cert_dir/$name.crt >> /var/snap/candid/current/config.yaml
sed -e 's/^/ /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
echo "tls-key: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/ /' $cert_dir/$name.key >> /var/snap/candid/current/config.yaml
# NOTE(review): the YAML below appears to have lost its indentation in this
# copy (the ` ca-cert: |` echo still carries one leading space, suggesting
# the provider keys were nested under `- type: ldap`); confirm the nesting
# against the candid docs before pasting, as flat keys will not be read as
# part of the provider.
# Least privilege: this binds as cn=admin (full directory admin) with the
# password in cleartext; a dedicated read-only bind DN would be enough for
# lookups. The URL is ldap:// not ldaps://; whether candid upgrades to
# StartTLS with the ca-cert given below is not visible here -- confirm.
cat <<EOF >> /var/snap/candid/current/config.yaml
identity-providers:
- type: ldap
name: ldap
url: ldap://${name}/dc=test,dc=com
dn: cn=admin,dc=test,dc=com
password: crapper
EOF
echo " ca-cert: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/ /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
# NOTE(review): `(objectClass=*)` matches every entry under the base --
# the ou= containers and the maas group included, not just users; the
# entries created above all carry posixAccount, so
# `(objectClass=posixAccount)` would scope it correctly. The underscore keys
# (user_id_attribute etc.) do not follow the hyphenated naming of the other
# keys and may be ignored by candid -- verify against its documentation.
cat <<EOF >> /var/snap/candid/current/config.yaml
user-query-filter: (objectClass=*)
user-query-attrs:
id: uid
email: mail
display-name: uid
user_id_attribute: uid
user_name_attribute: uid
user_objectclass: posixAccount
group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
EOF
snap restart candid
snap logs candid
# Rewrite the candid URL in admin.keys (JSON) with sed; this keys on the
# literal `"url"` field and is fragile if the file's formatting changes.
# admin.keys carries the candid admin private key -- the copy in /root
# should stay root-only.
sed -i.orig "s/\"url\".*/\"url\"\: \"https\:\/\/${name}\:8081\",/" /var/snap/candid/current/admin.keys
cp /var/snap/candid/current/admin.keys /root
# Trust the lab CA for the candid CLI rather than disabling verification.
export CANDID_CA_CERTS=$cert_dir/ca.crt
# Create the agent MAAS will use and grant it only the two read ACLs it
# needs (read-user, read-user-groups) -- nothing admin-level.
/snap/bin/candid -a /root/admin.keys create-agent -f /root/maas.agent
maas_agent_user=$(grep username /root/maas.agent | awk -F: '{print $2}' | sed -e 's/[ \"]//g')
echo $maas_agent_user
/snap/bin/candid -a /root/admin.keys acl grant read-user-groups $maas_agent_user
/snap/bin/candid -a /root/admin.keys acl grant read-user $maas_agent_user
# --- RBAC TLS + candid agent ---
# NOTE(review): `snap set ... ssl.key="$(cat ...)"` passes the server
# private key as a command-line argument, so it is visible in the process
# list while the command runs and lands in shell history. ssl.cert is the
# leaf cert followed by the CA (chain order).
snap set canonical-rbac ssl.ca="$(cat $cert_dir/ca.crt)"
snap set canonical-rbac ssl.cert="$(cat $cert_dir/$name.crt && cat $cert_dir/ca.crt)"
snap set canonical-rbac ssl.key="$(cat $cert_dir/$name.key)"
/snap/bin/canonical-rbac create-candid-agent /root/admin.keys --service-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --candid-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --service-url https://${name}:5000
/snap/bin/canonical-rbac create-admin
######## Open the RBAC URL in a browser and log in as johndoe:crapper.
######## The cert is not self-signed -- it is issued by the lab CA above -- so
######## rather than clicking through warnings (which some browsers, e.g.
######## Chrome, refuse to allow), import $cert_dir/ca.crt into the browser/OS
######## trust store, exactly as the MAAS step below does for the MAAS host.
######## MAAS Config: Maas server
######## Copy the ca.crt file to $HOME on this server
######## Set the LDAP variable to the FQDN of the LDAP server
sudo -i
# Add the lab CA to the system trust store so MAAS verifies the RBAC cert.
# This trusts the throwaway CA system-wide on the MAAS host; remove it when
# the lab is torn down.
mkdir /usr/share/ca-certificates/extras
cp $HOME/ca.crt /usr/share/ca-certificates/extras/ldap.crt
dpkg-reconfigure ca-certificates ##### Select Yes to first question and then select extras/ldap.crt in the next screen and it will add the CA
## Output should say: 1 added, 0 removed; done.
# $LDAP must be the FQDN the server cert was issued for (hostname -f on the
# fixture unit); any other name fails verification.
maas configauth --rbac-url https://$LDAP:5000/ --rbac-service-name maastest
#### Now open a URL to the MAAS server and log in with <user1:crapper>
#### It will fail the first time with a URL error, this is because the user isn't authorized.
#### Pull up the RBAC GUI: https://${name}:5000/ and log in with <johndoe:crapper>, select the box to the right of user1, in the ADMIN column.
#### This will give that user permission to log in to MAAS now, repeat the procedure and it will allow that user in.
#### Log out that user, close the browser and open a new one to the MAAS URL, except log in this time with <user2:crapper>
#### You will have to authorize that user, just like you did for user1. Once that is done, try logging in as user2 again.
#### It will fail with a 409 error.
#### Using the maas group doesn't really work right now. I believe it is something wrong with the group-query-filter setting in Candid's config.yaml
#### group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
#### NOTE(review): LDAP attribute names are case-insensitive, so `memberuid`
#### vs `memberUid` is not the cause. Unverified, but the broad
#### `user-query-filter: (objectClass=*)`, the possibly-lost YAML nesting and
#### the underscore-style keys in config.yaml are worth ruling out first.