cnewcome/rbac_fixed.txt

## rbac_fixed.txt
juju bootstrap --debug --config bootstrap-series=bionic --config agent-stream=devel localhost lxd-controller
juju add-model test

juju deploy cs:~openstack-charmers/ldap-test-fixture-4
unit="0"
ldap_ip=$(juju run --unit=ldap-test-fixture/${unit} 'unit-get private-address')
ldapsearch -h $ldap_ip -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -s sub '(objectclass=*)' cn sn
juju ssh ldap-test-fixture/${unit}

sudo reboot

juju ssh ldap-test-fixture/${unit}

sudo -i

######################### Create new LDAP users for MAAS testing - user1 through user5 in group maas password crapper
cat <<EOF > $HOME/new_users_groups.ldif
# Entry 10: cn=user1,ou=users,dc=test,dc=com
dn: cn=user1,ou=users,dc=test,dc=com
cn: user1
gidnumber: 502
givenname: user1
homedirectory: /home/users/user1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user1 Doe
uid: user1
mail: user1@test.com
uidnumber: 1001
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 11: cn=user2,ou=users,dc=test,dc=com
dn: cn=user2,ou=users,dc=test,dc=com
cn: user2
gidnumber: 502
givenname: user2
homedirectory: /home/users/user2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user2 Doe
uid: user2
mail: user2@test.com
uidnumber: 1002
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 12: cn=user3,ou=users,dc=test,dc=com
dn: cn=user3,ou=users,dc=test,dc=com
cn: user3
gidnumber: 502
givenname: user3
homedirectory: /home/users/user3
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user3 Doe
uid: user3
mail: user3@test.com
uidnumber: 1003
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 13: cn=user4,ou=users,dc=test,dc=com
dn: cn=user4,ou=users,dc=test,dc=com
cn: user4
gidnumber: 502
givenname: user4
homedirectory: /home/users/user4
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user4 Doe
uid: user4
mail: user4@test.com
uidnumber: 1004
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

# Entry 14: cn=user5,ou=users,dc=test,dc=com
dn: cn=user5,ou=users,dc=test,dc=com
cn: user5
gidnumber: 502
givenname: user5
homedirectory: /home/users/user5
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: user5 Doe
uid: user5
mail: user5@test.com
uidnumber: 1005
userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
# password is crapper

# Entry 15: cn=maas,ou=groups,dc=test,dc=com
dn: cn=maas,ou=groups,dc=test,dc=com
cn: maas
gidnumber: 502
memberuid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
objectClass: top
objectClass: posixGroup

# Entry 16: cn=johndoe,ou=users,dc=test,dc=com
dn: cn=johndoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: johndoe@test.com

# Entry 17: cn=janedoe,ou=users,dc=test,dc=com
dn: cn=janedoe,ou=users,dc=test,dc=com
changetype: modify
add: mail
mail: janedoe@test.com

EOF
ldapadd -x -D "cn=admin,dc=test,dc=com" -w crapper -f new_users_groups.ldif
#########################

name=$(hostname -f)
cert_dir="$HOME/certs"
easyrsa_dir="$HOME/easy-rsa"
easyrsa="$easyrsa_dir/easyrsa3/easyrsa"
pkidir="$HOME/pki"
git clone https://github.com/OpenVPN/easy-rsa.git

$easyrsa init-pki
$easyrsa build-ca nopass <<EOF

EOF

$easyrsa gen-req "$name" nopass <<EOF

EOF

$easyrsa sign-req server "$name" <<EOF
yes
EOF

mkdir -p "$cert_dir"
cp "$pkidir/ca.crt" "$pkidir/issued/$name.crt" "$pkidir/private/$name.key" "$cert_dir"
cp "$cert_dir/$name.crt" "$cert_dir/$name.crt.orig" ### I used cp here to preserve file permissions
tail +67 "$cert_dir/$name.crt.orig" > "$cert_dir/$name.crt"

##### LDAP StartTLS configuration #######
cp $HOME/certs/ca.crt $HOME/certs/$name.crt $HOME/certs/$name.key /etc/ldap/sasl2
chown openldap:openldap /etc/ldap/sasl2/*
chmod 600 /etc/ldap/sasl2/${name}.key

cat <<EOF > $HOME/modify_ssl.ldif
# create new
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/sasl2/${name}.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/sasl2/${name}.key
EOF

ldapmodify -Y EXTERNAL -H ldapi:/// -f $HOME/modify_ssl.ldif

systemctl restart slapd
#########################

sed -i.orig "s/^TLS_CACERT.*/TLS_CACERT\t\/root\/certs\/ca.crt/" /etc/ldap/ldap.conf

apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 226C2BB5A7AB3CF5

### Change USER and PASSWORD variables before running this command ###
cat <<EOF > /etc/apt/auth.conf.d/90-canonical-rbac
# Configure authentication for Canonical-RBAC PPA
machine private-ppa.launchpad.net/crbs/stable/ubuntu login $USER password $PASSWORD
EOF

add-apt-repository 'deb https://private-ppa.launchpad.net/crbs/stable/ubuntu bionic main'
apt install canonical-rbac -y

if [[ $? -ne 0 ]]; then printf "\t\tINSTALLATION FAILURE\n\nPlease check the status of the newly installed packages/snaps\n\n"; fi

cp /var/snap/candid/current/config.yaml /var/snap/candid/current/config.yaml.orig
head -16 /var/snap/candid/current/config.yaml.orig | sed -e "s/^location.*/location\: \"https\:\/\/${name}\:8081\"/" > /var/snap/candid/current/config.yaml
echo "tls-cert: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/  /' $cert_dir/$name.crt >> /var/snap/candid/current/config.yaml
sed -e 's/^/  /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
echo "tls-key: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/  /' $cert_dir/$name.key >> /var/snap/candid/current/config.yaml
cat <<EOF >> /var/snap/candid/current/config.yaml
identity-providers:
- type: ldap
  name: ldap
  url: ldap://${name}/dc=test,dc=com
  dn: cn=admin,dc=test,dc=com
  password: crapper
EOF
echo "  ca-cert: |" >> /var/snap/candid/current/config.yaml
sed -e 's/^/    /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
cat <<EOF >> /var/snap/candid/current/config.yaml
  user-query-filter: (objectClass=*)
  user-query-attrs:
    id: uid
    email: mail
    display-name: uid
    user_id_attribute: uid
    user_name_attribute: uid
    user_objectclass: posixAccount
  group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
EOF

snap restart candid
snap logs candid

sed -i.orig "s/\"url\".*/\"url\"\: \"https\:\/\/${name}\:8081\",/" /var/snap/candid/current/admin.keys
cp /var/snap/candid/current/admin.keys /root
export CANDID_CA_CERTS=$cert_dir/ca.crt
/snap/bin/candid -a /root/admin.keys create-agent -f /root/maas.agent
maas_agent_user=$(grep username /root/maas.agent | awk -F: '{print $2}' | sed -e 's/[ \"]//g')
echo $maas_agent_user
/snap/bin/candid -a /root/admin.keys acl grant read-user-groups $maas_agent_user
/snap/bin/candid -a /root/admin.keys acl grant read-user $maas_agent_user
snap set canonical-rbac ssl.ca="$(cat $cert_dir/ca.crt)"
snap set canonical-rbac ssl.cert="$(cat $cert_dir/$name.crt && cat $cert_dir/ca.crt)"
snap set canonical-rbac ssl.key="$(cat $cert_dir/$name.key)"
/snap/bin/canonical-rbac create-candid-agent /root/admin.keys --service-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --candid-agent-file /root/rbac.agent
/snap/bin/canonical-rbac config --service-url https://${name}:5000
/snap/bin/canonical-rbac create-admin

######## Open URL in a browser that can handle self-signed certificates (not Chrome) and log in as
######## johndoe:crapper


######## MAAS Config: Maas server
######## Copy the ca.crt file to $HOME on this server
######## Set the LDAP variable to the FQDN of the LDAP server
sudo -i
mkdir /usr/share/ca-certificates/extras
cp $HOME/ca.crt /usr/share/ca-certificates/extras/ldap.crt
dpkg-reconfigure ca-certificates ##### Select Yes to first question and then select extras/ldap.crt in the next screen and it will add the CA
## Output should say: 1 added, 0 removed; done.

maas configauth --rbac-url https://$LDAP:5000/ --rbac-service-name maastest

#### Now open a URL to the MAAS server and log in with <user1:crapper>
#### It will fail the first time with a URL error, this is because the user isn't authorized.
#### Pull up the RBAC GUI: https://${name}:5000/ and log in with <johndoe:crapper>, select the box to the right of user1, in the ADMIN column.
#### This will give that user permission to log in to MAAS now, repeat the procedure and it will allow that user in.
#### Log out that user, close the browser and open a new one to the MAAS URL, except log in this time with <user2:crapper>
#### You will have to authorize that user, just like you did for user1. Once that is done, try logging in as user2 again.

#### It will fail with a 409 error.

#### Using the maas group doesn't really work right now. I believe it is something wrong with the group-query-filter setting in Candid's config.yaml
####   group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
	juju bootstrap --debug --config bootstrap-series=bionic --config agent-stream=devel localhost lxd-controller
	juju add-model test

	juju deploy cs:~openstack-charmers/ldap-test-fixture-4
	unit="0"
	ldap_ip=$(juju run --unit=ldap-test-fixture/${unit} 'unit-get private-address')
	ldapsearch -h $ldap_ip -x -w crapper -D"cn=admin,dc=test,dc=com" -b dc=test,dc=com -s sub '(objectclass=*)' cn sn
	juju ssh ldap-test-fixture/${unit}

	sudo reboot

	juju ssh ldap-test-fixture/${unit}

	sudo -i

	######################### Create new LDAP users for MAAS testing - user1 through user5 in group maas password crapper
	cat <<EOF > $HOME/new_users_groups.ldif
	# Entry 10: cn=user1,ou=users,dc=test,dc=com
	dn: cn=user1,ou=users,dc=test,dc=com
	cn: user1
	gidnumber: 502
	givenname: user1
	homedirectory: /home/users/user1
	objectclass: inetOrgPerson
	objectclass: posixAccount
	objectclass: top
	sn: user1 Doe
	uid: user1
	mail: user1@test.com
	uidnumber: 1001
	userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

	# Entry 11: cn=user2,ou=users,dc=test,dc=com
	dn: cn=user2,ou=users,dc=test,dc=com
	cn: user2
	gidnumber: 502
	givenname: user2
	homedirectory: /home/users/user2
	objectclass: inetOrgPerson
	objectclass: posixAccount
	objectclass: top
	sn: user2 Doe
	uid: user2
	mail: user2@test.com
	uidnumber: 1002
	userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

	# Entry 12: cn=user3,ou=users,dc=test,dc=com
	dn: cn=user3,ou=users,dc=test,dc=com
	cn: user3
	gidnumber: 502
	givenname: user3
	homedirectory: /home/users/user3
	objectclass: inetOrgPerson
	objectclass: posixAccount
	objectclass: top
	sn: user3 Doe
	uid: user3
	mail: user3@test.com
	uidnumber: 1003
	userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

	# Entry 13: cn=user4,ou=users,dc=test,dc=com
	dn: cn=user4,ou=users,dc=test,dc=com
	cn: user4
	gidnumber: 502
	givenname: user4
	homedirectory: /home/users/user4
	objectclass: inetOrgPerson
	objectclass: posixAccount
	objectclass: top
	sn: user4 Doe
	uid: user4
	mail: user4@test.com
	uidnumber: 1004
	userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==

	# Entry 14: cn=user5,ou=users,dc=test,dc=com
	dn: cn=user5,ou=users,dc=test,dc=com
	cn: user5
	gidnumber: 502
	givenname: user5
	homedirectory: /home/users/user5
	objectclass: inetOrgPerson
	objectclass: posixAccount
	objectclass: top
	sn: user5 Doe
	uid: user5
	mail: user5@test.com
	uidnumber: 1005
	userpassword: {MD5}HOMR4pM15t3gYd8WUxMG8g==
	# password is crapper

	# Entry 15: cn=maas,ou=groups,dc=test,dc=com
	dn: cn=maas,ou=groups,dc=test,dc=com
	cn: maas
	gidnumber: 502
	memberuid: user1
	memberUid: user2
	memberUid: user3
	memberUid: user4
	memberUid: user5
	objectClass: top
	objectClass: posixGroup

	# Entry 16: cn=johndoe,ou=users,dc=test,dc=com
	dn: cn=johndoe,ou=users,dc=test,dc=com
	changetype: modify
	add: mail
	mail: johndoe@test.com

	# Entry 17: cn=janedoe,ou=users,dc=test,dc=com
	dn: cn=janedoe,ou=users,dc=test,dc=com
	changetype: modify
	add: mail
	mail: janedoe@test.com

	EOF
	ldapadd -x -D "cn=admin,dc=test,dc=com" -w crapper -f new_users_groups.ldif
	#########################

	name=$(hostname -f)
	cert_dir="$HOME/certs"
	easyrsa_dir="$HOME/easy-rsa"
	easyrsa="$easyrsa_dir/easyrsa3/easyrsa"
	pkidir="$HOME/pki"
	git clone https://github.com/OpenVPN/easy-rsa.git

	$easyrsa init-pki
	$easyrsa build-ca nopass <<EOF

	EOF

	$easyrsa gen-req "$name" nopass <<EOF

	EOF

	$easyrsa sign-req server "$name" <<EOF
	yes
	EOF

	mkdir -p "$cert_dir"
	cp "$pkidir/ca.crt" "$pkidir/issued/$name.crt" "$pkidir/private/$name.key" "$cert_dir"
	cp "$cert_dir/$name.crt" "$cert_dir/$name.crt.orig" ### I used cp here to preserve file permissions
	tail +67 "$cert_dir/$name.crt.orig" > "$cert_dir/$name.crt"

	##### LDAP StartTLS configuration #######
	cp $HOME/certs/ca.crt $HOME/certs/$name.crt $HOME/certs/$name.key /etc/ldap/sasl2
	chown openldap:openldap /etc/ldap/sasl2/*
	chmod 600 /etc/ldap/sasl2/${name}.key

	cat <<EOF > $HOME/modify_ssl.ldif
	# create new
	dn: cn=config
	changetype: modify
	add: olcTLSCACertificateFile
	olcTLSCACertificateFile: /etc/ldap/sasl2/ca.crt
	-
	replace: olcTLSCertificateFile
	olcTLSCertificateFile: /etc/ldap/sasl2/${name}.crt
	-
	replace: olcTLSCertificateKeyFile
	olcTLSCertificateKeyFile: /etc/ldap/sasl2/${name}.key
	EOF

	ldapmodify -Y EXTERNAL -H ldapi:/// -f $HOME/modify_ssl.ldif

	systemctl restart slapd
	#########################

	sed -i.orig "s/^TLS_CACERT.*/TLS_CACERT\t\/root\/certs\/ca.crt/" /etc/ldap/ldap.conf

	apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 226C2BB5A7AB3CF5

	### Change USER and PASSWORD variables before running this command ###
	cat <<EOF > /etc/apt/auth.conf.d/90-canonical-rbac
	# Configure authentication for Canonical-RBAC PPA
	machine private-ppa.launchpad.net/crbs/stable/ubuntu login $USER password $PASSWORD
	EOF

	add-apt-repository 'deb https://private-ppa.launchpad.net/crbs/stable/ubuntu bionic main'
	apt install canonical-rbac -y

	if [[ $? -ne 0 ]]; then printf "\t\tINSTALLATION FAILURE\n\nPlease check the status of the newly installed packages/snaps\n\n"; fi

	cp /var/snap/candid/current/config.yaml /var/snap/candid/current/config.yaml.orig
	head -16 /var/snap/candid/current/config.yaml.orig \| sed -e "s/^location.*/location\: \"https\:\/\/${name}\:8081\"/" > /var/snap/candid/current/config.yaml
	echo "tls-cert: \|" >> /var/snap/candid/current/config.yaml
	sed -e 's/^/ /' $cert_dir/$name.crt >> /var/snap/candid/current/config.yaml
	sed -e 's/^/ /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
	echo "tls-key: \|" >> /var/snap/candid/current/config.yaml
	sed -e 's/^/ /' $cert_dir/$name.key >> /var/snap/candid/current/config.yaml
	cat <<EOF >> /var/snap/candid/current/config.yaml
	identity-providers:
	- type: ldap
	name: ldap
	url: ldap://${name}/dc=test,dc=com
	dn: cn=admin,dc=test,dc=com
	password: crapper
	EOF
	echo " ca-cert: \|" >> /var/snap/candid/current/config.yaml
	sed -e 's/^/ /' $cert_dir/ca.crt >> /var/snap/candid/current/config.yaml
	cat <<EOF >> /var/snap/candid/current/config.yaml
	user-query-filter: (objectClass=*)
	user-query-attrs:
	id: uid
	email: mail
	display-name: uid
	user_id_attribute: uid
	user_name_attribute: uid
	user_objectclass: posixAccount
	group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))
	EOF

	snap restart candid
	snap logs candid

	sed -i.orig "s/\"url\".*/\"url\"\: \"https\:\/\/${name}\:8081\",/" /var/snap/candid/current/admin.keys
	cp /var/snap/candid/current/admin.keys /root
	export CANDID_CA_CERTS=$cert_dir/ca.crt
	/snap/bin/candid -a /root/admin.keys create-agent -f /root/maas.agent
	maas_agent_user=$(grep username /root/maas.agent \| awk -F: '{print $2}' \| sed -e 's/[ \"]//g')
	echo $maas_agent_user
	/snap/bin/candid -a /root/admin.keys acl grant read-user-groups $maas_agent_user
	/snap/bin/candid -a /root/admin.keys acl grant read-user $maas_agent_user
	snap set canonical-rbac ssl.ca="$(cat $cert_dir/ca.crt)"
	snap set canonical-rbac ssl.cert="$(cat $cert_dir/$name.crt && cat $cert_dir/ca.crt)"
	snap set canonical-rbac ssl.key="$(cat $cert_dir/$name.key)"
	/snap/bin/canonical-rbac create-candid-agent /root/admin.keys --service-agent-file /root/rbac.agent
	/snap/bin/canonical-rbac config --candid-agent-file /root/rbac.agent
	/snap/bin/canonical-rbac config --service-url https://${name}:5000
	/snap/bin/canonical-rbac create-admin

	######## Open URL in a browser that can handle self-signed certificates (not Chrome) and log in as
	######## johndoe:crapper


	######## MAAS Config: Maas server
	######## Copy the ca.crt file to $HOME on this server
	######## Set the LDAP variable to the FQDN of the LDAP server
	sudo -i
	mkdir /usr/share/ca-certificates/extras
	cp $HOME/ca.crt /usr/share/ca-certificates/extras/ldap.crt
	dpkg-reconfigure ca-certificates ##### Select Yes to first question and then select extras/ldap.crt in the next screen and it will add the CA
	## Output should say: 1 added, 0 removed; done.

	maas configauth --rbac-url https://$LDAP:5000/ --rbac-service-name maastest

	#### Now open a URL to the MAAS server and log in with <user1:crapper>
	#### It will fail the first time with a URL error, this is because the user isn't authorized.
	#### Pull up the RBAC GUI: https://${name}:5000/ and log in with <johndoe:crapper>, select the box to the right of user1, in the ADMIN column.
	#### This will give that user permission to log in to MAAS now, repeat the procedure and it will allow that user in.
	#### Log out that user, close the browser and open a new one to the MAAS URL, except log in this time with <user2:crapper>
	#### You will have to authorize that user, just like you did for user1. Once that is done, try logging in as user2 again.

	#### It will fail with a 409 error.

	#### Using the maas group doesn't really work right now. I believe it is something wrong with the group-query-filter setting in Candid's config.yaml
	#### group-query-filter: (&(objectClass=posixGroup)(memberuid={{.User}}))