Merge pull request 'Move LDAP server to new VM' (#426) from chore/new_ldap_vm into master

Reviewed-on: #426
2022-08-23 13:01:30 +00:00 · 2022-08-23 13:01:30 +00:00 · 2360ad2ac0
parent 607466b1d2 e4d4aa45f7
commit 2360ad2ac0
5 changed files with 103 additions and 6 deletions
--- a/clients/ldap-3.json
+++ b/clients/ldap-3.json
@ -0,0 +1,4 @@
+{
+  "name": "ldap-3",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzLndVZtKubbJf2izx6vN\ntU0gwZUhcCz4Dq+Ilu9D8tPVEWUqKp9RyPkSO8iIxdLXJ8ZjtG3oBVPFGka/fW1a\n/SSf4Yn6ArkNhP9dmDKzrOYOuoPF+h+Fa9Jecy2PtNzhGdBdynIK4ezJIdq5vPEG\nAsJf/Ad9EIU8D4Aj/nhNUwfUwsFTTE++LL9yCzRiDHg6pjNToM75V/+fFPk0UL1/\neLcaJzqi5WeXhfq7DbjMtqnt/+vUxO2YAk9MDb3U15hnH4xkxtDfRth1UGkpR/PK\naLn/RTS9sqk3oMZVzDSioXO0TGp00sWDmvpBvEBwlYgWnx1o8JQnkClvn2OSo6va\nzQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
--- a/nodes/ldap-3.kosmos.org.json
+++ b/nodes/ldap-3.kosmos.org.json
@ -0,0 +1,64 @@
+{
+  "name": "ldap-3.kosmos.org",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.6"
+    }
+  },
+  "automatic": {
+    "fqdn": "ldap-3.kosmos.org",
+    "os": "linux",
+    "os_version": "5.4.0-1073-kvm",
+    "hostname": "ldap-3",
+    "ipaddress": "192.168.122.34",
+    "roles": [
+      "kvm_guest",
+      "dirsrv_primary"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos-dirsrv",
+      "kosmos-dirsrv::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos-dirsrv::hostsfile",
+      "kosmos-dirsrv::firewall",
+      "backup::default",
+      "logrotate::default",
+      "ulimit::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[kvm_guest]",
+    "role[dirsrv_primary]"
+  ]
+}
--- a/site-cookbooks/kosmos-dirsrv/files/acis.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@ -1,5 +1,6 @@
+# LDAPv3                                                                                                                                                                                                                                                                                                                                                                               [0/223]
+# kosmos.org
 dn: dc=kosmos,dc=org
 changetype: modify
 replace: aci
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
@ -1,4 +1,32 @@
-dn: ou=users,dc=kosmos,dc=org
+# users, kosmos.org
+dn: cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalRole
+cn: users
+
+# kosmos.org, users, kosmos.org
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
-ou: users
+description: Kosmos
+ou: kosmos.org
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
+
+# 5apps.com, users, kosmos.org
+dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+description: 5apps
+ou: 5apps.com
+aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
+
+# admin role
+dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: LDAPsubentry
+objectClass: nsRoleDefinition
+objectClass: nsComplexRoleDefinition
+objectClass: nsFilteredRoleDefinition
+cn: admin_role
+nsRoleFilter: (&(objectclass=person)(admin=true))
+description: filtered role for admins
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@ -1,7 +1,7 @@
-ubuntu_server_cloud_image_release = "20220530"
+ubuntu_server_cloud_image_release = "20220810"

 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
  "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
-  "checksum" => "0295bee0539924774327d5267aa8e2eeac315b9efea7136c83643fce454529b8",
+  "checksum" => "6db74917f85146569cb6ae89e1d163ac6d1e488a7f32bc74761ec6d1869c714f",
  "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
 }