Switch the ejabberd LDAP setup to a new application account
Needs the new directory structure: ``` dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: wiki userPassword: [snip] dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] ``` And the new ACIs: ``` dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ``` Refs #140
This commit is contained in:
parent
f34513220e
commit
6fa89b3c25
@ -4,7 +4,7 @@ maintainer_email 'ops@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos-ejabberd'
|
||||
long_description 'Installs/Configures kosmos-ejabberd'
|
||||
version '0.2.0'
|
||||
version '0.2.1'
|
||||
chef_version '>= 12.14' if respond_to?(:chef_version)
|
||||
|
||||
# The `issues_url` points to the location where issues for this cookbook are
|
||||
|
@ -112,6 +112,8 @@ ldap_base = "cn=users,dc=kosmos,dc=org"
|
||||
admin_users = ejabberd_credentials['admins']
|
||||
|
||||
hosts.each do |host|
|
||||
ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
|
||||
|
||||
postgresql_database host[:sql_database] do
|
||||
owner 'ejabberd'
|
||||
action :create
|
||||
@ -134,6 +136,7 @@ hosts.each do |host|
|
||||
host: host,
|
||||
ldap_base: ldap_base,
|
||||
ldap_server: ldap_domain,
|
||||
ldap_rootdn: ldap_rootdn,
|
||||
ldap_encryption_type: ldap_encryption_type
|
||||
notifies :run, "execute[ejabberdctl reload_config]", :delayed
|
||||
end
|
||||
|
@ -14,12 +14,12 @@ host_config:
|
||||
<% if @host[:ldap_enabled] -%>
|
||||
auth_method: ldap
|
||||
ldap_servers: ["<%= @ldap_server %>"]
|
||||
ldap_rootdn: "cn=xmpp,ou=<%= @host[:name] %>,<%= @ldap_base %>"
|
||||
ldap_rootdn: "<%= @ldap_rootdn %>"
|
||||
ldap_password: "<%= @host[:ldap_password] %>"
|
||||
ldap_encrypt: <%= @ldap_encryption_type %>
|
||||
ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
|
||||
ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
|
||||
ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= @host[:name] %>,<%= @ldap_base %>)"
|
||||
ldap_filter: "(objectClass=person)"
|
||||
<% end -%>
|
||||
|
||||
append_host_config:
|
||||
|
Loading…
x
Reference in New Issue
Block a user