From 6fa89b3c25515f193fae0f3725133447800e7921 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 21 Feb 2020 17:58:16 +0100 Subject: [PATCH] Switch the ejabberd LDAP setup to a new application account Needs the new directory structure: ``` dn: cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalRole cn: users dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit ou: kosmos.org dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: top objectClass: organizationalUnit description: 5apps ou: 5apps.com dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: wiki userPassword: [snip] dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org objectClass: simpleSecurityObject objectClass: account uid: xmpp userPassword: [snip] ``` And the new ACIs: ``` dn: ou=5apps.com,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";) dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org changetype: modify replace: aci aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";) ``` Refs #140 --- site-cookbooks/kosmos-ejabberd/metadata.rb | 2 +- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 3 +++ site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 5e56bce..c300d2c 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -4,7 +4,7 @@ maintainer_email 'ops@kosmos.org' license 'MIT' description 'Installs/Configures kosmos-ejabberd' long_description 'Installs/Configures kosmos-ejabberd' -version '0.2.0' +version '0.2.1' chef_version '>= 12.14' if respond_to?(:chef_version) # The `issues_url` points to the location where issues for this cookbook are diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 25e30c5..e2d0065 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -112,6 +112,8 @@ ldap_base = "cn=users,dc=kosmos,dc=org" admin_users = ejabberd_credentials['admins'] hosts.each do |host| + ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org" + postgresql_database host[:sql_database] do owner 'ejabberd' action :create @@ -134,6 +136,7 @@ hosts.each do |host| host: host, ldap_base: ldap_base, ldap_server: ldap_domain, + ldap_rootdn: ldap_rootdn, ldap_encryption_type: ldap_encryption_type notifies :run, "execute[ejabberdctl reload_config]", :delayed end diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index 875af76..32c064d 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb @@ -14,12 +14,12 @@ host_config: <% if @host[:ldap_enabled] -%> auth_method: ldap ldap_servers: ["<%= @ldap_server %>"] - ldap_rootdn: "cn=xmpp,ou=<%= @host[:name] %>,<%= @ldap_base %>" + ldap_rootdn: "<%= @ldap_rootdn %>" ldap_password: "<%= @host[:ldap_password] %>" ldap_encrypt: <%= @ldap_encryption_type %> ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>" - ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= @host[:name] %>,<%= @ldap_base %>)" + ldap_filter: "(objectClass=person)" <% end -%> append_host_config: