kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 28 Pull Requests 3 Projects 2 Activity

Fix the invalid ACIs on initial creation (for real)

Browse Source 
Follow-up to #156

I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.

The ACIs are set on the suffix, so modifying it is needed

This won't be executed on a server that is already running, this is only
done on the initial setup
This commit is contained in:
Greg Karékinian 2020-05-15 14:05:35 +02:00
parent bf60f9fca8
commit b4209fa294
3 changed files with 18 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
site-cookbooks/kosmos-dirsrv/files/acis.ldif Normal file
View File

@ -0,0 +1,5 @@
dn: dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)

8
site-cookbooks/kosmos-dirsrv/files/users.ldif
View File

@ -1,11 +1,3 @@
# kosmos.org
dn: dc=kosmos,dc=org
objectClass: top
objectClass: domain
dc: kosmos
aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
dn: ou=users,dc=kosmos,dc=org dn: ou=users,dc=kosmos,dc=org
objectClass: top objectClass: top
objectClass: organizationalUnit objectClass: organizationalUnit

13
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -50,6 +50,7 @@ action :create do
subscribes :run, "template[#{setup_config}]", :immediately subscribes :run, "template[#{setup_config}]", :immediately
notifies :restart, "service[#{service_name}]", :immediately notifies :restart, "service[#{service_name}]", :immediately
notifies :delete, "template[#{setup_config}]", :immediately notifies :delete, "template[#{setup_config}]", :immediately
notifies :run, "execute[set base acis]", :delayed
notifies :run, "execute[add users group]", :delayed notifies :run, "execute[add users group]", :delayed
notifies :run, "execute[disable anonymous access]", :delayed notifies :run, "execute[disable anonymous access]", :delayed
end end
@ -59,6 +60,18 @@ action :create do
action [:enable, :start] action [:enable, :start]
end end
cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
source "acis.ldif"
owner "root"
group "root"
end
execute "set base acis" do
command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
sensitive true
action :nothing
end
cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
source "users.ldif" source "users.ldif"
owner "root" owner "root"