From b4209fa29431026ed54601f5613b315f9ffcd213 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 15 May 2020 14:05:35 +0200
Subject: [PATCH] Fix the invalid ACIs on initial creation (for real) Follow-up to #156 I found another issue with the initial ACI creation, while creating a fresh VM. I thought I had fixed it in #156 but I was wrong. This time the ACIs are really set and the code runs successfully. The ACIs are set on the suffix, so modifying it is needed This won't be executed on a server that is already running, this is only done on the initial setup
---
 site-cookbooks/kosmos-dirsrv/files/acis.ldif | 5 +++++
 site-cookbooks/kosmos-dirsrv/files/users.ldif | 8 --------
 site-cookbooks/kosmos-dirsrv/resources/instance.rb | 13 +++++++++++++
 3 files changed, 18 insertions(+), 8 deletions(-)
 create mode 100644 site-cookbooks/kosmos-dirsrv/files/acis.ldif
diff --git a/site-cookbooks/kosmos-dirsrv/files/acis.ldif b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
new file mode 100644
index 0000000..f882afc
--- /dev/null
+++ b/site-cookbooks/kosmos-dirsrv/files/acis.ldif
@@ -0,0 +1,5 @@
+dn: dc=kosmos,dc=org
+changetype: modify
+replace: aci
+aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
diff --git a/site-cookbooks/kosmos-dirsrv/files/users.ldif b/site-cookbooks/kosmos-dirsrv/files/users.ldif
index 3ae1306..5055e99 100644
--- a/site-cookbooks/kosmos-dirsrv/files/users.ldif
+++ b/site-cookbooks/kosmos-dirsrv/files/users.ldif
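Review bot: `replace: aci` on dc=kosmos,dc=org overwrites every ACI already present on the suffix entry, not just the two listed here, which is presumably intended (the commit message says the suffix has to be modified) but is not recorded anywhere in the file; a leading comment line such as `# Replaces ALL acis on the suffix entry; any ACI set at instance creation is dropped` would make that explicit. In 389 DS a matching deny rule wins over an allow, so if "user-deny-all" matches the same bind DNs as the `ldap:///self` allow, users will not be able to write their own userPassword despite the second ACI; this is worth confirming with a bind as a regular user after setup. The commit message establishes that the modify now applies cleanly, which proves the LDIF is syntactically accepted rather than that the resulting access rights are the intended ones.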
@@ -1,11 +1,3 @@
-# kosmos.org
-dn: dc=kosmos,dc=org
-objectClass: top
-objectClass: domain
-dc: kosmos
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
-
 dn: ou=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index de6b6fd..3d66111 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -50,6 +50,7 @@ action :create do
 subscribes :run, "template[#{setup_config}]", :immediately
 notifies :restart, "service[#{service_name}]", :immediately
 notifies :delete, "template[#{setup_config}]", :immediately
+ notifies :run, "execute[set base acis]", :delayed
 notifies :run, "execute[add users group]", :delayed
 notifies :run, "execute[disable anonymous access]", :delayed
 end
@@ -59,6 +60,18 @@ action :create do
 action [:enable, :start]
 end
 
+ cookbook_file "#{Chef::Config[:file_cache_path]}/acis.ldif" do
+ source "acis.ldif"
+ owner "root"
+ group "root"
+ end
+
+ execute "set base acis" do
+ command "ldapmodify -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/acis.ldif' -p #{new_resource.port} -h localhost"
+ sensitive true
+ action :nothing
+ end
+
 cookbook_file "#{Chef::Config[:file_cache_path]}/users.ldif" do
 source "users.ldif"
 owner "root"
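Review bot: The new `notifies :run, "execute[set base acis]", :delayed` depends on dc=kosmos,dc=org already existing when the delayed notifications fire, because this commit removes that entry from users.ldif and acis.ldif only modifies it; presumably the instance setup creates the suffix entry, but nothing in the hunk records that assumption. A comment above the line such as `# acis.ldif modifies the suffix entry in place, so it must already exist when this runs` would document the ordering dependency for the next reader. The enclosing `action :create do` block starts before this hunk and continues past it.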
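Review bot: In `execute "set base acis"` the admin password is interpolated unquoted into a shell command string (`-w #{new_resource.admin_password}`) while the bind DN is single-quoted, so any whitespace or shell metacharacter in the password breaks the command or is expanded by the shell, and `sensitive true` only suppresses Chef's own output — the password remains visible in the process list for as long as ldapmodify runs. Passing `command` as an array avoids the shell entirely: `command ["ldapmodify", "-x", "-w", new_resource.admin_password, "-D", new_resource.bind_dn, "-f", "#{Chef::Config[:file_cache_path]}/acis.ldif", "-p", new_resource.port.to_s, "-h", "localhost"]`; ldapmodify's `-y` option with a root-only (mode 0600) password file in the cache path would additionally keep it out of the process table. The `execute[add users group]` and `execute[disable anonymous access]` resources referenced in the notifies presumably use the same pattern and would want the same treatment, but they are outside this hunk. The enclosing `action :create do` block starts before the hunk and continues after it.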