Râu Cao
2958ba4b81
Use *.kosmos.local hostnames for LDAP nodes
2022-11-26 16:47:28 +01:00
Râu Cao
991458208d
Use a role for configuring LDAP hostname on clients
...
This way it's also easy to converge all LDAP clients at once.
2022-11-26 16:45:45 +01:00
Râu Cao
8d4db7290e
Rename dirsrv_primary role
...
The term used in 389 docs is "supplier" instead (ex "master")
2022-11-26 16:44:05 +01:00
Greg
85abfd4e5e
Create the required groups and ACIs
2022-08-22 16:15:02 +02:00
Greg
5c00e2d28a
Add an attribute containing the LDAP server's address
2022-05-11 15:37:36 +02:00
Basti
590366639e
Fix fresh dirsrv installs on Ubuntu 20.04
2022-04-26 20:10:51 +02:00
Basti
da3a70ef4c
WIP dirsrv changes
2021-12-02 13:56:23 -06:00
Greg
685deea920
Simplify dirsrv setup
...
Connecting directly using zerotier, no more nginx
2021-12-02 19:08:27 +01:00
Greg
346b6540d1
Fix an undefined variable
2021-03-30 12:14:40 +02:00
Greg
456639bdf8
Fix a syntax error in certbot dirsrv hook
...
The newline was not escaped and rendered as an actual newline
Fixes #272
2020-12-31 11:38:49 +01:00
Greg
e6b7794e20
Extract firewall definitions to their own recipe
...
This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus)
Refs #244
2020-12-04 16:27:42 +01:00
Greg
23ca3552d2
Remove the absolute path of certbot to use the new package
2020-11-25 16:36:07 +01:00
Basti
ac49430521
Install lib389
...
Fixes 389 CLIs not working (e.g. `dsctl`).
2020-11-08 17:23:24 +01:00
Greg
5062392c71
Fix the undefined variable in the instance resource
2020-10-20 19:53:11 +02:00
Greg
d2126f6153
Use the right variable for the TLS cert's domain
...
`domain` was undefined. `new_resource.hostname` is ldap.kosmos.org and
is what we need
Fixes #193
2020-07-22 15:59:27 +02:00
Greg
210c76c479
Fix the name of the Let's Encrypt cert execute resource
...
The resource in the notification was invalid, missing the type of
resource (execute)
Fixes #171
2020-05-26 14:10:47 +02:00
Greg
57f46c6c61
Merge branch 'master' into bugfix/enable_dirsrv
2020-05-15 17:24:04 +02:00
Greg
b4209fa294
Fix the invalid ACIs on initial creation (for real)
...
Follow-up to #156
I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.
The ACIs are set on the suffix, so modifying it is needed.
This won't be executed on a server that is already running; this is only
done on the initial setup.
2020-05-15 14:05:35 +02:00
Greg
10f0460fd5
Fix startup of the dirsrv@master Systemd unit on boot
...
The symlink created by Chef's service resource was wrong. Creating the
correct symlink fixes the automatic startup on boot
2020-05-15 13:54:34 +02:00
Greg
53d53f2375
Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master
2020-04-30 15:50:26 +00:00
Greg
1c920a8cb2
Remove the encryption keys after TLS cert renewal
...
This is done with awk; this was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections.
The keys will be recreated on service restart.
https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption
Closes #152
2020-04-20 19:11:34 +02:00
Greg
5e3c8066f9
Add the missing certbot command to generate the LDAP TLS cert
...
This had been done manually on barnard. This will not be executed on
barnard again since the cert exists
2020-04-20 19:10:15 +02:00
Greg
d01c9a4d0a
Fix the name of the deploy certbot hook
2020-04-20 19:09:43 +02:00
Greg
3ca8ab45da
Fix the invalid ACIs on initial creation
...
This is only executed on initial creation of the instance; the
production one is using these fixed ACIs. This was only an issue with
the setup.
The issue was that the ACI was set at the wrong level.
2020-04-20 19:00:28 +02:00
Greg
e56faab5b1
Set the ACIs on the base DN
...
Allow users to change their own password, but nothing else (no search,
no read, no write)
This will only run when setting up the 389-dirsrv instance for the first
time; this has been applied on barnard by editing the dn (see
#128 (comment)).
Closes #128
2020-02-12 16:13:45 +01:00
Greg
a69192a863
Enable LDAP support on mediawiki
...
Users can log in using their LDAP account (in the
ou=users,dc=kosmos,dc=org group and with the wiki attribute set to
enabled)
Add an attribute for the ldap master server, so it can be overridden in
the development environment
Refs #107
2020-01-24 13:45:17 +01:00
Greg
9828b867ba
Disable anonymous binds
...
See https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html#disabling-anonymous-binds
2019-12-20 16:46:03 +01:00
Greg
1240ed9da8
Move the dirsrv cert generation to a certbot deploy hook
2019-12-05 15:47:10 +01:00
Greg
0d192f536f
Add the empty nginx vhost template
2019-12-05 15:05:37 +01:00
Greg
0dbf350540
Restart the server after importing the TLS cert
2019-12-04 17:40:27 +01:00
Greg
4e7d453942
Move the firewall and backup recipes outside of the custom resource
...
See the comment for more details
2019-12-04 17:33:41 +01:00
Greg
e24cd01287
Add an empty template because the nginx_certbot_site resource needs one
2019-12-04 17:33:13 +01:00
Greg
632cb38aab
Pass an empty passphrase on the command line for the p12 cert
2019-12-04 17:32:40 +01:00
Greg
9d9493af0d
Add a missing dependency on the kosmos-nginx cookbook
2019-12-04 17:32:03 +01:00
Greg
dc91128eca
Use a custom resource to create a 389 Directory Server instance
...
This replaces the default recipe and will make it much easier to create
other types of instances, for example for replication
2019-11-29 14:34:52 +01:00
Greg
9e4685a743
Initial version of the kosmos-dirsrv cookbook
...
It sets up 389 Directory Server, including a TLS cert acquired using
Let's Encrypt in production (that requires ldap.kosmos.org pointing to
the server's IP)
2019-11-15 15:41:30 +01:00