Use FQDN for hostname, add LDAP server

nodes/ldap-3.kosmos.org.json

@@ -1,22 +1,26 @@
 {
-  "name": "ldap-3",
+  "name": "ldap-3.kosmos.org",
   "normal": {
     "knife_zero": {
       "host": "10.1.1.6"
     }
   },
   "automatic": {
-    "fqdn": "ldap-3",
+    "fqdn": "ldap-3.kosmos.org",
     "os": "linux",
     "os_version": "5.4.0-1073-kvm",
     "hostname": "ldap-3",
     "ipaddress": "192.168.122.34",
     "roles": [
-
+      "kvm_guest",
+      "dirsrv_primary"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos-dirsrv",
+      "kosmos-dirsrv::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -30,7 +34,12 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "kosmos-dirsrv::hostsfile",
+      "kosmos-dirsrv::firewall",
+      "backup::default",
+      "logrotate::default",
+      "ulimit::default"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -49,6 +58,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "role[kvm_guest]"
+    "role[kvm_guest]",
+    "role[dirsrv_primary]"
   ]
 }

site-cookbooks/kosmos-dirsrv/files/acis.ldif

@@ -1,5 +1,6 @@
+# LDAPv3                                                                                                                                                                                                                                                                                                                                                                               [0/223]
+# kosmos.org
 dn: dc=kosmos,dc=org
 changetype: modify
 replace: aci
-aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
+aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="*") (version 3.0; acl "user-read-search-own-attributes"; allow (read,search) userdn="ldap:///self";)
-aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)

site-cookbooks/kosmos-dirsrv/files/users.ldif

@@ -1,4 +1,32 @@
-dn: ou=users,dc=kosmos,dc=org
+# users, kosmos.org
+dn: cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalRole
+cn: users
+
+# kosmos.org, users, kosmos.org
+dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
 objectClass: top
 objectClass: organizationalUnit
-ou: users
+description: Kosmos
+ou: kosmos.org
+aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
+
+# 5apps.com, users, kosmos.org
+dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: organizationalUnit
+description: 5apps
+ou: 5apps.com
+aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "service-5apps-read-search"; allow (read,search) userdn="ldap:///uid=service,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
+
+# admin role
+dn: cn=admin_role,ou=kosmos.org,cn=users,dc=kosmos,dc=org
+objectClass: top
+objectClass: LDAPsubentry
+objectClass: nsRoleDefinition
+objectClass: nsComplexRoleDefinition
+objectClass: nsFilteredRoleDefinition
+cn: admin_role
+nsRoleFilter: (&(objectclass=person)(admin=true))
+description: filtered role for admins