Cookbook to deploy a LDAP server (389 Directory Server) #115
No reviewers
Labels
No Label
service
accounts
service
discourse
service
drone-ci
service
email
service
garage
service
gitea
service
ipfs
service
mastodon
service
postgres
service
remotestorage
service
wiki
service
xmpp
bug
design
dev environment
docs
duplicate
enhancement
feature
good first issue
idea
invalid
kredits-1
kredits-2
kredits-3
on hold
ops
question
release
major
release
minor
release
patch
security
ui/ux
wontfix
No Milestone
No project
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: kosmos/chef#115
Loading…
Reference in New Issue
No description provided.
Delete Branch "feature/107-ldap_server"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Initial version of the kosmos-dirsrv cookbook
It sets up 389 Directory Server, including a TLS cert acquired using Let's Encrypt in production (that requires ldap.kosmos.org pointing to the server's IP).
Extracted from #112 (I have removed the commits adding LDAP support to our services, this will be a separate PR)
LGTM. A few questions:
ldap2.kosmos.org
for example.I haven't deployed it yet. I think we could start by running it on barnard, dirsrv doesn't take a lot of RAM (each instance takes around 30MB in my VM)
I got replication to work in my VM by using the Red Hat docs, I'm going to turn this into recipes, that's a lot of different LDIF files
Ok, sounds good.
Why would we need this from the start? Is it really that important? It was just a general question to learn if it's on the radar and if it's possible at all.
Cookbook to deploy a LDAP server (389 Directory Server)to WIP: Cookbook to deploy a LDAP server (389 Directory Server)I ran into a couple issues (see the commits from today), but this is now running on barnard as ldap.kosmos.org, with a TLS cert.
Example usage:
I have just discovered this is missing the certbot hooks for cert renewal, I'm pushing that and then we can merge this one
WIP: Cookbook to deploy a LDAP server (389 Directory Server)to Cookbook to deploy a LDAP server (389 Directory Server)This should be good to merge now
I get the same result without having a password stored in that variable. Is that intended?
Also, where can I find the documentation for how it's set up in terms of admin accounts, where to find the passwords, etc.? I did a quick search through the changed files, but there doesn't seem to be anything in
doc/
.The same result, meaning successful search results without a password? I can't reproduce that
I have added
doc/ldap.md
with the instructions to get the admin password from the encrypted data bagYes, just the exact same output that you posted with the 2 search results. I used the empty $password variable, by just copying the bash command without defining $password first.
Get you some easy kredits for updating this one, too: https://wiki.kosmos.org/Infrastructure
@raucao I don't understand how you can get search results without the correct admin password. With an incorrect password I get
ldap_bind: Invalid credentials (49)
and with an empty one:Edit: I updated the Infra wiki page
I cannot tell you how it's possible. Only that it happened exactly as I described. I never looked up the password or copied it anywhere.
I just double-checked, even though I was certain before. I can still do this by just SSHing into barnard, and without doing anything else, running
ldapsearch -x -w $password -D 'cn=Directory Manager' -b "ou=users,dc=kosmos,dc=org" -H "ldaps://ldap.kosmos.org" -v
will yield the result almost exactly as posted in the example:Thanks, I can reproduce that on barnard. The search does not return actual results with that empty password variable, but it is successful, unlike with an empty/wrong password, or without a
-w
switch. It does not look like it is a problem since no results are returned on local requests without the correct passwordThis appears to happen because the server is running on localhost, with an empty password variable from another server the search isn't successful as on barnard.
It says "search result" and then shows some numbers. Running the same command with an actual password also doesn't yield "actual results" for me. Are you referring to different commands?
By actual results I mean this part:
I still don't see what is the actual result in that. But OK.
I just want to make certain that we don't overlook a security issue there, and that people with shell access cannot randomly access all user data.
I got it, passing the empty unquoted variable as a password is the same as doing this:
This is called Anonymous Bind (https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/configuring-special-binds.html#disabling-anonymous-binds). We can set
nsslapd-allow-anonymous-access: off
to disable it.I have set
nsslapd-allow-anonymous-access: off
on barnard, pushing the code changesThat looks much better. 👍
I think we can merge it now.