improvement of ssl_cert and openldap's linkage.

diff --git a/cookbooks/openldap/metadata.rb b/cookbooks/openldap/metadata.rb
index f5537f6..69448a9 100644 (file)
--- a/cookbooks/openldap/metadata.rb
+++ b/cookbooks/openldap/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email ''
 license          'Apache 2.0'
 description      'Installs/Configures openldap'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.1'
+version          '0.1.2'
 
-depends 'ssl_cert'
+depends 'ssl_cert', '>= 0.1.5'
 

diff --git a/cookbooks/openldap/recipes/server.rb b/cookbooks/openldap/recipes/server.rb
index a6ea4d9..00109a4 100644 (file)
--- a/cookbooks/openldap/recipes/server.rb
+++ b/cookbooks/openldap/recipes/server.rb
@@ -22,15 +22,18 @@ case node[:platform_family]
     [
       'slapd',
       'ldap-utils',
+      'ssl-cert',
     ].each {|pkg|
       resources(:package => pkg) rescue package pkg do
         action :install
       end
     }
-
-    service 'slapd' do
-      action [:enable, :start]
-      supports :status => true, :restart => true, :reload => false
+    
+    # for SSL server key access
+    group 'ssl-cert' do
+      action :modify
+      members 'openldap'
+      append true
     end
   when 'rhel'
     [
@@ -42,13 +45,18 @@ case node[:platform_family]
       end
     }
 
-    service 'slapd' do
-      #action [:enable, :start]
-      action [:enable]
-      supports :status => true, :restart => true, :reload => false
+    # for SSL server key access
+    if node['openldap']['with_ssl_cert_cookbook'] \
+      && node['ssl_cert']['rhel']['key_access_group'] != 'root' then
+      group node['ssl_cert']['rhel']['key_access_group'] do
+        action :modify
+        members 'ldap'
+        append true
+      end
     end
 end
 
+# deploy ldif file for TLS settings.
 if node['openldap']['with_ssl_cert_cookbook'] then
   [
     '00_olc-add-ldaps.ldif',
@@ -63,6 +71,12 @@ if node['openldap']['with_ssl_cert_cookbook'] then
   }
 end
 
+service 'slapd' do
+  #action [:enable, :start]
+  action [:enable]
+  supports :status => true, :restart => true, :reload => false
+end
+
 log <<-EOM
 Note:
 You must setup OpenLDAP configurations in the first installation:

diff --git a/cookbooks/ssl_cert/CHANGELOG.md b/cookbooks/ssl_cert/CHANGELOG.md
index 2639fbf..8ab7a8d 100644 (file)
--- a/cookbooks/ssl_cert/CHANGELOG.md
+++ b/cookbooks/ssl_cert/CHANGELOG.md
@@ -1,6 +1,10 @@
 ssl_cert CHANGELOG
 ==================
 
+0.1.5
+-----
+- add ['ssl_cert']['rhel']['key_access_group'] attribute.
+
 0.1.4
 -----
 - improvement for vault item key setting (add nested hash key path format delimited by slash)

diff --git a/cookbooks/ssl_cert/README.md b/cookbooks/ssl_cert/README.md
index 9de6824..d82acd9 100644 (file)
--- a/cookbooks/ssl_cert/README.md
+++ b/cookbooks/ssl_cert/README.md
@@ -18,6 +18,7 @@ Attributes
 |:--|:--|:--|:--|
 |`['ssl_cert']['ca_names']`|Array|deployed CA certificates from chef-vault|empty|
 |`['ssl_cert']['common_names']`|Array|deployed server keys and/or certificates from chef-vault|empty|
+|`['ssl_cert']['rhel']['key_access_group']`|String|RHEL family's key access group (ver. 0.1.5 or later)|`'ssl-cert'`|
 |`['ssl_cert']['chef_gem']['clear_sources']`|Boolean|chef_gem resource's clear_sources property.|`false`|
 |`['ssl_cert']['chef_gem']['source']`|String|chef_gem resource's source property.|`nil`|
 |`['ssl_cert']['chef_gem']['options']`|String|chef_gem resource's options property.|`nil`|

diff --git a/cookbooks/ssl_cert/attributes/default.rb b/cookbooks/ssl_cert/attributes/default.rb
index 8c726fa..4ec1901 100644 (file)
--- a/cookbooks/ssl_cert/attributes/default.rb
+++ b/cookbooks/ssl_cert/attributes/default.rb
@@ -27,6 +27,9 @@ default['ssl_cert']['common_names'] = [
   #'ldap.grid.example.com',
 ]
 
+# debian key access group is 'ssl-cert'
+default['ssl_cert']['rhel']['key_access_group'] = 'ssl-cert'
+
 # for chef-vault installation
 default['ssl_cert']['chef_gem']['clear_sources'] = false
 default['ssl_cert']['chef_gem']['source'] = nil

diff --git a/cookbooks/ssl_cert/libraries/helper.rb b/cookbooks/ssl_cert/libraries/helper.rb
index 8aaba02..c35d4f6 100644 (file)
--- a/cookbooks/ssl_cert/libraries/helper.rb
+++ b/cookbooks/ssl_cert/libraries/helper.rb
@@ -39,9 +39,14 @@ module Helper
 
 
   def get_private_key_group
+    if node['ssl_cert']['rhel']['key_access_group'].nil? \
+      || node['ssl_cert']['rhel']['key_access_group'].empty? then
+      node.override['ssl_cert']['rhel']['key_access_group'] = 'root'
+    end
+
     node.value_for_platform_family(
       'debian'  => 'ssl-cert',
-      'rhel'    => 'root',
+      'rhel'    => node['ssl_cert']['rhel']['key_access_group'],
       'default' => 'root',
     )
   end
@@ -136,7 +141,12 @@ module Helper
 
     key_path = node['ssl_cert']["#{undotted_cn}_key_path"]
     key_group = get_private_key_group
+    group key_group do
+      system true
+      action :create
+    end
     key_mode = get_private_key_mode
+
     resources(:file => key_path) rescue file key_path do
       content secret
       sensitive true

diff --git a/cookbooks/ssl_cert/metadata.rb b/cookbooks/ssl_cert/metadata.rb
index 7a258f5..172c15a 100644 (file)
--- a/cookbooks/ssl_cert/metadata.rb
+++ b/cookbooks/ssl_cert/metadata.rb
@@ -4,5 +4,5 @@ maintainer_email ''
 license          'Apache 2.0'
 description      'Installs/Configures ssl_cert'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.4'
+version          '0.1.5'