# CHANGELOG for openldap-grid
+0.2.6
+-----
+- adds the `['openldap']['server']['enabled']` attribute.
+- improves CA certificates and server key pair deployment.
+- refactors specs.
+
0.2.5
-----
- refactoring.
|`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`|
|`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key||
|`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`|
+|`['openldap']['server']['enabled']`|Boolean|`slapd` service enabled (ver. 0.2.6 or later)|`true`|
|`['openldap']['server']['extra_schema']['samba']`|Boolean|add the schema for Samba (ver. 0.2.3 or later)|`false`|
|`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`|
|`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`|
}
```
-### with ssl_cert cookbook
+### SSL CA certificate management by ssl_cert cookbook
If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute.
+### SSL server keys and certificates management by ssl_cert cookbook
+
+- create vault items.
+
+```text
+$ ruby -rjson -e 'puts JSON.generate({"private" => File.read("ldap.grid.example.com.prod.key")})' \
+> > ~/tmp/ldap.grid.example.com.prod.key.json
+
+$ ruby -rjson -e 'puts JSON.generate({"public" => File.read("ldap.grid.example.com.prod.crt")})' \
+> > ~/tmp/ldap.grid.example.com.prod.crt.json
+
+$ cd $CHEF_REPO_PATH
+
+$ knife vault create ssl_server_keys ldap.grid.example.com.prod \
+> --json ~/tmp/ldap.grid.example.com.prod.key.json
+
+$ knife vault create ssl_server_certs ldap.grid.example.com.prod \
+> --json ~/tmp/ldap.grid.example.com.prod.crt.json
+```
+
+- grant reference permission to the ldap host
+
+```text
+$ knife vault update ssl_server_keys ldap.grid.example.com.prod -S 'name:ldap*.grid.example.com'
+$ knife vault update ssl_server_certs ldap.grid.example.com.prod -S 'name:ldap*.grid.example.com'
+```
+
+- modify run_list and attributes
+
+```ruby
+run_list(
+ #'recipe[ssl_cert::server_key_pairs]', # gitlab-grid <= 0.2.5
+ 'recipe[opeldap-grid::server]',
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ #'common_names' => [
+ # 'ldap.grid.example.com', # gitlab-grid <= 0.2.5
+ #],
+ },
+ 'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'common_name' => 'ldap.grid.example.com',
+ },
+ # ...
+ },
+)
+```
+
## License and Authors
- Author:: whitestar at osdn.jp
```text
-Copyright 2013-2017, whitestar
+Copyright 2013-2018, whitestar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
# Cookbook Name:: openldap-grid
# Attributes:: default
#
-# Copyright 2013-2016, whitestar
+# Copyright 2013-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
default['openldap']['ldap_lookup_nameservices'] = [] # e.g. ['passwd', 'group']
#default['openldap'][''] =
+default['openldap']['server']['enabled'] = true
default['openldap']['server']['extra_schema'] = {
'samba' => false,
}
---
-# $ fly -t target sp -p openldap-grid-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
+# $ fly -t $CC_TARGET sp -p openldap-grid-cookbook -c concourse.yml -l fly-vars.yml -l ~/sec/credentials-prod.yml
resources:
- name: src-git
type: git
ca_certs:
- domain: ((registry-mirror-domain)) # e.g. registry.docker.example.com:5000
cert: ((docker-reg-ca-cert))
- check_every: 12h # default: 1m
+ check_every: 6h # default: 1m
jobs:
- name: test-cookbook
tag_prefix: ((cookbook-name))-
tag: src-git/cookbooks/((cookbook-name))/version
only_tag: true
- annotate: ../src-git/cookbooks/((cookbook-name))/version
+ annotate: src-git/cookbooks/((cookbook-name))/version
# Cookbook Name:: openldap-grid
# Recipe:: client
#
-# Copyright 2013-2016, whitestar
+# Copyright 2013-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
if node['openldap']['with_ssl_cert_cookbook'] \
&& (tls_cacert.nil? || tls_cacert.empty?)
::Chef::Recipe.send(:include, SSLCert::Helper)
+
+ ca_name = node['openldap']['ssl_cert']['ca_name']
+ unless ca_name.nil?
+ append_ca_name(ca_name)
+ include_recipe 'ssl_cert::ca_certs'
+ end
+
node.force_override['openldap']['client']['TLS_CACERT'] \
= ca_cert_path(node['openldap']['ssl_cert']['ca_name'])
end
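Review bot: The `unless ca_name.nil?` guard only covers `append_ca_name` and the `ssl_cert::ca_certs` include; the `force_override` on the last two lines still runs unconditionally and re-reads the same attribute, so a nil `ca_name` reaches `ca_cert_path(nil)` and `TLS_CACERT` is overridden with whatever that returns. Either move the override inside the guarded block or at least pass the local already computed: `= ca_cert_path(ca_name)`. If `ca_cert_path` is meant to tolerate nil (a default CA, for instance), a short comment saying so would make the asymmetry intentional rather than accidental. The nss-ldapd recipe hunk further down overrides `tls_cacertfile` with exactly the same pattern and needs the same treatment.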
# Cookbook Name:: openldap-grid
# Recipe:: nss-ldapd
#
-# Copyright 2013-2016, whitestar
+# Copyright 2013-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
if node['openldap']['with_ssl_cert_cookbook'] \
&& (tls_cacertfile.nil? || tls_cacertfile.empty?)
::Chef::Recipe.send(:include, SSLCert::Helper)
+
+ ca_name = node['openldap']['ssl_cert']['ca_name']
+ unless ca_name.nil?
+ append_ca_name(ca_name)
+ include_recipe 'ssl_cert::ca_certs'
+ end
+
node.force_override['openldap']['nss-ldapd']['tls_cacertfile'] \
= ca_cert_path(node['openldap']['ssl_cert']['ca_name'])
end
# Cookbook Name:: openldap-grid
# Recipe:: server
#
-# Copyright 2016, whitestar
+# Copyright 2016-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
end
end
-# deploy ldif file for TLS settings.
+# deploy SSL certs and keys and ldif file for TLS settings.
if node['openldap']['with_ssl_cert_cookbook']
+ ::Chef::Recipe.send(:include, SSLCert::Helper)
+
+ ca_name = node['openldap']['ssl_cert']['ca_name']
+ unless ca_name.nil?
+ append_ca_name(ca_name)
+ include_recipe 'ssl_cert::ca_certs'
+ end
+
+ cn = node['openldap']['ssl_cert']['common_name']
+ append_server_ssl_cn(cn)
+ include_recipe 'ssl_cert::server_key_pairs'
+
[
'00_olc-add-ldaps.ldif',
'00_olc-mod-ldaps.ldif',
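Review bot: `cn` is read from `node['openldap']['ssl_cert']['common_name']` without the nil check that `ca_name` gets a few lines earlier, so an unset common name is passed straight to `append_server_ssl_cn(nil)` before `ssl_cert::server_key_pairs` is included. Presumably that name is what selects the server key pair (the README's vault item names suggest so), in which case failing early with a clear message beats whatever the helper does with nil: `raise ArgumentError, "node['openldap']['ssl_cert']['common_name'] must be set when with_ssl_cert_cookbook is true" if cn.nil? || cn.empty?`. Matching the `ca_name.empty?`-style check used for `tls_cacert` in the client recipe would also keep the three recipes consistent. The `if node['openldap']['with_ssl_cert_cookbook']` block continues past the end of this hunk.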
}
end
+srv_act = node['openldap']['server']['enabled'] ? [:enable] : [:disable, :stop]
service 'slapd' do
- #action [:enable, :start]
- action [:enable]
+ action srv_act
supports status: true, restart: true, reload: false
end
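Review bot: The two branches of the new `srv_act` ternary are asymmetric — the disabled state both disables and stops slapd, while the enabled state only registers the service and never issues `:start` (the removed `#action [:enable, :start]` line suggests this was a deliberate choice earlier). If starting is intentionally left to some other resource or notification, a one-line comment next to the ternary stating that would make the intent explicit; otherwise `[:enable, :start]` would make the attribute's two states mirror each other. The name `srv_act` also says little about what it holds; `slapd_actions` reads closer to its use in the `service` block.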
# Cookbook Name:: openldap
# Recipe Spec:: client_spec
#
-# Copyright 2015, whitestar
+# Copyright 2015-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
describe 'openldap::client' do
let(:chef_run_on_debian) {
ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
- node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
- node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
+ node.override['openldap']['client']['URI'] = 'ldap://ldap.example.com'
+ node.override['openldap']['client']['BASE'] = 'dc=example,dc=com'
}.converge(described_recipe)
}
let(:chef_run_on_rhel) {
ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
- node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
- node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
+ node.override['openldap']['client']['URI'] = 'ldap://ldap.example.com'
+ node.override['openldap']['client']['BASE'] = 'dc=example,dc=com'
}.converge(described_recipe)
}
# Cookbook Name:: openldap
# Recipe Spec:: nss-ldapd_spec
#
-# Copyright 2015, whitestar
+# Copyright 2015-2018, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
describe 'openldap::nss-ldapd' do
let(:chef_run_on_debian) {
ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
- node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
- node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
+ node.override['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
+ node.override['openldap']['nss-ldapd']['invalid_key'] = 'value'
}.converge(described_recipe)
}
let(:chef_run_on_rhel) {
ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
- node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
- node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
+ node.override['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
+ node.override['openldap']['nss-ldapd']['invalid_key'] = 'value'
}.converge(described_recipe)
}