From d843bd1361e24cbc1f9c6f9dd0f8f7360602d4e4 Mon Sep 17 00:00:00 2001 From: whitestar Date: Sun, 10 Jan 2016 13:47:34 +0900 Subject: [PATCH] improvement of grid nameservice cluster setup. --- cookbooks/krb5/CHANGELOG.md | 14 ++- cookbooks/krb5/README.md | 2 +- cookbooks/krb5/metadata.rb | 2 +- cookbooks/krb5/recipes/kdc-slave.rb | 100 +++++++++++++++++++++ cookbooks/krb5/recipes/kdc.rb | 81 +---------------- cookbooks/krb5/templates/debian/etc/krb5.conf | 5 ++ cookbooks/openldap/CHANGELOG.md | 15 ++-- cookbooks/openldap/README.md | 14 ++- cookbooks/openldap/attributes/default.rb | 9 +- cookbooks/openldap/metadata.rb | 5 +- cookbooks/openldap/recipes/client.rb | 13 ++- cookbooks/openldap/recipes/nss-ldapd.rb | 7 +- cookbooks/openldap/recipes/server.rb | 75 ++++++++++++++++ .../default/etc/ldap/00_olc-add-ldaps.ldif | 10 +++ .../default/etc/ldap/00_olc-mod-ldaps.ldif | 11 +++ roles/grid-ns-master.rb | 56 ++++++++++++ roles/grid-ns-slave.rb | 57 ++++++++++++ roles/grid-ns.rb | 18 +--- roles/ldap-client-grid.rb | 26 ++++-- 19 files changed, 390 insertions(+), 130 deletions(-) create mode 100644 cookbooks/krb5/recipes/kdc-slave.rb create mode 100644 cookbooks/openldap/recipes/server.rb create mode 100644 cookbooks/openldap/templates/default/etc/ldap/00_olc-add-ldaps.ldif create mode 100644 cookbooks/openldap/templates/default/etc/ldap/00_olc-mod-ldaps.ldif create mode 100644 roles/grid-ns-master.rb create mode 100644 roles/grid-ns-slave.rb diff --git a/cookbooks/krb5/CHANGELOG.md b/cookbooks/krb5/CHANGELOG.md index 667e21d..8d1aee4 100644 --- a/cookbooks/krb5/CHANGELOG.md +++ b/cookbooks/krb5/CHANGELOG.md 
@@ -1,12 +1,10 @@ # CHANGELOG for krb5 -This file is used to list changes made in each version of krb5. +0.1.2 +----- +- add kdc-slave recipe. -## 0.1.0: +0.1.0 +----- +- Initial release of krb5 -* Initial release of krb5 - -- - - -Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown. - -The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown. diff --git a/cookbooks/krb5/README.md b/cookbooks/krb5/README.md index 7d170d8..0282c84 100644 --- a/cookbooks/krb5/README.md +++ b/cookbooks/krb5/README.md @@ -6,7 +6,7 @@ This cookbook contains Admin., KDC and Client setup recipes for Kerberos 5. Requirements ------------ -Nothing. +None. Attributes ---------- diff --git a/cookbooks/krb5/metadata.rb b/cookbooks/krb5/metadata.rb index 46cc19a..8914730 100644 --- a/cookbooks/krb5/metadata.rb +++ b/cookbooks/krb5/metadata.rb @@ -4,7 +4,7 @@ maintainer_email '' license 'Apache 2.0' description 'Installs/Configures krb5' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.1' +version '0.1.2' %w{ debian ubuntu centos redhat fedora }.each do |os| supports os diff --git a/cookbooks/krb5/recipes/kdc-slave.rb b/cookbooks/krb5/recipes/kdc-slave.rb new file mode 100644 index 0000000..83aaeba --- /dev/null +++ b/cookbooks/krb5/recipes/kdc-slave.rb 
@@ -0,0 +1,100 @@
+#
+# Cookbook Name:: krb5
+# Recipe:: kdc-slave
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node[:platform_family]
+ when 'debian'
+ package 'krb5-kdc' do
+ action :install
+ end
+
+ service 'krb5-kdc' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/etc/krb5kdc/kdc.conf' do
+ source 'etc/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+ template '/etc/krb5kdc/kpropd.acl' do
+ source 'etc/krb5kdc/kpropd.acl'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+
+ package 'xinetd' do
+ action :install
+ end
+
+ service 'xinetd' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/etc/xinetd.d/krb_prop' do
+ source 'etc/xinetd.d/krb_prop'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ notifies :reload, 'service[xinetd]'
+ end
+ when 'rhel'
+ package 'krb5-server' do
+ action :install
+ end
+
+ service 'krb5kdc' do
+ #action [:enable, :start]
+ action [:enable]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/var/kerberos/krb5kdc/kdc.conf' do
+ source 'var/kerberos/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0600'
+ end
+ template '/var/kerberos/krb5kdc/kpropd.acl' do
+ source 'var/kerberos/krb5kdc/kpropd.acl'
+ owner 'root'
+ group 'root'
+ mode '0600'
+ end
+
+ service 'kprop' do
+ action [:enable, :start]
+ supports 
:status => true, :restart => true, :reload => true
+ end
+end
+
+log <<-EOM
+Note:
+You must add the host principal of this host for propagation.:
+ $ sudo kadmin -p admin
+ ...
+ kadmin: add_principal -randkey host/ns01.grid.example.com
+ ...
+ kadmin: ktadd host/ns01.grid.example.com
+ ...
+EOM
+
diff --git a/cookbooks/krb5/recipes/kdc.rb b/cookbooks/krb5/recipes/kdc.rb
index ffa7040..c614c9c 100644
--- a/cookbooks/krb5/recipes/kdc.rb
+++ b/cookbooks/krb5/recipes/kdc.rb
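Review bot: The post-install note hard-codes `host/ns01.grid.example.com` as the principal to create and add to the keytab, so on every other slave it instructs the operator to register a principal that does not belong to the host being configured, and the kprop receive will presumably fail until someone notices; the heredoc is `<<-EOM`, so it interpolates — use `kadmin: add_principal -randkey host/#{node['fqdn']}` and `kadmin: ktadd host/#{node['fqdn']}`. The Debian branch writes `kdc.conf` and `kpropd.acl` with mode 0644 while the RHEL branch uses 0600; neither file holds key material, but the inconsistency deserves either a common mode or a one-line comment explaining it. None of the `kdc.conf` templates notifies the KDC service, so a changed realm configuration only takes effect after a manual restart — consider `notifies :restart, 'service[krb5-kdc]'` (and `service[krb5kdc]` on RHEL).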
@@ -17,84 +17,5 @@ # limitations under the License. # -case node[:platform_family] - when 'debian' - package 'krb5-kdc' do - action :install - end - - service 'krb5-kdc' do - action [:enable, :start] - supports :status => true, :restart => true, :reload => false - end - - template '/etc/krb5kdc/kdc.conf' do - source 'etc/krb5kdc/kdc.conf' - owner 'root' - group 'root' - mode '0644' - end - template '/etc/krb5kdc/kpropd.acl' do - source 'etc/krb5kdc/kpropd.acl' - owner 'root' - group 'root' - mode '0644' - end - - package 'xinetd' do - action :install - end - - service 'xinetd' do - action [:enable, :start] - supports :status => true, :restart => true, :reload => false - end - - template '/etc/xinetd.d/krb_prop' do - source 'etc/xinetd.d/krb_prop' - owner 'root' - group 'root' - mode '0644' - notifies :reload, 'service[xinetd]' - end - when 'rhel' - package 'krb5-server' do - action :install - end - - service 'krb5kdc' do - #action [:enable, :start] - action [:enable] - supports :status => true, :restart => true, :reload => false - end - - template '/var/kerberos/krb5kdc/kdc.conf' do - source 'var/kerberos/krb5kdc/kdc.conf' - owner 'root' - group 'root' - mode '0600' - end - template '/var/kerberos/krb5kdc/kpropd.acl' do - source 'var/kerberos/krb5kdc/kpropd.acl' - owner 'root' - group 'root' - mode '0600' - end - - service 'kprop' do - action [:enable, :start] - supports :status => true, :restart => true, :reload => true - end -end - -log <<-EOM -Note: -You must add the host principal of this host for propagation.: - $ sudo kadmin -p admin - ... - kadmin: add_principal -randkey host/ns01.grid.example.com - ... - kadmin: ktadd host/ns01.grid.example.com - ... -EOM +include_recipe 'krb5::kdc-slave' diff --git a/cookbooks/krb5/templates/debian/etc/krb5.conf b/cookbooks/krb5/templates/debian/etc/krb5.conf index 9f2b031..d1afa9d 100644 --- a/cookbooks/krb5/templates/debian/etc/krb5.conf +++ b/cookbooks/krb5/templates/debian/etc/krb5.conf 
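Review bot: `krb5::kdc` is reduced to an unexplained alias of `krb5::kdc-slave`, so every node that still lists `recipe[krb5::kdc]` keeps the `kpropd` receiver (xinetd `krb_prop` on Debian, the `kprop` service on RHEL) — on a master KDC that is a network service accepting database pushes that it never needs, so the alias is not a no-op for that role. Make the intent explicit above the include: `# Deprecated: krb5::kdc is kept as an alias for krb5::kdc-slave (it also enables the kprop receiver); masters should use krb5::admin.` A `Chef::Log.warn` with the same text would surface the change to operators at converge time. Nothing else of kdc.rb remains visible below the license header in this hunk.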
@@ -1,3 +1,8 @@ +[logging] + kdc = FILE:/var/log/kerberos/krb5kdc.log + admin_server = FILE:/var/log/kerberos/kadmin.log + default = FILE:/var/log/kerberos/krb5lib.log + [libdefaults] default_realm = <%= node['krb5']['libdefaults']['default_realm'] %> diff --git a/cookbooks/openldap/CHANGELOG.md b/cookbooks/openldap/CHANGELOG.md index 6231e1c..1f0649c 100644 --- a/cookbooks/openldap/CHANGELOG.md +++ b/cookbooks/openldap/CHANGELOG.md @@ -1,12 +1,11 @@ # CHANGELOG for openldap -This file is used to list changes made in each version of openldap. +0.1.1 +----- +- add server recipe. +- add linkage with ssl_cert cookbook. -## 0.1.0: +0.1.0 +----- +- Initial release of openldap -* Initial release of openldap - -- - - -Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown. - -The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown. diff --git a/cookbooks/openldap/README.md b/cookbooks/openldap/README.md index bdf4fcb..27b12ca 100644 --- a/cookbooks/openldap/README.md +++ b/cookbooks/openldap/README.md @@ -1,12 +1,12 @@ openldap Cookbook ================= -This cookbook sets up OpenLDAP client and nss-ldapd. +This cookbook sets up OpenLDAP client, server and nss-ldapd. Requirements ------------ -Nothing. +None. Attributes ---------- 
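Review bot: The new `[logging]` stanza sends the KDC, kadmind and library logs to files under `/var/log/kerberos/`, but nothing in this patch creates that directory and the Debian packages do not, as far as I know, ship it; MIT krb5 then complains that it cannot open the log file and continues, so the authentication audit trail is silently lost rather than the daemon failing loudly. Create it from the recipe that renders this template, e.g. `directory '/var/log/kerberos' do owner 'root'; group 'root'; mode '0750' end`, so the logs exist and are not world-readable (they list every principal that requests a ticket). The hunk only shows the top of krb5.conf; the realm and domain sections follow outside it.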
@@ -14,6 +14,9 @@ Attributes #### openldap::default |Key|Type|Description, example|Default| |:--|:--|:--|:--| +|`['openldap']['with_ssl_cert_cookbook']`|Boolean|make it work with ssl_cert cookbook. (ver. 0.1.1 or later)|`false`| +|`['openldap']['ssl_cert']['ca_name']`|String|CA name used by ssl_cert (ver. 0.1.1 or later)|`nil`| +|`['openldap']['ssl_cert']['common_name']`|String|Server common name useed by ssl_cert. (ver. 0.1.1 or later)|`node['fqdn']`| |`['openldap']['client']['URI']`|String|ldap://ldap.example.com ldap://ldap-master.example.com:666|`nil`| |`['openldap']['client']['BASE']`|String|dc=example,dc=com|`nil`| |`['openldap']['client']['SIZELIMIT']`|String|12|`nil`| @@ -39,17 +42,22 @@ Just include `openldap::recipe` in your node's `run_list`: "name":"my_node", "run_list": [ "recipe[openldap::client]", + "recipe[openldap::server]", "recipe[openldap::nss-ldapd]" ] } ``` +#### with ssl_cert cookbook + +If node['openldap']['with_ssl_cert_cookbook'] is true, node['openldap']['client']['TLS_CACERT'] and node['openldap']['nss-ldapd']['tls_cacertfile'] are overridden by the file path based on ['openldap']['ssl_cert']['ca_name'] attribute. + License and Authors ------------------- - Author:: whitestar at osdn.jp ```text -Copyright 2013-2015, whitestar +Copyright 2013-2016, whitestar Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/cookbooks/openldap/attributes/default.rb b/cookbooks/openldap/attributes/default.rb index 14b985e..d99fb9d 100644 --- a/cookbooks/openldap/attributes/default.rb +++ b/cookbooks/openldap/attributes/default.rb @@ -2,7 +2,7 @@ # Cookbook Name:: openldap # Attributes:: default # -# Copyright 2013, whitestar +# Copyright 2013-2016, whitestar # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -17,6 +17,13 @@ # limitations under the License. # +default['openldap']['with_ssl_cert_cookbook'] = false +# If node['openldap']['with_ssl_cert_cookbook'] is true, +# node['openldap']['client']['TLS_CACERT'] and ['openldap']['nss-ldapd']['tls_cacertfile'] +# are overridden by the following 'ca_name' attributes. +default['openldap']['ssl_cert']['ca_name'] = nil +default['openldap']['ssl_cert']['common_name'] = node['fqdn'] + default['openldap']['client']['URI'] = nil # ldap://ldap.example.com ldap://ldap-master.example.com:666 default['openldap']['client']['BASE'] = nil # dc=example,dc=com default['openldap']['client']['SIZELIMIT'] = nil # 12 diff --git a/cookbooks/openldap/metadata.rb b/cookbooks/openldap/metadata.rb index e223242..f5537f6 100644 --- a/cookbooks/openldap/metadata.rb +++ b/cookbooks/openldap/metadata.rb @@ -4,4 +4,7 @@ maintainer_email '' license 'Apache 2.0' description 'Installs/Configures openldap' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.0' +version '0.1.1' + +depends 'ssl_cert' + diff --git a/cookbooks/openldap/recipes/client.rb b/cookbooks/openldap/recipes/client.rb index 41af56b..75a3c2c 100644 --- a/cookbooks/openldap/recipes/client.rb +++ b/cookbooks/openldap/recipes/client.rb @@ -2,7 +2,7 @@ # Cookbook Name:: openldap # Recipe:: client # -# Copyright 2013, whitestar +# Copyright 2013-2016, whitestar # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -49,9 +49,15 @@ ldap_conf_keys = [ 'TLS_CRLFILE' ] +if node['openldap']['with_ssl_cert_cookbook'] then + node.override['openldap']['client']['TLS_CACERT'] \ + = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] +end + case node[:platform_family] when 'debian' - package 'ldap-utils' do + pkg = 'ldap-utils' + resources(:package => pkg) rescue package pkg do action :install end 
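Review bot: When `with_ssl_cert_cookbook` is true but `['openldap']['ssl_cert']['ca_name']` is left at its default `nil`, the override reads `node['ssl_cert']['_cert_path']`, which is presumably unset, so `TLS_CACERT` is quietly overridden to nil and dropped from ldap.conf; together with the `TLS_REQCERT allow` the grid client role ships, the client then accepts whatever certificate the server presents. Fail at converge time instead: `ca_name = node['openldap']['ssl_cert']['ca_name']` then `raise "node['openldap']['ssl_cert']['ca_name'] must be set when with_ssl_cert_cookbook is true" if ca_name.nil?` before the override, and use `ca_name` in the lookup. A short comment such as `# ssl_cert exposes one <ca_name>_cert_path attribute per deployed CA` would also tell the next reader where the key comes from. The ldap.conf template that consumes `TLS_CACERT` is outside this hunk.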
@@ -63,7 +69,8 @@ case node[:platform_family] variables({'ldap_conf_keys' => ldap_conf_keys}) end when 'rhel' - package 'openldap-clients' do + pkg = 'openldap-clients' + resources(:package => pkg) rescue package pkg do action :install end diff --git a/cookbooks/openldap/recipes/nss-ldapd.rb b/cookbooks/openldap/recipes/nss-ldapd.rb index e539117..15680a2 100644 --- a/cookbooks/openldap/recipes/nss-ldapd.rb +++ b/cookbooks/openldap/recipes/nss-ldapd.rb @@ -2,7 +2,7 @@ # Cookbook Name:: openldap # Recipe:: nss-ldapd # -# Copyright 2013, whitestar +# Copyright 2013-2016, whitestar # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -55,6 +55,11 @@ nslcd_conf_keys = [ 'pam_authz_search' ] +if node['openldap']['with_ssl_cert_cookbook'] then + node.override['openldap']['nss-ldapd']['tls_cacertfile'] \ + = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] +end + case node[:platform_family] when 'debian' %w{ diff --git a/cookbooks/openldap/recipes/server.rb b/cookbooks/openldap/recipes/server.rb new file mode 100644 index 0000000..a6ea4d9 --- /dev/null +++ b/cookbooks/openldap/recipes/server.rb 
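Review bot: `resources(:package => pkg) rescue package pkg do … end` uses the rescue modifier as control flow: it swallows every `StandardError`, not just `Chef::Exceptions::ResourceNotFound`, so an unrelated failure while looking up the collection is hidden and the package resource may end up declared twice. Narrow it to the exception you mean, `begin; resources(:package => pkg); rescue Chef::Exceptions::ResourceNotFound; package pkg do action :install end; end`, or use `find_resource(:package, pkg) { action :install }` on Chef clients that support the block form. The same idiom appears in the Debian branch above and in the new server recipe, so a shared comment — `# reuse the package resource if another recipe already declared it` — would make the intent obvious wherever it is used.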
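Review bot: As in client.rb, a nil `['openldap']['ssl_cert']['ca_name']` turns this override into `node['ssl_cert']['_cert_path']`, so `tls_cacertfile` becomes nil and nslcd is configured with no explicit CA; with `tls_reqcert demand` lookups against a private grid CA then presumably fail, but the misconfiguration only shows up at runtime as broken user and group resolution. Guard it when the recipe converges, `raise "['openldap']['ssl_cert']['ca_name'] is required when with_ssl_cert_cookbook is true" unless node['openldap']['ssl_cert']['ca_name']`, ideally in one shared place rather than duplicated in both recipes. The nslcd.conf template rendering that consumes the attribute is outside this hunk.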
@@ -0,0 +1,75 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: server
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node[:platform_family]
+ when 'debian'
+ [
+ 'slapd',
+ 'ldap-utils',
+ ].each {|pkg|
+ resources(:package => pkg) rescue package pkg do
+ action :install
+ end
+ }
+
+ service 'slapd' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+ when 'rhel'
+ [
+ 'openldap-servers',
+ 'openldap-clients',
+ ].each {|pkg|
+ resources(:package => pkg) rescue package pkg do
+ action :install
+ end
+ }
+
+ service 'slapd' do
+ #action [:enable, :start]
+ action [:enable]
+ supports :status => true, :restart => true, :reload => false
+ end
+end
+
+if node['openldap']['with_ssl_cert_cookbook'] then
+ [
+ '00_olc-add-ldaps.ldif',
+ '00_olc-mod-ldaps.ldif',
+ ].each {|ldif|
+ template "/etc/ldap/#{ldif}" do
+ source "etc/ldap/#{ldif}"
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+ }
+end
+
+log <<-EOM
+Note:
+You must setup OpenLDAP configurations in the first installation:
+ [Debian]
+ $ sudo sudo dpkg-reconfigure -plow slapd
+ [CentOS]
+ edit /etc/openldap/slap.d configurations
+ $ sudo service slapd restart
+EOM
+
diff --git a/cookbooks/openldap/templates/default/etc/ldap/00_olc-add-ldaps.ldif b/cookbooks/openldap/templates/default/etc/ldap/00_olc-add-ldaps.ldif
new file mode 100644
index 0000000..aab6efe
--- /dev/null
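Review bot: The LDIF templates are rendered to `/etc/ldap/#{ldif}` for both platform families, but the `rhel` branch installs `openldap-servers`, whose configuration lives under `/etc/openldap/` (as the recipe's own note says); on such a host the target directory presumably does not exist and the converge fails. Derive the directory from the platform, `ldap_dir = node[:platform_family] == 'rhel' ? '/etc/openldap' : '/etc/ldap'` and `template "#{ldap_dir}/#{ldif}" do`. The private key that the LDIF points `olcTLSCertificateKeyFile` at must be readable by the account slapd runs as (`openldap` on Debian, `ldap` on RHEL) — check how ssl_cert sets the key's owner and mode and grant group access rather than making it world-readable when TLS refuses to start. The operator note also contains a doubled `sudo sudo` and `/etc/openldap/slap.d` should read `slapd.d`.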
+++ b/cookbooks/openldap/templates/default/etc/ldap/00_olc-add-ldaps.ldif
@@ -0,0 +1,10 @@
+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-add-ldaps.ldif
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
diff --git a/cookbooks/openldap/templates/default/etc/ldap/00_olc-mod-ldaps.ldif b/cookbooks/openldap/templates/default/etc/ldap/00_olc-mod-ldaps.ldif
new file mode 100644
index 0000000..9ec41a9
--- /dev/null
+++ b/cookbooks/openldap/templates/default/etc/ldap/00_olc-mod-ldaps.ldif
@@ -0,0 +1,11 @@
+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-mod-ldaps.ldif
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
diff --git a/roles/grid-ns-master.rb b/roles/grid-ns-master.rb
new file mode 100644
index 0000000..77e601d
--- /dev/null
+++ b/roles/grid-ns-master.rb
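Review bot: The LDIF turns on server-side TLS but nothing requires clients to use it: with no `olcSecurity` slapd still serves simple binds and searches over plain `ldap://`, so a client that skips StartTLS (the grid client role ships `TLS_REQCERT allow`) can leak credentials and directory contents in cleartext. If that is not intended, extend the same modify operation with `-` / `add: olcSecurity` / `olcSecurity: ssf=128` (GSSAPI or TLS both satisfy it) and consider `olcTLSProtocolMin: 3.3` to refuse TLS 1.0/1.1. Before enforcing an ssf, check `olcLocalSSF` so the `ldapi:///` EXTERNAL path this file is applied through is not locked out. A one-line header comment stating that the three TLS attributes must be set in a single operation, because slapd validates certificate and key together, would save the next person a confusing error.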
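Review bot: `00_olc-mod-ldaps.ldif` differs from `00_olc-add-ldaps.ldif` only in `replace:` versus `add:`; `replace` creates the attribute when it is absent and overwrites it otherwise, so this one file is idempotent for first and repeat application, while the `add` variant fails with "attribute or value exists" on a re-run and could be dropped or marked first-run-only in its header. Both templates also render `node['ssl_cert'][...]` lookups that are presumably nil when `common_name` has no matching ssl_cert entry, producing attribute lines with empty values that slapd will reject; a comment such as `# requires ssl_cert to have deployed <common_name> cert/key and <ca_name> cert on this node` would state the precondition.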
@@ -0,0 +1,56 @@
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$LOAD_PATH.push("#{File.dirname(__FILE__)}/_lib")
+#${chef-repo}/roles/_lib/grid.rb
+require 'grid'
+
+name 'grid-ns-master'
+description 'Grid nameservice master node'
+
+run_list(
+ 'role[grid-ns]',
+ 'recipe[ssl_cert::default]',
+ 'recipe[krb5::admin]',
+ 'recipe[openldap::server]',
+)
+
+#env_run_lists()
+
+default_attributes(
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_cert_file_prefix' => '00',
+ 'server_cert_file_prefix' => '01',
+ 'server_key_file_prefix' => '01',
+ 'ca_names' => [
+ 'grid_ca',
+ ],
+ 'common_names' => [
+ 'ldap.grid.example.com',
+ ],
+ },
+ 'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => 'grid_ca',
+ 'common_name' => 'ldap.grid.example.com',
+ },
+ },
+)
+
diff --git a/roles/grid-ns-slave.rb b/roles/grid-ns-slave.rb
new file mode 100644
index 0000000..c62b329
--- /dev/null
+++ b/roles/grid-ns-slave.rb
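Review bot: The master role issues its server certificate for the single name `ldap.grid.example.com` while the slave role (and the cookbook default) falls back to `node['fqdn']`; clients connect to `ldap://ldap.grid.example.com/`, so a certificate is only valid on whichever host that name resolves to, and failover to a slave produces a hostname mismatch that `TLS_REQCERT allow` hides and `tls_reqcert demand` rejects. Record the decision in the role, `# service name verified by clients; every LDAP server needs a cert valid for it (SAN or shared cert)`, or list both the service name and the master's own fqdn. The `require 'grid'` line and the three `ssl_cert` prefix attributes are repeated verbatim in grid-ns-slave.rb and ldap-client-grid.rb; hoisting them into the shared grid-ns role would keep them from drifting apart.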
@@ -0,0 +1,57 @@
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$LOAD_PATH.push("#{File.dirname(__FILE__)}/_lib")
+#${chef-repo}/roles/_lib/grid.rb
+require 'grid'
+
+name 'grid-ns-slave'
+description 'Grid nameservice slave node'
+
+run_list(
+ 'role[grid-ns]',
+ 'recipe[ssl_cert::default]',
+ 'recipe[krb5::kdc-slave]',
+ 'recipe[openldap::server]',
+)
+
+#env_run_lists()
+
+default_attributes(
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_cert_file_prefix' => '00',
+ 'server_cert_file_prefix' => '01',
+ 'server_key_file_prefix' => '01',
+ 'ca_names' => [
+ 'grid_ca',
+ ],
+ 'common_names' => [
+ # TODO: node['fqdn']
+ #'ldap.grid.example.com',
+ ],
+ },
+ 'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => 'grid_ca',
+ #'common_name' => 'ldap.grid.example.com', # default: node['fqdn']
+ },
+ },
+)
+
diff --git a/roles/grid-ns.rb b/roles/grid-ns.rb
index e61c6a0..4bb25eb 100644
--- a/roles/grid-ns.rb
+++ b/roles/grid-ns.rb
@@ -22,11 +22,10 @@ name 'grid-ns' description 'Grid nameservice node' run_list( - # TODO: 'role[node_commons]', - 'recipe[ssl_cert::default]', - 'role[grid-realm]', - 'role[ganglia-gmond]' + 'role[krb5-client-grid]', + 'role[ldap-client-grid]', + #'role[ganglia-gmond]' ) #env_run_lists() 
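Review bot: `common_names` is left empty (marked TODO) while `'with_ssl_cert_cookbook' => true` is set for the same node, so the server LDIF templates will look up `node['ssl_cert']["<fqdn>_key_path"]` for a certificate ssl_cert was never asked to deploy — presumably nil — and render `olcTLSCertificateKeyFile:` with an empty value, which slapd rejects when the file is applied. Until the TODO is resolved, either list the slave's fqdn explicitly or set `'with_ssl_cert_cookbook' => false` here so the ldaps step is skipped rather than half-configured. A certificate issued for the slave's own fqdn will also not match the `ldap.grid.example.com` name the clients connect to; add that name as a SAN or state the expectation in the TODO comment.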
@@ -53,17 +52,6 @@ default_attributes( ) override_attributes( - 'ssl_cert' => { - 'ca_cert_file_prefix' => '00', - 'server_cert_file_prefix' => '01', - 'server_key_file_prefix' => '01', - 'ca_names' => [ - 'grid_ca', - ], - 'common_names' => [ - 'ldap.grid.example.com', - ], - }, 'ganglia' => { # gmond 'cluster' => { diff --git a/roles/ldap-client-grid.rb b/roles/ldap-client-grid.rb index 06674e7..375fed4 100644 --- a/roles/ldap-client-grid.rb +++ b/roles/ldap-client-grid.rb @@ -2,7 +2,7 @@ name 'ldap-client-grid' description 'LDAP client role for Grid' run_list( - 'recipe[grid::cacert_deploy]', + 'recipe[ssl_cert::ca_certs]', 'role[ldap-client]', 'recipe[openldap::nss-ldapd]' ) @@ -11,19 +11,28 @@ run_list( uri = 'ldap://ldap.grid.example.com/' base = 'dc=grid,dc=example,dc=com' -ca_cert_file = '/etc/ssl/certs/grid_internal_cacert.pem' +ca_name = 'grid_ca' +#ca_cert_file = '/etc/ssl/certs/00grid_ca.crt' default_attributes( - 'grid' => { - 'cacert' => { - 'path' => ca_cert_file - } + 'ssl_cert' => { + 'ca_cert_file_prefix' => '00', + 'server_cert_file_prefix' => '01', + 'server_key_file_prefix' => '01', + 'ca_names' => [ + ca_name, + ], }, 'openldap' => { + 'with_ssl_cert_cookbook' => true, + 'ssl_cert' => { + 'ca_name' => ca_name, + }, 'client' => { 'URI' => uri, 'BASE' => base, - 'TLS_CACERT' => ca_cert_file, + # because with_ssl_cert_cookbook is set + #'TLS_CACERT' => ca_cert_file, 'TLS_REQCERT' => 'allow', 'TLS_CHECKPEER' => 'yes', 'SASL_MECH' => 'GSSAPI' @@ -32,7 +41,8 @@ default_attributes( 'uri' => uri, 'base' => base, 'ssl' => 'start_tls', - 'tls_cacertfile' => ca_cert_file, + # because with_ssl_cert_cookbook is set + #'tls_cacertfile' => ca_cert_file, 'tls_reqcert' => 'demand' }, 'ldap_lookup_nameservices' => ['passwd', 'group'] -- 2.11.0
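Review bot: Now that the grid CA is deployed by `ssl_cert::ca_certs` and wired into `TLS_CACERT` through `with_ssl_cert_cookbook`, the surviving `'TLS_REQCERT' => 'allow'` defeats the purpose: `allow` lets libldap proceed when the server presents no certificate or one that fails verification, so StartTLS on `ldap://ldap.grid.example.com/` offers no protection against an impersonating server for anything that is not a GSSAPI bind. Change it to `'TLS_REQCERT' => 'demand'`, matching the `tls_reqcert demand` already configured for nslcd in the following hunk. As far as I know `TLS_CHECKPEER` is a pam_ldap/nss_ldap option and not recognised in OpenLDAP's ldap.conf, so it is inert here and could be removed with a comment saying why. The commented-out `ca_cert_file` lines can be dropped once the ssl_cert-derived path is confirmed working, leaving `# TLS_CACERT/tls_cacertfile come from ssl_cert via with_ssl_cert_cookbook` in their place.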