updates for grid-ns-master role.

diff --git a/cookbooks/krb5/CHANGELOG.md b/cookbooks/krb5/CHANGELOG.md
index 8d1aee4..4d1bf8a 100644 (file)
--- a/cookbooks/krb5/CHANGELOG.md
+++ b/cookbooks/krb5/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG for krb5
 
+0.1.3
+-----
+- bug fix.
+- add ['krb5']['kadm5.acl'] attribute.
+
 0.1.2
 -----
 - add kdc-slave recipe.

diff --git a/cookbooks/krb5/README.md b/cookbooks/krb5/README.md
index 0282c84..6c6b96c 100644 (file)
--- a/cookbooks/krb5/README.md
+++ b/cookbooks/krb5/README.md
@@ -22,6 +22,7 @@ Attributes
 |`['krb5']['realms']["#{node['krb5']['libdefaults']['default_realm']}"]['kdcs']`|Array|in /etc/krb5.conf|`['localhost']`|
 |`['krb5']['realms']["#{node['krb5']['libdefaults']['default_realm']}"]['admin_setver']`|String|in /etc/krb5.conf|`'localhost'`|
 |`['krb5']['domain_realms']`|Array|in /etc/krb5.conf|`['localhost = LOCALDOMAIN']`|
+|`['krb5']['kadm5.acl']`|String|ACL setting in /etc/krb5kdc/kadm5.acl|`''`|
 |`['krb5']['kpropd.acl']`|String|ACL setting in /etc/krb5kdc/kpropd.acl|`''`|
 
 Usage

diff --git a/cookbooks/krb5/attributes/default.rb b/cookbooks/krb5/attributes/default.rb
index 6351c5b..ff672f5 100644 (file)
--- a/cookbooks/krb5/attributes/default.rb
+++ b/cookbooks/krb5/attributes/default.rb
@@ -43,6 +43,13 @@ default['krb5']['domain_realms'] = [
   'localhost = LOCALDOMAIN'
 ]
 
+default['krb5']['kadm5.acl'] = ''
+=begin
+# e.g.
+default['krb5']['kadm5.acl'] = <<-EOC
+*/admin *
+EOC
+=end
 default['krb5']['kpropd.acl'] = ''
 =begin
 # e.g. list KDCs

diff --git a/cookbooks/krb5/metadata.rb b/cookbooks/krb5/metadata.rb
index 8914730..a2a5d08 100644 (file)
--- a/cookbooks/krb5/metadata.rb
+++ b/cookbooks/krb5/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email ''
 license          'Apache 2.0'
 description      'Installs/Configures krb5'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.2'
+version          '0.1.3'
 
 %w{ debian ubuntu centos redhat fedora }.each do |os|
   supports os

diff --git a/cookbooks/krb5/recipes/admin.rb b/cookbooks/krb5/recipes/admin.rb
index 0407c7f..2d4acf6 100644 (file)
--- a/cookbooks/krb5/recipes/admin.rb
+++ b/cookbooks/krb5/recipes/admin.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: krb5
 # Recipe:: admin
 #
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -24,7 +24,8 @@ case node[:platform_family]
     end
 
     service 'krb5-admin-server' do
-      action [:enable, :start]
+      #action [:enable, :start]
+      action [:enable]
       supports :status => true, :restart => true, :reload => false
     end
 
@@ -33,15 +34,25 @@ case node[:platform_family]
     end
 
     service 'krb5-kdc' do
-      action [:enable, :start]
+      #action [:enable, :start]
+      action [:enable]
       supports :status => true, :restart => true, :reload => false
     end
 
     template '/etc/krb5kdc/kdc.conf' do
-      source 'etc/krb5kdc/kdc.conf'
+      source  'etc/krb5kdc/kdc.conf'
+      owner 'root'
+      group 'root'
+      mode '0644'
+      #notifies :restart, "service[krb5-kdc]"
+    end
+
+    template '/etc/krb5kdc/kadm5.acl' do
+      source  'etc/krb5kdc/kadm5.acl'
       owner 'root'
       group 'root'
       mode '0644'
+      #notifies :restart, "service[krb5-admin-server]"
     end
   when 'rhel'
     package 'krb5-server' do
@@ -60,16 +71,25 @@ case node[:platform_family]
     end
 
     template '/var/kerberos/krb5kdc/kdc.conf' do
-      source 'var/kerberos/krb5kdc/kdc.conf'
+      source  'var/kerberos/krb5kdc/kdc.conf'
+      owner 'root'
+      group 'root'
+      mode '0600'
+      #notifies :restart, "service[krb5kdc]"
+    end
+
+    template '/var/kerberos/krb5kdc/kadm5.acl' do
+      source  'vat/kerberos/krb5kdc/kadm5.acl'
       owner 'root'
       group 'root'
       mode '0600'
+      #notifies :restart, "service[kadmin]"
     end
 end
 
 log <<-EOM
 Note:
-You must initialize a Kerberos realm in the first installation:
+You must initialize a Kerberos realm in the first installation before starting service:
   [Debian]
     $ sudo krb5_newrealm
     $ sudo service krb5-kdc restart

diff --git a/cookbooks/krb5/recipes/client.rb b/cookbooks/krb5/recipes/client.rb
index 1ad1d7a..638cc35 100644 (file)
--- a/cookbooks/krb5/recipes/client.rb
+++ b/cookbooks/krb5/recipes/client.rb
@@ -2,7 +2,7 @@
 # Cookbook Name:: krb5
 # Recipe:: client
 #
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -29,7 +29,7 @@ case node[:platform_family]
 end
 
 template '/etc/krb5.conf' do
-  source 'etc/krb5.conf'
+  source  'etc/krb5.conf'
   owner 'root'
   group 'root'
   mode '0644'

diff --git a/cookbooks/krb5/recipes/kdc-slave.rb b/cookbooks/krb5/recipes/kdc-slave.rb
index 83aaeba..271a4fb 100644 (file)
--- a/cookbooks/krb5/recipes/kdc-slave.rb
+++ b/cookbooks/krb5/recipes/kdc-slave.rb
@@ -24,18 +24,20 @@ case node[:platform_family]
     end
 
     service 'krb5-kdc' do
-      action [:enable, :start]
+      #action [:enable, :start]
+      action [:enable]
       supports :status => true, :restart => true, :reload => false
     end
 
     template '/etc/krb5kdc/kdc.conf' do
-      source 'etc/krb5kdc/kdc.conf'
+      source  'etc/krb5kdc/kdc.conf'
       owner 'root'
       group 'root'
       mode '0644'
+      #notifies :restart, "service[krb5-kdc]"
     end
     template '/etc/krb5kdc/kpropd.acl' do
-      source 'etc/krb5kdc/kpropd.acl'
+      source  'etc/krb5kdc/kpropd.acl'
       owner 'root'
       group 'root'
       mode '0644'
@@ -51,7 +53,7 @@ case node[:platform_family]
     end
 
     template '/etc/xinetd.d/krb_prop' do
-      source 'etc/xinetd.d/krb_prop'
+      source  'etc/xinetd.d/krb_prop'
       owner 'root'
       group 'root'
       mode '0644'
@@ -69,13 +71,14 @@ case node[:platform_family]
     end
 
     template '/var/kerberos/krb5kdc/kdc.conf' do
-      source 'var/kerberos/krb5kdc/kdc.conf'
+      source  'var/kerberos/krb5kdc/kdc.conf'
       owner 'root'
       group 'root'
       mode '0600'
+      #notifies :restart, "service[krb5kdc]"
     end
     template '/var/kerberos/krb5kdc/kpropd.acl' do
-      source 'var/kerberos/krb5kdc/kpropd.acl'
+      source  'var/kerberos/krb5kdc/kpropd.acl'
       owner 'root'
       group 'root'
       mode '0600'

diff --git a/cookbooks/krb5/templates/centos/var/kerberos/krb5kdc/kadm5.acl b/cookbooks/krb5/templates/centos/var/kerberos/krb5kdc/kadm5.acl
new file mode 100644 (file)
index 0000000..c1a8190
--- /dev/null
+++ b/cookbooks/krb5/templates/centos/var/kerberos/krb5kdc/kadm5.acl
@@ -0,0 +1,7 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal 
+# ending in /admin  is given full administrative rights.
+# To enable this, uncomment the following line:
+# */admin *
+<%= node['krb5']['kadm5.acl'] %>

diff --git a/cookbooks/krb5/templates/debian/etc/krb5.conf b/cookbooks/krb5/templates/debian/etc/krb5.conf
index d1afa9d..9f2b031 100644 (file)
--- a/cookbooks/krb5/templates/debian/etc/krb5.conf
+++ b/cookbooks/krb5/templates/debian/etc/krb5.conf
@@ -1,8 +1,3 @@
-[logging]
-       kdc = FILE:/var/log/kerberos/krb5kdc.log
-       admin_server = FILE:/var/log/kerberos/kadmin.log
-       default = FILE:/var/log/kerberos/krb5lib.log
-
 [libdefaults]
        default_realm = <%= node['krb5']['libdefaults']['default_realm'] %>
 

diff --git a/cookbooks/krb5/templates/debian/etc/krb5kdc/kadm5.acl b/cookbooks/krb5/templates/debian/etc/krb5kdc/kadm5.acl
new file mode 100644 (file)
index 0000000..c1a8190
--- /dev/null
+++ b/cookbooks/krb5/templates/debian/etc/krb5kdc/kadm5.acl
@@ -0,0 +1,7 @@
+# This file Is the access control list for krb5 administration.
+# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal 
+# ending in /admin  is given full administrative rights.
+# To enable this, uncomment the following line:
+# */admin *
+<%= node['krb5']['kadm5.acl'] %>

diff --git a/cookbooks/openldap/CHANGELOG.md b/cookbooks/openldap/CHANGELOG.md
index 1f0649c..3d3fb52 100644 (file)
--- a/cookbooks/openldap/CHANGELOG.md
+++ b/cookbooks/openldap/CHANGELOG.md
@@ -1,5 +1,10 @@
 # CHANGELOG for openldap
 
+0.1.2
+-----
+- add ['openldap']['server']['ldaps'] attribute.
+- add ['openldap']['server']['KRB5_KTNAME'] attribute.
+
 0.1.1
 -----
 - add server recipe.

diff --git a/cookbooks/openldap/README.md b/cookbooks/openldap/README.md
index 27b12ca..dd1c422 100644 (file)
--- a/cookbooks/openldap/README.md
+++ b/cookbooks/openldap/README.md
@@ -31,6 +31,8 @@ Attributes
 |`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`|
 |`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key||
 |`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`|
+|`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`|
+|`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`|
 
 Usage
 -----

diff --git a/cookbooks/openldap/attributes/default.rb b/cookbooks/openldap/attributes/default.rb
index d99fb9d..98ebcde 100644 (file)
--- a/cookbooks/openldap/attributes/default.rb
+++ b/cookbooks/openldap/attributes/default.rb
@@ -45,3 +45,6 @@ default['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
 default['openldap']['ldap_lookup_nameservices'] = []  # e.g. ['passwd', 'group']
 #default['openldap'][''] = 
 
+default['openldap']['server']['ldaps'] = false
+default['openldap']['server']['KRB5_KTNAME'] = nil  # e.g. '/etc/krb5.keytab'
+

diff --git a/cookbooks/openldap/recipes/server.rb b/cookbooks/openldap/recipes/server.rb
index 00109a4..89ea667 100644 (file)
--- a/cookbooks/openldap/recipes/server.rb
+++ b/cookbooks/openldap/recipes/server.rb
@@ -35,6 +35,13 @@ case node[:platform_family]
       members 'openldap'
       append true
     end
+
+    template "/etc/default/slapd" do
+      source  "etc/default/slapd"
+      owner 'root'
+      group 'root'
+      mode '0644'
+    end
   when 'rhel'
     [
       'openldap-servers',
@@ -54,6 +61,13 @@ case node[:platform_family]
         append true
       end
     end
+
+    template "/etc/sysconfig/ldap" do
+      source  "etc/sysconfig/ldap"
+      owner 'root'
+      group 'root'
+      mode '0644'
+    end
 end
 
 # deploy ldif file for TLS settings.

diff --git a/cookbooks/openldap/templates/centos/etc/sysconfig/ldap b/cookbooks/openldap/templates/centos/etc/sysconfig/ldap
new file mode 100644 (file)
index 0000000..f66dc71
--- /dev/null
+++ b/cookbooks/openldap/templates/centos/etc/sysconfig/ldap
@@ -0,0 +1,41 @@
+# Options of slapd (see man slapd)
+#SLAPD_OPTIONS=
+
+# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
+#
+# Run slapd with -h "... ldap:/// ..."
+#   yes/no, default: yes
+SLAPD_LDAP=yes
+
+# Run slapd with -h "... ldapi:/// ..."
+#   yes/no, default: yes
+SLAPD_LDAPI=yes
+
+# Run slapd with -h "... ldaps:/// ..."
+#   yes/no, default: no
+<%
+ldaps = 'no'
+if node['openldap']['server']['ldaps'] == true then
+  ldaps = 'yes'
+end
+-%>
+SLAPD_LDAPS=<%= ldaps %>
+
+# Run slapd with -h "... $SLAPD_URLS ..."
+# This option could be used instead of previous three ones, but:
+# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
+# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
+# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
+# default: empty
+#SLAPD_URLS=""
+
+# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
+#SLAPD_SHUTDOWN_TIMEOUT=3
+
+# Parameters to ulimit, use to change system limits for slapd
+#SLAPD_ULIMIT_SETTINGS=""
+
+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
+<% end -%>
+

diff --git a/cookbooks/openldap/templates/default/etc/default/slapd b/cookbooks/openldap/templates/default/etc/default/slapd
new file mode 100644 (file)
index 0000000..7d6eda0
--- /dev/null
+++ b/cookbooks/openldap/templates/default/etc/default/slapd
@@ -0,0 +1,54 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+<%
+services = 'ldap:/// ldapi:///'
+if node['openldap']['server']['ldaps'] == true then
+  services = "#{services} ldaps:///"
+end
+-%>
+SLAPD_SERVICES="<%= services %>"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
+<% end -%>
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""

diff --git a/roles/grid-ns-master.rb b/roles/grid-ns-master.rb
index 77e601d..5653fe2 100644 (file)
--- a/roles/grid-ns-master.rb
+++ b/roles/grid-ns-master.rb
@@ -45,12 +45,21 @@ override_attributes(
       'ldap.grid.example.com',
     ],
   },
+  'krb5' => {
+    'kadm5.acl' => <<-EOC
+admin *
+EOC
+  },
   'openldap' => {
     'with_ssl_cert_cookbook' => true,
     'ssl_cert' => {
       'ca_name' => 'grid_ca',
       'common_name' => 'ldap.grid.example.com',
     },
+    'server' => {
+      'ldaps' => true,
+      'KRB5_KTNAME' => '/etc/krb5.keytab',
+    },
   },
 )