# CHANGELOG for krb5
+0.1.3
+-----
+- bug fix.
+- add ['krb5']['kadm5.acl'] attribute.
+
0.1.2
-----
- add kdc-slave recipe.
|`['krb5']['realms']["#{node['krb5']['libdefaults']['default_realm']}"]['kdcs']`|Array|in /etc/krb5.conf|`['localhost']`|
|`['krb5']['realms']["#{node['krb5']['libdefaults']['default_realm']}"]['admin_setver']`|String|in /etc/krb5.conf|`'localhost'`|
|`['krb5']['domain_realms']`|Array|in /etc/krb5.conf|`['localhost = LOCALDOMAIN']`|
+|`['krb5']['kadm5.acl']`|String|ACL setting in /etc/krb5kdc/kadm5.acl|`''`|
|`['krb5']['kpropd.acl']`|String|ACL setting in /etc/krb5kdc/kpropd.acl|`''`|
Usage
'localhost = LOCALDOMAIN'
]
+default['krb5']['kadm5.acl'] = ''
+=begin
+# e.g.
+default['krb5']['kadm5.acl'] = <<-EOC
+*/admin *
+EOC
+=end
default['krb5']['kpropd.acl'] = ''
=begin
# e.g. list KDCs
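Review bot: The new `['krb5']['kadm5.acl']` attribute is rendered into kadm5.acl verbatim, so its comment should spell out what the two obvious values mean instead of only showing an example: with the default `''` the file has no entries and kadmind grants administrative rights to nobody, while `*/admin *` hands the full privilege set to every principal with an `/admin` instance. A line such as `# Rendered as-is into kadm5.acl. '' (default): nobody can administer the realm; '*/admin *': every */admin principal gets all privileges.` above the default would do. It also makes clear that the attribute holds an ACL body, not a file path.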
license 'Apache 2.0'
description 'Installs/Configures krb5'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.2'
+version '0.1.3'
%w{ debian ubuntu centos redhat fedora }.each do |os|
supports os
# Cookbook Name:: krb5
# Recipe:: admin
#
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
end
service 'krb5-admin-server' do
- action [:enable, :start]
+ #action [:enable, :start]
+ action [:enable]
supports :status => true, :restart => true, :reload => false
end
end
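Review bot: The old `#action [:enable, :start]` left above the new `action [:enable]` reads as dead code and does not tell the next maintainer whether dropping `:start` is deliberate. A comment stating the reason serves better than the commented-out line, e.g. `# :start is deliberately omitted: kadmind cannot run until the realm has been initialized (krb5_newrealm on Debian), which this cookbook does not do.` The `case` branch enclosing this resource starts outside the hunk.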
service 'krb5-kdc' do
- action [:enable, :start]
+ #action [:enable, :start]
+ action [:enable]
supports :status => true, :restart => true, :reload => false
end
template '/etc/krb5kdc/kdc.conf' do
- source 'etc/krb5kdc/kdc.conf'
+ source 'etc/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ #notifies :restart, "service[krb5-kdc]"
+ end
+
+ template '/etc/krb5kdc/kadm5.acl' do
+ source 'etc/krb5kdc/kadm5.acl'
owner 'root'
group 'root'
mode '0644'
+ #notifies :restart, "service[krb5-admin-server]"
end
when 'rhel'
package 'krb5-server' do
end
template '/var/kerberos/krb5kdc/kdc.conf' do
- source 'var/kerberos/krb5kdc/kdc.conf'
+ source 'var/kerberos/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0600'
+ #notifies :restart, "service[krb5kdc]"
+ end
+
+ template '/var/kerberos/krb5kdc/kadm5.acl' do
+ source 'vat/kerberos/krb5kdc/kadm5.acl'
owner 'root'
group 'root'
mode '0600'
+ #notifies :restart, "service[kadmin]"
end
end
log <<-EOM
Note:
-You must initialize a Kerberos realm in the first installation:
+You must initialize a Kerberos realm in the first installation before starting service:
[Debian]
$ sudo krb5_newrealm
$ sudo service krb5-kdc restart
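Review bot: `source 'vat/kerberos/krb5kdc/kadm5.acl'` in the rhel branch is misspelled: the sibling kdc.conf resource uses `var/kerberos/krb5kdc/` and the new template appears to be added under that path, so on a RHEL node this resource will fail the converge with a missing-template error instead of deploying the ACL. Change it to `source 'var/kerberos/krb5kdc/kadm5.acl'`. Because the `notifies :restart` lines are commented out, an edited ACL is also not picked up by a running kadmind until it is restarted by hand, which the README entry for the attribute should say. The `case` statement holding these branches starts outside the hunk.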
# Cookbook Name:: krb5
# Recipe:: client
#
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
end
template '/etc/krb5.conf' do
- source 'etc/krb5.conf'
+ source 'etc/krb5.conf'
owner 'root'
group 'root'
mode '0644'
end
service 'krb5-kdc' do
- action [:enable, :start]
+ #action [:enable, :start]
+ action [:enable]
supports :status => true, :restart => true, :reload => false
end
template '/etc/krb5kdc/kdc.conf' do
- source 'etc/krb5kdc/kdc.conf'
+ source 'etc/krb5kdc/kdc.conf'
owner 'root'
group 'root'
mode '0644'
+ #notifies :restart, "service[krb5-kdc]"
end
template '/etc/krb5kdc/kpropd.acl' do
- source 'etc/krb5kdc/kpropd.acl'
+ source 'etc/krb5kdc/kpropd.acl'
owner 'root'
group 'root'
mode '0644'
end
template '/etc/xinetd.d/krb_prop' do
- source 'etc/xinetd.d/krb_prop'
+ source 'etc/xinetd.d/krb_prop'
owner 'root'
group 'root'
mode '0644'
end
template '/var/kerberos/krb5kdc/kdc.conf' do
- source 'var/kerberos/krb5kdc/kdc.conf'
+ source 'var/kerberos/krb5kdc/kdc.conf'
owner 'root'
group 'root'
mode '0600'
+ #notifies :restart, "service[krb5kdc]"
end
template '/var/kerberos/krb5kdc/kpropd.acl' do
- source 'var/kerberos/krb5kdc/kpropd.acl'
+ source 'var/kerberos/krb5kdc/kpropd.acl'
owner 'root'
group 'root'
mode '0600'
--- /dev/null
+# This file Is the access control list for krb5 administration.
+# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+# */admin *
+<%= node['krb5']['kadm5.acl'] %>
-[logging]
- kdc = FILE:/var/log/kerberos/krb5kdc.log
- admin_server = FILE:/var/log/kerberos/kadmin.log
- default = FILE:/var/log/kerberos/krb5lib.log
-
[libdefaults]
default_realm = <%= node['krb5']['libdefaults']['default_realm'] %>
--- /dev/null
+# This file Is the access control list for krb5 administration.
+# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
+# One common way to set up Kerberos administration is to allow any principal
+# ending in /admin is given full administrative rights.
+# To enable this, uncomment the following line:
+# */admin *
+<%= node['krb5']['kadm5.acl'] %>
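Review bot: The activation hint `run /etc/init.d/krb5-admin-server restart` names the Debian service in this copy as well; if this is the `var/kerberos/krb5kdc/kadm5.acl` template rendered by the rhel branch (whose commented notifier targets `service[kadmin]`), the instruction is wrong for the host it lands on. Make the comment read `# When this file is edited run 'service kadmin restart' to activate` in the RHEL copy, so an operator following the file's own header restarts the right daemon.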
# CHANGELOG for openldap
+0.1.2
+-----
+- add ['openldap']['server']['ldaps'] attribute.
+- add ['openldap']['server']['KRB5_KTNAME'] attribute.
+
0.1.1
-----
- add server recipe.
|`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`|
|`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key||
|`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`|
+|`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`|
+|`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`|
Usage
-----
default['openldap']['ldap_lookup_nameservices'] = [] # e.g. ['passwd', 'group']
#default['openldap'][''] =
+default['openldap']['server']['ldaps'] = false
+default['openldap']['server']['KRB5_KTNAME'] = nil # e.g. '/etc/krb5.keytab'
+
members 'openldap'
append true
end
+
+ template "/etc/default/slapd" do
+ source "etc/default/slapd"
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
when 'rhel'
[
'openldap-servers',
append true
end
end
+
+ template "/etc/sysconfig/ldap" do
+ source "etc/sysconfig/ldap"
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
end
# deploy ldif file for TLS settings.
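Review bot: Neither the `/etc/default/slapd` nor the `/etc/sysconfig/ldap` template resource has a notifier, so toggling `['openldap']['server']['ldaps']` or `KRB5_KTNAME` rewrites the file but leaves the running slapd without the ldaps listener or the new keytab until someone restarts it by hand. If the recipe declares a slapd service resource (not visible in this hunk), add `notifies :restart, 'service[slapd]'` to both templates; otherwise the README should state that a restart is required after changing these attributes. The enclosing `case` starts outside the hunk.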
--- /dev/null
+# Options of slapd (see man slapd)
+#SLAPD_OPTIONS=
+
+# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
+#
+# Run slapd with -h "... ldap:/// ..."
+# yes/no, default: yes
+SLAPD_LDAP=yes
+
+# Run slapd with -h "... ldapi:/// ..."
+# yes/no, default: yes
+SLAPD_LDAPI=yes
+
+# Run slapd with -h "... ldaps:/// ..."
+# yes/no, default: no
+<%
+ldaps = 'no'
+if node['openldap']['server']['ldaps'] == true then
+ ldaps = 'yes'
+end
+-%>
+SLAPD_LDAPS=<%= ldaps %>
+
+# Run slapd with -h "... $SLAPD_URLS ..."
+# This option could be used instead of previous three ones, but:
+# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
+# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
+# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
+# default: empty
+#SLAPD_URLS=""
+
+# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
+#SLAPD_SHUTDOWN_TIMEOUT=3
+
+# Parameters to ulimit, use to change system limits for slapd
+#SLAPD_ULIMIT_SETTINGS=""
+
+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
+<% end -%>
+
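Review bot: The `KRB5_KTNAME` guard only checks `.nil?`, so an attribute set to `''` renders `export KRB5_KTNAME=` and points slapd's GSSAPI at an empty keytab path; guard with `<% unless node['openldap']['server']['KRB5_KTNAME'].to_s.empty? then -%>` instead. Since this file is read as shell by the init script, the value should also be quoted, `export KRB5_KTNAME="<%= node['openldap']['server']['KRB5_KTNAME'] %>"`, so a path containing spaces or shell metacharacters is taken literally.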
--- /dev/null
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+<%
+services = 'ldap:/// ldapi:///'
+if node['openldap']['server']['ldaps'] == true then
+ services = "#{services} ldaps:///"
+end
+-%>
+SLAPD_SERVICES="<%= services %>"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
+<% end -%>
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
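Review bot: Exporting `KRB5_KTNAME` is only half of what slapd needs for GSSAPI: this file runs slapd as `SLAPD_USER="openldap"`, so the keytab must be readable by that account, yet the example path `/etc/krb5.keytab` is typically root-only and nothing in this change manages the keytab's owner or mode. Either document that the operator has to provide a keytab the `openldap` user can read (a dedicated `/etc/ldap/ldap.keytab` owned `root:openldap` with mode `0640` is the usual pattern) or have the recipe manage it. The guard here also only tests `.nil?`, so `''` renders an empty `export KRB5_KTNAME=`; `unless node['openldap']['server']['KRB5_KTNAME'].to_s.empty?` is the safer test.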
'ldap.grid.example.com',
],
},
+ 'krb5' => {
+ 'kadm5.acl' => <<-EOC
+admin *
+EOC
+ },
'openldap' => {
'with_ssl_cert_cookbook' => true,
'ssl_cert' => {
'ca_name' => 'grid_ca',
'common_name' => 'ldap.grid.example.com',
},
+ 'server' => {
+ 'ldaps' => true,
+ 'KRB5_KTNAME' => '/etc/krb5.keytab',
+ },
},
)