# CHANGELOG for krb5
-This file is used to list changes made in each version of krb5.
+0.1.2
+-----
+- add kdc-slave recipe.
-## 0.1.0:
+0.1.0
+-----
+- Initial release of krb5
-* Initial release of krb5
-
-- - -
-Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
-
-The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
Requirements
------------
-Nothing.
+None.
Attributes
----------
license 'Apache 2.0'
description 'Installs/Configures krb5'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.1'
+version '0.1.2'
%w{ debian ubuntu centos redhat fedora }.each do |os|
supports os
--- /dev/null
+#
+# Cookbook Name:: krb5
+# Recipe:: kdc-slave
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node[:platform_family]
+ when 'debian'
+ package 'krb5-kdc' do
+ action :install
+ end
+
+ service 'krb5-kdc' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/etc/krb5kdc/kdc.conf' do
+ source 'etc/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+ template '/etc/krb5kdc/kpropd.acl' do
+ source 'etc/krb5kdc/kpropd.acl'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+
+ package 'xinetd' do
+ action :install
+ end
+
+ service 'xinetd' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/etc/xinetd.d/krb_prop' do
+ source 'etc/xinetd.d/krb_prop'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ notifies :reload, 'service[xinetd]'
+ end
+ when 'rhel'
+ package 'krb5-server' do
+ action :install
+ end
+
+ service 'krb5kdc' do
+ #action [:enable, :start]
+ action [:enable]
+ supports :status => true, :restart => true, :reload => false
+ end
+
+ template '/var/kerberos/krb5kdc/kdc.conf' do
+ source 'var/kerberos/krb5kdc/kdc.conf'
+ owner 'root'
+ group 'root'
+ mode '0600'
+ end
+ template '/var/kerberos/krb5kdc/kpropd.acl' do
+ source 'var/kerberos/krb5kdc/kpropd.acl'
+ owner 'root'
+ group 'root'
+ mode '0600'
+ end
+
+ service 'kprop' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => true
+ end
+end
+
+log <<-EOM
+Note:
+You must add the host principal of this host for propagation.:
+ $ sudo kadmin -p admin
+ ...
+ kadmin: add_principal -randkey host/ns01.grid.example.com
+ ...
+ kadmin: ktadd host/ns01.grid.example.com
+ ...
+EOM
+
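Review bot: `template '/etc/xinetd.d/krb_prop'` notifies `:reload` on `service[xinetd]`, but that service is declared with `supports … :reload => false` and no `reload_command`, so as far as I recall Chef's service provider raises UnsupportedAction the first time the template changes; either declare `supports :status => true, :restart => true, :reload => true` or notify `:restart`. The two branches also disagree on file modes — kdc.conf and kpropd.acl are `0644` on debian and `0600` on rhel; neither file should hold key material, but kpropd.acl decides which principals may push a full database to this KDC, so pick one mode and say why in a comment. The log heredoc hard-codes `host/ns01.grid.example.com`; `host/#{node['fqdn']}` would make the note apply to whichever host converges it. The recipe is complete within this hunk.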
# limitations under the License.
#
-case node[:platform_family]
- when 'debian'
- package 'krb5-kdc' do
- action :install
- end
-
- service 'krb5-kdc' do
- action [:enable, :start]
- supports :status => true, :restart => true, :reload => false
- end
-
- template '/etc/krb5kdc/kdc.conf' do
- source 'etc/krb5kdc/kdc.conf'
- owner 'root'
- group 'root'
- mode '0644'
- end
- template '/etc/krb5kdc/kpropd.acl' do
- source 'etc/krb5kdc/kpropd.acl'
- owner 'root'
- group 'root'
- mode '0644'
- end
-
- package 'xinetd' do
- action :install
- end
-
- service 'xinetd' do
- action [:enable, :start]
- supports :status => true, :restart => true, :reload => false
- end
-
- template '/etc/xinetd.d/krb_prop' do
- source 'etc/xinetd.d/krb_prop'
- owner 'root'
- group 'root'
- mode '0644'
- notifies :reload, 'service[xinetd]'
- end
- when 'rhel'
- package 'krb5-server' do
- action :install
- end
-
- service 'krb5kdc' do
- #action [:enable, :start]
- action [:enable]
- supports :status => true, :restart => true, :reload => false
- end
-
- template '/var/kerberos/krb5kdc/kdc.conf' do
- source 'var/kerberos/krb5kdc/kdc.conf'
- owner 'root'
- group 'root'
- mode '0600'
- end
- template '/var/kerberos/krb5kdc/kpropd.acl' do
- source 'var/kerberos/krb5kdc/kpropd.acl'
- owner 'root'
- group 'root'
- mode '0600'
- end
-
- service 'kprop' do
- action [:enable, :start]
- supports :status => true, :restart => true, :reload => true
- end
-end
-
-log <<-EOM
-Note:
-You must add the host principal of this host for propagation.:
- $ sudo kadmin -p admin
- ...
- kadmin: add_principal -randkey host/ns01.grid.example.com
- ...
- kadmin: ktadd host/ns01.grid.example.com
- ...
-EOM
+include_recipe 'krb5::kdc-slave'
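Review bot: After this hunk the recipe body is just `include_recipe 'krb5::kdc-slave'`, so a reader landing here has no hint that the resources moved rather than disappeared; add above it `# Body moved to krb5::kdc-slave in 0.1.2; kept so existing run_lists naming this recipe keep working.` (the version is the one set in this change's metadata hunk). The header comment of this file starts outside the hunk.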
+[logging]
+ kdc = FILE:/var/log/kerberos/krb5kdc.log
+ admin_server = FILE:/var/log/kerberos/kadmin.log
+ default = FILE:/var/log/kerberos/krb5lib.log
+
[libdefaults]
default_realm = <%= node['krb5']['libdefaults']['default_realm'] %>
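Review bot: The new `[logging]` paths are hard-coded while `default_realm` two lines below is attribute-driven; as far as I can tell `/var/log/kerberos/` is not a directory the stock krb5 packages create on either platform, and nothing in this change creates it, so the KDC and kadmind would at best lose their logs at start. Add a `directory '/var/log/kerberos'` resource (root-owned, restrictive mode — KDC logs record principal names and client addresses) in the kdc/admin recipes, or expose the three paths as `node['krb5']['logging'][...]` attributes so a site can point them elsewhere.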
# CHANGELOG for openldap
-This file is used to list changes made in each version of openldap.
+0.1.1
+-----
+- add server recipe.
+- add linkage with ssl_cert cookbook.
-## 0.1.0:
+0.1.0
+-----
+- Initial release of openldap
-* Initial release of openldap
-
-- - -
-Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
-
-The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
openldap Cookbook
=================
-This cookbook sets up OpenLDAP client and nss-ldapd.
+This cookbook sets up OpenLDAP client, server and nss-ldapd.
Requirements
------------
-Nothing.
+None.
Attributes
----------
#### openldap::default
|Key|Type|Description, example|Default|
|:--|:--|:--|:--|
+|`['openldap']['with_ssl_cert_cookbook']`|Boolean|make it work with ssl_cert cookbook. (ver. 0.1.1 or later)|`false`|
+|`['openldap']['ssl_cert']['ca_name']`|String|CA name used by ssl_cert (ver. 0.1.1 or later)|`nil`|
+|`['openldap']['ssl_cert']['common_name']`|String|Server common name useed by ssl_cert. (ver. 0.1.1 or later)|`node['fqdn']`|
|`['openldap']['client']['URI']`|String|ldap://ldap.example.com ldap://ldap-master.example.com:666|`nil`|
|`['openldap']['client']['BASE']`|String|dc=example,dc=com|`nil`|
|`['openldap']['client']['SIZELIMIT']`|String|12|`nil`|
"name":"my_node",
"run_list": [
"recipe[openldap::client]",
+ "recipe[openldap::server]",
"recipe[openldap::nss-ldapd]"
]
}
```
+#### with ssl_cert cookbook
+
+If node['openldap']['with_ssl_cert_cookbook'] is true, node['openldap']['client']['TLS_CACERT'] and node['openldap']['nss-ldapd']['tls_cacertfile'] are overridden by the file path based on ['openldap']['ssl_cert']['ca_name'] attribute.
+
License and Authors
-------------------
- Author:: whitestar at osdn.jp
```text
-Copyright 2013-2015, whitestar
+Copyright 2013-2016, whitestar
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
# Cookbook Name:: openldap
# Attributes:: default
#
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# limitations under the License.
#
+default['openldap']['with_ssl_cert_cookbook'] = false
+# If node['openldap']['with_ssl_cert_cookbook'] is true,
+# node['openldap']['client']['TLS_CACERT'] and ['openldap']['nss-ldapd']['tls_cacertfile']
+# are overridden by the following 'ca_name' attributes.
+default['openldap']['ssl_cert']['ca_name'] = nil
+default['openldap']['ssl_cert']['common_name'] = node['fqdn']
+
default['openldap']['client']['URI'] = nil # ldap://ldap.example.com ldap://ldap-master.example.com:666
default['openldap']['client']['BASE'] = nil # dc=example,dc=com
default['openldap']['client']['SIZELIMIT'] = nil # 12
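Review bot: The comment above `ca_name` explains what that attribute overrides, but `common_name` gets none, yet the new `00_olc-*-ldaps.ldif` templates use it as `common_name.gsub('.', '_')` to look up `<cn>_cert_path` / `<cn>_key_path` in the ssl_cert attributes — worth stating here, e.g. `# CN of this server's certificate; looked up in ssl_cert's "<cn with dots as underscores>_cert_path"/"_key_path" attributes.` Note also that `node['fqdn']` can be nil when Ohai cannot resolve the hostname, which would presumably reach that `gsub` as `nil` at template render time; a short comment or a guard in the server recipe would make that failure mode explicit.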
license 'Apache 2.0'
description 'Installs/Configures openldap'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.0'
+version '0.1.1'
+
+depends 'ssl_cert'
+
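Review bot: `depends 'ssl_cert'` is unconditional even though the feature it backs is gated by `node['openldap']['with_ssl_cert_cookbook']` (default false), so every consumer of openldap now needs ssl_cert resolvable, and the recipes' new `node['ssl_cert'][...]` lookups tie this cookbook to ssl_cert's attribute naming (`<name>_cert_path`, `<cn>_key_path`). Pin the version this was written against, `depends 'ssl_cert', '~> <SSL_CERT_VERSION>'` (placeholder), so a later ssl_cert that renames its exported attributes fails at dependency resolution rather than as a nil path at converge.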
# Cookbook Name:: openldap
# Recipe:: client
#
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
'TLS_CRLFILE'
]
+if node['openldap']['with_ssl_cert_cookbook'] then
+ node.override['openldap']['client']['TLS_CACERT'] \
+ = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]
+end
+
case node[:platform_family]
when 'debian'
- package 'ldap-utils' do
+ pkg = 'ldap-utils'
+ resources(:package => pkg) rescue package pkg do
action :install
end
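Review bot: When `with_ssl_cert_cookbook` is true but `node['openldap']['ssl_cert']['ca_name']` is still at its nil default, the lookup key after `node.override` becomes `"_cert_path"` and TLS_CACERT is silently overridden with nil (or the line raises NoMethodError if `node['ssl_cert']` is absent because ssl_cert is not in the run_list); fail fast instead: `ca_path = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]`, `raise "openldap: ssl_cert ca_name must name a deployed CA when with_ssl_cert_cookbook is set" if ca_path.nil?`, then `node.override['openldap']['client']['TLS_CACERT'] = ca_path`. The nss-ldapd recipe hunk below does the same for `tls_cacertfile` and needs the same guard. Separately, `resources(:package => pkg) rescue package pkg do … end` rescues every StandardError, not just the not-found case the find-or-create idiom is after; prefer `begin … rescue Chef::Exceptions::ResourceNotFound` (also in the 'rhel' hunk below and in the new server recipe). `if … then` on a multi-line `if` is non-idiomatic; drop the `then`.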
variables({'ldap_conf_keys' => ldap_conf_keys})
end
when 'rhel'
- package 'openldap-clients' do
+ pkg = 'openldap-clients'
+ resources(:package => pkg) rescue package pkg do
action :install
end
# Cookbook Name:: openldap
# Recipe:: nss-ldapd
#
-# Copyright 2013, whitestar
+# Copyright 2013-2016, whitestar
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
'pam_authz_search'
]
+if node['openldap']['with_ssl_cert_cookbook'] then
+ node.override['openldap']['nss-ldapd']['tls_cacertfile'] \
+ = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]
+end
+
case node[:platform_family]
when 'debian'
%w{
--- /dev/null
+#
+# Cookbook Name:: openldap
+# Recipe:: server
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+case node[:platform_family]
+ when 'debian'
+ [
+ 'slapd',
+ 'ldap-utils',
+ ].each {|pkg|
+ resources(:package => pkg) rescue package pkg do
+ action :install
+ end
+ }
+
+ service 'slapd' do
+ action [:enable, :start]
+ supports :status => true, :restart => true, :reload => false
+ end
+ when 'rhel'
+ [
+ 'openldap-servers',
+ 'openldap-clients',
+ ].each {|pkg|
+ resources(:package => pkg) rescue package pkg do
+ action :install
+ end
+ }
+
+ service 'slapd' do
+ #action [:enable, :start]
+ action [:enable]
+ supports :status => true, :restart => true, :reload => false
+ end
+end
+
+if node['openldap']['with_ssl_cert_cookbook'] then
+ [
+ '00_olc-add-ldaps.ldif',
+ '00_olc-mod-ldaps.ldif',
+ ].each {|ldif|
+ template "/etc/ldap/#{ldif}" do
+ source "etc/ldap/#{ldif}"
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+ }
+end
+
+log <<-EOM
+Note:
+You must setup OpenLDAP configurations in the first installation:
+ [Debian]
+ $ sudo sudo dpkg-reconfigure -plow slapd
+ [CentOS]
+ edit /etc/openldap/slap.d configurations
+ $ sudo service slapd restart
+EOM
+
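Review bot: The `template "/etc/ldap/#{ldif}"` loop under `with_ssl_cert_cookbook` runs for every platform family, but the rhel branch above (and this recipe's own log text, `/etc/openldap/slap.d`) use `/etc/openldap`; on rhel the resource would write into a directory nothing here creates, so the path should follow the platform, e.g. `conf_dir = node[:platform_family] == 'rhel' ? '/etc/openldap' : '/etc/ldap'` and `template "#{conf_dir}/#{ldif}" do`. The rendered LDIFs are never applied by the recipe (the templates' own first line documents a manual `ldapmodify`), so the log heredoc should say so next to the `dpkg-reconfigure` hint, whose line also has a doubled `sudo sudo`. The recipe is complete within this hunk.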
--- /dev/null
+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-add-ldaps.ldif
+dn: cn=config
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
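Review bot: Every `<%= node['ssl_cert'][…] %>` here renders as an empty attribute value when the ssl_cert lookup returns nil (e.g. `ca_name` left at its nil default, or a `common_name` whose `gsub('.', '_')` form does not match the key ssl_cert exports), producing `olcTLSCACertificateFile:` with nothing after it, which slapd is unlikely to accept at ldapmodify time rather than failing at converge; a nil check in the server recipe before these templates are rendered would surface the misconfiguration early. The same three lookups are repeated in `00_olc-mod-ldaps.ldif` below. As far as I recall, setting the olcTLS* attributes alone does not open an ldaps:// listener — slapd also needs `ldaps:///` in its startup URL list — and nothing in this change configures that, so a one-line comment stating the scope of this file (TLS material only) would help.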
--- /dev/null
+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-mod-ldaps.ldif
+dn: cn=config
+changetype: modify
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
--- /dev/null
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$LOAD_PATH.push("#{File.dirname(__FILE__)}/_lib")
+#${chef-repo}/roles/_lib/grid.rb
+require 'grid'
+
+name 'grid-ns-master'
+description 'Grid nameservice master node'
+
+run_list(
+ 'role[grid-ns]',
+ 'recipe[ssl_cert::default]',
+ 'recipe[krb5::admin]',
+ 'recipe[openldap::server]',
+)
+
+#env_run_lists()
+
+default_attributes(
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_cert_file_prefix' => '00',
+ 'server_cert_file_prefix' => '01',
+ 'server_key_file_prefix' => '01',
+ 'ca_names' => [
+ 'grid_ca',
+ ],
+ 'common_names' => [
+ 'ldap.grid.example.com',
+ ],
+ },
+ 'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => 'grid_ca',
+ 'common_name' => 'ldap.grid.example.com',
+ },
+ },
+)
+
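Review bot: `'ldap.grid.example.com'` appears twice — in `ssl_cert.common_names` and again in `openldap.ssl_cert.common_name` — and `'grid_ca'` likewise; the server templates' lookups only work while the pairs stay in sync, so hoist them into locals the way the `ldap-client-grid` role in this change does with `ca_name`: `ca_name = 'grid_ca'` and `cn = 'ldap.grid.example.com'` above `override_attributes(`, then reference the locals. The empty `default_attributes(` … `)` call can be dropped.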
--- /dev/null
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+$LOAD_PATH.push("#{File.dirname(__FILE__)}/_lib")
+#${chef-repo}/roles/_lib/grid.rb
+require 'grid'
+
+name 'grid-ns-slave'
+description 'Grid nameservice slave node'
+
+run_list(
+ 'role[grid-ns]',
+ 'recipe[ssl_cert::default]',
+ 'recipe[krb5::kdc-slave]',
+ 'recipe[openldap::server]',
+)
+
+#env_run_lists()
+
+default_attributes(
+)
+
+override_attributes(
+ 'ssl_cert' => {
+ 'ca_cert_file_prefix' => '00',
+ 'server_cert_file_prefix' => '01',
+ 'server_key_file_prefix' => '01',
+ 'ca_names' => [
+ 'grid_ca',
+ ],
+ 'common_names' => [
+ # TODO: node['fqdn']
+ #'ldap.grid.example.com',
+ ],
+ },
+ 'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => 'grid_ca',
+ #'common_name' => 'ldap.grid.example.com', # default: node['fqdn']
+ },
+ },
+)
+
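Review bot: `ssl_cert.common_names` is left empty (TODO) while `openldap.with_ssl_cert_cookbook` is true and `recipe[openldap::server]` is in the run_list, so on the slave the server recipe renders the 00_olc-*-ldaps.ldif templates against the attribute default `node['fqdn']`, a CN ssl_cert has not been asked to issue; presumably the `<fqdn>_cert_path` / `_key_path` lookups then yield nil and the LDIF gets empty olcTLS* values. Until the TODO is resolved, set `'with_ssl_cert_cookbook' => false` in this role, or move the CN computation into a wrapper recipe (roles are evaluated without a node object, so they cannot read `node['fqdn']`). Stating the gap in the description would also help: `description 'Grid nameservice slave node (TLS server cert not yet provisioned)'`.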
description 'Grid nameservice node'
run_list(
- # TODO:
'role[node_commons]',
- 'recipe[ssl_cert::default]',
- 'role[grid-realm]',
- 'role[ganglia-gmond]'
+ 'role[krb5-client-grid]',
+ 'role[ldap-client-grid]',
+ #'role[ganglia-gmond]'
)
#env_run_lists()
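Review bot: `'role[ganglia-gmond]'` is commented out of the run_list, but the `'ganglia' => { 'cluster' => …` override attributes further down this file stay; they are now dead configuration that will be silently picked up again if the role is re-enabled later with different expectations. Either remove them in the same change or annotate the commented line, e.g. `#'role[ganglia-gmond]', # disabled; the ganglia overrides below are kept for re-enabling`.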
)
override_attributes(
- 'ssl_cert' => {
- 'ca_cert_file_prefix' => '00',
- 'server_cert_file_prefix' => '01',
- 'server_key_file_prefix' => '01',
- 'ca_names' => [
- 'grid_ca',
- ],
- 'common_names' => [
- 'ldap.grid.example.com',
- ],
- },
'ganglia' => {
# gmond
'cluster' => {
description 'LDAP client role for Grid'
run_list(
- 'recipe[grid::cacert_deploy]',
+ 'recipe[ssl_cert::ca_certs]',
'role[ldap-client]',
'recipe[openldap::nss-ldapd]'
)
uri = 'ldap://ldap.grid.example.com/'
base = 'dc=grid,dc=example,dc=com'
-ca_cert_file = '/etc/ssl/certs/grid_internal_cacert.pem'
+ca_name = 'grid_ca'
+#ca_cert_file = '/etc/ssl/certs/00grid_ca.crt'
default_attributes(
- 'grid' => {
- 'cacert' => {
- 'path' => ca_cert_file
- }
+ 'ssl_cert' => {
+ 'ca_cert_file_prefix' => '00',
+ 'server_cert_file_prefix' => '01',
+ 'server_key_file_prefix' => '01',
+ 'ca_names' => [
+ ca_name,
+ ],
},
'openldap' => {
+ 'with_ssl_cert_cookbook' => true,
+ 'ssl_cert' => {
+ 'ca_name' => ca_name,
+ },
'client' => {
'URI' => uri,
'BASE' => base,
- 'TLS_CACERT' => ca_cert_file,
+ # because with_ssl_cert_cookbook is set
+ #'TLS_CACERT' => ca_cert_file,
'TLS_REQCERT' => 'allow',
'TLS_CHECKPEER' => 'yes',
'SASL_MECH' => 'GSSAPI'
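Review bot: With `TLS_CACERT` now supplied only through the recipe-level override (`with_ssl_cert_cookbook` true, CA taken from `ca_name`), a missing or nil CA path no longer shows up in ldap.conf at all — and because `'TLS_REQCERT' => 'allow'` two lines below tolerates an unverifiable server certificate, the client would keep connecting without validating the server. Tightening it to `'TLS_REQCERT' => 'demand'`, matching the `'tls_reqcert' => 'demand'` this file already sets for nss-ldapd, turns a broken CA deployment into a visible failure instead of an unauthenticated TLS session. The commented `#'TLS_CACERT' => ca_cert_file,` line now refers to a variable that no longer exists; keep only the explanatory comment.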
'uri' => uri,
'base' => base,
'ssl' => 'start_tls',
- 'tls_cacertfile' => ca_cert_file,
+ # because with_ssl_cert_cookbook is set
+ #'tls_cacertfile' => ca_cert_file,
'tls_reqcert' => 'demand'
},
'ldap_lookup_nameservices' => ['passwd', 'group']