diff --git a/mainserver.yml b/mainserver.yml
index 88a1401..a97a47b 100644
--- a/mainserver.yml
+++ b/mainserver.yml
@@ -9,6 +9,6 @@ foo_pwd: 123
 roles:
- - ldap
-# - krb5-kdc-ldap
+# - ldap
+ - krb5-kdc-ldap
diff --git a/roles/krb5-kdc-ldap/defaults/main.yml b/roles/krb5-kdc-ldap/defaults/main.yml
new file mode 100644
index 0000000..7ea992c
--- /dev/null
+++ b/roles/krb5-kdc-ldap/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+kdc_pwd: "{{ lookup('password', '/tmp/kdc.pwd length=24') }}"
+kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
+kdc_master_pwd: "{{ lookup('password', '/tmp/kdc_master.pwd length=24') }}"
+kdc_pwd_file: "/root/kdc-master.pwd"
diff --git a/roles/krb5-kdc-ldap/handlers/main.yml b/roles/krb5-kdc-ldap/handlers/main.yml
new file mode 100644
index 0000000..dd749e0
--- /dev/null
+++ b/roles/krb5-kdc-ldap/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: restart krb5-kdc
+ service: name=krb5-kdc state=restarted enabled=yes
+ listen: "restart krb5-kdc"
+
+- name: restart krb5-admin-server
+ service: name=krb5-admin-server state=restarted enabled=yes
+ listen: "restart krb5-admin-server"
diff --git a/roles/krb5-kdc-ldap/meta/main.yml b/roles/krb5-kdc-ldap/meta/main.yml
new file mode 100644
index 0000000..b19fb35
--- /dev/null
+++ b/roles/krb5-kdc-ldap/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: ldap
diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
new file mode 100644
index 0000000..6f37107
--- /dev/null
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
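Review bot: The three `lookup('password', '/tmp/…')` calls persist the generated KDC, kadmin and master passwords as plaintext files under `/tmp` on the control node, a directory shared with every local user and routinely cleaned, so the secrets are both exposed and liable to change silently between runs. Keep them under a role-owned, non-shared path instead, for example `"{{ lookup('password', inventory_dir + '/credentials/kdc.pwd length=24') }}"` (example path), or load them from Ansible Vault. `kdc_pwd_file` additionally places the master password in plaintext on the KDC host; since the `initialize KDC` task runs `create -s`, which already writes the stash the KDC needs, it is worth a comment on why that extra copy is kept.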
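Review bot: Both handlers pass module arguments in the `key=value` shorthand (`service: name=krb5-kdc state=restarted enabled=yes`), a style the rest of the role avoids; the block form lints and diffs better, e.g. `service:` / `  name: krb5-kdc` / `  state: restarted` / `  enabled: true`. `enabled=yes` also relies on YAML 1.1 truthiness, where `true` is the portable spelling. The `listen:` entries repeat each handler's own name, which `notify` already matches, so they add nothing unless further topics are planned.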
@@ -0,0 +1,146 @@
+## Install and configure krb5-kdc-ldap (if not done yet),
+## run most tasks only on krb5-kdc-ldap installation.
+---
+
+- name: check if slapd is already there
+ stat: path=/usr/sbin/krb5kdc
+ register: krb5kdc
+
+- name: prepare krb5.conf
+ template:
+ src: krb5.conf
+ dest: /etc/krb5.conf
+
+- name: prepare kdc.conf
+ template:
+ src: kdc.conf
+ dest: /etc/krb5kdc/kdc.conf
+
+- name: prepare kadm5.acl
+ template:
+ src: kadm5.acl
+ dest: /etc/krb5kdc/kadm5.acl
+ notify: "restart krb5-admin-server"
+
+- name: install krb5-kdc-ldap and krb5-admin-server
+ apt:
+ name:
+ - krb5-kdc-ldap
+ - krb5-admin-server
+ state: latest
+
+- name: prepare kerberos.openldap.ldif
+ shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
+ when: not krb5kdc.stat.exists
+
+- name: activate kerberos.openldap.ldif schema
+ command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
+ when: not krb5kdc.stat.exists
+
+- name: make sure we have a kerberos container
+ ldap_entry:
+ dn: "cn=kerberos,{{ basedn }}"
+ objectClass: krbContainer
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+ when: not krb5kdc.stat.exists
+
+- name: make sure we have a kdc object
+ ldap_entry:
+ dn: "cn=kdc,cn=kerberos,{{ basedn }}"
+ objectClass:
+ - organizationalRole
+ - simpleSecurityObject
+ attributes:
+ userPassword: "{{ kdc_pwd }}"
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+ when: not krb5kdc.stat.exists
+
+- name: make sure we have a kadmin object
+ ldap_entry:
+ dn: "cn=kadmin,cn=kerberos,{{ basedn }}"
+ objectClass:
+ - organizationalRole
+ - simpleSecurityObject
+ attributes:
+ userPassword: "{{ kadmin_pwd }}"
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+ when: not krb5kdc.stat.exists
+
+- name: modify ACLs to account for KDC
+ ldap_attr:
+ dn: "olcDatabase={1}mdb,cn=config"
+ name: olcAccess
+ values:
+ - >-
+ to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+ - >-
+ to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ to dn.subtree="cn=kerberos,{{ basedn }}"
+ by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
+ by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+ by * none
+ - >-
+ to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
+ by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
+ by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+ by self read
+ by * auth
+ - >-
+ to *
+ by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
+ by * read
+ state: exact
+ when: not krb5kdc.stat.exists
+
+- name: add KDC indexes to LDAP
+ ldap_attr:
+ dn: "olcDatabase={1}mdb,cn=config"
+ name: olcDbIndex
+ values: krbPrincipalName pres,sub,eq
+ when: not krb5kdc.stat.exists
+
+- name: prepare password for kdc
+ shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
+ no_log: true
+ when: not krb5kdc.stat.exists
+
+- name: prepare password for kadmin
+ shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
+ no_log: true
+ when: not krb5kdc.stat.exists
+
+- name: dump kdc master password
+ shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_pwd_file }}" ; chmod 0600 "{{ kdc_pwd_file }}"
+ no_log: true
+ when: not krb5kdc.stat.exists
+
+- name: initialize KDC
+ command:
+ >-
+ kdb5_ldap_util
+ -D cn=admin,"{{ basedn }}"
+ -w "{{ ldap_admin_pwd }}"
+ -H ldapi:///
+ create -s -subtrees "{{ basedn }}"
+ -P "{{ kdc_master_pwd }}"
+ -r "{{ ldap_domain | upper }}"
+ no_log: true
+ notify: "restart krb5-kdc"
+ when: not krb5kdc.stat.exists
+
+- name: add default policy to silence warning when using kadmin
+ command: kadmin.local -q "add_policy default"
+ when: not krb5kdc.stat.exists
+
+- name: kerberize dummy user foo
+ command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
+ when: foo_pwd is defined
diff --git a/roles/krb5-kdc-ldap/templates/kadm5.acl b/roles/krb5-kdc-ldap/templates/kadm5.acl
new file mode 100644
index 0000000..1ddf3ff
--- /dev/null
+++ b/roles/krb5-kdc-ldap/templates/kadm5.acl
@@ -0,0 +1,4 @@
+## access controls for the Kerberos KDC
+root/admin@{{ ldap_domain | upper }} *
+*@{{ ldap_domain | upper }} cil
+*/*@{{ ldap_domain | upper }} i
diff --git a/roles/krb5-kdc-ldap/templates/kdc.conf b/roles/krb5-kdc-ldap/templates/kdc.conf
new file mode 100644
index 0000000..477c9ba
--- /dev/null
+++ b/roles/krb5-kdc-ldap/templates/kdc.conf
@@ -0,0 +1,15 @@
+[kdcdefaults]
+ kdc_ports = 750,88
+
+[realms]
+ {{ ldap_domain | upper }} = {
+ admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /etc/krb5kdc/stash
+ kdc_ports = 750,88
+ max_life = 10h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = des3-hmac-sha1
+ #supported_enctypes = aes256-cts:normal aes128-cts:normal
+ default_principal_flags = +preauth
+ }
diff --git a/roles/krb5-kdc-ldap/templates/krb5.conf b/roles/krb5-kdc-ldap/templates/krb5.conf
new file mode 100644
index 0000000..8f231cb
--- /dev/null
+++ b/roles/krb5-kdc-ldap/templates/krb5.conf
@@ -0,0 +1,26 @@
+[libdefaults]
+ default_realm = {{ ldap_domain | upper }}
+
+[realms]
+ {{ ldap_domain | upper }} = {
+ kdc = {{ ansible_hostname }}
+ admin_server = {{ ansible_hostname }}
+ database_module = LDAP
+ }
+
+[domain_realm]
+ .{{ ldap_domain }} = {{ ldap_domain | upper }}
+ {{ ldap_domain }} = {{ ldap_domain | upper }}
+
+[dbdefaults]
+ ldap_kerberos_container_dn = cn=kerberos,{{ basedn }}
+
+[dbmodules]
+ LDAP = {
+ db_library = kldap
+ ldap_kdc_dn = cn=kdc,cn=kerberos,{{ basedn }}
+ ldap_kadmind_dn = cn=kadmin,cn=kerberos,{{ basedn }}
+ ldap_service_password_file = /etc/krb5kdc/service.keyfile
+ ldap_servers = ldapi:///
+ ldap_conns_per_server = 5
+ }
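Review bot: The two `prepare password for …` tasks create `/etc/krb5kdc/service.keyfile` through a plain shell redirect, so the file takes the default umask and the KDC and kadmin LDAP bind secrets are likely left world-readable; prefix the first command with `umask 077;` (the second only appends, so the first decides the mode) and do the same in `dump kdc master password`, where `chmod 0600` runs only after the plaintext has already been written. `kerberize dummy user foo` interpolates `foo_pwd` into the kadmin command line without `no_log: true`, so the password lands in the task output, and it has no guard, so `add_principal` is re-issued on every play and will hit an already-existing principal on later runs. The first task is named `check if slapd is already there` but stats `/usr/sbin/krb5kdc`; rename it to `check if krb5kdc is already installed`. Because that stat is taken before the `apt` task, a first run that fails anywhere after the install leaves every `when: not krb5kdc.stat.exists` task skipped permanently; a marker produced only at the end of a successful initialisation (the stash written by `create -s`, for instance) would be a more faithful guard.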
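Review bot: `*@{{ ldap_domain | upper }} cil` has no target field, so every plain principal in the realm receives change-password (`c`) rights over all principals, not only its own, which would let any user reset any other user's password through kadmin. Self-service password changes do not need an ACL grant, so drop `c` and keep `*@{{ ldap_domain | upper }} il`, or, if `c` is wanted, bind it to the caller with a target such as `*@{{ ldap_domain | upper }} cil *1@{{ ldap_domain | upper }}` (check the `*1` back-reference syntax against the kadm5.acl manual for the installed krb5 version). `*/*@{{ ldap_domain | upper }} i` similarly grants inquire on everything to any instanced principal, which is harmless for most deployments but worth a comment stating it is intended.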
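Review bot: `master_key_type = des3-hmac-sha1` pins the database master key to triple-DES, which MIT krb5 has deprecated and which newer releases may refuse outright, so the `initialize KDC` task can fail on a current distribution and the key is weak regardless; use `master_key_type = aes256-cts-hmac-sha1-96` (or `aes256-cts-hmac-sha384-192` where all clients support it). With `#supported_enctypes` commented out the realm falls back to the library default list, which is reasonable, but the line reads like leftover debugging; either remove it or note that the default is intentional. `kdc_ports = 750,88` is declared both in `[kdcdefaults]` and per realm; port 750 serves only very old clients and can be dropped.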
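Review bot: `kdc = {{ ansible_hostname }}` and `admin_server = {{ ansible_hostname }}` render the short hostname, which resolves on the KDC itself but will not for any client that receives this `krb5.conf` or for cross-host kadmin use, where the name also has to match the host part of the service principal; `ansible_fqdn` is the safer fact. As far as this diff shows the template is only applied on the KDC host, so add a comment saying so if that is the intent, so nobody copies the file to clients unchanged.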