Minor fixes and improvements, mostly KDC/LDAP related.
This commit is contained in:
Andreas B. Mundt
parent
ece5bca5b5
commit
ce6bd53319
8 changed files with 52 additions and 19 deletions
|
|
@ -1,3 +1,7 @@
|
|||
- name: check if dnsmasq is already there
|
||||
stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
|
||||
register: dnsmasq
|
||||
|
||||
- name: install dnsmasq package
|
||||
apt:
|
||||
name: dnsmasq
|
||||
|
|
@ -9,6 +13,7 @@
|
|||
line: "{{ item.1 }}\t{{ 'debian%03d' | format(item.0) }}"
|
||||
with_indexed_items: "{{ dhcp_list }}"
|
||||
notify: "restart dnsmasq"
|
||||
when: not dnsmasq.stat.exists
|
||||
|
||||
- name: configure dnsmasq
|
||||
template:
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
---
|
||||
kdc_pwd: "{{ lookup('password', '/tmp/kdc.pwd length=24') }}"
|
||||
kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
|
||||
kdc_master_pwd: "{{ lookup('password', '/tmp/kdc_master.pwd length=24') }}"
|
||||
kdc_pwd_file: "/root/kdc-master.pwd"
|
||||
kdc_master_pwd_file: "/root/kdc-master.pwd"
|
||||
|
||||
kdc_service_pwd: "{{ lookup('password', '/tmp/kdc-service.pwd length=24') }}"
|
||||
kadmin_service_pwd: "{{ lookup('password', '/tmp/kadmin-service.pwd length=24') }}"
|
||||
|
||||
kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
|
||||
kadmin_pwd_file: "/root/kadmin.pwd"
|
||||
|
|
|
|||
|
|
@ -11,6 +11,9 @@
|
|||
src: krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
|
||||
- name: make sure krb5kdc exists
|
||||
file: path=/etc/krb5kdc state=directory recurse=yes
|
||||
|
||||
- name: prepare kdc.conf
|
||||
template:
|
||||
src: kdc.conf.j2
|
||||
|
|
@ -52,7 +55,7 @@
|
|||
- organizationalRole
|
||||
- simpleSecurityObject
|
||||
attributes:
|
||||
userPassword: "{{ kdc_pwd }}"
|
||||
userPassword: "{{ kdc_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
|
@ -64,7 +67,7 @@
|
|||
- organizationalRole
|
||||
- simpleSecurityObject
|
||||
attributes:
|
||||
userPassword: "{{ kadmin_pwd }}"
|
||||
userPassword: "{{ kadmin_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
|
@ -109,17 +112,17 @@
|
|||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: prepare password for kdc
|
||||
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
|
||||
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: prepare password for kadmin
|
||||
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
|
||||
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: dump kdc master password
|
||||
shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_pwd_file }}" ; chmod 0600 "{{ kdc_pwd_file }}"
|
||||
shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
|
|
@ -137,18 +140,35 @@
|
|||
notify: "restart krb5-kdc"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add root/admin as kadmin
|
||||
command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: dump kadmin password
|
||||
shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}"
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add default policy to silence warning when using kadmin
|
||||
command: kadmin.local -q "add_policy default"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: create machine principal
|
||||
command: kadmin.local -q "addprinc -randkey host/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
- name: create machine principals
|
||||
command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
with_items:
|
||||
- host
|
||||
- ldap
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add principal to the keytab
|
||||
command: kadmin.local -q "ktadd host/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
with_items:
|
||||
- host
|
||||
- ldap
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
##############
|
||||
|
||||
- name: kerberize dummy user foo
|
||||
command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
|
||||
when: foo_pwd is defined
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
## access controls for the Kerberos KDC
|
||||
root/admin@{{ ldap_domain | upper }} *
|
||||
*@{{ ldap_domain | upper }} cil
|
||||
*/*@{{ ldap_domain | upper }} i
|
||||
|
|
|
|||
|
|
@ -2,3 +2,4 @@ ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
|
|||
ldap_pwd_file: "/root/ldap-admin.pwd"
|
||||
ldap_domain: "{{ ansible_domain | default('intern', true) }}"
|
||||
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
|
||||
lan_homes: /home/lan
|
||||
|
|
|
|||
|
|
@ -37,11 +37,13 @@
|
|||
no_log: true
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: install slapd and python-ldap
|
||||
- name: install slapd, ldap-utils, ldapvi and python3-ldap
|
||||
apt:
|
||||
name:
|
||||
- slapd
|
||||
- python-ldap
|
||||
- ldap-utils
|
||||
- ldapvi
|
||||
- python3-ldap
|
||||
state: latest
|
||||
|
||||
- name: make initial slapd configuration available
|
||||
|
|
@ -90,7 +92,7 @@
|
|||
userPassword: "{{ foo_pwd }}"
|
||||
uidNumber: 10000
|
||||
gidNumber: 10000
|
||||
homeDirectory: /home/lan/foo
|
||||
homeDirectory: "{{ lan_homes }}/foo"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: foo_pwd is defined
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
export_root: /srv/nfs4
|
||||
export_dir: /home/lan
|
||||
lan_homes: /home/lan
|
||||
ldap_domain: "{{ ansible_domain | default('intern', true) }}"
|
||||
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
|
||||
|
|
|
|||
|
|
@ -14,12 +14,12 @@
|
|||
file: path={{ export_root }}/home/ state=directory recurse=yes
|
||||
|
||||
- name: make sure the export exists
|
||||
file: path={{ export_dir }} state=directory recurse=yes
|
||||
file: path={{ lan_homes }} state=directory recurse=yes
|
||||
|
||||
- name: bind mount exported dir
|
||||
mount:
|
||||
path: "{{ export_root }}/home/"
|
||||
src: "{{ export_dir }}"
|
||||
src: "{{ lan_homes }}"
|
||||
fstype: none
|
||||
state: mounted
|
||||
opts: bind
|
||||
|
|
@ -40,11 +40,11 @@
|
|||
register: kadmin
|
||||
|
||||
- name: create machine principal
|
||||
command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
when: kadmin.stat.exists and not exports.stat.exists
|
||||
|
||||
- name: add principal to the keytab
|
||||
command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
|
||||
command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
|
||||
notify: "restart rpc-svcgssd"
|
||||
when: kadmin.stat.exists and not exports.stat.exists
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue