
Implement centralised auth

Open fnoop opened this issue 8 years ago • 16 comments

i.e. LDAP

fnoop Nov 27 '17 00:11

  • https://forge.puppet.com/camptocamp/openldap
  • https://forge.puppet.com/bodgit/openldap
  • https://forge.puppet.com/spacepants/ds_389/readme

fnoop Feb 16 '18 16:02

OpenLDAP: simpler, easier to set up, better community support, lower resource usage. 389ds: better vendor support (Red Hat), better development rate.

This should be the simplest, lowest-resource-usage implementation available; start with OpenLDAP.

fnoop Feb 16 '18 16:02

OpenLDAP uses OpenSSL and has a fairly simple deployment model. 389ds is mostly part of FreeIPA, uses NSS and has a much more complex/harder deployment model.

fnoop Jun 03 '18 10:06

389 is more modern and has a better development effort; it is easier to do multimaster replication. Should be an option, if not now then for the future, and particularly for larger setups.

fnoop Jun 03 '18 10:06

Use the https://github.com/camptocamp/puppet-openldap git version, as it is more up to date than the Puppet Forge release.

fnoop Jun 03 '18 10:06

Use the 'dc=maverick, dc=one' DIT base rather than trying to dynamically determine and create the base from the user's domain. It will be much easier to document, support and maintain this way. Should be an option, however, for bigger outfits.

fnoop Jun 03 '18 10:06

OpenLDAP is up and running with the dc=maverick,dc=one base. Now add:

  • TLS, preferably from existing CA and certs
  • Basic initial data, including mav account

fnoop Jun 04 '18 20:06

Also configure the LDAP client.

fnoop Jun 04 '18 22:06

Now TLS is working using certs generated against the central mavCA:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -Z
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=maverick,dc=one> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# maverick.one
dn: dc=maverick,dc=one
objectClass: top
objectClass: dcObject
objectClass: organization
dc: maverick
o: maverick.one

# admin, maverick.one
dn: cn=admin,dc=maverick,dc=one
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

However, there is a problem with the cert hostname:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate

fnoop Jun 05 '18 11:06

Excellent reference: http://www.zytrax.com/books/ldap/ch15/

fnoop Jun 05 '18 11:06

Security profile set to required TLS:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x
ldap_bind: Confidentiality required (13)
	additional info: TLS confidentiality required

But to allow a flawed-cert connection (requiring absolute verification is unnecessary on a local self-signed cert):

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -Z
ldap_start_tls: Connect error (-11)
	additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=maverick,dc=one> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# maverick.one
dn: dc=maverick,dc=one
objectClass: top
objectClass: dcObject
objectClass: organization
dc: maverick
o: maverick.one

# admin, maverick.one
dn: cn=admin,dc=maverick,dc=one
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

fnoop Jun 05 '18 21:06
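The hostname-mismatch error in the two comments above goes away without relaxing verification once the server certificate carries the name clients actually connect to in its subjectAltName. The script below is an added example and not code from this thread or the Maverick project: it builds a throwaway CA standing in for the thread's central mavCA, issues a slapd certificate with a matching SAN, runs the same chain-plus-hostname check libldap performs on StartTLS, and writes a client ldap.conf that demands a valid certificate (the Debian/Ubuntu client file is /etc/ldap/ldap.conf). The hostname, the CA name and all paths are assumptions; the `openssl` CLI (1.1.1 or newer) must be installed.

```shell
#!/bin/sh
# Added example, not Maverick project code: issue the slapd server cert from a
# local CA with a subjectAltName matching the name clients use, so
# `ldapsearch -ZZ` passes hostname verification instead of being downgraded
# to `-Z`. Hostname, CA name and paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LDAP_HOST=${LDAP_HOST:-maverick-up.maverick.one}   # assumed client-facing name

# Throwaway CA standing in for the thread's central mavCA. A private config
# is used so the example does not depend on the system openssl.cnf.
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = mavCA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Server cert for host $1. Hostname checks match against subjectAltName; a
# bare CN is only a legacy fallback, so the name goes into the SAN extension.
issue_server_cert() {
  host=$1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$host" > "$WORK/srv.cnf"
  printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\nkeyUsage = digitalSignature,keyEncipherment\n' \
    "$host" > "$WORK/srv.ext"
  openssl req -new -config "$WORK/srv.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 825 -in "$WORK/server.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/srv.ext" -out "$WORK/server.pem" 2>/dev/null
}

# The check libldap performs on StartTLS: chains to the CA *and* the
# hostname matches. Prints OK or FAIL.
check_hostname() {
  if openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" \
       "$WORK/server.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Client side: demand a valid cert rather than TLS_REQCERT allow/never.
# Written to the work dir here; on Debian/Ubuntu the real file is
# /etc/ldap/ldap.conf. Prints the path written.
write_client_conf() {
  cat > "$WORK/ldap.conf" <<EOF
BASE        dc=maverick,dc=one
URI         ldap://$LDAP_HOST
TLS_CACERT  $WORK/ca.pem
TLS_REQCERT demand
EOF
  echo "$WORK/ldap.conf"
}

make_ca
issue_server_cert "$LDAP_HOST"
echo "$LDAP_HOST: $(check_hostname "$LDAP_HOST")"   # OK
echo "localhost: $(check_hostname localhost)"       # FAIL: name not in the SAN
conf=$(write_client_conf)
# With server.pem/server.key installed in slapd and this ldap.conf active,
# the strict form from the thread should succeed:
#   LDAPCONF=$conf ldapsearch -x -ZZ -b dc=maverick,dc=one
```

The second `check_hostname` call shows the failure mode from the thread: the certificate chains fine, but the name the client used is not in the certificate, which is exactly what `-ZZ` refuses and `-Z` merely warns about. Reissuing the certificate with the right SAN (or adding every name clients use, including a short hostname, as extra `DNS:` entries) is the fix; `TLS_REQCERT allow` only hides it.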

Now I need to work out how to design the DIT for users and groups, and how to manage those entries using Puppet and/or maverick-api.

fnoop Jun 07 '18 23:06
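One conventional answer to the DIT question above, as an added example that is not code from this thread or the Maverick project: ou=People and ou=Groups under dc=maverick,dc=one, with each user a posixAccount/inetOrgPerson entry and its primary group a posixGroup, emitted as LDIF so it can be fed to ldapadd by Puppet or an API. The password is stored as a salted SHA-1 ({SSHA}) hash, the format slappasswd produces by default, never in cleartext. The uid/gid numbers, home directory, shell, the `mav` uid and the hostname in the ldapadd line are assumptions; the `openssl` CLI is required.

```shell
#!/bin/sh
# Added example, not Maverick project code: conventional OpenLDAP user/group
# layout under dc=maverick,dc=one as LDIF, with {SSHA} password hashing.
# uid/gid numbers, home, shell and the ldapadd hostname are assumptions.
set -eu

BASE_DN='dc=maverick,dc=one'

# {SSHA} = base64( SHA1(password || salt) || salt ). The salt is a parameter
# so the function is deterministic for testing; callers pass a fresh
# `openssl rand -hex 4` (8 ASCII bytes, which keeps shell handling simple).
ssha_hash() {
  pw=$1; salt=$2
  b64=$( { printf '%s%s' "$pw" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } | openssl base64 -A )
  printf '{SSHA}%s\n' "$b64"
}

# Recover the 8-byte salt from a stored hash and recompute. Returns 0 on match.
ssha_verify() {
  stored=$(printf '%s' "$1" | sed 's/^{SSHA}//')
  salt=$(printf '%s' "$stored" | openssl base64 -d -A | tail -c 8)
  [ "$(ssha_hash "$2" "$salt")" = "{SSHA}$stored" ]
}

# LDIF for the container OUs, one user and its primary group.
# Usage: dit_ldif <uid> <uidNumber> <gidNumber> <userPassword value>
dit_ldif() {
  uid=$1; uidn=$2; gidn=$3; pwhash=$4
  cat <<EOF
dn: ou=People,$BASE_DN
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$BASE_DN
objectClass: organizationalUnit
ou: Groups

dn: uid=$uid,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $uid
sn: $uid
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /srv/maverick
loginShell: /bin/bash
userPassword: $pwhash

dn: cn=$uid,ou=Groups,$BASE_DN
objectClass: posixGroup
cn: $uid
gidNumber: $gidn
memberUid: $uid
EOF
}

# Number of entries in an LDIF stream (one "dn:" line each).
count_entries() { grep -c '^dn: '; }

HASH=$(ssha_hash "${MAV_PASSWORD:-change-me}" "$(openssl rand -hex 4)")
LDIF=$(mktemp)
dit_ldif mav 1000 1000 "$HASH" > "$LDIF"
echo "wrote $(count_entries < "$LDIF") entries to $LDIF"
# Load into the server from the thread over verified StartTLS as cn=admin:
#   ldapadd -x -ZZ -H ldap://maverick-up.maverick.one \
#     -D cn=admin,dc=maverick,dc=one -W -f "$LDIF"
```

Because `userPassword` holds a hash, the LDIF itself can be generated on a management host and shipped without exposing the password; a slapd ACL should still restrict reads of `userPassword` to the entry owner and the admin DN, since {SSHA} is fast to brute-force offline.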

slapd install fails if the maverick LDAP config is already in place - the package has a post-up script and check.

fnoop Jun 14 '18 20:06

Aargh, AVC is now getting in the way on Ubuntu 18.04:

Jun 14 21:32:33 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/security/ldap/cn=config.ldif" pid=3118
Jun 14 21:32:33 dom-ubuntu kernel: audit: type=1400 audit(1529008353.641:55): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/secur
Jun 14 21:32:33 dom-ubuntu slapd[31187]: ldif_read_file: Permission denied for "/srv/maverick/config/security/ldap/cn=config.ldif"

fnoop Jun 14 '18 20:06

Move LDAP data (/var/lib/ldap) to /srv/maverick/data/security and LDAP config (/etc/ldap) to /srv/maverick/config/security.

fnoop Mar 28 '19 08:03
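The AppArmor denials two comments up are the packaged slapd profile doing its job: it only allows /etc/ldap and /var/lib/ldap, so the relocation in the previous comment needs matching rules. The script below is an added example, not code from this thread or the Maverick project. It turns `apparmor="DENIED"` journal lines into file rules and writes them, together with tree-wide rules for the relocated config and data directories, into the site-local override that the packaged profile on Ubuntu includes (/etc/apparmor.d/local/usr.sbin.slapd), which is the supported way to extend a shipped profile without editing it. The log lines are constructed to match the ones posted above (fields after `pid=` are typical apparmor output, not copied from the thread), and the `/srv/maverick/.../ldap` directory rules and their permission sets are assumptions modelled on the stock profile's rules for /etc/ldap/slapd.d and /var/lib/ldap.

```shell
#!/bin/sh
# Added example, not Maverick project code: turn slapd AppArmor denials into
# rules for the site-local override file. Log lines are constructed; the
# tree-wide rules for the relocated directories are assumptions.
set -eu

# Constructed sample: two slapd denials (one read, one write) plus an
# unrelated line that must be ignored.
SAMPLE_AUDIT='Jun 14 21:32:33 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/security/ldap/cn=config.ldif" pid=31187 comm="slapd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 14 21:32:34 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/data/security/ldap/data.mdb" pid=31187 comm="slapd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 14 21:32:34 dom-ubuntu sshd[999]: Accepted publickey for mav from 10.0.0.5 port 50000 ssh2'

# Read audit lines on stdin, keep DENIED events for profile $1 and print one
# AppArmor file rule per distinct path. A denied write maps to "rw", anything
# else to "r". Paths are kept verbatim; no globbing is guessed here.
avc_to_rules() {
  profile=$1
  sed -n "s|.*apparmor=\"DENIED\".*profile=\"$profile\".*name=\"\([^\"]*\)\".*denied_mask=\"\([^\"]*\)\".*|\1 \2|p" |
  while read -r path mask; do
    case $mask in
      *w*) perm=rw ;;
      *)   perm=r  ;;
    esac
    printf '  %s %s,\n' "$path" "$perm"
  done | sort -u
}

# Build the local override for slapd: the exact denied paths plus rules for
# the relocated trees (assumed layout: /srv/maverick/{config,data}/security/ldap).
# On a real host write it to /etc/apparmor.d/local/usr.sbin.slapd and reload:
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
# Prints the path written.
write_local_override() {
  out=$1
  {
    echo '# Site-local additions for /usr/sbin/slapd (included by the packaged profile)'
    printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules /usr/sbin/slapd
    echo '  /srv/maverick/config/security/ldap/ r,'
    echo '  /srv/maverick/config/security/ldap/** rw,'
    echo '  /srv/maverick/data/security/ldap/ r,'
    echo '  /srv/maverick/data/security/ldap/** rwk,'   # lmdb needs file locks
  } > "$out"
  echo "$out"
}

echo "rules derived from the sample denials:"
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_rules /usr/sbin/slapd
write_local_override "$(mktemp)"
```

Granting only the denied paths is enough to get past the error in the thread, but slapd will hit the next file on the next start (cn=config children, the mdb lock file), which is why the override also covers the two directory trees; keep those rules as narrow as the actual layout allows rather than putting slapd in complain mode.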

On the first portion of the dev bootstrap:

Notice: /Stage[main]/Maverick_security::Ssl/Exec[create-ca-rootcert]/returns: executed successfully
Error: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Error: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Wrapped exception:
Could not find user openldap
Error: /Stage[main]/Maverick_security::Ldap_server/File[/etc/ldap/ssl]/ensure: change from 'absent' to 'directory' failed: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Notice: /Stage[main]/Maverick_security::Ldap_server/Exec[create-ldapssl-key]: Dependency File[/etc/ldap/ssl] has failures: true

fnoop Apr 25 '19 10:04