Bug #619

closed

Parent task: Enhancement #615: new Toushirou: configuration migration

LDAP servers: install slapd

Added by Pierre-Louis Bonicoli over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Category: Service :: IS / AAA / PKI
Start date: 2018-04-23
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch: ldap_config
Entity: DuckCorp
Security:
Help Needed:

Description

$ ansible-playbook -l Toushirou -i hosts.yml --ask-pass -v playbooks/common.yml

TASK [dc-accounts : Generate Shirka-light Configuration] *****************************************************************************************************
fatal: [Toushirou]: FAILED! => {"changed": false, "checksum": "4aa6b0fe7169098414b8fe10eb0879f4d1478859", "dest": "/etc/mp-admin/shirka.conf", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group dc-admins", "owner": "root", "path": "/etc/mp-admin/shirka.conf", "size": 254, "state": "file", "uid": 0}

Should the tenants/duckcorp/ldap.yml playbook be executed before tenants/duckcorp/accounts.yml?


Related issues: 3 (1 open, 2 closed)

Related to DuckCorp Infrastructure - Enhancement #140: Switch to slapd.d config (Rejected, Marc Dequènes, 2010-09-05)
Related to DuckCorp Infrastructure - Bug #594: slap_global_control: unrecognized control (Blocked, Marc Dequènes, 2017-09-21)
Related to DuckCorp Infrastructure - Enhancement #626: Automate the WORLD!!! (Resolved, DC Admins, 2018-05-07)
#1

Updated by Pierre-Louis Bonicoli over 6 years ago

  • Description updated (diff)

#2

Updated by Pierre-Louis Bonicoli over 6 years ago

  • Description updated (diff)

#3

Updated by Pierre-Louis Bonicoli over 6 years ago

Not related: not sure why `Fetch auth service account info` is used twice with the same parameters:
- here
- and there?

#4

Updated by Pierre-Louis Bonicoli over 6 years ago

Isn't the /etc/ldap/ldap.conf configuration missing?

#5

Updated by Pierre-Louis Bonicoli over 6 years ago

  • Subject changed from dc-accounts: failed to look up group dc-admins to Toushirou: install slapd
  • Parent task set to #615

The initial LDAP installation isn't handled yet, because installing the package is trivial but setting up the backends and the replication is more complicated.

#6

Updated by Marc Dequènes over 6 years ago

  • Category changed from System :: Base to Service :: IS / AAA / PKI

The two calls to `service_account_info` could indeed be factorized.

The basic installation (easy) and replication setup (harder) Ansibilization has not been done yet. I focused on the content because it was critical, but indeed it needs to be done.

#7

Updated by Marc Dequènes over 6 years ago

  • Subject changed from Toushirou: install slapd to LDAP servers: install slapd
#8

Updated by Marc Dequènes over 6 years ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes
#9

Updated by Marc Dequènes over 6 years ago

  • % Done changed from 0 to 10

I changed the order, good catch.

I removed the redundant call.

#10

Updated by Marc Dequènes over 6 years ago

How would you suggest we do the servers' config: generating temporary LDIFs and slapadd-ing them? I guess we would need to ldapsearch whether this was added before, which seems complicated. Or maybe generating (offline) files in the `/etc/ldap/slapd.d/` directory directly? It should be fast and only at install time, so no downtime.

I think this would also make it easier to update the schema (with a very short downtime, like when we update the content).

#11

Updated by Marc Dequènes over 6 years ago

#12

Updated by Marc Dequènes over 6 years ago

It appears to be a tad complicated. We should not have a huge amount of parameters to set up, then replication and feeding the master with the schemas. So I'll try to list what's really useful.

I saw Ansible has LDAP modules, but it's lacking a few things. `ldap_entry` is used to create a new entry, and you would need to at least set up the compulsory attributes, but this module does not assert that the state of the attributes is fine, which means you need to repeat yourself with `ldap_attr` to ensure their values are still right. There is also no way to query the database, which might be annoying to take proper decisions as entries' indexes might differ.

I think we should also solve #594 in the process.

#13

Updated by Marc Dequènes over 6 years ago

  • Related to Bug #594: slap_global_control: unrecognized control added
#14

Updated by Marc Dequènes over 6 years ago

  • Branch set to ldap_config

Working on a simple integration into the dc-ldap role for now.

#15

Updated by Marc Dequènes over 6 years ago

I read copying files did not always work out well. Also there are a lot of parameters which were converted from the conffiles and, according to upstream, must be cleaned up. We should also switch to mdb, and it is supposed to be seamless. Moreover the root DN should not be in a database, so following the default package setup would probably be better.

Listing the useful settings:

  • cn=config
    • olcLocalSSF
    • olcLogLevel
    • olcTLSCACertificateFile
    • olcTLSCertificateFile
    • olcTLSCertificateKeyFile
  • cn=config/cn=module{0}
    • olcModuleLoad
  • cn=config/olcDatabase={-1}frontend
    • olcMonitoring
  • cn=config/olcDatabase={0}config
    • olcAccess
    • olcMonitoring
    • olcRootPW (add)
  • cn=config/olcDatabase={0}config/olcOverlay={0}syncprov
    • olcSpCheckpoint
    • olcSpSessionlog
    • olcSpReloadHint
  • cn=config/olcDatabase={1}monitor
    • olcMonitoring
    • olcAccess
  • cn=config/olcDatabase={1}mdb
    • olcSuffix
    • olcAccess
    • olcRootDN
    • olcRootPW (remove)
    • olcMonitoring
    • olcDbIndex
    • olcLimits
    • olcDbDirectory

As for the schema, duckcorp seems to only need ISPEnv2.
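
An added example, not part of this ticket or of the dc-ldap role, of the approach discussed in #10, #12 and #15: keep the wanted cn=config attributes declaratively, diff them against what `slapcat -n 0` reports, and emit only the ldapmodify operations needed. That gives the "assert the state of the attributes" step that Ansible's `ldap_entry`/`ldap_attr` lack, and it covers the olcRootPW move (remove from the mdb backend, add to the config database) from the list above. The DNs, the olcAccess rule, the index list and the `{SSHA}abc` hash are constructed placeholders, not values from the DuckCorp setup.

```python
"""Added example (not the dc-ldap role's own code): idempotent cn=config edits.
Diff the live cn=config, as exported by `slapcat -n 0`, against a declarative
description of the wanted attributes and emit only the ldapmodify operations
that differ, so a second run yields an empty change set.  DNs and the password
hash are constructed placeholders."""
import base64
import re

# Constructed `slapcat -n 0` excerpt: olcAccess is folded with a leading space
# as slapcat does, olcRootPW is base64 ("{SSHA}abc", not a real hash).
CURRENT_CONFIG = """\
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth manage by * break

dn: olcDatabase={1}mdb,cn=config
olcRootPW:: e1NTSEF9YWJj
olcDbIndex: objectClass eq
"""

# Wanted state.  An empty list means "must be absent": as in the ticket, the
# root password leaves the mdb backend and goes into the config database
# (use `slappasswd -h '{SSHA}'` output there, never cleartext).
DESIRED = {
    "olcDatabase={0}config,cn=config": {
        # only local root over ldapi:// may manage cn=config
        "olcAccess": ["to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,"
                      "cn=external,cn=auth manage by * break"],
        "olcRootPW": ["{SSHA}abc"],
    },
    "olcDatabase={1}mdb,cn=config": {
        "olcRootPW": [],
        "olcDbIndex": ["objectClass eq", "uid eq", "cn,sn pres,eq,sub"],
    },
}

def parse_ldif(text):
    """LDIF -> {dn: {attr: [values]}}; unfolds continuations, decodes `::`."""
    entries, dn, entry = {}, None, {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line:
            if dn:
                entries[dn] = entry
            dn, entry = None, {}
            continue
        attr, _, value = line.partition(":")
        value = (base64.b64decode(value[1:]).decode() if value.startswith(":")
                 else value.strip())
        if attr == "dn":
            dn = value
        else:
            entry.setdefault(attr, []).append(value)
    return entries

def order_key(value):
    # slapd adds a {n} prefix to ordered attributes (olcAccess, olcModuleLoad)
    return re.sub(r"^\{\d+\}", "", value)

def plan_changes(current, desired):
    """Return [(dn, [(op, attr, values)])], op in add/replace/delete.  Each DN
    in `desired` must already exist; creating entries is out of scope here."""
    plan = []
    for dn, wanted in desired.items():
        have, mods = current[dn], []
        for attr, want in wanted.items():
            got = have.get(attr, [])
            if list(map(order_key, got)) == list(map(order_key, want)):
                continue
            op = "delete" if not want else "add" if not got else "replace"
            mods.append((op, attr, want))
        if mods:
            plan.append((dn, mods))
    return plan

def ldif_value(attr, value):
    """Base64-encode anything LDIF cannot carry verbatim (RFC 2849 SAFE-STRING)."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def render_ldif(plan):
    """Serialise for `ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f changes.ldif`."""
    out = []
    for dn, mods in plan:
        out += [f"dn: {dn}", "changetype: modify"]
        for op, attr, vals in mods:
            out += [f"{op}: {attr}", *(ldif_value(attr, v) for v in vals), "-"]
        out.append("")
    return "\n".join(out)

def apply_plan(current, plan):
    """State slapd would hold after the plan; lets idempotence be checked offline."""
    state = {dn: {a: list(v) for a, v in e.items()} for dn, e in current.items()}
    for dn, mods in plan:
        for op, attr, vals in mods:
            if op == "delete":
                state[dn].pop(attr, None)
            else:
                state[dn][attr] = (state[dn].get(attr, []) if op == "add" else []) + vals
    return state
```

On the server, the rendered LDIF is fed to `ldapmodify -Q -Y EXTERNAL -H ldapi:///` as root, which is the default Debian way into cn=config and takes effect without restarting slapd. Two caveats the diff has to handle: slapd stores ordered attributes such as olcAccess with a `{n}` prefix it adds itself, so the comparison strips it or every run would rewrite them; and values LDIF cannot carry verbatim (leading space or colon, non-ASCII) must be base64-encoded or ldapmodify will reject or misparse them.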

#16

Updated by Marc Dequènes over 6 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100

With some modifications and cleanup this is done.

Also the schema file was unmaintained, so I reverse engineered it from the LDIF of the database. It is again the primary source of knowledge.

Changing the schema content is still an issue, as OpenLDAP has quite some limitations. This would be worked on in the future.

There is a new playbook regen_ldap_content.yml to regenerate the database content only.

#17

Updated by Marc Dequènes about 6 years ago
