Bug #619

Enhancement #615: new Toushirou: configuration migration

LDAP servers: install slapd

Added by Pierre-Louis Bonicoli about 1 year ago. Updated about 1 year ago.

Status:
Resolved
Priority:
Normal
Category:
Service :: IS / AAA / PKI
Start date:
2018-04-23
Due date:
% Done:

100%

Patch Available:
Confirmed:
No
Branch:
ldap_config
Entity:
DuckCorp
Security:
Help Needed:

Description

$ ansible-playbook -l Toushirou -i hosts.yml --ask-pass -v playbooks/common.yml

TASK [dc-accounts : Generate Shirka-light Configuration] *****************************************************************************************************
fatal: [Toushirou]: FAILED! => {"changed": false, "checksum": "4aa6b0fe7169098414b8fe10eb0879f4d1478859", "dest": "/etc/mp-admin/shirka.conf", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group dc-admins", "owner": "root", "path": "/etc/mp-admin/shirka.conf", "size": 254, "state": "file", "uid": 0}

Should tenants/duckcorp/ldap.yml playbook be executed before tenants/duckcorp/accounts.yml ?


Related issues

Related to DuckCorp Infrastructure - Enhancement #140: Switch to slapd.d config Rejected 2010-09-05
Related to DuckCorp Infrastructure - Bug #594: slap_global_control: unrecognized control Blocked 2017-09-21
Related to DuckCorp Infrastructure - Enhancement #626: Automate the WORLD!!! In Progress 2018-05-07

History

#1 Updated by Pierre-Louis Bonicoli about 1 year ago

  • Description updated (diff)

#2 Updated by Pierre-Louis Bonicoli about 1 year ago

  • Description updated (diff)

#3 Updated by Pierre-Louis Bonicoli about 1 year ago

Not related: not sure why Fetch auth service account info is used twice with same parameters:
- here
- and there ?

#4 Updated by Pierre-Louis Bonicoli about 1 year ago

Isn't /etc/ldap/ldap.conf configuration missing ?

#5 Updated by Pierre-Louis Bonicoli about 1 year ago

  • Subject changed from dc-accounts: failed to look up group dc-admins to Toushirou: install slapd
  • Parent task set to #615

The initial LDAP installation is not handled yet, because installing the package is trivial but setting up the backends and the replication is more complicated.

#6 Updated by Marc Dequènes about 1 year ago

  • Category changed from System :: Base to Service :: IS / AAA / PKI

The two calls to `service_account_info` could indeed be factorized.

The basic installation (easy) and replication setup (harder) Ansibilization has not been done yet. I focused on the content because it was critical, but indeed it needs to be done.

#7 Updated by Marc Dequènes about 1 year ago

  • Subject changed from Toushirou: install slapd to LDAP servers: install slapd

#8 Updated by Marc Dequènes about 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes

#9 Updated by Marc Dequènes about 1 year ago

  • % Done changed from 0 to 10

I changed the order, good catch.

I removed the redundant call.

#10 Updated by Marc Dequènes about 1 year ago

How would you suggest we do the servers' config: generating temporary LDIFs and slapadd-ing? I guess we would need to ldapsearch if this was added before, seems complicated. Or maybe generating (offline) files in the `/etc/ldap/slapd.d/` directory directly? It should be fast and only at install time, so no downtime.

I think this would also make it easier to update the schema (with a very short downtime, like when we update the content).

#11 Updated by Marc Dequènes about 1 year ago

#12 Updated by Marc Dequènes about 1 year ago

It appears to be a tad complicated. We should not have a huge amount of parameters to set up, then replication and feeding the master with the schemas. So I'll try to list what's really useful.

I saw Ansible has LDAP modules but it's lacking a few things. `ldap_entry` is used to create a new entry, and you would need to at least set up the compulsory attributes, but this module does not assert that the state of the attributes is fine, which means you need to repeat yourself with `ldap_attr` to ensure their values are still right. There is also no way to query the database, which might be annoying to take proper decisions as entries' indexes might differ.

I think we should also solve #594 in the process.

#13 Updated by Marc Dequènes about 1 year ago

  • Related to Bug #594: slap_global_control: unrecognized control added

#14 Updated by Marc Dequènes about 1 year ago

  • Branch set to ldap_config

Working on a simple integration into the dc-ldap role for now.

#15 Updated by Marc Dequènes about 1 year ago

I read copying files did not always work out well. Also there are a lot of parameters which were converted from the conffiles and, according to upstream, must be cleaned up. We should also switch to mdb and it is supposed to be seamless. Moreover the root DN should not be in a database, so following the default package setup would probably be better.

Listing the useful settings:

  • cn=config
    • olcLocalSSF
    • olcLogLevel
    • olcTLSCACertificateFile
    • olcTLSCertificateFile
    • olcTLSCertificateKeyFile
  • cn=config/cn=module{0}
    • olcModuleLoad
  • cn=config/olcDatabase={-1}frontend
    • olcMonitoring
  • cn=config/olcDatabase={0}config
    • olcAccess
    • olcMonitoring
    • olcRootPW (add)
  • cn=config/olcDatabase={0}config/olcOverlay={0}syncprov
    • olcSpCheckpoint
    • olcSpSessionlog
    • olcSpReloadHint
  • cn=config/olcDatabase={1}monitor
    • olcMonitoring
    • olcAccess
  • cn=config/olcDatabase={1}mdb
    • olcSuffix
    • olcAccess
    • olcRootDN
    • olcRootPW (remove)
    • olcMonitoring
    • olcDbIndex
    • olcLimits
    • olcDbDirectory

As for the schema, duckcorp seems to only need ISPEnv2.
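As an added illustration of the point made in #12 (that `ldap_entry` only creates an entry and `ldap_attr` is needed to assert attribute values) applied to the settings listed above, here is a small Ansible play. It is example code, not the dc-ldap role's own tasks. It assumes slapd runs locally with `ldapi:///` enabled and the play runs as root, so the modules' default SASL EXTERNAL bind maps to the cn=config admin identity (the Debian packaging default); the suffix, certificate paths, index list and access rules are placeholders to be replaced with the real tenant values.

```yaml
# Added example (not the dc-ldap role's code): assert selected cn=config settings
# from the list above with the ldap_entry and ldap_attr modules.
# Assumptions: local slapd, ldapi:/// enabled, root -> SASL EXTERNAL admin mapping.
- hosts: ldap_servers
  become: true
  vars:
    ldap_suffix: "dc=example,dc=org"            # placeholder suffix
    ldap_admin_dn: "cn=admin,{{ ldap_suffix }}"  # placeholder root DN
  tasks:
    # cn=config: TLS material and log level. state=exact makes the module
    # assert the attribute holds exactly these values on every run.
    - name: Assert global settings on cn=config
      ldap_attr:
        dn: cn=config
        name: "{{ item.name }}"
        values: "{{ item.value }}"
        state: exact
      loop:
        - { name: olcLogLevel, value: "stats" }
        - { name: olcLocalSSF, value: "128" }
        - { name: olcTLSCACertificateFile, value: "/etc/ssl/certs/ca.pem" }      # placeholder
        - { name: olcTLSCertificateFile, value: "/etc/ssl/certs/ldap.pem" }      # placeholder
        - { name: olcTLSCertificateKeyFile, value: "/etc/ssl/private/ldap.key" } # placeholder
      loop_control:
        label: "{{ item.name }}"

    # ldap_entry creates the mdb database if it is missing but does not touch
    # an existing entry, so the attributes below are only initial values.
    - name: Ensure the mdb database entry exists
      ldap_entry:
        dn: olcDatabase={1}mdb,cn=config
        objectClass:
          - olcDatabaseConfig
          - olcMdbConfig
        attributes:
          olcDatabase: "{1}mdb"
          olcSuffix: "{{ ldap_suffix }}"
          olcDbDirectory: /var/lib/ldap
          olcRootDN: "{{ ldap_admin_dn }}"
          olcMonitoring: "TRUE"

    # The attributes that matter for security are asserted separately.
    # olcRootPW with an empty value list and state=exact deletes the attribute,
    # which matches "olcRootPW (remove)" for the mdb database above.
    - name: Assert mdb database attributes
      ldap_attr:
        dn: olcDatabase={1}mdb,cn=config
        name: "{{ item.name }}"
        values: "{{ item.value }}"
        state: exact
      loop:
        - name: olcDbIndex
          value:
            - "objectClass eq"
            - "uid eq"
            - "cn eq"
        - name: olcAccess
          value:
            - '{0}to attrs=userPassword by self write by anonymous auth by * none'
            - '{1}to * by dn.exact="{{ ldap_admin_dn }}" write by * read'
        - name: olcLimits
          value:
            - 'dn.exact="{{ ldap_admin_dn }}" size=unlimited time=unlimited'
        - name: olcRootPW
          value: []
      loop_control:
        label: "{{ item.name }}"
```

Because `state: exact` compares the whole value set, a stray `olcAccess` rule or an `olcRootPW` left over from a conffile conversion is removed on the next run rather than silently kept, which is the drift check that `ldap_entry` alone cannot provide. The `olcRootPW (add)` entry for the config database can be handled the same way with `state: present` and a pre-hashed value passed from the vault.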

#16 Updated by Marc Dequènes about 1 year ago

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100

With some modifications and cleanup this is done.

Also the schema file was unmaintained, so I reverse engineered it from the LDIF of the database. It is again the primary source of knowledge.

Changing the schema content is still an issue, as OpenLDAP has quite some limitations. This would be worked on in the future.

There is a new playbook regen_ldap_content.yml to regenerate the database content only.

#17 Updated by Marc Dequènes 5 months ago
