Bug #619 (closed)
Parent: Enhancement #615: new Toushirou: configuration migration
LDAP servers: install slapd
Done: 100%
Description
$ ansible-playbook -l Toushirou -i hosts.yml --ask-pass -v playbooks/common.yml
TASK [dc-accounts : Generate Shirka-light Configuration] *****************************************************************************************************
fatal: [Toushirou]: FAILED! => {"changed": false, "checksum": "4aa6b0fe7169098414b8fe10eb0879f4d1478859", "dest": "/etc/mp-admin/shirka.conf", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group dc-admins", "owner": "root", "path": "/etc/mp-admin/shirka.conf", "size": 254, "state": "file", "uid": 0}
Should the tenants/duckcorp/ldap.yml playbook be executed before tenants/duckcorp/accounts.yml?
Updated by Pierre-Louis Bonicoli over 6 years ago
Isn't the /etc/ldap/ldap.conf configuration missing?
Updated by Pierre-Louis Bonicoli over 6 years ago
- Subject changed from dc-accounts: failed to look up group dc-admins to Toushirou: install slapd
- Parent task set to #615
The initial LDAP installation is not handled yet, because installing the package is trivial, but setting up the backends and the replication is more complicated.
Updated by Marc Dequènes over 6 years ago
- Category changed from System :: Base to Service :: IS / AAA / PKI
The two calls to `service_account_info` could indeed be factorized.
The Ansibilization of the basic installation (easy) and of the replication setup (harder) has not been done yet. I focused on the content because it was critical, but indeed it needs to be done.
Updated by Marc Dequènes over 6 years ago
- Subject changed from Toushirou: install slapd to LDAP servers: install slapd
Updated by Marc Dequènes over 6 years ago
- Status changed from New to In Progress
- Assignee set to Marc Dequènes
Updated by Marc Dequènes over 6 years ago
- % Done changed from 0 to 10
I changed the order, good catch.
I removed the redundant call.
Updated by Marc Dequènes over 6 years ago
How would you suggest we do the servers' config: generating temporary LDIFs and slapadd-ing them? I guess we would need to ldapsearch whether this was added before, which seems complicated. Or maybe generating (offline) files in the `/etc/ldap/slapd.d/` directory directly? It should be fast and only at install time, so no downtime.
I think this would also make it easier to update the schema (with a very short downtime, like when we update the content).
Updated by Marc Dequènes over 6 years ago
- Related to Enhancement #140: Switch to slapd.d config added
Updated by Marc Dequènes over 6 years ago
It appears to be a tad complicated. We should not have a huge amount of parameters to set up, then replication and feeding the master with the schemas. So I'll try to list what's really useful.
I saw Ansible has LDAP modules but it's lacking a few things. `ldap_entry` is used to create a new entry, and you would need to at least set up the compulsory attributes, but this module does not assert that the state of the attributes is fine, which means you need to repeat yourself with `ldap_attr` to ensure their values are still right. There is also no way to query the database, which might be annoying to take proper decisions as entries' indexes might differ.
I think we should also solve #594 in the process.
Updated by Marc Dequènes over 6 years ago
- Related to Bug #594: slap_global_control: unrecognized control added
Updated by Marc Dequènes over 6 years ago
- Branch set to ldap_config
Working on a simple integration into the dc-ldap role for now.
Updated by Marc Dequènes over 6 years ago
I read that copying files did not always work out well. Also there are a lot of parameters which were converted from the conffiles and, according to upstream, must be cleaned up. We should also switch to mdb, and it is supposed to be seamless. Moreover the root DN should not be in a database, so following the default package setup would probably be better.
Listing the useful settings:
- cn=config
  - olcLocalSSF
  - olcLogLevel
  - olcTLSCACertificateFile
  - olcTLSCertificateFile
  - olcTLSCertificateKeyFile
- cn=config/cn=module{0}
  - olcModuleLoad
- cn=config/olcDatabase={-1}frontend
  - olcMonitoring
- cn=config/olcDatabase={0}config
  - olcAccess
  - olcMonitoring
  - olcRootPW (add)
- cn=config/olcDatabase={0}config/olcOverlay={0}syncprov
  - olcSpCheckpoint
  - olcSpSessionlog
  - olcSpReloadHint
- cn=config/olcDatabase={1}monitor
  - olcMonitoring
  - olcAccess
- cn=config/olcDatabase={1}mdb
  - olcSuffix
  - olcAccess
  - olcRootDN
  - olcRootPW (remove)
  - olcMonitoring
  - olcDbIndex
  - olcLimits
  - olcDbDirectory
As for the schema, duckcorp seems to only need ISPEnv2.
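The two ideas above (generating the cn=config entries offline as LDIF, and the missing "is the attribute state still right?" check that `ldap_entry` does not do) can be sketched in a few lines. The following is an added example written for this ticket, not DuckCorp's role code: it serializes one database entry from the settings list as RFC 2849 LDIF (with the base64 and line-folding rules that hand-written templates tend to get wrong), and computes the `ldapmodify` change record needed to bring a live entry in line with the desired attributes. The suffix, root DN and paths are constructed placeholders, and `existing`/`desired` are plain dicts standing in for what an ldapsearch of cn=config would return.

```python
"""Added example (not DuckCorp's own code): render a cn=config entry as LDIF and
compute the attribute changes needed to make an existing entry match the desired
state, the check the ticket notes ldap_entry does not perform on its own."""
import base64


def needs_base64(value: str) -> bool:
    """RFC 2849: values that start with space/colon/'<', end with a space, or
    contain non-ASCII, NUL, CR or LF must be written base64-encoded ('::')."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def fold(line: str, width: int = 76) -> str:
    """Wrap a long LDIF line; continuation lines start with a single space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def attr_line(name: str, value: str) -> str:
    """One 'name: value' (or 'name:: base64') LDIF line, folded if needed."""
    if needs_base64(value):
        return fold(f"{name}:: {base64.b64encode(value.encode()).decode()}")
    return fold(f"{name}: {value}")


def ldif_entry(dn: str, attrs: dict) -> str:
    """Serialize one entry; multi-valued attributes keep their list order, which
    matters for ordered values such as olcAccess '{n}' rules."""
    lines = [attr_line("dn", dn)]
    for name, values in attrs.items():
        for value in ([values] if isinstance(values, str) else values):
            lines.append(attr_line(name, value))
    return "\n".join(lines) + "\n"


def reconcile(existing: dict, desired: dict) -> list:
    """Return (op, attribute, values) steps that bring `existing` to `desired`.
    Attributes not mentioned in `desired` are left untouched, like ldap_attr.
    Comparison is exact-string; a real check would apply the attribute's
    matching rule (case-insensitive for many cn=config attributes)."""
    changes = []
    for name, values in desired.items():
        wanted = [values] if isinstance(values, str) else list(values)
        current = existing.get(name)
        if current is None:
            changes.append(("add", name, wanted))
        elif sorted(current) != sorted(wanted):
            changes.append(("replace", name, wanted))
    return changes


def modify_ldif(dn: str, changes: list) -> str:
    """Render reconcile() output as an LDIF change record for ldapmodify."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, name, values in changes:
        lines.append(f"{op}: {name}")
        lines.extend(attr_line(name, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: the mdb database settings from the ticket's list, with a
# placeholder suffix, root DN and directory (not DuckCorp's real values).
MDB_DN = "olcDatabase={1}mdb,cn=config"
MDB_DESIRED = {
    "olcSuffix": "dc=example,dc=org",
    "olcRootDN": "cn=admin,dc=example,dc=org",
    "olcDbDirectory": "/var/lib/ldap",
    "olcDbIndex": ["objectClass eq", "uid eq,pres,sub"],
    "olcAccess": [
        "{0}to attrs=userPassword by self write by anonymous auth by * none",
        "{1}to * by * read",
    ],
    "olcMonitoring": "TRUE",
}

if __name__ == "__main__":
    # Offline generation, as for a file dropped into slapd.d or fed to slapadd.
    print(ldif_entry(MDB_DN, MDB_DESIRED))
    # Reconciliation: the live server (constructed) still has the old index set
    # and no olcMonitoring, so only those attributes end up in the change record.
    live = {"olcSuffix": ["dc=example,dc=org"], "olcDbIndex": ["objectClass eq"]}
    print(modify_ldif(MDB_DN, reconcile(live, MDB_DESIRED)))
```

The `reconcile` step is what turns a create-only module into an idempotent one: only attributes whose current value set differs from the desired one appear in the change record, so re-running it against a correct server produces an empty modification.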
Updated by Marc Dequènes over 6 years ago
- Status changed from In Progress to Resolved
- % Done changed from 10 to 100
With some modifications and cleanup this is done.
Also the schema file was unmaintained, so I reverse-engineered it from the LDIF of the database. It is again the primary source of knowledge.
Changing the schema content is still an issue, as OpenLDAP has quite some limitations. This would be worked on in the future.
There is a new playbook `regen_ldap_content.yml` to regenerate the database content only.
Updated by Marc Dequènes about 6 years ago
- Related to Enhancement #626: Automate the WORLD!!! added