Bug #619
closed
Enhancement #615: new Toushirou: configuration migration
LDAP servers: install slapd
Added by Pierre-Louis Bonicoli over 6 years ago.
Updated over 6 years ago.
Category:
Service :: IS / AAA / PKI
Description
$ ansible-playbook -l Toushirou -i hosts.yml --ask-pass -v playbooks/common.yml
TASK [dc-accounts : Generate Shirka-light Configuration] *****************************************************************************************************
fatal: [Toushirou]: FAILED! => {"changed": false, "checksum": "4aa6b0fe7169098414b8fe10eb0879f4d1478859", "dest": "/etc/mp-admin/shirka.conf", "gid": 0, "group": "root", "mode": "0644", "msg": "chgrp failed: failed to look up group dc-admins", "owner": "root", "path": "/etc/mp-admin/shirka.conf", "size": 254, "state": "file", "uid": 0}
Should the tenants/duckcorp/ldap.yml playbook be executed before tenants/duckcorp/accounts.yml?
- Description updated (diff)
- Description updated (diff)
Not related: not sure why "Fetch auth service account info" is used twice with the same parameters:
- here
- and there?
Isn't the /etc/ldap/ldap.conf configuration missing?
- Subject changed from dc-accounts: failed to look up group dc-admins to Toushirou: install slapd
- Parent task set to #615
The initial LDAP installation is not handled yet, because installing the package is trivial but setting up the backends and the replication is more complicated.
- Category changed from System :: Base to Service :: IS / AAA / PKI
The two calls to `service_account_info` could indeed be factorized.
The basic installation (easy) and replication setup (harder) Ansibilization has not been done yet. I focused on the content because it was critical, but indeed it needs to be done.
- Subject changed from Toushirou: install slapd to LDAP servers: install slapd
- Status changed from New to In Progress
- Assignee set to Marc Dequènes
- % Done changed from 0 to 10
I changed the order, good catch.
I removed the redundant call.
How would you suggest we do the servers' config: generating temporary LDIFs and slapadd-ing them? I guess we would need to ldapsearch to check whether this was added before, which seems complicated. Or maybe generating (offline) files in the `/etc/ldap/slapd.d/` directory directly? It should be fast and only at install time, so no downtime.
I think this would also make it easier to update the schema (with a very short downtime, like when we update the content).
It appears to be a tad complicated. We should not have a huge number of parameters to set up, then replication and feeding the master with the schemas. So I'll try to list what's really useful.
I saw Ansible has LDAP modules, but they are lacking a few things. `ldap_entry` is used to create a new entry, and you would need to at least set up the compulsory attributes, but this module does not assert that the state of the attributes is fine, which means you need to repeat yourself with `ldap_attr` to ensure their values are still right. There is also no way to query the database, which might be annoying when taking proper decisions, as entries' indexes might differ.
I think we should also solve #594 in the process.
- Related to Bug #594: slap_global_control: unrecognized control added
- Branch set to ldap_config
Working on a simple integration into the dc-ldap role for now.
I read that copying files did not always work out well. Also there are a lot of parameters which were converted from the conffiles and, according to upstream, must be cleaned up. We should also switch to mdb, and it is supposed to be seamless. Moreover the root DN should not be in a database, so following the default package setup would probably be better.
Listing the useful settings:
- cn=config
  - olcLocalSSF
  - olcLogLevel
  - olcTLSCACertificateFile
  - olcTLSCertificateFile
  - olcTLSCertificateKeyFile
- cn=config/cn=module{0}
- cn=config/olcDatabase={-1}frontend
- cn=config/olcDatabase={0}config
  - olcAccess
  - olcMonitoring
  - olcRootPW (add)
- cn=config/olcDatabase={0}config/olcOverlay={0}syncprov
  - olcSpCheckpoint
  - olcSpSessionlog
  - olcSpReloadHint
- cn=config/olcDatabase={1}monitor
- cn=config/olcDatabase={1}mdb
  - olcSuffix
  - olcAccess
  - olcRootDN
  - olcRootPW (remove)
  - olcMonitoring
  - olcDbIndex
  - olcLimits
  - olcDbDirectory
As for the schema, duckcorp seems to only need ISPEnv2.
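As an added example (not code from this ticket or from the dc-ldap role): the Ansible LDAP modules cannot query the server, and the alternative raised earlier in the thread is to generate the `/etc/ldap/slapd.d/` files offline. The script below reads such a tree (one LDIF entry per file, folded lines and `::` base64 values included, as slapd writes it) and checks the settings listed above: TLS files on cn=config, a hashed olcRootPW on olcDatabase={0}config and none on the data database, an mdb backend, and olcAccess rules that cover userPassword without granting write to everyone. The file paths, suffix, password hash and the function names `parse_ldif_entry`, `check_slapd_config` and `load_slapd_d` are assumptions made here; the two sample trees are constructed, not taken from any real server.

```python
"""Offline checks for an OpenLDAP cn=config tree stored as slapd.d LDIF files.
Added example; not the ticket's or the dc-ldap role's code. All paths and
values are made up for illustration."""
import base64
import os
import re
import sys
from collections import defaultdict

ORDER_PREFIX = re.compile(r"^\{-?\d+\}")          # slapd's {n} ordering tag
BROAD_WRITE = re.compile(r"by (\*|anonymous) write")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}: join folded lines
    (leading space), drop comments, decode the '::' base64 form."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = defaultdict(list)
    for line in unfolded:
        if not line.strip():
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        entry[name.strip()].append(value)
    return dict(entry)


def strip_order(value):
    return ORDER_PREFIX.sub("", value).strip()


def load_slapd_d(root):
    """Read every *.ldif below a slapd.d directory, keyed by relative path."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".ldif"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def check_slapd_config(files):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings, entries = [], {}
    for path, text in files.items():
        entry = parse_ldif_entry(text)
        entries[entry.get("dn", [path])[0]] = entry
    # TLS material is global, so it lives on cn=config.
    glob = entries.get("cn=config", {})
    for attr in ("olcTLSCACertificateFile", "olcTLSCertificateFile",
                 "olcTLSCertificateKeyFile"):
        if attr not in glob:
            findings.append("cn=config: %s is not set" % attr)
    for dn, entry in entries.items():
        if "olcDatabase" not in entry:
            continue
        backend = strip_order(entry["olcDatabase"][0])
        if backend == "config":
            # Needed to manage cn=config remotely; must be a {SCHEME}hash.
            pw = entry.get("olcRootPW")
            if not pw:
                findings.append("%s: olcRootPW missing" % dn)
            elif not pw[0].startswith("{"):
                findings.append("%s: olcRootPW is stored in cleartext" % dn)
            continue
        if backend in ("frontend", "monitor"):
            continue
        # Everything else is a data database.
        if backend != "mdb":
            findings.append("%s: backend is %s, expected mdb" % (dn, backend))
        if "olcRootPW" in entry:
            findings.append("%s: olcRootPW should not be set on a data database" % dn)
        if "olcSuffix" not in entry:
            findings.append("%s: olcSuffix missing" % dn)
        rules = [strip_order(r) for r in entry.get("olcAccess", [])]
        if not any("attrs=userPassword" in r for r in rules):
            findings.append("%s: no olcAccess rule covers userPassword" % dn)
        for rule in rules:
            if BROAD_WRITE.search(rule):
                findings.append("%s: olcAccess grants write too broadly: %s" % (dn, rule))
    return findings


def _rootpw(hashed):  # encode the way slapd writes it: 'olcRootPW:: <base64>'
    return "olcRootPW:: " + base64.b64encode(hashed.encode()).decode()


# Constructed sample trees (not from any real server). SAMPLE_BAD looks like a
# config freshly converted from slapd.conf: hdb backend, rootpw in the data db.
SAMPLE_GOOD = {
    "cn=config.ldif": (
        "dn: cn=config\nobjectClass: olcGlobal\ncn: config\nolcLogLevel: stats\n"
        "olcTLSCACertificateFile: /etc/ssl/certs/ca.pem\n"
        "olcTLSCertificateFile: /etc/ssl/certs/ldap.pem\n"
        "olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key\n"),
    "cn=config/olcDatabase={-1}frontend.ldif":
        "dn: olcDatabase={-1}frontend\nolcDatabase: {-1}frontend\n",
    "cn=config/olcDatabase={0}config.ldif":
        "dn: olcDatabase={0}config\nolcDatabase: {0}config\n"
        + _rootpw("{SSHA}notarealhash") + "\n",
    "cn=config/olcDatabase={1}mdb.ldif": (
        "dn: olcDatabase={1}mdb\nolcDatabase: {1}mdb\nolcSuffix: dc=example,dc=org\n"
        "olcRootDN: cn=admin,dc=example,dc=org\nolcDbDirectory: /var/lib/ldap\n"
        "olcAccess: {0}to attrs=userPassword\n"
        "  by self write by anonymous auth\n"        # folded line (two spaces)
        "  by * none\n"
        "olcAccess: {1}to * by self write by users read by * none\n"),
}
SAMPLE_BAD = dict(SAMPLE_GOOD)
del SAMPLE_BAD["cn=config/olcDatabase={1}mdb.ldif"]
SAMPLE_BAD["cn=config.ldif"] = SAMPLE_GOOD["cn=config.ldif"].replace(
    "olcTLSCertificateKeyFile: /etc/ssl/private/ldap.key\n", "")
SAMPLE_BAD["cn=config/olcDatabase={1}hdb.ldif"] = (
    "dn: olcDatabase={1}hdb\nolcDatabase: {1}hdb\nolcSuffix: dc=example,dc=org\n"
    + _rootpw("secret") + "\nolcAccess: {0}to * by * write\n")

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/etc/ldap/slapd.d"
    problems = check_slapd_config(load_slapd_d(root))
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it as root against a live `/etc/ldap/slapd.d` (or a copy pulled back with Ansible's `fetch`) after the role has written the files; because it only reads the files, it can run in a playbook check step without touching the running server. The userPassword and "by * write" checks are deliberately conservative: they flag a missing or over-broad rule, not every questionable ACL.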
- Status changed from In Progress to Resolved
- % Done changed from 10 to 100
With some modifications and cleanup this is done.
Also the schema file was unmaintained, so I reverse-engineered it from the LDIF of the database. It is again the primary source of knowledge.
Changing the schema content is still an issue, as OpenLDAP has quite some limitations. This will be worked on in the future.
There is a new playbook, regen_ldap_content.yml, to regenerate the database content only.