author | Simon Rettberg | 2015-02-09 19:01:00 +0100 |
---|---|---|
committer | Simon Rettberg | 2015-02-09 19:01:00 +0100 |
commit | 91ac8aa9242371457d5d161584d8062adda0e7cb (patch) | |
tree | d0958691a2c10b592e1e83e97581d82411aed266 | |
parent | sshd config (diff) | |
[CreateAdConfig] Adapt to sssd (instead of nslcd)
-rw-r--r-- | data/ad/ldap.conf.template | 9 | ||||
-rw-r--r-- | data/ad/nsswitch.conf | 4 | ||||
-rw-r--r-- | data/ad/sssd.conf.template | 19 | ||||
-rw-r--r-- | src/main/java/org/openslx/satserver/util/Template.java | 29 | ||||
-rw-r--r-- | src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java | 57 |
5 files changed, 79 insertions, 39 deletions
diff --git a/data/ad/ldap.conf.template b/data/ad/ldap.conf.template
new file mode 100644
index 0000000..c607405
--- /dev/null
+++ b/data/ad/ldap.conf.template
@@ -0,0 +1,9 @@
+URI %URI%
+BASE %SEARCHBASE%
+BIND_TIMELIMIT 10
+TIMELIMIT 30
+TLS_REQCERT demand
+TLS_CACERT %CACERT%
+nss_base_passwd %SEARCHBASE%
+nss_base_group %SEARCHBASE%
+nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data
diff --git a/data/ad/nsswitch.conf b/data/ad/nsswitch.conf
index 1909d49..75ea9f8 100644
--- a/data/ad/nsswitch.conf
+++ b/data/ad/nsswitch.conf
@@ -1,5 +1,5 @@
-passwd: compat ldap
-group: compat ldap
+passwd: compat sss
+group: compat sss
 shadow: compat
 hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
diff --git a/data/ad/sssd.conf.template b/data/ad/sssd.conf.template
new file mode 100644
index 0000000..90b25ed
--- /dev/null
+++ b/data/ad/sssd.conf.template
@@ -0,0 +1,19 @@
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+[nss]
+filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd,demo
+[pam]
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_tls_reqcert = demand
+ldap_tls_cacert = %CACERT%
+ldap_schema = rfc2307
+ldap_uri = %URI%
+ldap_group_search_base = %SEARCHBASE%
+ldap_user_search_base = %SEARCHBASE%
+ldap_search_base = %SEARCHBASE%
+cache_credentials = true
+
diff --git a/src/main/java/org/openslx/satserver/util/Template.java b/src/main/java/org/openslx/satserver/util/Template.java
new file mode 100644
index 0000000..82d0695
--- /dev/null
+++ b/src/main/java/org/openslx/satserver/util/Template.java
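Review bot: The `[domain/LDAP]` section of sssd.conf.template enables `cache_credentials = true` without any comment on what that implies: as far as I recall the sssd manual, sssd then keeps a hash of each successfully used password in its local cache so that logins keep working while the proxy is unreachable, which means the client's local storage now holds password-derived material. A one-line comment above it, `# keeps a hash of each password in the local sssd cache so logins survive the proxy being unreachable`, would make that trade-off visible to whoever tunes the template later. The `ldap_tls_reqcert = demand` plus `ldap_tls_cacert = %CACERT%` pair is the right choice for a self-issued proxy certificate and should stay as is.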
@@ -0,0 +1,29 @@
+package org.openslx.satserver.util;
+
+import java.io.File;
+import java.io.IOException;
+
+import org.apache.commons.io.FileUtils;
+
+public class Template
+{
+
+ private String content;
+
+ public Template(final String filename) throws IOException
+ {
+ this.content = FileUtils.readFileToString( new File( filename ) );
+ }
+
+ public void replace(final String search, final String replace)
+ {
+ this.content = this.content.replace( search, replace );
+ }
+
+ @Override
+ public String toString()
+ {
+ return this.content;
+ }
+
+}
diff --git a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
index c74b9dc..ee3bfb8 100644
--- a/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
+++ b/src/main/java/org/openslx/taskmanager/tasks/CreateAdConfig.java
@@ -10,6 +10,7 @@ import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
 import org.apache.commons.io.FileUtils;
 import org.openslx.satserver.util.Archive;
 import org.openslx.satserver.util.Exec;
+import org.openslx.satserver.util.Template;
 import org.openslx.satserver.util.Util;
 import org.openslx.taskmanager.api.AbstractTask;
@@ -60,6 +61,8 @@ public class CreateAdConfig extends AbstractTask
 TarArchiveOutputStream outArchive = null;
 String keyFile = "/opt/ldadp/configs/" + this.moduleid + ".key.pem";
 String certFile = "/opt/ldadp/configs/" + this.moduleid + ".crt.pem";
+ String uri = "ldaps://" + this.proxyip + ":" + this.proxyport + "/";
+ String cacertPath = "/etc/ldap-proxy.pem";
 try {
 // Generate keys
 {
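Review bot: The constructor of Template reads the file with the single-argument `FileUtils.readFileToString( new File( filename ) )`, which decodes using the JVM's platform default charset, so a template containing non-ASCII bytes would be read differently depending on the locale of the host running the task manager; pass the encoding explicitly, `FileUtils.readFileToString( new File( filename ), "UTF-8" )`. The class also has no Javadoc at all; a class comment along the lines of `/** Loads a text file and substitutes literal placeholder tokens via replace(); the result is obtained with toString(). */` plus a note on `replace` that the replacement text is inserted verbatim, with no escaping or quoting, would tell callers what they remain responsible for. Since `replace` mutates the stored content, a second call with the same search token is a no-op once the placeholder is gone; worth stating in that method's Javadoc as well.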
@@ -90,6 +93,16 @@ public class CreateAdConfig extends AbstractTask
 this.home,
 certFile,
 keyFile );
+ // Generic ldap config
+ final Template ldapConf = new Template( "./data/ad/ldap.conf.template" );
+ ldapConf.replace( "%URI%", uri );
+ ldapConf.replace( "%SEARCHBASE%", this.searchbase );
+ ldapConf.replace( "%CACERT%", cacertPath );
+ // sssd config
+ final Template sssdConf = new Template( "./data/ad/sssd.conf.template" );
+ sssdConf.replace( "%URI%", uri );
+ sssdConf.replace( "%SEARCHBASE%", this.searchbase );
+ sssdConf.replace( "%CACERT%", cacertPath );
 String fileName = "/opt/ldadp/configs/" + this.moduleid + ".cfg";
 try {
 Files.deleteIfExists( Paths.get( this.filename ) );
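Review bot: The values substituted into both templates (`uri`, built from `this.proxyip` and `this.proxyport`, and `this.searchbase`) are spliced into ldap.conf and sssd.conf verbatim with no check for line breaks or other control characters; I cannot see from this hunk where those fields are set, but if they can arrive from outside the task manager, a value containing a newline would append arbitrary directives to both generated files. A guard before the first `replace` call, rejecting values that contain characters outside a conservative allow-list and setting `status.error`, would close that. Both templates are read from the relative path `./data/ad/...`, so the task silently depends on the working directory of the process; the enclosing method starts and ends outside the hunk.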
@@ -107,41 +120,8 @@ public class CreateAdConfig extends AbstractTask
 status.error = "Could not create archive at " + this.filename;
 return false;
 }
- // Generic ldap config
- String ldapConf = String
- .format(
- "URI ldaps://%s:%d/\n"
- + "BASE %s\n"
- + "BIND_TIMELIMIT 10\n"
- + "TIMELIMIT 30\n"
- + "TLS_REQCERT demand\n"
- + "TLS_CACERT /etc/ldap-proxy.pem\n"
- + "nss_base_passwd %s\n"
- + "nss_base_group %s\n"
- + "nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data\n",
- this.proxyip, this.proxyport,
- this.searchbase,
- this.searchbase,
- this.searchbase
- );
- // nslcd config
- String nslcdConf = String
- .format(
- "URI ldaps://%s:%d/\n"
- + "BASE %s\n"
- + "BIND_TIMELIMIT 10\n"
- + "TIMELIMIT 30\n"
- + "TLS_REQCERT demand\n"
- + "TLS_CACERTFILE /etc/ldap-proxy.pem\n"
- + "scope sub\n"
- + "nss_initgroups_ignoreusers avahi,avahi-autoipd,backup,bin,colord,daemon,dnsmasq,games,gnats,hplip,irc,kernoops,libuuid,lightdm,list,lp,mail,man,messagebus,news,proxy,pulse,root,rtkit,saned,speech-dispatcher,sshd,sync,sys,syslog,usbmux,uucp,whoopsie,www-data\n",
- this.proxyip, this.proxyport,
- this.searchbase,
- this.searchbase,
- this.searchbase
- );
 // The cert we just created
- if ( !Archive.tarAddFile( outArchive, "/etc/ldap-proxy.pem", new File( certFile ), 0644 ) ) {
+ if ( !Archive.tarAddFile( outArchive, cacertPath, new File( certFile ), 0644 ) ) {
 status.error = "Could not add ldap-proxy.pem to module";
 return false;
 }
@@ -163,15 +143,18 @@ public class CreateAdConfig extends AbstractTask
 status.error = "Could not add mount script to module";
 return false;
 }
- boolean ret = Archive.tarCreateFileFromString( outArchive, "/etc/ldap.conf", ldapConf, 0644 )
- && Archive.tarCreateFileFromString( outArchive, "/etc/nslcd.conf", nslcdConf, 0644 )
+ boolean ret = Archive.tarCreateFileFromString( outArchive, "/etc/ldap.conf", ldapConf.toString(), 0644 )
+ && Archive.tarCreateFileFromString( outArchive, "/etc/sssd/sssd.conf", sssdConf.toString(), 0644 )
 && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/ldap/ldap.conf" )
 && Archive.tarCreateSymlink( outArchive, "/etc/ldap.conf", "/etc/openldap/ldap.conf" )
- && Archive.tarCreateSymlink( outArchive, "../nslcd.service", "/etc/systemd/system/basic.target.wants/nslcd.service" );
+ && Archive.tarCreateSymlink( outArchive, "../sssd.service", "/etc/systemd/system/basic.target.wants/sssd.service" );
 if ( !ret ) {
 status.error = "Could not add ldap configs to module";
 }
 return ret;
+ } catch ( IOException e ) {
+ status.error = e.toString();
+ return false;
 } finally {
 Util.multiClose( outArchive );
 }
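Review bot: `/etc/sssd/sssd.conf` is written into the module archive with mode `0644`, but sssd performs a permission check on its config at startup and, as far as I recall, refuses to start unless the file is root-owned and mode 0600; on the client that would leave `passwd: compat sss` resolving no directory users at all. Change the second call to `Archive.tarCreateFileFromString( outArchive, "/etc/sssd/sssd.conf", sssdConf.toString(), 0600 )` (keeping `/etc/ldap.conf` at `0644` is fine, client libraries need to read it). A world-readable sssd.conf would also expose any bind credentials someone later adds to the template. The new `catch ( IOException e )` now also covers the Template constructors added earlier in the method; the enclosing try starts outside the hunk.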