authorCullum Smith <cullum@sacredheartsc.com>2024-09-25 21:38:13 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-09-25 21:38:13 -0400
commitcd1ce69f104686bbb33e049c2c4c112e78febd36 (patch)
tree6654eaf12145b918cd217dcdf9b95a0060a60b7b /scripts/hostclass/idm_server
parent93994080d976d1fd98a22422a549fe371a2bcae3 (diff)
downloadinfrastructure-cd1ce69f104686bbb33e049c2c4c112e78febd36.tar.gz
finish idm client stuff
Diffstat (limited to 'scripts/hostclass/idm_server')
-rw-r--r--scripts/hostclass/idm_server/10-slapd34
-rw-r--r--scripts/hostclass/idm_server/30-kdc6
-rw-r--r--scripts/hostclass/idm_server/90-idm16
3 files changed, 35 insertions, 21 deletions
diff --git a/scripts/hostclass/idm_server/10-slapd b/scripts/hostclass/idm_server/10-slapd
index 204c405..83cdbb6 100644
--- a/scripts/hostclass/idm_server/10-slapd
+++ b/scripts/hostclass/idm_server/10-slapd
@@ -37,6 +37,17 @@ pkg install -y \
# Create ZFS dataset for OpenLDAP DB.
create_dataset -o "mountpoint=${slapd_data_dir}" "${state_dataset}/openldap-data"
+# To prevent a circular dependency in poudriere, we have to make a special "set"
+# of packages for the IDM hosts in which cyrus-sasl-gssapi is built with the
+# Heimdal libraries in base, rather than MIT.
+#
+# Heimdal does not support the KRB5_KTNAME environment variable with slapd.
+# However, you *can* specify a keytab by creating a ~/.krb5/config file in
+# the slapd user's home directory.
+pw user mod "$slapd_user" -d "$slapd_conf_dir"
+install_directory -m 0755 "${slapd_conf_dir}/.krb5"
+install_template -m 0644 "${slapd_conf_dir}/.krb5/config"
+
# Copy TLS certificate for LDAP server.
install_certificate -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_cert"
install_certificate_key -o "$slapd_user" -g "$slapd_user" slapd "$slapd_tls_key"
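Review bot: The comment on L30-32 says the keytab is taken from `~/.krb5/config`, but it does not say which home Heimdal expands `~` to, and that is the whole trick here: if it comes from the passwd entry, the `pw user mod -d` on L33 is what makes it work; if it comes from `$HOME`, it depends on the environment the rc script starts slapd with (should the rc script start slapd as root and let it drop privileges with `-u`, `$HOME` may still be root's). Presumably this was tested; suggest recording the mechanism, e.g. `# Heimdal resolves ~ via the slapd user's passwd entry, so the home dir is moved to $slapd_conf_dir.` Note also that `.krb5` and its `config` are installed without `-o`/`-g` (so root-owned) while the cert and key just below are owned by `$slapd_user`; root-owned is the safer choice since slapd only needs to read the file, but a short comment saying it is deliberate would stop someone "fixing" it to match the cert lines.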
@@ -69,18 +80,6 @@ if [ ! -d "${slapd_conf_dir}/slapd.d" ]; then
chown -R "${slapd_user}:${slapd_user}" "${slapd_conf_dir}/slapd.d"
fi
-# Enable OpenLDAP in /etc/rc.conf, and start it.
-# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
-# the `-h` argument to slapd. That's how slapd figures out its own server ID.
-sysrc -v \
- slapd_enable=YES \
- slapd_cn_config=YES \
- slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
- slapd_sockets="$slapd_socket" \
- slapd_krb5_ktname="$slapd_keytab"
-
-service slapd restart
-
# Copy the LDAP client configs.
install_template -m 0644 "${slapd_conf_dir}/ldap.conf"
@@ -90,11 +89,20 @@ install_template -m 0644 /usr/local/lib/sasl2/slapd.conf
# Allow slapd to read the saslauthd socket.
install_directory -m 0750 -o "$saslauthd_user" -g "$slapd_user" "$saslauthd_runtime_dir"
-# Enable and start saslauthd.
+# Enable OpenLDAP in /etc/rc.conf, and start it.
+# Note: whatever LDAP IP you specified in $slapd_server_list must be present in
+# the `-h` argument to slapd. That's how slapd figures out its own server ID.
sysrc -v \
+ slapd_enable=YES \
+ slapd_cn_config=YES \
+ slapd_flags="-h '${slapd_ldapi_uri}/ ldap://0.0.0.0/ ldaps://0.0.0.0/ ldaps://${BOXCONF_DEFAULT_IPV4}/'" \
+ slapd_sockets="$slapd_socket" \
+ slapd_krb5_ktname="$slapd_keytab" \
saslauthd_flags='-a kerberos5' \
saslauthd_enable=YES
+
service saslauthd restart
+service slapd restart
# Create directory tree.
if is_primary_server; then
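Review bot: `slapd_krb5_ktname="$slapd_keytab"` on L69 contradicts the comment added earlier in this file that Heimdal's slapd build does not honor KRB5_KTNAME and the keytab is instead supplied through `~/.krb5/config`; keeping both leaves it unclear which one is authoritative. Either drop the rc.conf setting or put a comment above the `sysrc` call, e.g. `# slapd_krb5_ktname is only honored by an MIT-linked build; Heimdal reads the keytab from ~/.krb5/config.` The new side also still listens on `ldap://0.0.0.0/` in cleartext; presumably simple binds are constrained by an `olcSecurity`/`security` setting elsewhere, but that is not visible here and would be worth a one-line note next to the `-h` flags. The `if is_primary_server; then` on the last hunk line opens a block whose body is outside the hunk.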
diff --git a/scripts/hostclass/idm_server/30-kdc b/scripts/hostclass/idm_server/30-kdc
index abe040a..9347ed0 100644
--- a/scripts/hostclass/idm_server/30-kdc
+++ b/scripts/hostclass/idm_server/30-kdc
@@ -35,9 +35,3 @@ sysrc -v \
service kdc restart
service kadmind restart
-
-# Create the boxconf administrative user.
-if is_primary_server; then
- kadmin.local get_principal -terse "$boxconf_username" \
- || kadmin.local add_principal -pw "$boxconf_password" -x "containerdn=${robots_basedn}" "$boxconf_username"
-fi
diff --git a/scripts/hostclass/idm_server/90-idm b/scripts/hostclass/idm_server/90-idm
index 0a28491..adfdf36 100644
--- a/scripts/hostclass/idm_server/90-idm
+++ b/scripts/hostclass/idm_server/90-idm
@@ -40,11 +40,11 @@ associatedDomain: ${rdns}
EOF
# Create host principal.
-kadmin.local get_principal -terse "host/${fqdn}" \
+kadmin.local get_principal "host/${fqdn}" \
|| kadmin.local add_principal -nokey -x "dn=cn=${BOXCONF_HOSTNAME},${hosts_basedn}" "host/${fqdn}"
# Create ldap service principal.
-kadmin.local get_principal -terse "ldap/${fqdn}" \
+kadmin.local get_principal "ldap/${fqdn}" \
|| kadmin.local add_principal -nokey -x "containerdn=${services_basedn}" "ldap/${fqdn}"
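Review bot: Dropping `-terse` on L98 and L102 makes `get_principal` print the full principal record to the provisioning output on every run; if that output is not wanted, append `>/dev/null` to the `get_principal` calls (errors still reach stderr). Note also that `get_principal … || add_principal …` treats any `get_principal` failure, including a KDC database that is not reachable, as "principal absent" and then attempts the add; this is pre-existing and mostly harmless because the add would fail for the same reason, but a comment such as `# get_principal fails only when the principal is missing; any other error surfaces from add_principal` would make the intent explicit.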
# Create state dataset to persist keytabs across OS rebuilds.
@@ -89,3 +89,15 @@ ln -snfs "${slapd_conf_dir}/ldap.conf" /usr/local/etc/ldap.conf
install_file -m 0555 \
/usr/local/libexec/idm-ssh-known-hosts \
/usr/local/libexec/idm-ssh-authorized-keys
+
+# Create the boxconf administrative user.
+if is_primary_server && ! ldap_dn_exists "$boxconf_dn"; then
+ ldap_add "$boxconf_dn" <<EOF
+objectClass: krbPrincipal
+objectClass: simpleSecurityObject
+krbPrincipalName: ${boxconf_username}@${realm}
+userPassword: {SASL}${boxconf_username}@${realm}
+EOF
+
+ kadmin.local change_password -pw "$boxconf_password" "$boxconf_username"
+fi
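Review bot: The password step on L119 is guarded by `! ldap_dn_exists "$boxconf_dn"`, so if `ldap_add` succeeds and `change_password` then fails (KDC or LDAP hiccup, script aborted), every later run sees the DN and skips it, leaving an administrative principal with no key; the key step should be gated on its own check (for example on `kadmin.local get_principal` reporting zero keys) rather than on DN existence. Separately, `-pw "$boxconf_password"` places the secret on argv where any local user can read it via `ps` for the lifetime of the command; MIT `kadmin.local` reads the new password from stdin, so `printf '%s\n%s\n' "$boxconf_password" "$boxconf_password" | kadmin.local change_password "$boxconf_username"` avoids that (the `add_principal -pw` line this commit removes from 30-kdc had the same exposure). The `userPassword: {SASL}…` line relies on slapd's SASL pass-through to the `saslauthd -a kerberos5` configured in 10-slapd; a one-line comment stating that dependency here would help the next reader.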