Added a script and yaml file to setup ds389 in rancher #22

Merged
merged 15 commits into from
Oct 28, 2024
195 changes: 195 additions & 0 deletions scripts/authentication/389.yml
@@ -0,0 +1,195 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ${ds389_ns_name:-ds389}
...
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ${ds389_name:-ds389}-sa
namespace: ${ds389_ns_name:-ds389}
...


---
apiVersion: v1
kind: Secret
metadata:
name: dirsrv-tls-secret
namespace: ${ds389_ns_name:-ds389}
data:
tls.key: |
${ds389_tls_key:-LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcw
QkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FG
bEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVkt
LS0tLQ==}
tls.crt: |
${ds389_tls_cert:-LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5C
Z2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51
ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t}
...

---
apiVersion: v1
kind: Secret
metadata:
name: dirsrv-dm-password
namespace: ${ds389_ns_name:-ds389}
data:
# Password must be in base64
dm-password: ${ds389_dm_pwd_b64:-YWRtaW4xMjM=}
# dm-password: admin123
...


---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: ${ds389_name:-ds389}
namespace: ${ds389_ns_name:-ds389}
spec:
serviceName: ${ds389_name:-ds389}-internal-svc
replicas: 1
selector:
matchLabels:
app: ${ds389_name:-ds389}
template:
metadata:
labels:
app: ${ds389_name:-ds389}
spec:
serviceAccountName: ${ds389_name:-ds389}-sa
securityContext:
fsGroup: 499
initContainers:
# Init container is required to change the permissions after a persistent volume is mounted.
# Otherwise dscontainer will be denied to create subdirectories and will fail to start.
- name: ${ds389_name:-ds389}-init-container
image: busybox
command: ["/bin/sh", "-c", "chown -R 499:499 /data"]
volumeMounts:
- name: ${ds389_name:-ds389}-data
mountPath: /data
containers:
- name: dirsrv-container
image: ${ds389_image:-docker.io/389ds/dirsrv}
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "sleep 60; dsconf localhost backend create --suffix ${ds389_rootdn:-dc=mydemo,dc=lab} --be-name userroot --create-suffix --create-entries ;
dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ;
dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ;
dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123} ;
dsconf localhost plugin referential-integrity enable ;
dsconf localhost plugin memberof enable ;
dsconf localhost config replace nsslapd-allow-anonymous-access=off ;
dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ;
dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=ldap_user,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ;
dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ;
dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ;
dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} group create --cn developers;
dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} group add_member developers uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} "]
env:
## Set `cn=Directory Manager`'s password
- name: DS_DM_PASSWORD
valueFrom:
secretKeyRef:
name: dirsrv-dm-password
key: dm-password
## Use suffix as a basedn in `dsrc` file
- name: DS_SUFFIX_NAME
value: "${ds389_rootdn:-dc=mydemo,dc=lab}"
## DS_ERRORLOG_LEVEL - set the log level for `ns-slapd`, default is 266354688
- name: DS_ERRORLOG_LEVEL
value: "8192"
## DS_MEMORY_PERCENTAGE - set LDBM autotune percentage (`nsslapd-cache-autosize`), default is 25
- name: DS_MEMORY_PERCENTAGE
value: "10"
## DS_REINDEX` - run database reindex task (`db2index`)
- name: DS_REINDEX
value: "True"
## DS_STARTUP_TIMEOUT - set container startup timeout in seconds, default is 60 seconds.
- name: DS_STARTUP_TIMEOUT
value: "120"
ports:
- containerPort: 3389
protocol: TCP
- containerPort: 3636
protocol: TCP
securityContext:
runAsUser: 489
volumeMounts:
- name: ${ds389_name:-ds389}-data
mountPath: "/data"
- name: dirsrv-tls
mountPath: '/data/tls/'
readOnly: true
volumes:
- name: dirsrv-tls
secret:
secretName: dirsrv-tls-secret
items:
- key: tls.key
path: server.key
- key: tls.crt
path: server.crt
volumeClaimTemplates:
- metadata:
name: ${ds389_name:-ds389}-data
spec:
accessModes: [ "ReadWriteOnce" ]
resources:
requests:
storage: ${ds389_vc_size:-5Gi}
...
---
apiVersion: v1
kind: Service
metadata:
labels:
app: ${ds389_name:-ds389}
name: ${ds389_name:-ds389}-internal-svc
namespace: ${ds389_ns_name:-ds389}
spec:
clusterIP: None
ports:
- name: ${ds389_name:-ds389}-port
port: 3389
protocol: TCP
targetPort: 3389
- name: ${ds389_name:-ds389}-tls-port
port: 3636
protocol: TCP
targetPort: 3636
selector:
app: ${ds389_name:-ds389}
type: ClusterIP
...
---
apiVersion: v1
kind: Service
metadata:
labels:
app: ${ds389_name:-ds389}
name: ${ds389_name:-ds389}-external-svc
namespace: ${ds389_ns_name:-ds389}
spec:
ports:
- name: ${ds389_name:-ds389}-port
port: 3389
protocol: TCP
targetPort: 3389
nodePort: ${ds389_port:-30389}
- name: ${ds389_name:-ds389}-tls-port
port: 3636
protocol: TCP
targetPort: 3636
nodePort: ${ds389_port_tls:-30636}
selector:
app: ${ds389_name:-ds389}
type: NodePort
...
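Review bot: The postStart hook writes the Directory Manager password into the container command line, `dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123}` on L124, so after templating it sits in plaintext in the StatefulSet/pod spec and is readable by anyone with get/list on pods, even though the same value is already delivered through `DS_DM_PASSWORD` from the `dirsrv-dm-password` Secret (L136-140); the two `account change_password ... ${ds389_users_pwd:-supersecret123}` calls on L129 and L131 expose the user passwords the same way. Prefer reading the env var inside the hook, `nsslapd-rootpw="$DS_DM_PASSWORD"`, and move the user passwords to a Secret-backed env var too; since the file appears to be expanded by a shell before `kubectl apply`, the `$` presumably needs escaping as `\$DS_DM_PASSWORD` so it survives to runtime — confirm against the install script. Separately, `runAsUser: 489` on L162 does not match `fsGroup: 499` (L105) and the init container's `chown -R 499:499 /data` (L111); this looks like a typo, so confirm which uid the image runs as and align all three.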

152 changes: 152 additions & 0 deletions scripts/authentication/ds389.sh
@@ -0,0 +1,152 @@
#!/bin/bash



_admin_user="cn=Directory Manager"
_admin_pwd="admin123"
_uri="ldap://node101.mydemo.lab:30389"
_connection_str="-D '${_admin_user}' -w '${_admin_pwd}' -x -H '${_uri}'"
_basedn="dc=mydemo,dc=lab"
_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}"
_ldap_user_pwd="supersecret123"



# Inspired from https://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash#11050943
function process_templates() {
eval "cat <<EOF
$(cat ${template_file} )
EOF
"
}



## DS389: Restrict permissions
## This will:
## - prevent normal users from reading the whole directory
function ds389_restrict_permissions() {
ldapmodify ${_connection_str} << EOL
dn: ou=people,${_basedn}
changetype: modify
delete: aci
aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable anyone user read"; allow (read, search, compare)(userdn="ldap:///anyone");)

dn: ou=people,${_basedn}
changetype: modify
add: aci
aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable self user read"; allow (read, search, compare)(userdn="ldap:///self");)
EOL


}



## DS389: Grant ldap_user privileges to read the whole directory
function ds389_ldap_user-user_private_read() {
ldapmodify ${_connection_str} << EOL
dn: cn=user_private_read,ou=permissions,${_basedn}
changetype: modify
add: member
member: uid=ldap_user,ou=people,${_basedn}
EOL

}


## DS389: Verify ldap_user has access
function ds389_ldap_user-access() {
ldapsearch -x -D "${_ldap_user_dn}" -w "${_ldap_user_pwd}" -H "${_uri}" -b "${_basedn}"
}



## DS389: Install 389 Directory server
function ds389_install() {
template_file=389.yml
process_templates >/tmp/389.yml
kubectl apply -f /tmp/389.yml
sleep 60
ds389_restrict_permissions
ds389_ldap_user-user_private_read
}


## DS389: uninstall 389 Directory server
function ds389_uninstall() {
kubectl -n ds389 delete ServiceAccount/ds389-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/ds389 Ingress/ds389 Service/ds389 Namespace/ds389 service/ds389-internal-svc service/ds389-external-svc; sleep 15
}


function usage() {
echo "Usage:
$0 [install|uninstall|create-user|delete-user|create-group|delete-group|check-user|check-group|change-passwd] <[user|group]> <password>"

}


_arg="$1"


if [[ ! ${_arg} ]]
then
echo "ERROR: Missing argument"
usage
exit 1
fi

case ${_arg} in
install)
ds389_install
;;
uninstall)
ds389_uninstall
;;
create-user)
[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)
# these are only for rancher, therefore doesn't matter if they have the same UID
dsidm localhost --basedn "${_basedn}" user create --uid $2 --cn $2 --displayName $2 --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/${2}
;;
delete-user)
[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)
ldapmodify ${_connection_str} << EOL
dn: ou=people,${_basedn}
changetype: modify
delete: uid
uid: $2
EOL
;;
create-group)
[[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1)
dsidm localhost --basedn "${_basedn}" group create --cn $2 ;
;;
delete-group)
[[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1)
ldapmodify ${_connection_str} << EOL
dn: ou=group,${_basedn}
changetype: modify
delete: cn
cn: $2
EOL
;;
check-user)
[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)
dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=people,${_basedn}
;;
check-group)
[[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ; exit 1)
dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=group,${_basedn}
;;
change-passwd)
[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)
[[ "$3" == "" ]] && ( echo "ERROR: Missing password"; usage ; exit 1)
dsidm localhost -b "${_basedn}" account change_password uid=${2},ou=people,dc=mydemo,dc=lab $3
;;
*)
usage
exit 1
;;
esac
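Review bot: The missing-argument guards never abort the script because `exit 1` runs inside a subshell, e.g. `[[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ; exit 1)` on L348 (same pattern on L353, L362, L366, L375, L379, L383 and L384), so the following `dsidm`/`ldapmodify` call still runs with an empty name; use a group instead, `[[ -z "$2" ]] && { echo "ERROR: Missing user"; usage; exit 1; }`. Also `_connection_str` on L247 embeds literal single quotes inside a double-quoted string, and the unquoted `ldapmodify ${_connection_str}` on L268 (and L289, L354, L367) word-splits the bind DN into `'cn=Directory` and `Manager'`, so the bind is broken; define it as an array, `_connection=(-D "${_admin_user}" -w "${_admin_pwd}" -x -H "${_uri}")`, and call `ldapmodify "${_connection[@]}" << EOL`. Passing `-w` with the hard-coded `_admin_pwd` (L245) also exposes the credential in process listings and shell history; reading it from an environment variable and binding with `-y <password-file>` or `-W` avoids that. Finally, L385 hard-codes `dc=mydemo,dc=lab` where every other branch uses `${_basedn}`, and L380 looks up the group as `uid=${2},ou=group` although `create-group` on L363 creates it by `cn` — presumably `cn=${2},ou=group` is intended; confirm.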

