jenkins-bot has submitted this change and it was merged.
Change subject: Add LdapAuthentication role
......................................................................
Add LdapAuthentication role
Add a role to provision an openldap server and "ldapauth" wiki.
The module that adds the LDAP server is pretty basic and tuned to work
with ::role::ldapauth. It shouldn't be mistaken for a general purpose
Puppet module.
Bug: T128501
Change-Id: I11eb9e8ae9dc26ba9ea52219b770d9736cb914b3
---
M puppet/hieradata/common.yaml
A puppet/modules/openldap/manifests/init.pp
A puppet/modules/openldap/templates/default.erb
A puppet/modules/openldap/templates/ldap.conf.erb
A puppet/modules/openldap/templates/slapd.erb
A puppet/modules/role/manifests/ldapauth.pp
A puppet/modules/role/templates/ldapauth/LdapAuthentication.php.erb
A puppet/modules/role/templates/ldapauth/check_db.erb
A puppet/modules/role/templates/ldapauth/create_db.erb
9 files changed, 387 insertions(+), 0 deletions(-)
Approvals:
Dduvall: Looks good to me, approved
jenkins-bot: Verified
diff --git a/puppet/hieradata/common.yaml b/puppet/hieradata/common.yaml
index 30c5b2e..48e5167 100644
--- a/puppet/hieradata/common.yaml
+++ b/puppet/hieradata/common.yaml
@@ -279,6 +279,10 @@
payments::branch: fundraising/REL1_25
payments::dir: /vagrant/mediawiki-fr
+role::ldapauth::proxy_agent_password: vagrant_agent
+role::ldapauth::writer_password: vagrant_writer
+role::ldapauth::admin_password: vagrant_admin
+
role::mediawiki::hostname: "dev%{hiera('mediawiki::multiwiki::base_domain')}"
role::quips::vhost_name: "quips%{hiera('mwv::tld')}%{::port_fragment}"
diff --git a/puppet/modules/openldap/manifests/init.pp
b/puppet/modules/openldap/manifests/init.pp
new file mode 100644
index 0000000..f80d3f3
--- /dev/null
+++ b/puppet/modules/openldap/manifests/init.pp
@@ -0,0 +1,94 @@
+# == Class: openldap
+#
+# This class installs slapd and configures it with a single suffix hdb
+# database. The implementation here is tuned to work with ::role::ldapauth and
+# should not be mistaken for a reusable Puppet module.
+#
+# Based loosely on the openldap class from
+# https://phabricator.wikimedia.org/diffusion/OPUP/
+#
+# === Parameters
+#
+# [*suffix*]
+# Distinguished name of the root of the subtree managed by this server.
+#
+# [*datadir*]
+# The datadir this suffix will be installed, e.g. "/var/lib/ldap"
+#
+# [*admin_dn*]
+# Distinguished name of admin user.
+#
+# [*admin_password*]
+# Password for admin user.
+#
+# [*logging*]
+# Specify the kind of logging desired. Defaults to "sync stats" And it is
+# not named loglevel cause that's a puppet metaparameter
+#
+class openldap(
+ $suffix,
+ $datadir,
+ $admin_dn,
+ $admin_password,
+ $logging = 'sync stats',
+) {
+ require_package('slapd', 'ldap-utils', 'python-ldap')
+
+ # Remove the package provided ldap-based config system so that we can just
+ # hardcode the config in /etc/ldap/slapd.conf
+ exec { 'rm_slapd.d':
+ onlyif => '/usr/bin/test -d /etc/ldap/slapd.d',
+ command => '/bin/rm -rf /etc/ldap/slapd.d',
+ require => Package['slapd'],
+ }
+
+ file { $datadir:
+ ensure => directory,
+ recurse => false,
+ owner => 'openldap',
+ group => 'openldap',
+ mode => '0750',
+ force => true,
+ require => Package['slapd'],
+ }
+
+ file { '/etc/ldap/slapd.conf' :
+ ensure => present,
+ owner => 'openldap',
+ group => 'openldap',
+ mode => '0440',
+ content => template('openldap/slapd.erb'),
+ require => Package['slapd'],
+ notify => Service['slapd']
+ }
+
+ file { '/etc/default/slapd' :
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('openldap/default.erb'),
+ require => Package['slapd'],
+ notify => Service['slapd']
+ }
+
+ file { '/etc/ldap/ldap.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => template('openldap/ldap.conf.erb'),
+ require => Package['slapd'],
+ }
+
+ service { 'slapd':
+ ensure => running,
+ hasstatus => true,
+ hasrestart => true,
+ require => [
+ Exec['rm_slapd.d'],
+ File[$datadir],
+ File['/etc/ldap/ldap.conf'],
+ ]
+ }
+}
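Review bot: The `0440`/`openldap` mode on `/etc/ldap/slapd.conf` is load-bearing but undocumented: the template it renders (slapd.erb in this change) embeds `rootpw` as the cleartext admin password, so the file must stay unreadable to other local users. A one-line why-comment on that resource would prevent a later "relax to 0444 like the other config files" cleanup, e.g. `# Contains rootpw in cleartext (see slapd.erb); must not be world-readable.`. Separately, `force => true` on `file { $datadir: }` has no effect with `ensure => directory` and `recurse => false` and can be dropped. The class documentation also says nothing about `rm_slapd.d` being required for the empty `SLAPD_CONF=` in default.erb to fall back to slapd.conf; a sentence in the `# == Class` header would tie the two together.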
diff --git a/puppet/modules/openldap/templates/default.erb
b/puppet/modules/openldap/templates/default.erb
new file mode 100644
index 0000000..ec6e8d4
--- /dev/null
+++ b/puppet/modules/openldap/templates/default.erb
@@ -0,0 +1,53 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### puppet:///modules/openldap/templates/default.erb
+###################################################################
+
+# Bump the fd limit, otherwise we max out LDAP connections at around 1000
+ulimit -n 8192
+
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
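Review bot: `SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"` asks slapd to listen on ldaps:// while nothing in this change configures a TLS certificate or key for slapd, and in my experience slapd refuses to start in that situation ("TLS init def ctx failed") rather than silently skipping the listener; please confirm on a fresh VM. Every client in this change (ldap.conf.erb, LdapAuthentication.php.erb, the ldapadd/ldapsearch templates) talks to 127.0.0.1, so the narrower value shown in the file's own example line is enough and keeps the directory off the VM's external interfaces: `SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:///"`. If ldaps is wanted later, `TLSCertificateFile`/`TLSCertificateKeyFile` belong in slapd.erb alongside it.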
diff --git a/puppet/modules/openldap/templates/ldap.conf.erb
b/puppet/modules/openldap/templates/ldap.conf.erb
new file mode 100644
index 0000000..88cfab2
--- /dev/null
+++ b/puppet/modules/openldap/templates/ldap.conf.erb
@@ -0,0 +1,13 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### puppet:///modules/openldap/templates/ldap.conf.erb
+###################################################################
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE <%= @suffix %>
+URI ldap://127.0.0.1
+
+# Do not derefernce aliases
+DEREF never
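Review bot: Typo in the comment on the `DEREF` line: "derefernce" should read "dereference", i.e. `# Do not dereference aliases`. The `URI ldap://127.0.0.1` entry is consistent with the loopback address the PHP template and the seeding scripts use, which is worth a comment so the three stay in sync.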
diff --git a/puppet/modules/openldap/templates/slapd.erb
b/puppet/modules/openldap/templates/slapd.erb
new file mode 100644
index 0000000..d0b3052
--- /dev/null
+++ b/puppet/modules/openldap/templates/slapd.erb
@@ -0,0 +1,86 @@
+#####################################################################
+### THIS FILE IS MANAGED BY PUPPET
+### puppet:///modules/openldap/templates/slapd.erb
+#####################################################################
+
+# Schema and objectClass definitions
+include /etc/ldap/schema/core.schema
+include /etc/ldap/schema/cosine.schema
+include /etc/ldap/schema/inetorgperson.schema
+include /etc/ldap/schema/dyngroup.schema
+include /etc/ldap/schema/ppolicy.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+# Read slapd.conf(5) for possible values
+loglevel <%= @logging %>
+
+# Where the dynamically loaded modules are stored
+modulepath /usr/lib/ldap
+moduleload back_hdb
+moduleload memberof
+moduleload syncprov
+moduleload auditlog
+moduleload ppolicy
+moduleload deref
+moduleload unique
+
+# Maximum number of entries that is returned for a search operation
+sizelimit 2048
+
+# 10 minute idle timeout for ill-behaved clients
+idletimeout 600
+writetimeout 30
+
+# Limit amount of cpu's that is used for indexing.
+tool-threads 1
+
+#######################################################################
+## Databases
+database hdb
+suffix <%= @suffix %>
+directory <%= @datadir %>
+
+rootdn "<%= @admin_dn %>"
+rootpw <%= @admin_password %>
+
+overlay auditlog
+auditlog /var/lib/ldap/slapd-audit.log
+
+overlay deref
+
+#######################################################################
+## General parameters and indexes
+
+dbconfig set_cachesize 0 2097152 0
+dbconfig set_lk_max_objects 1500
+dbconfig set_lk_max_locks 1500
+dbconfig set_lk_max_lockers 1500
+dbconfig set_lg_regionmax 262144
+dbconfig set_lg_bsize 2097152
+
+# LDAP indices
+index default pres,eq
+index objectClass eq
+index cn eq,sub
+index uid eq,pres,sub
+
+lastmod on
+checkpoint 512 30
+
+# ACLs
+# Allow everybody to try to bind
+access to attrs=userPassword
+ by group.exact="cn=Administrators,ou=groups,<%= @suffix %>" write
+ by self =xw
+ by anonymous auth
+
+# Allow admin users to manage things and authed users to read
+access to dn.children="<%= @suffix %>"
+ by group.exact="cn=Administrators,ou=groups,<%= @suffix %>" write
+ by users read
+ by * auth
+
+# Allow no access by default
+access to * by * none
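Review bot: `moduleload ppolicy`, `memberof`, `syncprov` and `unique` are loaded but no matching `overlay` directive follows, so they are dead configuration; of these, ppolicy is the one that matters here, because without `overlay ppolicy` plus `ppolicy_hash_cleartext` the `userPassword` values that create_db.erb adds in cleartext are stored verbatim, and the `overlay auditlog` at `/var/lib/ldap/slapd-audit.log` records each add/modify as LDIF, cleartext passwords included. Either drop the unused `moduleload` lines or enable the overlay with `overlay ppolicy` / `ppolicy_hash_cleartext` (if the role intends hashed storage; the wiki side sets `$wgLDAPPasswordHash` to `clear`, so this is a deliberate choice to document either way). The audit log lands under the datadir, which init.pp keeps at `0750 openldap:openldap`; a comment next to `auditlog` stating that the file's confidentiality relies on that directory mode would help. Minor: `rootpw` accepts a `slappasswd`-generated `{SSHA}` value as well as cleartext, though since the same password is needed in cleartext for the ldapadd seeding this only makes sense if the hash is passed separately.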
diff --git a/puppet/modules/role/manifests/ldapauth.pp
b/puppet/modules/role/manifests/ldapauth.pp
new file mode 100644
index 0000000..12d5768
--- /dev/null
+++ b/puppet/modules/role/manifests/ldapauth.pp
@@ -0,0 +1,57 @@
+# == Class: role::ldapauth
+# Provisions and LDAP server and the LdapAuthentication extension for use by
+# a wiki named ldapauth.wiki.local.wmftest.net.
+#
+# === Parameters
+# [*proxy_agent_password*]
+# Password for proxy agent account
+#
+# [*writer_password*]
+# Password for account with write access
+#
+# [*admin_password*]
+# Password for LDAP admin account
+#
+class role::ldapauth(
+ $proxy_agent_password,
+ $writer_password,
+ $admin_password,
+) {
+ # Needed for php5 maintenance scripts and if the VM is using role::zend
+ require_package('php5-ldap')
+
+ # This is a lazy short cut so we don't have to pass a bazillion options to
+ # create the initial LDIF data.
+ $base_dn = 'dc=wmftest,dc=net'
+ $admin_dn = "cn=admin,${base_dn}"
+ $user_base_dn = "ou=People,${base_dn}"
+ $proxy_agent_dn = "cn=proxyagent,${base_dn}"
+ $writer_dn = "cn=writer,${base_dn}"
+
+ class { '::openldap':
+ suffix => $base_dn,
+ datadir => '/var/lib/ldap',
+ admin_dn => $admin_dn,
+ admin_password => $admin_password,
+ }
+
+ exec { 'Create LDAP db':
+ command => template('role/ldapauth/create_db.erb'),
+ unless => template('role/ldapauth/check_db.erb'),
+ require => Class['::openldap'],
+ }
+
+ mediawiki::wiki { 'ldapauth':
+ wgconf => {
+ 'wmvExtensions' => {
+ 'CentralAuth' => false,
+ },
+ },
+ }
+
+ mediawiki::extension { 'LdapAuthentication':
+ needs_update => true,
+ settings => template('role/ldapauth/LdapAuthentication.php.erb'),
+ wiki => 'ldapauth',
+ }
+}
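Review bot: `exec { 'Create LDAP db': }` runs ldapadd with the admin password on the command line via `-w '<%= @admin_password %>'` (create_db.erb, and likewise the `unless` check in check_db.erb), where it is visible in process listings and in the command string Puppet logs when the exec fails or runs under --debug. ldapadd and ldapsearch accept `-y <file>` to read the password verbatim from a file; writing the password to a root-only file and pointing both templates at it keeps it out of argv (the file content must carry no trailing newline, since `-y` uses the whole file as the password). The exec also fires immediately after `Service['slapd']` starts with no retry, so the `unless` search can fail on a socket that is not yet accepting connections and the `ldapadd` then fails the run; `tries`/`try_sleep` on the exec covers that. The path below is a constructed example.
```puppet
  # Constructed path: keep the bind password off the command line so it is
  # not visible in `ps` output or in Puppet's logged command string.
  file { '/etc/ldap/.admin_pw':
    ensure  => present,
    owner   => 'root',
    group   => 'root',
    mode    => '0400',
    content => $admin_password,   # no trailing newline: -y uses the file verbatim
    require => Class['::openldap'],
  }

  exec { 'Create LDAP db':
    command   => template('role/ldapauth/create_db.erb'),   # uses -y /etc/ldap/.admin_pw
    unless    => template('role/ldapauth/check_db.erb'),    # uses -y /etc/ldap/.admin_pw
    tries     => 5,
    try_sleep => 2,
    require   => [Class['::openldap'], File['/etc/ldap/.admin_pw']],
  }
  # … unchanged: mediawiki::wiki and mediawiki::extension resources …
```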
diff --git a/puppet/modules/role/templates/ldapauth/LdapAuthentication.php.erb
b/puppet/modules/role/templates/ldapauth/LdapAuthentication.php.erb
new file mode 100644
index 0000000..19c243d
--- /dev/null
+++ b/puppet/modules/role/templates/ldapauth/LdapAuthentication.php.erb
@@ -0,0 +1,34 @@
+//<?php
+$wgAuth = new LdapAuthenticationPlugin();
+
+$wgLDAPDomainNames = array( 'ldap' );
+$wgLDAPServerNames = array( 'ldap' => '127.0.0.1' );
+$wgLDAPEncryptionType = array( 'ldap' => 'clear' );
+
+$wgLDAPProxyAgent = array( 'ldap' => '<%= @proxy_agent_dn %>' );
+$wgLDAPProxyAgentPassword = array( 'ldap' => '<%= @proxy_agent_password %>' );
+
+$wgLDAPSearchAttributes = array( 'ldap' => 'cn' );
+$wgLDAPBaseDNs = array( 'ldap' => '<%= @base_dn %>' );
+$wgLDAPUserBaseDNs = array( 'ldap' => '<%= @user_base_dn %>' );
+
+$wgLDAPWriterDN = array( 'ldap' => '<%= @writer_dn %>' );
+$wgLDAPWriterPassword = array( 'ldap' => '<%= @writer_password %>' );
+
+$wgLDAPWriteLocation = array( 'ldap' => '<%= @user_base_dn %>' );
+$wgLDAPAddLDAPUsers = array( 'ldap' => true );
+$wgLDAPUpdateLDAP = array( 'ldap' => true );
+$wgLDAPPasswordHash = array( 'ldap' => 'clear' );
+
+// 'invaliddomain' is set to true so that mail password options
+// will be available on user creation and password mailing
+$wgLDAPMailPassword = array( 'ldap' => true, 'invaliddomain' => true );
+$wgLDAPPreferences = array( 'ldap' => array( 'email' => 'mail' ) );
+$wgLDAPUseFetchedUsername = array( 'ldap' => true );
+$wgLDAPLowerCaseUsernameScheme = array( 'ldap' => false, 'invaliddomain' =>
false );
+$wgLDAPLowerCaseUsername = array( 'ldap' => false, 'invaliddomain' => false );
+
+// Shortest password a user is allowed to login using. Notice that 1 is the
+// minimum so that when using a local domain, local users cannot login as
+// domain users (as domain user's passwords are not stored)
+$wgMinimalPasswordLength = 1;
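Review bot: `$wgLDAPEncryptionType = 'clear'` and `$wgLDAPPasswordHash = 'clear'` are the two settings a reader will question first and neither carries a comment, while the less surprising `invaliddomain` and `$wgMinimalPasswordLength` lines do. A short note above the encryption line would record the reasoning that is only implicit in `$wgLDAPServerNames` pointing at 127.0.0.1, e.g. `// No TLS and unhashed userPassword writes: slapd is reached over loopback inside the VM and the seeded accounts are dev-only defaults from common.yaml.`. Note that `$wgMinimalPasswordLength = 1` is wiki-wide, so it also applies to the local (non-LDAP) accounts on the `ldapauth` wiki; the existing comment could say so.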
diff --git a/puppet/modules/role/templates/ldapauth/check_db.erb
b/puppet/modules/role/templates/ldapauth/check_db.erb
new file mode 100644
index 0000000..85f07c4
--- /dev/null
+++ b/puppet/modules/role/templates/ldapauth/check_db.erb
@@ -0,0 +1 @@
+/usr/bin/ldapsearch -x -D '<%= @admin_dn %>' -w '<%= @admin_password %>' -b
'<%= @base_dn %>' '(cn=writer)'
diff --git a/puppet/modules/role/templates/ldapauth/create_db.erb
b/puppet/modules/role/templates/ldapauth/create_db.erb
new file mode 100755
index 0000000..9c4d7c1
--- /dev/null
+++ b/puppet/modules/role/templates/ldapauth/create_db.erb
@@ -0,0 +1,45 @@
+/usr/bin/ldapadd -x -D "<%= @admin_dn %>" -w "<%= @admin_password %>" <<LIDF
+dn: <%= @base_dn %>
+objectclass: dcObject
+objectclass: organization
+objectClass: top
+dc: wmftest
+o: wmftest
+description: MediaWiki-Vagrant tree
+
+dn: <%= @admin_dn %>
+objectClass: organizationalRole
+cn: admin
+description: The superuser account
+
+dn: ou=groups,<%= @base_dn %>
+objectclass: organizationalUnit
+ou: groups
+description: Generic groups branch
+
+# Name needs to match up with acls in modules/openldap/templates/slapd.erb
+dn: cn=Administrators,ou=groups,<%= @base_dn %>
+objectClass: groupOfNames
+cn: Administrators
+description: Users with administrative privilege
+member: <%= @writer_dn %>
+
+dn: <%= @user_base_dn %>
+objectclass: organizationalUnit
+ou: People
+description: People branch
+
+dn: <%= @proxy_agent_dn %>
+objectclass: organizationalRole
+objectClass: simpleSecurityObject
+cn: proxyagent
+description: Account for reading LDAP data
+userPassword: <%= @proxy_agent_password %>
+
+dn: <%= @writer_dn %>
+objectclass: organizationalRole
+objectClass: simpleSecurityObject
+cn: writer
+description: Account for editing LDAP data
+userPassword: <%= @writer_password %>
+LIDF
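Review bot: The heredoc delimiter is unquoted (`<<LIDF`), so the shell performs parameter and command substitution on the LDIF body; any `$`, backtick or `\` in a rendered `userPassword` or description value would be expanded before ldapadd sees it, and the double-quoted `-w "<%= @admin_password %>"` on the first line has the same exposure (check_db.erb single-quotes the same value, so the two templates already disagree). Quoting the delimiter, `<<'LIDF'`, disables expansion inside the body and costs nothing, since the ERB substitution has already happened by then. The delimiter name looks like a transposition of LDIF; renaming it to `LDIF` would make the intent clearer.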
--
To view, visit https://gerrit.wikimedia.org/r/277702
Gerrit-MessageType: merged
Gerrit-Change-Id: I11eb9e8ae9dc26ba9ea52219b770d9736cb914b3
Gerrit-PatchSet: 7
Gerrit-Project: mediawiki/vagrant
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <[email protected]>
Gerrit-Reviewer: Anomie <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Dduvall <[email protected]>
Gerrit-Reviewer: Gergő Tisza <[email protected]>
Gerrit-Reviewer: jenkins-bot <>