BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/361272 )
Change subject: striker: sudo schema support ...................................................................... striker: sudo schema support Add LDAP configuration needed to support storing sudoer rules. Initial LDAP tree contents are updated as well. Existing deployments can be updated manually using: ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin <<LDIF dn: ou=sudoers,cn=tools,ou=projects,dc=wmftest,dc=net objectClass: organizationalUnit objectClass: top ou: sudoers LDIF ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin <<LDIF dn: ou=people,ou=servicegroups,dc=wmftest,dc=net objectClass: organizationalunit objectClass: top ou: people dn: ou=projects,dc=wmftest,dc=net objectClass: organizationalUnit objectClass: top description: OU for openstack projects and global groups ou: projects dn: cn=tools,ou=projects,dc=wmftest,dc=net objectClass: extensibleObject objectClass: groupOfNames objectClass: top cn: tools member: uid=admin,dc=wmftest,dc=net LDIF Also includes documentation updates for recent OAuth extension changes which now require that port numbers are included in registered callbacks. Bug: T149458 Change-Id: I97503da4621de5d60207746fd564fa3196274886 --- A puppet/modules/openldap/files/sudo.schema M puppet/modules/openldap/manifests/init.pp M puppet/modules/openldap/templates/slapd.erb M puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb M puppet/modules/role/templates/striker/ldap_data.erb 5 files changed, 112 insertions(+), 2 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/mediawiki/vagrant refs/changes/72/361272/1 diff --git a/puppet/modules/openldap/files/sudo.schema b/puppet/modules/openldap/files/sudo.schema new file mode 100644 index 0000000..d3e95e0 --- /dev/null +++ b/puppet/modules/openldap/files/sudo.schema 
@@ -0,0 +1,76 @@
+#
+# OpenLDAP schema file for Sudo
+# Save as /etc/openldap/schema/sudo.schema
+#
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 ) + +objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL + DESC 'Sudoer Entries' + MUST ( cn ) + MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ + description ) + ) diff --git a/puppet/modules/openldap/manifests/init.pp b/puppet/modules/openldap/manifests/init.pp index 8ddae04..c0be59e 100644 --- a/puppet/modules/openldap/manifests/init.pp +++ b/puppet/modules/openldap/manifests/init.pp @@ -72,6 +72,16 @@ notify => Service['slapd'], } + file { '/etc/ldap/schema/sudo.schema': + ensure => present, + owner => 'root', + group => 'root', + mode => '0444', + source => 'puppet:///modules/openldap/sudo.schema', + require => Package['slapd'], + notify => Service['slapd'], + } + file { '/etc/ldap/slapd.conf' : ensure => present, owner => 'openldap', diff --git a/puppet/modules/openldap/templates/slapd.erb b/puppet/modules/openldap/templates/slapd.erb index f93874d..0221c27 100644 --- a/puppet/modules/openldap/templates/slapd.erb +++ b/puppet/modules/openldap/templates/slapd.erb @@ -11,6 +11,7 @@ include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/openssh-ldap.schema +include /etc/ldap/schema/sudo.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args diff --git a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb index 1fc1730..4f1bad3 100644 --- a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb +++ b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb 
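Review bot: The header comment `# Save as /etc/openldap/schema/sudo.schema` names a path this change never uses; init.pp installs the file as `/etc/ldap/schema/sudo.schema` and slapd.erb includes it from there, so the comment sends a reader to the wrong directory. The file looks like a copy of the schema distributed with sudo, so stating the origin and the release it matches would let the next maintainer diff it against upstream, e.g. `# Copied from sudo's doc/schema.OpenLDAP (state the release here); installed by puppet/modules/openldap/manifests/init.pp`. The last attribute is declared with `attributeTypes` while every other one uses `attributetype`; slapd appears to accept the directive case-insensitively, but making them uniform avoids a reader wondering whether the difference is deliberate.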
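Review bot: The new `file { '/etc/ldap/schema/sudo.schema': ... }` resource has no ordering relation to the `/etc/ldap/slapd.conf` resource that follows it, and slapd.conf is what gains the `include /etc/ldap/schema/sudo.schema` line; with only `notify => Service['slapd']` on both, the ordering rests on manifest position, and if the conf is ever applied first slapd is restarted against a config that includes a file not yet on disk and fails to start. Add `before => File['/etc/ldap/slapd.conf'],` to the schema resource (or the matching `require` on the conf resource) so the dependency is explicit. The slapd.conf resource continues outside the hunk.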
@@ -103,7 +103,7 @@ ===Setup Striker=== * [<%= scope['::mediawiki::server_url'] %>/wiki/Special:OAuthConsumerRegistration/propose Register an OAuth consumer for Striker] ** Application Name: <kbd>Tool Labs console</kbd> -** OAuth callback URL: <kbd><nowiki>http:</nowiki>//<%= @vhost_name %></kbd> +** OAuth callback URL: <kbd><nowiki>http:</nowiki>//<%= @vhost_name %><%= scope['::port_fragment'] %></kbd> ** Check the ''Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix.'' checkbox. ** Contact email address: <kbd><%= @admin_email %></kbd> ** Types of grants being requested: <kbd>Authentication only with access to real name and email address via Special:OAuth/identify, no API access.</kbd> @@ -113,7 +113,7 @@ Q = function(s){return document.querySelector('[name="' + s + '"]')}; Q("wpname").value = "Striker"; Q("wpdescription").value = "Striker login"; -Q("wpcallbackUrl").value = "http://<%= @vhost_name %>"; +Q("wpcallbackUrl").value = "http://<%= @vhost_name %><%= scope['::port_fragment'] %>"; Q("wpcallbackIsPrefix").checked = true; Q("wpemail").value = "<%= @admin_email %>"; Q("wpgranttype").value = "authonlyprivate"; diff --git a/puppet/modules/role/templates/striker/ldap_data.erb b/puppet/modules/role/templates/striker/ldap_data.erb index 6f39fa4..7b03a2d 100755 --- a/puppet/modules/role/templates/striker/ldap_data.erb +++ b/puppet/modules/role/templates/striker/ldap_data.erb @@ -5,6 +5,17 @@ objectClass: top description: Tools +dn: ou=people,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +ou: people + +dn: ou=projects,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +description: OU for openstack projects and global groups +ou: projects + dn: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> objectClass: person objectClass: inetOrgPerson 
@@ -39,6 +50,18 @@
 gidNumber: 5001
 member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %>
+dn: cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %>
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: top
+cn: tools
+member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %>
+
+dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::user_base_dn'] %>
+objectClass: organizationalUnit
+objectClass: top
+ou: sudoers
+
 dn: cn=tools.admin,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %>
 objectClass: groupOfNames
 objectClass: posixGroup
-- To view, visit https://gerrit.wikimedia.org/r/361272 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I97503da4621de5d60207746fd564fa3196274886 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/vagrant Gerrit-Branch: master Gerrit-Owner: BryanDavis <bda...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
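Review bot: The `ou=sudoers` entry is rooted at `cn=tools,ou=projects,<%= scope['::role::ldapauth::user_base_dn'] %>`, but the `cn=tools` entry added a few lines above (and the manual LDIF in the commit message) places it under `base_dn`; whenever `user_base_dn` differs from `base_dn` the parent does not exist and loading this file fails with noSuchObject. Change it to `dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %>`. sudoRole entries under this OU translate directly into sudo privilege on every host that consumes them, so the slapd ACLs (not part of this change) should limit write access to this subtree to the admin identity rather than the general user population; a one-line comment above the entry saying that is worth adding. `objectClass: extensibleObject` on `cn=tools` disables schema checking for that entry, which is presumably needed for attributes Striker sets later, but the reason should be stated in a comment so it is not removed as a cleanup.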