
Change subject: striker: sudo schema support
......................................................................

striker: sudo schema support

Add LDAP configuration needed to support storing sudoer rules. Initial
LDAP tree contents are updated as well. Existing deployments can be
updated manually using:

    ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin <<LDIF
    dn: ou=sudoers,cn=tools,ou=projects,dc=wmftest,dc=net
    objectClass: organizationalUnit
    objectClass: top
    ou: sudoers
    LDIF

    ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin <<LDIF
    dn: ou=people,ou=servicegroups,dc=wmftest,dc=net
    objectClass: organizationalUnit
    objectClass: top
    ou: people

    dn: ou=projects,dc=wmftest,dc=net
    objectClass: organizationalUnit
    objectClass: top
    description: OU for openstack projects and global groups
    ou: projects

    dn: cn=tools,ou=projects,dc=wmftest,dc=net
    objectClass: extensibleObject
    objectClass: groupOfNames
    objectClass: top
    cn: tools
    member: uid=admin,dc=wmftest,dc=net
    LDIF

Also includes documentation updates for recent OAuth extension changes
which now require that port numbers are included in registered
callbacks.

Bug: T149458
Change-Id: I97503da4621de5d60207746fd564fa3196274886
---
A puppet/modules/openldap/files/sudo.schema
M puppet/modules/openldap/manifests/init.pp
M puppet/modules/openldap/templates/slapd.erb
M puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb
M puppet/modules/role/templates/striker/ldap_data.erb
5 files changed, 112 insertions(+), 2 deletions(-)



diff --git a/puppet/modules/openldap/files/sudo.schema 
b/puppet/modules/openldap/files/sudo.schema
new file mode 100644
index 0000000..d3e95e0
--- /dev/null
+++ b/puppet/modules/openldap/files/sudo.schema
@@ -0,0 +1,76 @@
+#
+# OpenLDAP schema file for Sudo
+# Save as /etc/openldap/schema/sudo.schema
+#
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+    NAME 'sudoUser'
+    DESC 'User(s) who may  run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+    NAME 'sudoHost'
+    DESC 'Host(s) who may run sudo'
+    EQUALITY caseExactIA5Match
+    SUBSTR caseExactIA5SubstringsMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+    NAME 'sudoCommand'
+    DESC 'Command(s) to be executed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+    NAME 'sudoRunAs'
+    DESC 'User(s) impersonated by sudo (deprecated)'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+    NAME 'sudoOption'
+    DESC 'Options(s) followed by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+    NAME 'sudoRunAsUser'
+    DESC 'User(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+    NAME 'sudoRunAsGroup'
+    DESC 'Group(s) impersonated by sudo'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+    NAME 'sudoNotBefore'
+    DESC 'Start of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+    NAME 'sudoNotAfter'
+    DESC 'End of time interval for which the entry is valid'
+    EQUALITY generalizedTimeMatch
+    ORDERING generalizedTimeOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+    NAME 'sudoOrder'
+    DESC 'an integer to order the sudoRole entries'
+    EQUALITY integerMatch
+    ORDERING integerOrderingMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+    DESC 'Sudoer Entries'
+    MUST ( cn )
+    MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ 
sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $
+           description )
+    )
diff --git a/puppet/modules/openldap/manifests/init.pp 
b/puppet/modules/openldap/manifests/init.pp
index 8ddae04..c0be59e 100644
--- a/puppet/modules/openldap/manifests/init.pp
+++ b/puppet/modules/openldap/manifests/init.pp
@@ -72,6 +72,16 @@
         notify  => Service['slapd'],
     }
 
+    file { '/etc/ldap/schema/sudo.schema':
+        ensure  => present,
+        owner   => 'root',
+        group   => 'root',
+        mode    => '0444',
+        source  => 'puppet:///modules/openldap/sudo.schema',
+        require => Package['slapd'],
+        notify  => Service['slapd'],
+    }
+
     file { '/etc/ldap/slapd.conf' :
         ensure  => present,
         owner   => 'openldap',
diff --git a/puppet/modules/openldap/templates/slapd.erb 
b/puppet/modules/openldap/templates/slapd.erb
index f93874d..0221c27 100644
--- a/puppet/modules/openldap/templates/slapd.erb
+++ b/puppet/modules/openldap/templates/slapd.erb
@@ -11,6 +11,7 @@
 include /etc/ldap/schema/ppolicy.schema
 include /etc/ldap/schema/rfc2307bis.schema
 include /etc/ldap/schema/openssh-ldap.schema
+include /etc/ldap/schema/sudo.schema
 
 pidfile  /var/run/slapd/slapd.pid
 argsfile /var/run/slapd/slapd.args
diff --git a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb 
b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb
index 1fc1730..4f1bad3 100644
--- a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb
+++ b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb
@@ -103,7 +103,7 @@
 ===Setup Striker===
 * [<%= scope['::mediawiki::server_url'] 
%>/wiki/Special:OAuthConsumerRegistration/propose Register an OAuth consumer 
for Striker]
 ** Application Name: <kbd>Tool Labs console</kbd>
-** OAuth callback URL: <kbd><nowiki>http:</nowiki>//<%= @vhost_name %></kbd>
+** OAuth callback URL: <kbd><nowiki>http:</nowiki>//<%= @vhost_name %><%= 
scope['::port_fragment'] %></kbd>
 ** Check the ''Allow consumer to specify a callback in requests and use 
"callback" URL above as a required prefix.'' checkbox.
 ** Contact email address: <kbd><%= @admin_email %></kbd>
 ** Types of grants being requested: <kbd>Authentication only with access to 
real name and email address via Special:OAuth/identify, no API access.</kbd>
@@ -113,7 +113,7 @@
 Q = function(s){return document.querySelector('[name="' + s + '"]')};
 Q("wpname").value = "Striker";
 Q("wpdescription").value = "Striker login";
-Q("wpcallbackUrl").value = "http://<%= @vhost_name %>";
+Q("wpcallbackUrl").value = "http://<%= @vhost_name %><%= 
scope['::port_fragment'] %>";
 Q("wpcallbackIsPrefix").checked = true;
 Q("wpemail").value = "<%= @admin_email %>";
 Q("wpgranttype").value = "authonlyprivate";
diff --git a/puppet/modules/role/templates/striker/ldap_data.erb 
b/puppet/modules/role/templates/striker/ldap_data.erb
index 6f39fa4..7b03a2d 100755
--- a/puppet/modules/role/templates/striker/ldap_data.erb
+++ b/puppet/modules/role/templates/striker/ldap_data.erb
@@ -5,6 +5,17 @@
 objectClass: top
 description: Tools
 
+dn: ou=people,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %>
+objectClass: organizationalUnit
+objectClass: top
+ou: people
+
+dn: ou=projects,<%= scope['::role::ldapauth::base_dn'] %>
+objectClass: organizationalUnit
+objectClass: top
+description: OU for openstack projects and global groups
+ou: projects
+
 dn: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %>
 objectClass: person
 objectClass: inetOrgPerson
@@ -39,6 +50,18 @@
 gidNumber: 5001
 member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %>
 
+dn: cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %>
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: top
+cn: tools
+member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %>
+
+dn: ou=sudoers,cn=tools,ou=projects,<%= 
scope['::role::ldapauth::user_base_dn'] %>
+objectClass: organizationalUnit
+objectClass: top
+ou: sudoers
+
 dn: cn=tools.admin,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %>
 objectClass: groupOfNames
 objectClass: posixGroup
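Review bot: The new `ou=sudoers` entry is placed under `scope['::role::ldapauth::user_base_dn']`, while its parent `cn=tools,ou=projects,...` added a few lines above in the same hunk is built from `scope['::role::ldapauth::base_dn']`; unless the two variables resolve to the same value, the parent of the sudoers OU will not exist and the add will fail with a no-such-object error. The manual LDIF in the commit message puts the OU at `ou=sudoers,cn=tools,ou=projects,dc=wmftest,dc=net`, i.e. directly under the base DN, which suggests the template should read `dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %>`. The same `base_dn` variable is what every other `ou=`/`cn=` container in this file uses, so the change also restores consistency with the surrounding entries.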


Gerrit-MessageType: newchange
Gerrit-Change-Id: I97503da4621de5d60207746fd564fa3196274886
Gerrit-PatchSet: 1
Gerrit-Project: mediawiki/vagrant
Gerrit-Branch: master
Gerrit-Owner: BryanDavis <bda...@wikimedia.org>
