[MediaWiki-commits] [Gerrit] mediawiki/vagrant[master]: striker: sudo schema support
jenkins-bot has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/361272 ) Change subject: striker: sudo schema support .. striker: sudo schema support Add LDAP configuration needed to support storing sudoer rules. Initial LDAP tree contents are updated as well. Existing deployments can be updated manually using: ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin < Service['slapd'], } +file { '/etc/ldap/schema/sudo.schema': +ensure => present, +owner => 'root', +group => 'root', +mode=> '0444', +source => 'puppet:///modules/openldap/sudo.schema', +require => Package['slapd'], +notify => Service['slapd'], +} + file { '/etc/ldap/slapd.conf' : ensure => present, owner => 'openldap', diff --git a/puppet/modules/openldap/templates/slapd.erb b/puppet/modules/openldap/templates/slapd.erb index f93874d..0221c27 100644 --- a/puppet/modules/openldap/templates/slapd.erb +++ b/puppet/modules/openldap/templates/slapd.erb @@ -11,6 +11,7 @@ include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/openssh-ldap.schema +include /etc/ldap/schema/sudo.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args diff --git a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb index 1fc1730..4f1bad3 100644 --- a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb +++ b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb 
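Review bot: The added `include /etc/ldap/schema/sudo.schema` line in slapd.erb has no comment saying why the schema is security-relevant, and the access rules that would govern the new entries are outside this hunk. Entries of the sudo schema are read by client hosts as privilege grants, so anyone who can write under an `ou=sudoers` container effectively decides who gets root there. It is worth confirming that the `access to` rules elsewhere in this template limit writes on that subtree to the directory admin. A comment above the include would record this: `# sudo.schema: sudoRole entries grant privileges on client hosts; restrict write access to ou=sudoers`. The same hunk appears again in the second copy of this mail further down.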
@@ -103,7 +103,7 @@ ===Setup Striker=== * [<%= scope['::mediawiki::server_url'] %>/wiki/Special:OAuthConsumerRegistration/propose Register an OAuth consumer for Striker] ** Application Name: Tool Labs console -** OAuth callback URL: http://<%= @vhost_name %> +** OAuth callback URL: http://<%= @vhost_name %><%= scope['::port_fragment'] %> ** Check the ''Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix.'' checkbox. ** Contact email address: <%= @admin_email %> ** Types of grants being requested: Authentication only with access to real name and email address via Special:OAuth/identify, no API access. @@ -113,7 +113,7 @@ Q = function(s){return document.querySelector('[name="' + s + '"]')}; Q("wpname").value = "Striker"; Q("wpdescription").value = "Striker login"; -Q("wpcallbackUrl").value = "http://<%= @vhost_name %>"; +Q("wpcallbackUrl").value = "http://<%= @vhost_name %><%= scope['::port_fragment'] %>"; Q("wpcallbackIsPrefix").checked = true; Q("wpemail").value = "<%= @admin_email %>"; Q("wpgranttype").value = "authonlyprivate"; diff --git a/puppet/modules/role/templates/striker/ldap_data.erb b/puppet/modules/role/templates/striker/ldap_data.erb index 6f39fa4..7b03a2d 100755 --- a/puppet/modules/role/templates/striker/ldap_data.erb +++ b/puppet/modules/role/templates/striker/ldap_data.erb @@ -5,6 +5,17 @@ objectClass: top description: Tools +dn: ou=people,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +ou: people + +dn: ou=projects,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +description: OU for openstack projects and global groups +ou: projects + dn: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> objectClass: person objectClass: inetOrgPerson 
@@ -39,6 +50,18 @@ gidNumber: 5001 member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> +dn: cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: extensibleObject +objectClass: groupOfNames +objectClass: top +cn: tools +member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> + +dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::user_base_dn'] %> +objectClass: organizationalUnit +objectClass: top +ou: sudoers + dn: cn=tools.admin,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %> objectClass: groupOfNames objectClass: posixGroup -- To view, visit https://gerrit.wikimedia.org/r/361272 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I97503da4621de5d60207746fd564fa3196274886 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/vagrant Gerrit-Branch: master Gerrit-Owner: BryanDavisGerrit-Reviewer: BryanDavis Gerrit-Reviewer: Dduvall Gerrit-Reviewer: jenkins-bot <> ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
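Review bot: The new `ou=sudoers` entry in ldap_data.erb is rooted at `user_base_dn`, while its parent `cn=tools,ou=projects`, added a few lines above in the same hunk, is created under `base_dn`. Unless both settings resolve to the same DN, the parent named in this DN does not exist, so the add would presumably fail or land outside the project subtree, leaving no container for the sudoer rules. The line should likely read `dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %>`. The same hunk is repeated in the "uploaded a new change" copy of this mail further down.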
[MediaWiki-commits] [Gerrit] mediawiki/vagrant[master]: striker: sudo schema support
BryanDavis has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/361272 ) Change subject: striker: sudo schema support .. striker: sudo schema support Add LDAP configuration needed to support storing sudoer rules. Initial LDAP tree contents are updated as well. Existing deployments can be updated manually using: ldapadd -x -D cn=admin,dc=wmftest,dc=net -w vagrant_admin < Service['slapd'], } +file { '/etc/ldap/schema/sudo.schema': +ensure => present, +owner => 'root', +group => 'root', +mode=> '0444', +source => 'puppet:///modules/openldap/sudo.schema', +require => Package['slapd'], +notify => Service['slapd'], +} + file { '/etc/ldap/slapd.conf' : ensure => present, owner => 'openldap', diff --git a/puppet/modules/openldap/templates/slapd.erb b/puppet/modules/openldap/templates/slapd.erb index f93874d..0221c27 100644 --- a/puppet/modules/openldap/templates/slapd.erb +++ b/puppet/modules/openldap/templates/slapd.erb @@ -11,6 +11,7 @@ include /etc/ldap/schema/ppolicy.schema include /etc/ldap/schema/rfc2307bis.schema include /etc/ldap/schema/openssh-ldap.schema +include /etc/ldap/schema/sudo.schema pidfile /var/run/slapd/slapd.pid argsfile /var/run/slapd/slapd.args diff --git a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb index 1fc1730..4f1bad3 100644 --- a/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb +++ b/puppet/modules/role/templates/striker/VagrantRoleStriker.wiki.erb 
@@ -103,7 +103,7 @@ ===Setup Striker=== * [<%= scope['::mediawiki::server_url'] %>/wiki/Special:OAuthConsumerRegistration/propose Register an OAuth consumer for Striker] ** Application Name: Tool Labs console -** OAuth callback URL: http://<%= @vhost_name %> +** OAuth callback URL: http://<%= @vhost_name %><%= scope['::port_fragment'] %> ** Check the ''Allow consumer to specify a callback in requests and use "callback" URL above as a required prefix.'' checkbox. ** Contact email address: <%= @admin_email %> ** Types of grants being requested: Authentication only with access to real name and email address via Special:OAuth/identify, no API access. @@ -113,7 +113,7 @@ Q = function(s){return document.querySelector('[name="' + s + '"]')}; Q("wpname").value = "Striker"; Q("wpdescription").value = "Striker login"; -Q("wpcallbackUrl").value = "http://<%= @vhost_name %>"; +Q("wpcallbackUrl").value = "http://<%= @vhost_name %><%= scope['::port_fragment'] %>"; Q("wpcallbackIsPrefix").checked = true; Q("wpemail").value = "<%= @admin_email %>"; Q("wpgranttype").value = "authonlyprivate"; diff --git a/puppet/modules/role/templates/striker/ldap_data.erb b/puppet/modules/role/templates/striker/ldap_data.erb index 6f39fa4..7b03a2d 100755 --- a/puppet/modules/role/templates/striker/ldap_data.erb +++ b/puppet/modules/role/templates/striker/ldap_data.erb @@ -5,6 +5,17 @@ objectClass: top description: Tools +dn: ou=people,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +ou: people + +dn: ou=projects,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: organizationalUnit +objectClass: top +description: OU for openstack projects and global groups +ou: projects + dn: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> objectClass: person objectClass: inetOrgPerson 
@@ -39,6 +50,18 @@ gidNumber: 5001 member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> +dn: cn=tools,ou=projects,<%= scope['::role::ldapauth::base_dn'] %> +objectClass: extensibleObject +objectClass: groupOfNames +objectClass: top +cn: tools +member: uid=admin,<%= scope['::role::ldapauth::user_base_dn'] %> + +dn: ou=sudoers,cn=tools,ou=projects,<%= scope['::role::ldapauth::user_base_dn'] %> +objectClass: organizationalUnit +objectClass: top +ou: sudoers + dn: cn=tools.admin,ou=servicegroups,<%= scope['::role::ldapauth::base_dn'] %> objectClass: groupOfNames objectClass: posixGroup -- To view, visit https://gerrit.wikimedia.org/r/361272 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I97503da4621de5d60207746fd564fa3196274886 Gerrit-PatchSet: 1 Gerrit-Project: mediawiki/vagrant Gerrit-Branch: master Gerrit-Owner: BryanDavis___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits