Merge pull request #11 from hellofresh/feature-multiple-domains

PTII-373 Allow configure multiple domains

Author: antonu17

molecule/.gitignore .gitignoremolecule/.gitignore renamed to .gitignore

@@ -3,3 +3,5 @@
 .molecule
 pytestdebug.log
 __pycache__/
+.pytest_cache/
+.vscode/

.travis.yml

@@ -8,9 +8,5 @@ branches:
   only:
     - master
 
-install:
-  - pip install molecule
-  - pip install docker-py
-
 script:
-  - molecule test
+  - ./run_tests.sh

README.md

@@ -13,16 +13,69 @@ None
 Role Variables
 --------------
 
-You can override variables in your group_vars
-
-- `sssd_ldap_search_base: dc=example,dc=org`
-- `sssd_ldap_user_search_base: see sssd-ldap man page`
-- `sssd_ldap_group_search_base: see sssd-ldap man page`
-- `sssd_ldap_uri: ldap://example.org`
-- `sssd_ldap_default_bind_dn: cn=manager,dc=example,dc=org`
-- `sssd_ldap_default_authtok: bind_password`
-- `sssd_ldap_user_ssh_public_key: sshPublicKey`
-- `sssd_ldap_override_gid: 500`
+Role configuration aimed to be similar to SSSD configuration. But, not all configuration options,
+supported in `sssd.conf` are available in role variables with the same names. If you setup needs some options that not presented
+feel free to create pull requests. You can find available options in `defaults/main.yml` and `templates/sssd.conf.j2`
+
+`[sssd]` section allows to configure following options options:
+
+    sssd_defaults:
+      # Debug level for:
+      # Fatal failures, Critical failures, Serious failures
+      # Configuration settings, Function data
+      debug_level: '0x0370'
+      services: nss,pam,ssh
+
+`[nss]` section allows to configure following options options:
+
+    sssd_nss:
+      filter_users: root
+      filter_groups: root
+
+Some default values for domain specific configuration options are:
+
+    sssd_domain_defaults:
+      id_provider: ldap
+      auth_provider: ldap
+      enumerate: 'false'
+      ldap_uri: ldap://localhost
+      ldap_id_use_start_tls: 'false'
+      ldap_tls_reqcert: never
+      ldap_default_bind_dn: cn=manager,dc=example,dc=org
+      ldap_default_authtok_type: password
+      ldap_default_authtok: bind_password
+      ldap_search_base: dc=example,dc=org
+
+Role supports configuring multiple domains using following syntax:
+(see sssd man pages for more information)
+
+    sssd_domains:
+      - name: domain_name
+        id_provider:
+        auth_provider:
+        ldap_uri:
+        ldap_id_use_start_tls:
+        ldap_tls_reqcert:
+        ldap_default_bind_dn:
+        ldap_default_authtok_type:
+        ldap_default_authtok:
+        ldap_search_base:
+        ldap_user_search_base:
+        ldap_user_object_class:
+        ldap_user_name:
+        ldap_user_uid_number:
+        ldap_user_gid_number:
+        ldap_user_ssh_public_key:
+        ldap_user_email:
+        override_gid:
+        ldap_group_search_base:
+        ldap_group_object_class:
+        ldap_group_name:
+        ldap_group_gid_number:
+        ldap_group_member:
+
+Options that are listed in `sssd_domain_defaults` will allways be present in `sssd.conf`,
+other options can be omitted.
 
 Dependencies
 ------------
@@ -36,7 +89,7 @@ An example of how to use the role:
 
     - hosts: servers
       roles:
-         - { role: sssd-ldap }
+         - { role: ansible-sssd-ldap }
 
 License
 -------

defaults/main.yml

@@ -1,12 +1,35 @@
 ---
-sssd_ldap_search_base: dc=example,dc=org
-sssd_ldap_uri: ldap://example.org
-sssd_ldap_default_bind_dn: cn=manager,dc=example,dc=org
-sssd_ldap_default_authtok: bind_password
-sssd_ldap_user_ssh_public_key: sshPublicKey
-# If you need to override user's primary group you can use `sssd_ldap_override_gid` variable
-# sssd_ldap_override_gid: 500
+sssd_defaults:
+  # Debug level for:
+  # Fatal failures, Critical failures, Serious failures
+  # Configuration settings, Function data
+  debug_level: '0x0370'
+  services: nss,pam,ssh
 
-# The following variables can be defined:
-# sssd_ldap_user_search_base:
-# sssd_ldap_group_search_base:
+sssd_nss:
+  filter_users: root
+  filter_groups: root
+
+sssd_domain_defaults:
+  id_provider: ldap
+  auth_provider: ldap
+  enumerate: 'false'
+  ldap_uri: ldap://localhost
+  ldap_id_use_start_tls: 'false'
+  ldap_tls_reqcert: never
+  ldap_default_bind_dn: cn=manager,dc=example,dc=org
+  ldap_default_authtok_type: password
+  ldap_default_authtok: bind_password
+  ldap_search_base: dc=example,dc=org
+
+sssd_domains:
+  - name: default
+    id_provider: "{{ sssd_domain_defaults.id_provider }}"
+    auth_provider: "{{ sssd_domain_defaults.auth_provider }}"
+    ldap_uri: "{{ sssd_domain_defaults.ldap_uri }}"
+    ldap_id_use_start_tls: "{{ sssd_domain_defaults.ldap_id_use_start_tls }}"
+    ldap_tls_reqcert: "{{ sssd_domain_defaults.ldap_tls_reqcert }}"
+    ldap_default_bind_dn: "{{ sssd_domain_defaults.ldap_default_bind_dn }}"
+    ldap_default_authtok_type: "{{ sssd_domain_defaults.ldap_default_authtok_type }}"
+    ldap_default_authtok: "{{ sssd_domain_defaults.ldap_default_authtok }}"
+    ldap_search_base: "{{ sssd_domain_defaults.ldap_search_base }}"

.yamllint molecule/default/.yamllint.yamllint renamed to molecule/default/.yamllint

@@ -11,3 +11,5 @@ rules:
   # NOTE(retr0h): Templates no longer fail this lint rule.
   #               Uncomment if running old Molecule templates.
   # truthy: disable
+ignore: |
+  venv/

molecule/default/create.yml

@@ -45,6 +45,7 @@
         volumes: "{{ item.volumes | default(omit) }}"
         capabilities: "{{ item.capabilities | default(omit) }}"
         ports: "{{ item.exposed_ports | default(omit) }}"
+        links: "{{ item.links | default(omit) }}"
       register: server
       with_items: "{{ molecule_yml.platforms }}"
       async: 7200

molecule/default/molecule.yml

@@ -5,39 +5,48 @@ driver:
   name: docker
 lint:
   name: yamllint
+  options:
+    config-file: molecule/default/.yamllint
 platforms:
   - name: ubuntu-trusty
     image: ubuntu-upstart
     command: /sbin/init
-    privileged: True
+    privileged: 'true'
+    links:
+      - "openldap:openldap"
   - name: ubuntu-xenial
     image: solita/ubuntu-systemd
     command: /sbin/init
-    privileged: True
+    privileged: 'true'
     capabilities:
       - SYS_ADMIN
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    links:
+      - "openldap:openldap"
   - name: centos-7
     image: centos/systemd
     command: /usr/sbin/init
-    privileged: True
+    privileged: 'true'
     volumes:
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
     capabilities:
       - SYS_ADMIN
+    links:
+      - "openldap:openldap"
 provisioner:
   name: ansible
   inventory:
     group_vars:
       all:
-        sssd_ldap_search_base: dc=example,dc=com
-        sssd_ldap_user_search_base: dc=example,dc=com?subtree?(uidNumber=5000)
-        sssd_ldap_uri: ldap://localhost
-        sssd_ldap_default_bind_dn: cn=Manager,dc=example,dc=com
-        sssd_ldap_default_authtok: s3cr3t
-        sssd_ldap_user_ssh_public_key: sshPublicKey
-        sssd_ldap_override_gid: 1
+        sssd_domains:
+          - name: default
+            ldap_uri: ldap://openldap
+            ldap_search_base: dc=example,dc=org?subtree?(uidNumber=5000)
+            ldap_default_bind_dn: cn=admin,dc=example,dc=org
+            ldap_default_authtok: s3cr3t
+            ldap_user_ssh_public_key: sshPublicKey
+            override_gid: 1
   lint:
     name: ansible-lint
     options:

molecule/default/prepare.yml

@@ -9,47 +9,7 @@
       Debian: openssh-client
       RedHat: openssh-clients
 
-  roles:
-    - role: openldap
-      openldap_server_domain_name: example.com
-      openldap_server_rootpw: s3cr3t
-      openldap_server_enable_ssl: false
-
   tasks:
-    - name: install python-ldap
-      package:
-        name: python-ldap
-    - name: Make sure we have two test users
-      ldap_entry:
-        bind_dn: cn=Manager,dc=example,dc=com
-        bind_pw: s3cr3t
-        dn: 'uid={{ item.uid }},dc=example,dc=com'
-        objectClass:
-          - top
-          - person
-          - posixAccount
-          - inetOrgPerson
-          - organizationalPerson
-          - ldapPublicKey
-        attributes:
-          uid: "{{ item.uid }}"
-          uidNumber: "{{ item.uidNumber }}"
-          givenName: "{{ item.name }}"
-          sn: "{{ item.name }}"
-          cn: "{{ item.name }}"
-          loginShell: /bin/bash
-          homeDirectory: "/home/{{ item.uid }}"
-          sshPublicKey: "{{ item.sshPublicKey }}"
-          gidNumber: "{{ item.uidNumber }}"
-      with_items:
-        - name: Test
-          uid: test
-          uidNumber: 5000
-          sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYaGyXcqdQUIxjPr3eqXro9X/2LrLH2o+OrFeGRB2u3WxigroynxD8vLjtG6qyYYtgnvR9+2usVhbNNS3QdF3G5wenCR4Zpk6VIYofQrBYmrzJG9Bsig3G4SgnGF2x4KimupjCdD4+1S9OMF/4GzQZdaLl2HkSTYE+6430FbSD8i3IdpbRI526X8q4njrTHgIYUtAVFTPSudZ/3fIzFpfNlWq5wy1CXCGc7aqmHECQzareeoAM5NfgrUkw7TFrKP/zelDkqpJ6pwYTWg2VZYmoXmh2o+ttWFatGzJPUoeU/r+SjMn4YvMunT+L6NIrbJQkXwB9i3upMx2bQcuPl0cl test-key
-        - name: Filtered
-          uid: filtered-test
-          uidNumber: 5001
-          sshPublicKey: ''
     - name: create /root/.ssh dir
       file:
         path: /root/.ssh

run_tests.sh

@@ -0,0 +1,73 @@
+#!/bin/sh
+
+set -e
+
+echo "Create LDAP users"
+CUSTOM_LDIF_DIR=$(mktemp --directory)
+
+cat <<EOF >${CUSTOM_LDIF_DIR}/test.ldif
+dn: uid=test,dc=example,dc=org
+uid: test
+cn: test
+sn: Test
+objectClass: top
+objectClass: posixAccount
+objectClass: inetOrgPerson
+objectClass: ldapPublicKey
+loginShell: /bin/bash
+homeDirectory: /home/test
+uidNumber: 5000
+gidNumber: 5000
+mail: [email protected]
+gecos: Test User
+sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYaGyXcqdQUIxjPr3eqXro9X/2LrLH2o+OrFeGRB2u3WxigroynxD8vLjtG6qyYYtgnvR9+2usVhbNNS3QdF3G5wenCR4Zpk6VIYofQrBYmrzJG9Bsig3G4SgnGF2x4KimupjCdD4+1S9OMF/4GzQZdaLl2HkSTYE+6430FbSD8i3IdpbRI526X8q4njrTHgIYUtAVFTPSudZ/3fIzFpfNlWq5wy1CXCGc7aqmHECQzareeoAM5NfgrUkw7TFrKP/zelDkqpJ6pwYTWg2VZYmoXmh2o+ttWFatGzJPUoeU/r+SjMn4YvMunT+L6NIrbJQkXwB9i3upMx2bQcuPl0cl test-key
+EOF
+
+cat <<EOF >${CUSTOM_LDIF_DIR}/filtered.ldif
+dn: uid=filtered,dc=example,dc=org
+uid: filtered
+cn: filtered
+sn: Filtered
+objectClass: top
+objectClass: posixAccount
+objectClass: inetOrgPerson
+loginShell: /bin/bash
+homeDirectory: /home/filtered
+uidNumber: 5001
+gidNumber: 5001
+mail: [email protected]
+gecos: Filtered User
+EOF
+
+echo "Starting docker container running OpenLDAP server"
+LDAP_CONTAINER_NAME="openldap"
+LDAP_ADMIN_PASSWORD="s3cr3t"
+docker run --detach --name ${LDAP_CONTAINER_NAME} \
+    --env LDAP_ADMIN_PASSWORD=${LDAP_ADMIN_PASSWORD} \
+    --volume ${CUSTOM_LDIF_DIR}:/container/service/slapd/assets/config/bootstrap/ldif/custom \
+    osixia/openldap:1.2.0 --copy-service
+
+echo -n "Waiting for ldap server to be ready"
+until docker logs openldap 2>&1 | grep "slapd starting" >/dev/null 2>&1
+do echo -n "."; sleep 1; done
+echo
+
+echo "Prepare python virtual env for running tests"
+virtualenv --version >/dev/null
+if [ $? != 0 ]
+then
+  echo -e "Please install python virtualenv package to perform the tests"
+  exit 1
+fi
+virtualenv venv
+. ./venv/bin/activate
+pip install ansible docker-py molecule
+
+echo "Run molecule tests"
+molecule test
+
+echo "Cleanup"
+deactivate
+rm -rf ./venv/
+docker rm -f ${LDAP_CONTAINER_NAME}
+rm -rf ${CUSTOM_LDIF_DIR}