Merge pull request #220 from mrtwnklr/jf_domain_cfg_1_rebased_with_pw_storage_and_sync

Support for authentication realms configuration

Author: lae

README.md

@@ -466,27 +466,36 @@ you need to install the `ifupdown2` package. Note that this will remove
 You can set realms / domains as authentication sources in the `domains.cfg` configuration file.
 If this file is not present, only the `Linux PAM` and `Proxmox VE authentication server` realms
 are available. Supported types are `pam`, `pve`, `ad` and `ldap`.
+It’s possible to automatically sync users and groups for LDAP-based realms (LDAP & Microsoft Active Directory) with `sync: true`.
 One realm should have the `default: 1` property to mark it as the default:
 
 ```
 pve_domains_cfg:
-    - name: pam
-      type: pam
+  - name: pam
+    type: pam
+    attributes:
       comment: Linux PAM standard authentication
-    - name: pve
-      type: pve
+  - name: pve
+    type: pve
+    attributes:
       comment: Proxmox VE authentication server
-    - name: AD
-      type: ad
+  - name: ad
+    type: ad
+    attributes:
       comment: Active Directory authentication
       domain: yourdomain.com
       server1: dc01.yourdomain.com
       default: 1
       secure: 1
       server2: dc02.yourdomain.com
-    - name: LDAP
-      type: ldap
+  - name: ldap
+    type: ldap
+    sync: true
+    attributes:
+      comment: LDAP authentication
       base_dn: CN=Users,dc=yourdomain,dc=com
+      bind_dn: "uid=svc-reader,CN=Users,dc=yourdomain,dc=com"
+      bind_password: "{{ secret_ldap_svc_reader_password }}"
       server1: ldap1.yourdomain.com
       user_attr: uid
       secure: 1

defaults/main.yml

@@ -36,6 +36,7 @@ pve_manage_hosts_enabled: yes
 pve_cluster_addr0: "{{ ansible_default_ipv4.address if ansible_default_ipv4.address is defined else ansible_default_ipv6.address if ansible_default_ipv6.address is defined }}"
 # pve_cluster_addr1: "{{ ansible_eth1.ipv4.address }}
 pve_datacenter_cfg: {}
+pve_domains_cfg: []
 pve_cluster_ha_groups: []
 # additional roles for your cluster (f.e. for monitoring)
 pve_pools: []

tasks/main.yml

@@ -249,6 +249,27 @@
   with_items: "{{ pve_users }}"
   when: "not pve_cluster_enabled | bool or (pve_cluster_enabled | bool and inventory_hostname == _init_node)"
 
+- import_tasks: realms_config.yml
+  when:
+    - not pve_cluster_enabled | bool or (pve_cluster_enabled and inventory_hostname == groups[pve_group][0])
+    - pve_domains_cfg | length > 0
+
+- name: Select ldap-based realms with sync
+  set_fact:
+    pve_ldap_realms_with_sync: |
+      {{ pve_domains_cfg | selectattr('type', 'in', ['ad', 'ldap'])
+                         | selectattr('sync', 'defined') }}
+
+- name: Sync ldap-based realms
+  include_tasks: realms_sync.yml
+  loop: "{{ pve_ldap_realms_with_sync | flatten(levels=1) }}"
+  loop_control:
+    loop_var: pve_ldap_realm
+  when:
+    - not pve_cluster_enabled | bool or (pve_cluster_enabled and inventory_hostname == groups[pve_group][0])
+    - pve_domains_cfg | length > 0
+    - pve_ldap_realm.sync | bool
+
 - name: Configure Proxmox ACLs
   proxmox_acl:
     path: "{{ item.path }}"

tasks/realms_config.yml

@@ -0,0 +1,68 @@
+---
+- name: Check domains.cfg exists
+  stat:
+    path: "/etc/pve/domains.cfg"
+  register: _domains_cfg
+
+- name: Create domains.cfg if it does not exist
+  file:
+    path: "/etc/pve/domains.cfg"
+    state: "touch"
+  when:
+    - not _domains_cfg.stat.exists
+
+- name: Configure domains.cfg
+  # The parser for domains.cfg requires a blank line after each domain,
+  # and there's a TAB character before printing each key / value pair for a domain
+  copy:
+    dest: "/etc/pve/domains.cfg"
+    owner: "root"
+    group: "www-data"
+    mode: "0640"
+    content: |
+      {% for domain in pve_domains_cfg %}
+      {{ domain.type }}: {{ domain.name }}
+      {% if domain.attributes %}
+      {% for k,v in domain.attributes.items() %}
+      {% if k != 'bind_password' %}
+      	{{ k }} {{ v }}
+      {% endif %}
+      {% endfor %}
+      {% endif %}
+
+      {% endfor %}
+
+- name: Select ldap-based realms with bind_password
+  set_fact:
+    pve_ldap_realms_with_bind_pw: |
+      {{ pve_domains_cfg | selectattr('type', 'in', ['ad', 'ldap'])
+                         | selectattr('attributes.bind_password', 'defined') }}
+
+- name: Ensure /etc/pve/priv/realm/ exists
+  ansible.builtin.file:
+    path: /etc/pve/priv/realm
+    state: directory
+    owner: root
+    group: www-data
+    mode: 0700
+  when: pve_ldap_realms_with_bind_pw | length
+
+- name: Ensure ldap-based realm secret files exists
+  ansible.builtin.file:
+    path: "/etc/pve/priv/realm/{{ item.name }}.pw"
+    access_time: preserve
+    modification_time: preserve
+    state: touch
+    mode: 0600
+  with_items:
+    - "{{ pve_ldap_realms_with_bind_pw }}"
+
+- name: Update ldap-based realm secret files
+  ansible.builtin.copy:
+    content: "{{ item.attributes.bind_password }}"
+    dest: "/etc/pve/priv/realm/{{ item.name }}.pw"
+    owner: root
+    group: www-data
+    mode: 0600
+  with_items:
+    - "{{ pve_ldap_realms_with_bind_pw }}"

tasks/realms_sync.yml

@@ -0,0 +1,59 @@
+---
+# expects to be called with variable pve_ldap_realm set
+
+- name: Get pre-sync state of groups
+  ansible.builtin.shell: pveum group list --output-format json-pretty
+  register: groups_before
+  changed_when: false
+
+- name: Get pre-sync state of users
+  ansible.builtin.shell: pveum user list --output-format json-pretty
+  register: users_before
+  changed_when: false
+
+- name: "Sync ldap-based realm {{ pve_ldap_realm.name }}"
+  ansible.builtin.shell: |
+    pveum realm sync {{ pve_ldap_realm.name }}
+  changed_when: false
+
+- name: Get post-sync state of groups
+  ansible.builtin.shell: pveum group list --output-format json-pretty
+  register: groups_after
+  changed_when: false
+
+- name: Get post-sync state of users
+  ansible.builtin.shell: pveum user list --output-format json-pretty
+  register: users_after
+  changed_when: false
+
+- name: Create temporary file for pre-post-sync comparation
+  ansible.builtin.tempfile:
+    state: file
+    suffix: pve_realm_sync_pre
+  register: pre_sync_content
+  changed_when: false
+
+- name: Save pre-sync state of groups and users
+  ansible.builtin.copy:
+    content: |
+      {{ groups_before.stdout | from_json | sort(attribute='groupid') | to_yaml }}
+      {{ users_before.stdout | from_json | sort(attribute='userid') | to_yaml }}
+    dest: "{{ pre_sync_content.path }}"
+  changed_when: false
+  when: not ansible_check_mode
+
+- name: "Compare to post-sync state of groups and users for realm {{ pve_ldap_realm.name }}"
+  ansible.builtin.copy:
+    content: |
+      {{ groups_after.stdout | from_json | sort(attribute='groupid') | to_yaml }}
+      {{ users_after.stdout | from_json | sort(attribute='userid') | to_yaml }}
+    dest: "{{ pre_sync_content.path }}"
+  when: not ansible_check_mode
+  diff: true
+
+- name: Remove the temporary file for pre-post-sync comparation
+  ansible.builtin.file:
+    path: "{{ pre_sync_content.path }}"
+    state: absent
+  when: not ansible_check_mode
+  changed_when: false

tests/group_vars/all

@@ -15,6 +15,35 @@ pve_ssl_certificate: "{{ lookup('file', ssl_host_cert_path) }}"
 pve_cluster_enabled: yes
 pve_datacenter_cfg:
   console: xtermjs
+pve_domains_cfg:
+  - name: pam
+    type: pam
+    attributes:
+      comment: Linux PAM standard authentication
+  - name: pve
+    type: pve
+    attributes:
+      comment: Proxmox VE authentication server
+  - name: ad
+    type: ad
+    attributes:
+      comment: Active Directory authentication
+      domain: yourdomain.com
+      server1: dc01.yourdomain.com
+      default: 1
+      secure: 1
+      server2: dc02.yourdomain.com
+  - name: ldap
+    type: ldap
+    attributes:
+      comment: LDAP authentication
+      base_dn: CN=Users,dc=yourdomain,dc=com
+      bind_dn: "uid=svc-reader,CN=Users,dc=yourdomain,dc=com"
+      bind_password: "my-password"
+      server1: ldap1.yourdomain.com
+      user_attr: uid
+      secure: 1
+      server2: ldap2.yourdomain.com
 pve_cluster_ha_groups:
   - name: proxmox_5_01
     comment: "Resources on proxmox-5-01"

tests/test.yml

@@ -16,6 +16,34 @@
       vars:
         query: "([?type=='cluster'].quorate)[0]"
 
+    - name: Query PVE realms
+      shell: "pvesh get /access/domains --output=json"
+      register: _pve_realms
+      changed_when: False
+
+    - name: Construct realm list
+      set_fact:
+        realm_list: "{{ realm_list | default([]) }} + [ '{{ item.type }}' ]"
+      with_items: "{{ pve_domains_cfg }}"
+
+    - name: Check that PVE realms exist
+      assert:
+        that: "realm_list is subset(_pve_realms.stdout | from_json | json_query(query))"
+      vars:
+        query: "[*].type"
+      run_once: True
+
+    - name: Check PVE realms configuration
+      assert:
+        that:
+          - item.type == realm.type
+          - item.name == realm.realm
+          - item.attributes.comment == realm.comment
+      vars:
+        realm: '{{ _pve_realms.stdout | from_json
+                   | json_query("[?realm==''" + item.name + "'']") | first }}'
+      with_items: "{{ pve_domains_cfg }}"
+
     - name: Query PVE groups
       shell: "pvesh get /access/groups --output=json"
       register: _pve_groups