PHPC-103: Virtualize OpenLDAP server using CentOS

Author: bjori

Vagrantfile

@@ -23,8 +23,18 @@ Vagrant.configure(2) do |config|
     mo.vm.provision "shell", path: "scripts/ubuntu/mongo-orchestration.sh"
   end
 
+  config.vm.define "ldap", autostart: false do |ldap|
+    ldap.vm.network "private_network", ip: "192.168.112.20"
 
+    ldap.vm.box = "http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box"
+    ldap.vm.provider "vmware_workstation" do |vmware, override|
+      override.vm.box_url = "https://dl.dropbox.com/u/5721940/vagrant-boxes/vagrant-centos-6.4-x86_64-vmware_fusion.box"
+    end
 
+    ldap.vm.provision "shell", path: "scripts/centos/essentials.sh"
+    #ldap.vm.provision "shell", path: "scripts/centos/mongo-orchestration.sh"
+    ldap.vm.provision "shell", path: "scripts/centos/ldap/install.sh"
+  end
 
 end
 

scripts/centos/essentials.sh

@@ -0,0 +1,10 @@
+# Tools you can't live without
+sudo yum install -y git vim
+
+
+# I can't stand emacs
+echo 'set -o vi' | sudo tee /etc/profile.d/vishell.sh
+
+# Who knows how to configure RHEL at all anyway?
+sudo service iptables stop
+sudo chkconfig iptables off

scripts/centos/ldap/Domain.ldif

@@ -0,0 +1,5 @@
+dn: dc=10gen,dc=me
+objectClass: dcObject
+objectClass: organization
+dc: 10gen
+o : 10gen

scripts/centos/ldap/Users.ldif

@@ -0,0 +1,3 @@
+dn: ou=Users,dc=10gen,dc=me
+ou: Users
+objectClass: organizationalUnit

scripts/centos/ldap/basics.ldif

@@ -0,0 +1,10 @@
+dn: dc=10gen,dc=me
+objectclass: dcObject
+objectclass: organization
+o: MongoDB
+dc: 10gen
+
+dn: cn=Manager,dc=10gen,dc=me
+objectclass: organizationalRole
+cn: Manager
+

scripts/centos/ldap/install.sh

@@ -0,0 +1,31 @@
+yum -y update
+yum -y install epel-release
+yum -y install openldap-servers openldap-clients openldap-devel python-devel gcc cyrus-sasl-plain xfsprogs net-snmp ps-misc wget python-pip python-ldap
+
+service slapd stop
+service slapd start
+#just in case
+sleep 10
+
+ldapadd -Y EXTERNAL -H ldapi:/// -f /phongo/scripts/centos/ldap/pw.ldif
+# Add our specifics
+ldapadd -x -D "cn=Manager,dc=10gen,dc=me" -w password -f /phongo/scripts/centos/ldap/Domain.ldif
+ldapadd -x -D "cn=Manager,dc=10gen,dc=me" -w password -f /phongo/scripts/centos/ldap/Users.ldif
+
+# Add the users
+python /phongo/scripts/centos/ldap/ldapconfig.py -f /phongo/scripts/centos/ldap/users
+
+# setup saslauthd
+#sed -i 's/MECH=pam/MECH=ldap/' /etc/sysconfig/saslauthd
+#cp /phongo/scripts/centos/ldap/saslauthd.conf /etc/
+#service saslauthd start
+
+testsaslauthd -u bugs -p password -s mongod -f /var/run/saslauthd/mux
+#Show your work!
+ldapsearch -x -LLL -b dc=10gen,dc=me
+ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
+
+#Set up mongod.conf
+#echo "auth=true" >> /home/phongo/scripts/centos/ldap/mongod.conf
+#echo "setParameter=saslauthdPath=/var/run/saslauthd/mux" >> /home/phongo/scripts/centos/ldap/mongod.conf
+#echo "setParameter=authenticationMechanisms=PLAIN" >> /home/phongo/scripts/centos/ldap/mongod.conf

scripts/centos/ldap/ldapconfig.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+import optparse
+import ldap
+import ldap.modlist as modlist
+
+def main():
+	parser = optparse.OptionParser(usage="""\
+				%prog [options]
+				Add users to LDAP """)
+
+	# add in command line options. Add mongo host/port combo later
+	parser.add_option("-f", "--filename", dest="fname",
+			    help="name of file with user names",
+			    default=None)
+
+	(options, args) = parser.parse_args()
+
+	if options.fname is None:
+		print "\nERROR: Must specify name of file to import\n"
+		sys.exit(-1)
+
+	# Open a connection
+	l = ldap.initialize("ldap://localhost")
+
+	# Bind/authenticate with a user with apropriate rights to add objects
+	l.simple_bind_s("cn=Manager,dc=10gen,dc=me","password")
+	
+	for uname in open(options.fname, 'r'):	
+		try:
+			# The dn of our new entry/object
+			print "adding ", uname
+			dn= 'uid=' + uname.lower() + ',ou=Users,dc=10gen,dc=me'
+	
+			ldif = configUser(uname.rstrip('\r\n')) 
+
+			# Do the actual synchronous add-operation to the ldapserver
+			l.add_s(dn,ldif)
+		except ldap.LDAPError, e:
+			print e.message['info']
+
+	# Its nice to the server to disconnect and free resources when done
+	l.unbind_s()
+
+# Do the tld configuration for the ldap tree
+def configDC():
+	# A dict to help build the "body" of the object
+	attrs = {}
+	attrs['objectclass'] = ['organization','dcObject']
+	attrs['dn'] = 'dc=10gen,dc=me'
+	attrs['dc'] = '10gen'
+	attrs['o'] = '10gen'
+	# Convert our dict to nice syntax for the add-function using modlist
+	ldif = modlist.addModlist(attrs)
+
+def configOU():
+	# A dict to help build the "body" of the object
+	attrs = {}
+	attrs['dn'] = 'dc=10gen,dc=me'
+	attrs['objectclass'] = ['organiationalUnit']
+	attrs['ou'] = 'Users'
+	ldif = modlist.addModlist(attrs)
+
+def configUser( uname ):
+	attrs = {}
+#	attrs['dn'] = ['cn=' + uname + 'ou=Users,dc=10gen,dc=me']
+	attrs['cn'] = [uname]
+#	attrs['uid'] = [uname]
+	attrs['sn'] = 'TestUser'
+	attrs['objectclass'] = ['inetOrgPerson']
+	attrs['userPassword'] = 'password'
+	return modlist.addModlist(attrs)
+
+if __name__ == "__main__":
+	main()

scripts/centos/ldap/mongod.ldif

@@ -0,0 +1,158 @@
+#
+# See slapd-config(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcArgsFile: /var/run/openldap/slapd.args
+olcPidFile: /var/run/openldap/slapd.pid
+#
+# TLS settings
+#
+olcTLSCACertificatePath: /etc/openldap/certs
+olcTLSCertificateFile: "OpenLDAP Server"
+olcTLSCertificateKeyFile: /etc/openldap/certs/password
+#
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#
+#olcReferral: ldap://root.openldap.org
+#
+# Sample security restrictions
+#	Require integrity protection (prevent hijacking)
+#	Require 112-bit (3DES or better) encryption for updates
+#	Require 64-bit encryption for simple bind
+#
+#olcSecurity: ssf=1 update_ssf=112 simple_bind=64
+
+
+#
+# Load dynamic backend modules:
+# - modulepath is architecture dependent value (32/64-bit system)
+# - back_sql.la backend requires openldap-servers-sql package
+# - dyngroup.la and dynlist.la cannot be used at the same time
+#
+
+#dn: cn=module,cn=config
+#objectClass: olcModuleList
+#cn: module
+#olcModulepath:	/usr/lib/openldap
+#olcModulepath:	/usr/lib64/openldap
+#olcModuleload: accesslog.la
+#olcModuleload: auditlog.la
+#olcModuleload: back_dnssrv.la
+#olcModuleload: back_ldap.la
+#olcModuleload: back_mdb.la
+#olcModuleload: back_meta.la
+#olcModuleload: back_null.la
+#olcModuleload: back_passwd.la
+#olcModuleload: back_relay.la
+#olcModuleload: back_shell.la
+#olcModuleload: back_sock.la
+#olcModuleload: collect.la
+#olcModuleload: constraint.la
+#olcModuleload: dds.la
+#olcModuleload: deref.la
+#olcModuleload: dyngroup.la
+#olcModuleload: dynlist.la
+#olcModuleload: memberof.la
+#olcModuleload: pcache.la
+#olcModuleload: ppolicy.la
+#olcModuleload: refint.la
+#olcModuleload: retcode.la
+#olcModuleload: rwm.la
+#olcModuleload: seqmod.la
+#olcModuleload: smbk5pwd.la
+#olcModuleload: sssvlv.la
+#olcModuleload: syncprov.la
+#olcModuleload: translucent.la
+#olcModuleload: unique.la
+#olcModuleload: valsort.la
+
+
+#
+# Schema settings
+#
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///etc/openldap/schema/core.ldif
+include: file:///etc/openldap/schema/corba.schema
+include: file:///etc/openldap/schema/cosine.ldif
+include: file:///etc/openldap/schema/duaconf.schema
+include: file:///etc/openldap/schema/dyngroup.schema
+include: file:///etc/openldap/schema/inetorgperson.ldif
+include: file:///etc/openldap/schema/java.schema
+include: file:///etc/openldap/schema/misc.schema
+include: file:///etc/openldap/schema/nis.ldif
+include: file:///etc/openldap/schema/openldap.ldif
+include: file:///etc/openldap/schema/ppolicy.schema
+include: file:///etc/openldap/schema/collective.schema
+#
+# Frontend settings
+#
+
+dn: olcDatabase=frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: frontend
+#
+# Sample global access control policy:
+#	Root DSE: allow anyone to read it
+#	Subschema (sub)entry DSE: allow anyone to read it
+#	Other DSEs:
+#		Allow self write access
+#		Allow authenticated users read access
+#		Allow anonymous users to authenticate
+#
+#olcAccess: to dn.base="" by * read
+#olcAccess: to dn.base="cn=Subschema" by * read
+#olcAccess: to *
+#	by self write
+#	by users read
+#	by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+#
+
+#
+# Configuration database
+#
+
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" manage by * none
+
+#
+# Server status monitoring
+#
+
+dn: olcDatabase=monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: monitor
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
+ n=auth" read by dn.base="cn=Manager,dc=10gen,dc=me" read by * none
+
+#
+# Backend database definitions
+#
+
+dn: olcDatabase=hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: hdb
+olcSuffix: dc=10gen,dc=me
+olcRootDN: cn=Manager,dc=10gen,dc=me
+olcRootPW: {SSHA}t3hTZGC4FTOS6AnTa76aX7HRtt1IDqFM
+olcDbDirectory:	/var/lib/ldap
+olcDbIndex: objectClass eq,pres
+olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

scripts/centos/ldap/pw.ldif

@@ -0,0 +1,23 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}t3hTZGC4FTOS6AnTa76aX7HRtt1IDqFM
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=10gen,dc=me
+
+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {SSHA}t3hTZGC4FTOS6AnTa76aX7HRtt1IDqFM
+-
+replace: olcSuffix
+olcSuffix: dc=10gen,dc=me
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,dc=10gen,dc=me
+
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *  by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read  by dn.base="cn=Manager,dc=10gen,dc=me" read  by * none

scripts/centos/ldap/saslauthd.conf

@@ -0,0 +1,3 @@
+ldap_servers: ldap://localhost:389
+ldap_search_base: ou=Users,dc=10gen,dc=me
+ldap_filter: (uid=%u)