From dcf2e058ebe15019bfd33caa35f4b3a6a750709a Mon Sep 17 00:00:00 2001
From: Anastasia Kuznetsova
Date: Thu, 24 Mar 2016 18:11:11 +0300
Subject: [PATCH] Change the way of users creation in LDAP

Change-Id: I82b43edff5e7db98698d8538d7276c7199d53bca
---
 .../OpenLDAP2/package/Classes/OpenLDAP.yaml | 54 +++++++++++++------
 .../Resources/ConfigureOpenLDAPUser.template | 14 +++-
 .../scripts/configureOpenLDAPUser.sh | 23 +++++--
 .../package/Resources/scripts/site.pp | 6 +-
 murano-apps/OpenLDAP2/package/UI/ui.yaml | 17 ++++
 5 files changed, 86 insertions(+), 28 deletions(-)

diff --git a/murano-apps/OpenLDAP2/package/Classes/OpenLDAP.yaml b/murano-apps/OpenLDAP2/package/Classes/OpenLDAP.yaml
index 258b9a0..09d1616 100644
--- a/murano-apps/OpenLDAP2/package/Classes/OpenLDAP.yaml
+++ b/murano-apps/OpenLDAP2/package/Classes/OpenLDAP.yaml
@@ -17,13 +17,17 @@ Properties:
     Contract: $.string().notNull()
   domain:
     Contract: $.string().notNull()
+  ldapRootUser:
+    Contract: $.string().notNull()
+  ldapRootPass:
+    Contract: $.string().notNull()
   ldapUser:
-    Contract: $.string().notNull()
+    Contract: $.string()
   ldapPass:
-    Contract: $.string().notNull()
+    Contract: $.string()
 
 Methods:
-  initialize:
+  .init:
     Body:
       - $._environment: $.find(std:Environment).require()
 
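Review bot: `ldapRootUser` and `ldapUser` are accepted as arbitrary strings here, yet they are spliced unescaped into DNs and an LDIF heredoc on the agent side (`cn=${ADMIN_USERNAME},…` and `dn: uid=${USERNAME},…` in configureOpenLDAPUser.sh), so a value containing `,`, `=`, whitespace or a newline rewrites the DN or the LDIF instead of being rejected. Tighten the contracts to the character set a cn/uid should have, e.g. `Contract: $.string().notNull().check($ =~ '^[A-Za-z][A-Za-z0-9_.-]*$')` for `ldapRootUser` and `Contract: $.string().check($ = null or $ =~ '^[A-Za-z][A-Za-z0-9_.-]*$')` for the optional `ldapUser` (assuming this yaql version has the `=~` regex operator; otherwise `matches`). The password contracts could likewise reject `''`, since `$.string()` accepts the empty string and the script then sees a missing positional argument.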
@@ -49,14 +53,19 @@ Methods: - $.createConfiguration() - - $resources: new(sys:Resources) - $template: $resources.yaml('DeployOpenLDAP.template') - $._environment.reporter.report($this, 'OpenLDAP deploying') - $.instance.agent.call($template, $resources) - $._environment.reporter.report($this, format('OpenLDAP is available at {0}', $.instance.floatingIpAddress)) - - $.configureOpenLDAPUser($.domain, $.ldapUser, $.ldapPass) + - $._environment.reporter.report($this, format('Configuring root LDAP user')) + - $.configureOpenLDAPRootUser() + + - If: $.ldapUser != '' and $.ldapUser != null + Then: + - $._environment.reporter.report($this, format('Configuring base non-admin LDAP user')) + - $.configureOpenLDAPUser($.ldapUser, $.ldapPass) - $.setAttr(deployed, true) - $._environment.reporter.report($this, 'OpenLDAP is deployed!') @@ -65,11 +74,13 @@ Methods: Body: - $.instance.setHieraValue('ldap_domain', $.domain) - $.instance.setHieraValue('ldap_dc', $.domain.split('.')[0]) + - $.instance.setHieraValue('ldap_root_user', $.ldapRootUser) + - $.instance.setHieraValue('ldap_root_password', $.ldapRootPass) - $.instance.setHieraValue('ldap_user', $.ldapUser) - $.instance.setHieraValue('ldap_password', $.ldapPass) - !yaql "$.instance.setHieraValue('ldap::client::uri', 'localhost')" - - !yaql "$.instance.setHieraValue('ldap::server::rootpw', $.ldapPass)" + - !yaql "$.instance.setHieraValue('ldap::server::rootpw', $.ldapRootPass)" - !yaql "$.instance.setHieraValue('ldap::client::ssl_cert', '')" # 
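Review bot: The new `If:` guards only on `$.ldapUser`, so a username with an empty or null `ldapPass` (both properties are optional now) passes the guard and `configureOpenLDAPUser` is called with a password its `notNull()` contract rejects — or, for `''`, one that reaches the script as an empty unquoted `-s` argument. That failure happens after slapd is deployed and the root user is configured, leaving a half-configured instance. Guard on both values, `- If: $.ldapUser != '' and $.ldapUser != null and $.ldapPass != '' and $.ldapPass != null`, or validate the pair up front in `.init` so the deployment fails before any agent call. The enclosing deploy method starts before this hunk.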
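Review bot: `ldap_user` and `ldap_password` are still written to the instance's hiera store, but after this patch nothing visible reads them — site.pp is switched to `ldap_root_user`/`ldap_root_password`, and the non-admin account is created through the agent template instead. That leaves a clear-text copy of the non-admin credentials on the node for no purpose; drop the `setHieraValue('ldap_user', $.ldapUser)` and `setHieraValue('ldap_password', $.ldapPass)` lines unless a consumer outside this patch needs them. A short comment on the `ldap::server::rootpw` line noting that this is the slapd rootdn password stored in hiera in clear, e.g. `# rootdn password lands in hiera in clear text — hiera file must not be world-readable`, would help the next maintainer.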
@@ -78,31 +89,42 @@ Methods:
       #- !yaql "$.instance.setHieraValue('ldap::client::base', 'dc=example,dc=com')"
       #- !yaql "$.instance.setHieraValue('ldap::client::ssl', 'false')"
       #- !yaql "$.instance.setHieraValue('ldap::server::suffix', 'dc=example,dc=com')"
-      #- !yaql "$.instance.setHieraValue('ldap::server::rootdn', 'cn=admin,dc=example,dc=com')"
+      #- !yaql "$.instance.setHieraValue('ldap::server::rootdn', format('cn={0},dc=example,dc=com', $.ldapRootUser))"
       #- !yaql "$.instance.setHieraValue('ldap::server::ssl', false)"
       #- !yaql "$.instance.setHieraValue('ldap::server::ssl_cacert', '')"
       #- !yaql "$.instance.setHieraValue('ldap::server::ssl_cert', '')"
       #- !yaql "$.instance.setHieraValue('ldap::server::ssl_key', '')"
 
+  configureOpenLDAPRootUser:
+    Body:
+      - $resources: new(sys:Resources)
+      - $template: $resources.yaml('ConfigureOpenLDAPUser.template').bind(dict(
+          domain => $this.domain,
+          rootUser => $this.ldapRootUser,
+          rootPass => $this.ldapRootPass,
+          user => '',
+          password => ''
+        ))
+      - $.instance.agent.call($template, $resources)
+
   configureOpenLDAPUser:
     Arguments:
-      - domain:
+      - user:
           Contract: $.string().notNull()
-      - ldapUser:
-          Contract: $.string().notNull()
-      - ldapPass:
+      - password:
           Contract: $.string().notNull()
     Body:
       - $resources: new(sys:Resources)
       - $template: $resources.yaml('ConfigureOpenLDAPUser.template').bind(dict(
-          domain => $domain,
-          ldapUser => $ldapUser,
-          ldapPass => $ldapPass
+          domain => $this.domain,
+          rootUser => $this.ldapRootUser,
+          rootPass => $this.ldapRootPass,
+          user => $user,
+          password => $password
         ))
       - $.instance.agent.call($template, $resources)
-      - $._environment.reporter.report($this, 'OpenLDAP user {0} is added'.format($ldapUser))
 
   destroy:
     Body:
       - $.reportDestroyed()
-      - $.setAttr(deployed, false)
+      - $.setAttr(deployed, false)
\ No newline at end of file
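Review bot: `configureOpenLDAPRootUser` binds `user => ''` and `password => ''` and relies on the template joining them into argv and on the script's `[ -z $USERNAME ]` fallback, so the root account only gets its `uid=<root>,ou=users` entry through an implicit empty-argument convention that nothing here documents. The `configureOpenLDAPUser` argument contracts (`$.string().notNull()`) still accept `''` as well, which silently triggers that same fallback for a caller that meant to create a different user. Add `.check(len($) > 0)` to both argument contracts, and put a comment on `configureOpenLDAPRootUser` such as `# empty user/password make configureOpenLDAPUser.sh create the root account itself under ou=users with the root password`. Sending the root password with every user-creation call is unavoidable for the bind, but it is worth noting in that comment that the value is visible to the agent and to whatever logs its execution plans.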
diff --git a/murano-apps/OpenLDAP2/package/Resources/ConfigureOpenLDAPUser.template b/murano-apps/OpenLDAP2/package/Resources/ConfigureOpenLDAPUser.template
index b91e88e..cb4e2ce 100644
--- a/murano-apps/OpenLDAP2/package/Resources/ConfigureOpenLDAPUser.template
+++ b/murano-apps/OpenLDAP2/package/Resources/ConfigureOpenLDAPUser.template
@@ -4,11 +4,19 @@ Name: Configure OpenLDAP
 
 Parameters:
   domain: $domain
-  ldapUser: $ldapUser
-  ldapPass: $ldapPass
+  rootUser: $rootUser
+  rootPass: $rootPass
+  user: $user
+  password: $password
 
 Body: |
-  return configure('{0} {1} {2}'.format(args.domain, args.ldapUser, args.ldapPass)).stdout
+  return configure(
+    '{0} {1} {2} {3} {4}'.format(
+      args.domain,
+      args.rootUser,
+      args.rootPass,
+      args.user,
+      args.password)).stdout
 
 Scripts:
   configure:
diff --git a/murano-apps/OpenLDAP2/package/Resources/scripts/configureOpenLDAPUser.sh b/murano-apps/OpenLDAP2/package/Resources/scripts/configureOpenLDAPUser.sh
index a8b64ba..275b680 100644
--- a/murano-apps/OpenLDAP2/package/Resources/scripts/configureOpenLDAPUser.sh
+++ b/murano-apps/OpenLDAP2/package/Resources/scripts/configureOpenLDAPUser.sh
@@ -1,15 +1,26 @@
 #!/bin/bash
 
 DOMAIN="$1"
-USERNAME="$2"
-PASSWORD="$3"
+ADMIN_USERNAME="$2"
+ADMIN_PASSWORD="$3"
+USERNAME="$4"
+PASSWORD="$5"
 
-DOMAIN_PASSWORD=$PASSWORD
+DOMAIN_PASSWORD="$ADMIN_PASSWORD"
 
 NAME="`echo "$DOMAIN" | cut -d. -f1`"
 TLD="`echo "$DOMAIN" | cut -d. -f2`"
 
+# If user doesn't specify non-admin username/password then
+# script will create just admin user
 
-ldapadd -x -w $DOMAIN_PASSWORD -D "cn=${USERNAME},dc=${NAME},dc=${TLD}" << USER
+if [ -z $USERNAME ];
+  then
+    USERNAME="$ADMIN_USERNAME";
+    PASSWORD="$ADMIN_PASSWORD";
+fi
+
+
+ldapadd -x -w $DOMAIN_PASSWORD -D "cn=${ADMIN_USERNAME},dc=${NAME},dc=${TLD}" << USER
 dn: uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD}
 objectClass: top
 objectClass: account
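Review bot: The five values are joined with spaces into one string on the new `return configure('{0} {1} {2} {3} {4}'.format(…))` lines, so the script can only recover them by word-splitting: a root or user password containing whitespace is split across `$3`..`$5` and silently corrupts both the bind and the account being created, and if the agent hands this string to a shell (which the single-string call suggests), quotes, `$` or `;` in a password are interpreted rather than passed through. The empty `user`/`password` that `configureOpenLDAPRootUser` supplies likewise become unset positionals only because trailing spaces vanish on splitting. If `configure` can take the values separately, pass them that way; either way the two passwords should not travel as command-line arguments at all, since they are visible in `ps` and in the agent's execution log — a file or stdin handed to the script is the usual fix. A comment above the call, `# values are shell-split by the agent: no whitespace or shell metacharacters allowed`, would at least document the constraint until that is done.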
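Review bot: `if [ -z $USERNAME ];` is unquoted, so it only handles the empty case by accident (`[ -z ]` is true) and misbehaves for a value with spaces or starting with `-`; write `if [ -z "$USERNAME" ]; then`. The bigger point is the fallback itself: with no non-admin user it creates `uid=${ADMIN_USERNAME},ou=users,…` with `PASSWORD="$ADMIN_PASSWORD"`, so the slapd rootdn secret also becomes the password of an ordinary `ou=users` entry that clients authenticate against, and compromising that account yields the rootdn password. If that duplicate entry is wanted, say so in the comment above the `if` and give it a password of its own; otherwise `exit 0` when `$USERNAME` is empty. Adding `set -eu` after the shebang and quoting `-w "$DOMAIN_PASSWORD"` would also stop the script from continuing into `ldappasswd`/`ldapwhoami` after a failed `ldapadd`; the LDIF heredoc continues past this hunk.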
@@ -28,7 +39,7 @@ shadowMax: 0
 shadowWarning: 0
 USER
 
-ldappasswd -w $DOMAIN_PASSWORD -s ${PASSWORD} -D "cn=${USERNAME},dc=${NAME},dc=${TLD}" -x uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD}
+ldappasswd -w $DOMAIN_PASSWORD -s ${PASSWORD} -D "cn=${ADMIN_USERNAME},dc=${NAME},dc=${TLD}" -x uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD}
 
 # check if user been created
-ldapwhoami -x -w ${PASSWORD} -D uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD} -hlocalhost -p389
\ No newline at end of file
+ldapwhoami -x -w ${PASSWORD} -D uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD} -hlocalhost -p389
diff --git a/murano-apps/OpenLDAP2/package/Resources/scripts/site.pp b/murano-apps/OpenLDAP2/package/Resources/scripts/site.pp
index 970fa4d..7c630aa 100644
--- a/murano-apps/OpenLDAP2/package/Resources/scripts/site.pp
+++ b/murano-apps/OpenLDAP2/package/Resources/scripts/site.pp
@@ -2,12 +2,12 @@ node default {
 
   $dc = hiera("ldap_dc")
   $dn = domain2dn(hiera("ldap_domain"))
-  $user = hiera('ldap_user')
+  $user = hiera('ldap_root_user')
 
   class { 'ldap::server':
     suffix => $dn,
     rootdn => "cn=$user,$dn",
-    rootpw => hiera('ldap_password'),
+    rootpw => hiera('ldap_root_password'),
   }
 
   $ldap_defaults = {
@@ -17,7 +17,7 @@ node default {
     port => 389,
     ssl => false,
     username => "cn=$user,${dn}",
-    password => hiera('ldap_password')
+    password => hiera('ldap_root_password')
   }
 
   $ldap_entries = {
diff --git a/murano-apps/OpenLDAP2/package/UI/ui.yaml b/murano-apps/OpenLDAP2/package/UI/ui.yaml
index 2a34566..11a0ded 100644
--- a/murano-apps/OpenLDAP2/package/UI/ui.yaml
+++ b/murano-apps/OpenLDAP2/package/UI/ui.yaml
@@ -5,6 +5,8 @@ Application:
   type: io.murano.opaas.OpenLDAP
   name: $.appConfiguration.name
   domain: $.appConfiguration.domain
+  ldapRootUser: $.appConfiguration.ldapRootUser
+  ldapRootPass: $.appConfiguration.ldapRootPass
   ldapUser: $.appConfiguration.ldapUser
   ldapPass: $.appConfiguration.ldapPass
   instance:
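Review bot: Both the bind password and the new password still go on the command line unquoted, `-w $DOMAIN_PASSWORD -s ${PASSWORD}`, and again on the `ldapwhoami` line, where they are readable by any local user through `ps`/`/proc` for the duration of the call and break on whitespace. The OpenLDAP tools accept the secrets from files instead (`-y <file>` for the bind password, `-T <file>` for ldappasswd's new password), so a mode-0600 temp file removed on exit closes that. The script's exit status is also only that of the last `ldapwhoami` and the template returns stdout alone, so a failed `ldappasswd` is not surfaced unless the whoami happens to fail as well; `|| exit 1` on each call fixes that. The same `-w $DOMAIN_PASSWORD` exposure exists on the `ldapadd` line above this hunk.
```shell
# … unchanged: LDIF heredoc fed to ldapadd …
PWFILE="$(mktemp)"; NEWPWFILE="$(mktemp)"
chmod 0600 "$PWFILE" "$NEWPWFILE"
trap 'rm -f "$PWFILE" "$NEWPWFILE"' EXIT
printf '%s' "$DOMAIN_PASSWORD" > "$PWFILE"
printf '%s' "$PASSWORD" > "$NEWPWFILE"

ldappasswd -x -y "$PWFILE" -T "$NEWPWFILE" -D "cn=${ADMIN_USERNAME},dc=${NAME},dc=${TLD}" "uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD}" || exit 1

# check if user been created
ldapwhoami -x -y "$NEWPWFILE" -D "uid=${USERNAME},ou=users,dc=${NAME},dc=${TLD}" -h localhost -p 389 || exit 1
```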
@@ -34,15 +36,30 @@ Forms:
           descriptionTitle: Domain
           description: >-
             Please, provide domain for the OpenLDAP instance
+        - name: ldapRootUser
+          type: string
+          label: Root Username
+          initial: admin
+          descriptionTitle: LDAP Root User
+          description: >-
+            Please, provide admin username
+        - name: ldapRootPass
+          type: password
+          label: Root Password
+          descriptionTitle: LDAP Root Password
+          description: >-
+            Please, provide admin password
         - name: ldapUser
           type: string
           label: Username
+          required: false
           descriptionTitle: LDAP User
           description: >-
             Please, provide username
         - name: ldapPass
           type: password
           label: Password
+          required: false
           descriptionTitle: LDAP Password
           description: >-
             Please, provide password
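Review bot: `ldapUser` and `ldapPass` are made optional independently (`required: false` on each), so the form accepts a username without a password and vice versa, and the class then calls `configureOpenLDAPUser` with a null or empty password. Either tie them together with a form-level validator, if this Murano version supports one (e.g. `validators: - expr: $.appConfiguration.ldapUser = null or $.appConfiguration.ldapPass != null` with a `message`), or at least say in both descriptions that the pair must be supplied together. Neither username field has a `regexpValidator`, although the values end up verbatim in DNs and in an LDIF heredoc on the instance; `regexpValidator: '^[A-Za-z][A-Za-z0-9_.-]*$'` plus an `errorMessages` hint on `ldapRootUser` and `ldapUser` would reject `,`, `=` and whitespace at input time. The root-user description should also state what the value is, e.g. `description: Username of the slapd rootdn (cn=<name>,dc=...); a matching uid=<name>,ou=users entry is created with the same password`, since "admin username" does not convey that the password unlocks the whole directory.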