def install_sssd(args):
    """
    Install the sssd/LDAP client on this host and attach it to the network's
    LDAP server.

    Guarded by version.Version so a given script version only runs once.
    The sssd bind password is requested from the installation user before
    any work starts, so the rest of the run is unattended.
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    tracker = version.Version("InstallSssd", SCRIPT_VERSION)
    tracker.check_executed()

    # Prompt for every secret up front.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    iptables.add_ldap_chain()
    iptables.save()

    # Block until the LDAP server answers on the ldaps port.
    ldap_ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ldap_ip, "636")

    install_certs()

    # authconfig is deliberately run twice: a single run has been observed
    # to leave the setup incomplete (root cause not known).
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()

    aug = Augeas(x)
    create_sss_folders()
    configure_sssd(aug)
    configure_sudo(aug)

    tracker.mark_executed()
def install_sssd(args):
    '''
    Install the sssd/LDAP client on this host and connect it to the
    network's LDAP server.

    Runs once per script version (version.Version). The sssd bind password
    is collected before any step runs.
    '''
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    run_guard = version.Version("InstallSssd", SCRIPT_VERSION)
    run_guard.check_executed()

    # Collect every secret first so nothing prompts mid-run.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    iptables.add_ldap_chain()
    iptables.save()

    # Wait for the LDAP server's ldaps port before touching the client side.
    general.wait_for_server_to_start(config.general.get_ldap_server_ip(), "636")

    install_certs()

    # Two authconfig runs on purpose; one run has proven insufficient
    # (reason unknown).
    authconfig()
    authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()

    configured_sssd()
    configured_sudo()

    run_guard.mark_executed()
def install_git_server(args):
    """
    Install a git server: the git account and repository tree, gitweb and
    cgit front ends, and an Apache vhost with TLS and LDAP authentication.

    Runs once per script version (version.Version).
    """
    app.print_verbose("Install Git-Server version: %d" % SCRIPT_VERSION)
    tracker = version.Version("InstallGit", SCRIPT_VERSION)
    tracker.check_executed()

    # Collect every password from the installation user before starting.
    app.get_ldap_sssd_password()

    x("yum -y install git")

    setup_git_user()
    setup_repo_folder()
    create_empty_test_repo()
    set_permission_on_repos()

    # Restrict the git account to git-shell: no interactive SSH session,
    # only git push/pull over SSH.
    x("usermod --shell /usr/bin/git-shell git")

    install_gitweb()
    install_cgit()

    # Apache: vhost config, certificates and LDAP auth, then restart.
    syco_git_var = app.SYCO_PATH + "var/git/"
    x("cp " + syco_git_var + "git.conf /etc/httpd/conf.d/git.conf")
    _install_httpd_certificates()
    _setup_ldap_auth()
    x("/etc/init.d/httpd restart")

    # Landing page.
    shutil.copy(syco_git_var + "index.html", "/var/www/html/index.html")

    tracker.mark_executed()
def _install_icinga(args):
    '''
    Install Icinga in three parts: icinga core, icinga web and PNP4Nagios.

    Icinga core installs the icinga poller (basically an exact fork of the
    Nagios poller, with SQL integration) plus a minimal GUI kept as a
    fallback in case the fancier GUI goes down. Icinga-web is the
    "bells and whistles" GUI: heavier, "improved" looks, more features.
    '''
    # Collect every password first.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    # Poller, web interface and graphing; the core step yields the DB
    # password the web step needs.
    db_password = _install_icinga_core(args)
    _install_icinga_web(db_password)
    _install_pnp4nagios()

    _install_http_index()
    _install_SELinux()

    # Restart everything that was touched.
    for service in ("ido2db", "nrpe", "icinga", "httpd"):
        x("service %s restart" % service)
def initialize_passwords():
    '''
    Prompt the installation user for every password the script needs,
    all at the start of the run.
    '''
    prompts = (
        app.get_ca_password,
        app.get_ldap_admin_password,
        app.get_ldap_sssd_password,
    )
    for prompt in prompts:
        prompt()
def _install_nrpe(args):
    """
    Install the NRPE agent with syco's prepped nrpe.cfg.

    The stock nrpe.cfg is replaced. The server only answers the monitor
    server's IP (not a strong control, but better than nothing) and
    argument passing is disabled.
    """
    # Collect every secret before any work starts.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not really include all plugins.
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package.
    # EPEL currently has the newer version but RPMForge's obsoletes it, so
    # nagios-nrpe must be kept out of RPMForge.
    app.print_verbose("Install required packages for NRPE")
    install_packages(
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")

    # Swap the stock object structure and config for the prepped ones.
    private_nagios = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r " + private_nagios + "nrpe.d /etc/nagios/")
    x("cp " + private_nagios + "nrpe.cfg /etc/nagios/")

    _install_nrpe_plugins()

    # Only the monitor server may query NRPE (allowed host in nrpe.cfg).
    monitor_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Config readable by the nrpe group only.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall chain for NRPE (port 5666).
    # NOTE(review): the original comment said UDP; NRPE normally speaks TCP —
    # check the chain definition in the iptables module.
    iptables.add_nrpe_chain()
    iptables.save()

    # Start at boot and pick up the new config now.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
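def _install_nrpe(args):
    """
    Install the NRPE agent with syco's prepped nrpe.cfg.

    The stock nrpe.cfg is replaced. The server only answers the monitor
    server's IP (not a strong control, but better than nothing) and
    argument passing is disabled.
    """
    # Collect every secret before any work starts.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # nagios-plugins-all does not really include all plugins.
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package.
    # EPEL currently has the newer version but RPMForge's obsoletes it, so
    # nagios-nrpe is excluded explicitly.
    # One element per package: the previous implicitly concatenated literal
    # lacked a space and asked yum for "perl-Proc-ProcessTableperl-Date-Calc".
    packages = [
        "nagios-plugins-all", "nrpe", "nagios-plugins-nrpe", "php-ldap",
        "nagios-plugins-perl", "perl-Net-DNS", "perl-Proc-ProcessTable",
        "perl-Date-Calc", "policycoreutils-python",
    ]
    x("yum install -y %s --exclude=nagios-nrpe" % " ".join(packages))

    # Swap the stock object structure and config for the prepped ones.
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    _install_nrpe_plugins()

    # Only the monitor server may query NRPE (allowed host in nrpe.cfg).
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Config readable by the nrpe group only.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall chain for NRPE (port 5666).
    # NOTE(review): the original comment said UDP; NRPE normally speaks TCP —
    # check the chain definition in the iptables module.
    iptables.add_nrpe_chain()
    iptables.save()

    # Start at boot and pick up the new config now.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")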
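def _install_nrpe_plugins():
    '''
    Install the NRPE plugins (executed remotely by the monitor server) and
    the SELinux modules that allow nrpe to run them.
    '''
    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()

    x("cp -p {0}lib/nagios/plugins_nrpe/* /usr/lib64/nagios/plugins/".format(constant.SYCO_PATH))

    # Fill in the secrets and the LDAP host used by the plugins. The
    # placeholders in common.cfg use the $(NAME) form; the LDAP URL one was
    # previously spelled "($LDAPURL)" and never matched, leaving the URL
    # unset in the deployed file.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # '&' and '/' are escaped because the replacement is sed-style.
    # NOTE(review): the LDAP password above gets no such escaping, so a
    # password containing '&' or '/' would be mangled — confirm what
    # scOpen.replace does with its replacement argument.
    nrpe_config.replace(
        "$(SQLPASS)",
        app.get_mysql_monitor_password().replace("&", r"\&").replace("/", r"\/"))

    # Plugins run as nrpe but must not be writable by it: read/execute only
    # (previously 750, which let the nrpe user modify the code it executes;
    # the newer variant of this installer already uses 550).
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # SELinux modules so nrpe may execute python/perl/iptables from plugins;
    # the matching .te files document each rule set.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rules_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rules_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")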
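def configured_sudo():
    '''
    Point sudo at the LDAP SUDOers tree, binding as the sssd user over ldaps
    with the client certificate.

    Writes /etc/ldap.conf and copies it to /etc/sudo-ldap.conf, the file
    sudo actually reads.
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    ldap_dn = config.general.get_ldap_dn()

    # The file carries the bind password, so it is made root-only before the
    # secret is written. It used to be 0644, which exposed the password to
    # every local account. NOTE(review): sudo is setuid root and reads the
    # root-only copy below; confirm nothing unprivileged still parses
    # /etc/ldap.conf before relying on this.
    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 600 /etc/ldap.conf")
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|"
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # sudo reads its own copy; keep that root-only as well.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")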
def _reload_icinga(args, reload=True):
    '''
    Re-probe the network for running services and rebuild the Icinga
    object structure from the result.

    reload: when true, tell the running icinga to pick up the new config.
    '''
    # Collect every password first.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    hosts = _get_host_list()
    _append_services_to_hostlist(hosts)
    _build_icinga_config(hosts)
    _install_server_plugins()

    if not reload:
        return
    x("service icinga reload")
def configured_sssd():
    '''
    Rewrite the sssd client configuration and restart sssd.

    Sets the cached-login lifetime, full enumeration, client-certificate TLS,
    the employeeType=Sysop access filter and the sssd bind credentials in
    /etc/sssd/sssd.conf.
    '''
    conf = "/etc/sssd/sssd.conf"
    domain_header = "\[domain/default\]"

    def drop(pattern):
        # Remove every line matching pattern (fresh handle per call).
        scOpen(conf).remove(pattern)

    def add_to_domain(text):
        # Insert text directly below the [domain/default] header.
        scOpen(conf).replace(domain_header, domain_header + "\n" + text)

    # Cached log-ins stay valid 5 days after the last online log-in while the
    # provider is offline (0 would mean no limit).
    drop("^offline_credentials_expiration.*")
    x("sed -i '/\[pam\]/a offline_credentials_expiration=5' " + conf)

    # Enumeration: cache the whole user/group set locally instead of
    # fetching entries on demand.
    drop("^enumerate=true")
    add_to_domain("enumerate=true")

    # Client certificate auth.
    for key in ("ldap_tls_cert", "ldap_tls_key", "ldap_tls_reqcert"):
        drop("^%s.*" % key)
    add_to_domain(
        "ldap_tls_cert = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_key = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_reqcert = demand")

    # Only accounts with this employeeType may log in here.
    drop("^access_provider.*")
    drop("^ldap_access_filter.*")
    add_to_domain(
        "access_provider = ldap\n"
        "ldap_access_filter = (employeeType=Sysop)")

    # Bind as the sssd service user. Three separate inserts, as before, so
    # the resulting line order in the file is unchanged.
    drop("^ldap_default_bind_dn.*")
    drop("^ldap_default_authtok_type.*")
    drop("^ldap_default_authtok.*")
    add_to_domain("ldap_default_bind_dn = cn=sssd," + config.general.get_ldap_dn())
    add_to_domain("ldap_default_authtok_type = password")
    # NOTE(review): the password is spliced into the replacement text
    # unescaped; characters special to that replacement would corrupt it.
    add_to_domain("ldap_default_authtok = " + app.get_ldap_sssd_password())

    # sssd only reloads when the mtime changes; restart with a clean config
    # cache, then enable at boot.
    x("touch " + conf)
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")
    x("chkconfig sssd on")
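def configured_sudo():
    '''
    Point sudo at the LDAP SUDOers tree, binding as the sssd user over ldaps
    with the client certificate.

    Writes /etc/ldap.conf and mirrors it to /etc/nslcd.conf (CentOS 6.2
    workaround).
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    ldap_dn = config.general.get_ldap_dn()

    # The file carries the bind password, so it is made root-only before the
    # secret is written. It used to be 0644, which exposed the password to
    # every local account. NOTE(review): sudo is setuid root; confirm nothing
    # unprivileged still parses /etc/ldap.conf before relying on this.
    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 600 /etc/ldap.conf")
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|"
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # Works around a CentOS 6.2 bug, fixed in 6.3:
    # https://bugzilla.redhat.com/show_bug.cgi?id=760843
    # The copy carries the bind password as well, so world access is removed
    # without touching the owner/group the package set on nslcd.conf.
    x("cp /etc/ldap.conf /etc/nslcd.conf")
    x("chmod o-rwx /etc/nslcd.conf")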
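def configure_sudo(augeas):
    '''
    Point sudo at the LDAP SUDOers tree via augeas, binding as the sssd user
    over ldaps with the client certificate.

    augeas: an Augeas wrapper exposing find_entry() and set_enhanced().
    '''
    # augeas cannot create the sudoers database node in one step, so the
    # line is appended verbatim when absent and only edited in place when
    # it already exists.
    sudoers_node = "/files/etc/nsswitch.conf/database[. = 'sudoers']"
    if not augeas.find_entry(sudoers_node):
        x("echo \"sudoers: ldap files sss\" >> /etc/nsswitch.conf")
    else:
        for index, service in enumerate(("ldap", "files", "sss"), start=1):
            augeas.set_enhanced("%s/service[%d]" % (sudoers_node, index), service)

    ldap_dn = config.general.get_ldap_dn()

    # /etc/ldap.conf receives the bind password, so it is restricted to root
    # before writing. It used to be 0644, exposing the password to every
    # local account. NOTE(review): sudo is setuid root and reads the
    # root-only copy below; confirm no unprivileged process still parses
    # /etc/ldap.conf.
    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 600 /etc/ldap.conf")

    ldap_conf = "/files/etc/ldap.conf/"
    settings = [
        ("uri", "ldaps://%s" % config.general.get_ldap_hostname()),
        ("base", ldap_dn),
        ("ssl", "on"),
        ("tls_cacertdir", "/etc/openldap/cacerts"),
        ("tls_cert", "/etc/openldap/cacerts/client.pem"),
        ("tls_key", "/etc/openldap/cacerts/client.pem"),
        # Derived from the configured base DN like the other sudo installers
        # in this file; it was hard-coded to a single organisation's DN.
        ("sudoers_base", "ou=SUDOers,%s" % ldap_dn),
        ("binddn", "cn=sssd,%s" % ldap_dn),
        ("bindpw", app.get_ldap_sssd_password()),
    ]
    for key, value in settings:
        augeas.set_enhanced(ldap_conf + key, value)

    # sudo reads its own copy; keep it root-only as well.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")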
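def configured_sudo():
    '''
    Point sudo at the LDAP SUDOers tree, binding as the sssd user over ldaps
    with the client certificate.

    Writes /etc/ldap.conf and copies it to /etc/sudo-ldap.conf, the file
    sudo actually reads.
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    ldap_dn = config.general.get_ldap_dn()

    # The file carries the bind password, so it is made root-only before the
    # secret is written. It used to be 0644, which exposed the password to
    # every local account. NOTE(review): sudo is setuid root and reads the
    # root-only copy below; confirm nothing unprivileged still parses
    # /etc/ldap.conf before relying on this.
    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 600 /etc/ldap.conf")
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|"
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # sudo reads its own copy; keep that root-only as well.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")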
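def _setup_ldap():
    '''
    Configure openvpn to authenticate users against LDAP (openvpn-auth-ldap).

    Rewrites /etc/openvpn/auth/ldap.conf in place: ldaps URL, bind
    credentials (the sssd user), CA/client certificate paths, the base DN
    and a search filter that only admits accounts with employeeType=Sysop.
    Finally registers the plugin in server.conf.
    '''
    ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")

    ldapconf.replace(
        r"^\s*URL\s*.*",
        r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
    ldapconf.replace(
        r"^\s*# Password\s*.*",
        r"\tPassword\t%s" % app.get_ldap_sssd_password())
    ldapconf.replace(
        r"^\s*# BindDN\s*.*",
        r"\tBindDN\tcn=sssd,%s" % config.general.get_ldap_dn())
    # TLSEnable is left commented out; presumably the ldaps:// URL above
    # already provides the encrypted transport.
    ldapconf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

    # Certificates.
    ldapconf.replace(r"^\s*TLSCACertFile\s*.*", r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
    ldapconf.replace(r"^\s*TLSCACertDir\s*.*", r"\tTLSCACertDir\t /etc/openldap/cacerts/")
    ldapconf.replace(r"^\s*TLSCertFile\s*.*", r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
    ldapconf.replace(r"^\s*TLSKeyFile\s*.*", r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

    # Search base and authorisation filter. The BaseDN replacement used to
    # emit "\BaseDN" (a missing "t" in the escape), producing a line that
    # does not match the plugin's key; it now follows the "\tKey\t" form of
    # every other line.
    ldapconf.replace(r"^\s*BaseDN\s*.*", r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
    ldapconf.replace(
        r"^\s*SearchFilter\s*.*",
        r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

    # NOTE(review): this appends on every run, so repeated installs leave
    # duplicate plugin lines in server.conf.
    x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')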
def install_logmgmt(args):
    '''
    Install and configure log management tools on the local host.

    Installs the compress/prune scripts under /var/lib/logmgmt with a daily
    cron entry, the LogAnalyzer web UI under /var/www/html/loganalyzer, and
    an Apache config that authenticates against LDAP as the sssd bind user.
    Runs once per script version (version.Version).
    '''
    app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)
    tracker = version.Version("InstallLogMgmt", SCRIPT_VERSION)
    tracker.check_executed()

    syco_var = app.SYCO_PATH + "var/logmgmt/"

    # Daily log compression.
    x("mkdir -p /var/lib/logmgmt")
    shutil.copy(syco_var + "compress_logs.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/compress_logs.sh")
    shutil.copy(syco_var + "logmgmt_cron", "/etc/cron.daily/")
    x("chmod +x /etc/cron.daily/logmgmt_cron")
    scOpen("/etc/cron.daily/logmgmt_cron").replace("${alert_email}", config.general.get_admin_email())

    for package in ("php", "php-mysql", "php-gd"):
        x("yum -y install %s" % package)

    # LogAnalyzer web UI.
    # NOTE(review): the tarball is fetched over plain HTTP and unpacked into
    # the web root with no checksum or signature verification, so anyone on
    # the network path can substitute it. A pinned hash (or at least an
    # HTTPS source) should be added.
    tarball = "loganalyzer-3.5.6.tar.gz"
    x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/" + tarball)
    x("cd /tmp; tar xzf " + tarball)
    x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
    x("chown -R apache /var/www/html/loganalyzer")

    # NOTE(review): both the web UI and the prune script connect as the
    # MySQL root user; a dedicated account limited to the log database would
    # contain a compromised web app.
    shutil.copy(syco_var + "config.php", "/var/www/html/loganalyzer/")
    web_config = scOpen("/var/www/html/loganalyzer/config.php")
    web_config.replace("${mysql_user}", "root")
    web_config.replace("${mysql_password}", app.get_mysql_root_password())
    x("chown -R apache /var/www/html/loganalyzer")
    x("rm -rf /tmp/loganalyzer*")

    # Prune script.
    shutil.copy(syco_var + "remove_sql.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/remove_sql.sh")
    prune_script = scOpen("/var/lib/logmgmt/remove_sql.sh")
    prune_script.replace("${mysql_user}", "root")
    prune_script.replace("${mysql_password}", app.get_mysql_root_password())

    # Apache config with LDAP auth (the bind password ends up in this file).
    shutil.copy(syco_var + "loganalyzer.conf", "/etc/httpd/conf.d/")
    vhost = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    vhost.replace("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn())
    vhost.replace("${bind_password}", "%s" % app.get_ldap_sssd_password())
    vhost.replace(
        "${ldap_url}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), config.general.get_ldap_dn()))

    x("service httpd restart")
    tracker.mark_executed()
def install_logmgmt(args):
    '''
    Install and configure log management tools on the local host.

    Installs the compress/prune scripts under /var/lib/logmgmt with a daily
    cron entry, the LogAnalyzer web UI under /var/www/html/loganalyzer, and
    an Apache config that authenticates against LDAP as the sssd bind user.
    Runs once per script version (version.Version).
    '''
    app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)
    run_guard = version.Version("InstallLogMgmt", SCRIPT_VERSION)
    run_guard.check_executed()

    def fill(path, substitutions):
        # Replace each placeholder in the file, in the given order.
        handle = scOpen(path)
        for placeholder, value in substitutions:
            handle.replace(placeholder, value)

    def install_script(name, target_dir):
        shutil.copy(app.SYCO_PATH + "var/logmgmt/" + name, target_dir)
        x("chmod +x " + target_dir + name)

    # Daily log compression.
    x("mkdir -p /var/lib/logmgmt")
    install_script("compress_logs.sh", "/var/lib/logmgmt/")
    install_script("logmgmt_cron", "/etc/cron.daily/")
    fill("/etc/cron.daily/logmgmt_cron",
         [("${alert_email}", config.general.get_admin_email())])

    x("yum -y install php")
    x("yum -y install php-mysql")
    x("yum -y install php-gd")

    # LogAnalyzer web UI.
    # NOTE(review): the tarball is fetched over plain HTTP and unpacked into
    # the web root with no checksum or signature verification; anyone on the
    # network path can substitute it. A pinned hash (or at least an HTTPS
    # source) should be added.
    x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz")
    x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
    x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
    x("chown -R apache /var/www/html/loganalyzer")

    # NOTE(review): the web UI and the prune script both use the MySQL root
    # account; a dedicated account limited to the log database would contain
    # a compromised web app.
    mysql_credentials = [
        ("${mysql_user}", "root"),
        ("${mysql_password}", app.get_mysql_root_password()),
    ]
    shutil.copy(app.SYCO_PATH + "var/logmgmt/config.php", "/var/www/html/loganalyzer/")
    fill("/var/www/html/loganalyzer/config.php", mysql_credentials)
    x("chown -R apache /var/www/html/loganalyzer")
    x("rm -rf /tmp/loganalyzer*")

    # Prune script.
    install_script("remove_sql.sh", "/var/lib/logmgmt/")
    fill("/var/lib/logmgmt/remove_sql.sh",
         [("${mysql_user}", "root"),
          ("${mysql_password}", app.get_mysql_root_password())])

    # Apache config with LDAP auth (the bind password ends up in this file).
    shutil.copy(app.SYCO_PATH + "var/logmgmt/loganalyzer.conf", "/etc/httpd/conf.d/")
    fill("/etc/httpd/conf.d/loganalyzer.conf", [
        ("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn()),
        ("${bind_password}", "%s" % app.get_ldap_sssd_password()),
        ("${ldap_url}", "ldaps://%s:636/%s?uid" % (
            config.general.get_ldap_hostname(), config.general.get_ldap_dn())),
    ])

    x("service httpd restart")
    run_guard.mark_executed()
def configured_sssd():
    '''
    Rewrite the sssd client configuration and restart sssd.

    Sets the cached-login lifetime, full enumeration, client-certificate TLS,
    the employeeType=Sysop access filter and the sssd bind credentials in
    /etc/sssd/sssd.conf.
    '''
    def sssd_conf():
        # A fresh handle per edit, as the original did.
        return scOpen("/etc/sssd/sssd.conf")

    header = "\[domain/default\]"

    # Cached log-ins stay valid 5 days after the last online log-in while the
    # provider is offline (0 would mean no limit).
    sssd_conf().remove("^offline_credentials_expiration.*")
    x("sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf")

    # Each step: patterns to purge, then the block to insert right under
    # [domain/default]. Applied in order so the file ends up as before.
    steps = [
        # Enumeration: cache the full user/group set locally instead of
        # fetching entries on demand.
        (["^enumerate=true"],
         "enumerate=true"),
        # Client certificate auth.
        (["^ldap_tls_cert.*", "^ldap_tls_key.*", "^ldap_tls_reqcert.*"],
         "ldap_tls_cert = /etc/openldap/cacerts/client.pem\n"
         "ldap_tls_key = /etc/openldap/cacerts/client.pem\n"
         "ldap_tls_reqcert = demand"),
        # Only accounts with this employeeType may log in here.
        (["^access_provider.*", "^ldap_access_filter.*"],
         "access_provider = ldap\n"
         "ldap_access_filter = (employeeType=Sysop)"),
    ]
    for patterns, block in steps:
        for pattern in patterns:
            sssd_conf().remove(pattern)
        sssd_conf().replace(header, header + "\n" + block)

    # Bind as the sssd service user; one insert per line keeps the original
    # line order. NOTE(review): the password goes into the replacement text
    # unescaped; characters special to that replacement would corrupt it.
    for pattern in ("^ldap_default_bind_dn.*",
                    "^ldap_default_authtok_type.*",
                    "^ldap_default_authtok.*"):
        sssd_conf().remove(pattern)
    for line in ("ldap_default_bind_dn = cn=sssd," + config.general.get_ldap_dn(),
                 "ldap_default_authtok_type = password",
                 "ldap_default_authtok = " + app.get_ldap_sssd_password()):
        sssd_conf().replace(header, header + "\n" + line)

    # sssd only reloads when the mtime changes; restart with a clean config
    # cache, then enable at boot.
    x("touch /etc/sssd/sssd.conf")
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")
    x("chkconfig sssd on")
def configure_sssd(augeas):
    '''
    Write the sssd client settings through augeas and restart sssd.

    augeas: an Augeas wrapper exposing set_enhanced(path, value).
    '''
    node = "/files/etc/sssd/sssd.conf/target[. = '%s']/%s"

    def pam(key, value):
        augeas.set_enhanced(node % ("pam", key), value)

    def domain(key, value):
        augeas.set_enhanced(node % ("domain/default", key), value)

    def sssd(key, value):
        augeas.set_enhanced(node % ("sssd", key), value)

    # offline_credentials_expiration: days a cached log-in stays valid while
    # the provider is offline, counted from the last successful online
    # log-in; 0 means no limit. The stated intent is to keep cached
    # credentials usable even when nobody has logged in recently.
    # NOTE(review): unlimited offline validity means an account disabled in
    # LDAP can still log in locally for as long as the provider is
    # unreachable; the scOpen-based installer in this file bounds it to 5
    # days.
    pam("offline_credentials_expiration", "0")

    # Enumeration: cache the whole user/group set locally instead of
    # fetching entries on demand.
    domain("enumerate", "true")

    # Client certificate auth against the LDAP server.
    domain("ldap_tls_cert", "/etc/openldap/cacerts/client.pem")
    domain("ldap_tls_key", "/etc/openldap/cacerts/client.pem")
    domain("ldap_tls_reqcert", "demand")

    # Only accounts with this employeeType may log in here.
    domain("access_provider", "ldap")
    domain("ldap_access_filter", "(employeeType=Sysop)")

    # Bind as the sssd service user.
    domain("ldap_default_bind_dn", "cn=sssd," + config.general.get_ldap_dn())
    domain("ldap_default_authtok_type", "password")
    domain("ldap_default_authtok", app.get_ldap_sssd_password())

    # sudo rules from LDAP, cached; full refresh daily, smart refresh hourly.
    domain("sudo_provider", "ldap")
    domain("ldap_sudo_full_refresh_interval", "86400")
    domain("ldap_sudo_smart_refresh_interval", "3600")

    # Short timeouts so the cache is used when LDAP is slow or down.
    domain("ldap_search_timeout", "5")
    domain("ldap_enumeration_search_timeout", "5")
    domain("ldap_network_timeout", "5")

    sssd("services", "nss,pam,sudo")

    # sssd only reloads when the mtime changes; restart with a clean config
    # cache, then enable at boot.
    x("touch /etc/sssd/sssd.conf")
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")
    x("chkconfig sssd on")
def _install_nrpe(args):
    """
    Install the NRPE agent with syco's prepped nrpe.cfg.

    The stock nrpe.cfg is replaced. The server only answers the monitor
    server's front IP (not a strong control, but better than nothing) and
    argument passing is disabled.
    """
    # Collect every secret before any work starts.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()
    # nagios-plugins-all does not really include all plugins.
    x("yum install nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable perl-Date-Calc -y")

    # Swap the stock object structure and config for the prepped ones, and
    # make the tree readable by the nrpe group only.
    private_nagios = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r " + private_nagios + "nrpe.d /etc/nagios/")
    x("cp " + private_nagios + "nrpe.cfg /etc/nagios/")
    x("chown -R root:nrpe /etc/nagios/")

    _install_nrpe_plugins()

    # Only the monitor server may query NRPE (allowed host in nrpe.cfg).
    monitor_host = config.host(config.general.get_monitor_server())
    monitor_ip = monitor_host.get_front_ip()
    app.print_verbose("Setting monitor server:" + monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Open the firewall chain for NRPE (port 5666).
    # NOTE(review): the original comment said UDP; NRPE normally speaks TCP —
    # check the chain definition in the iptables module.
    iptables.add_nrpe_chain()
    iptables.save()

    # Start at boot and pick up the new config now.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
def _install_nrpe_plugins():
    """Install NRPE plugins (executed remotely by the monitor) and SELinux rules."""
    # Packages the plugins depend on.
    _install_nrpe_plugins_dependencies()

    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # Fill in the secrets and the LDAP host used by the plugins.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    common_cfg.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    common_cfg.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # '&' and '/' are escaped because the replacement is sed-style.
    # NOTE(review): the LDAP password above is not escaped the same way;
    # confirm scOpen.replace copes with those characters, or escape it too.
    sql_password = app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")
    common_cfg.replace("$(SQLPASS)", sql_password)

    # Name of the main disk depends on the host role.
    host_config = config.host(net.get_hostname())
    main_disk = None
    if host_config.is_guest():
        main_disk = "vda"
    elif host_config.is_firewall() or host_config.is_host():
        main_disk = "sda"
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Plugins are owned by nrpe but read/execute only, so the nrpe user
    # cannot alter what it runs.
    # NOTE(review): the copy above targets PLG_PATH while these two commands
    # use a hard-coded path; if they differ, the copied files keep their
    # original mode and owner.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # SELinux modules so nrpe may run python/perl plugins; the matching
    # .te files document each rule set.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rules_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rules_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Per-plugin file contexts for the custom plugins.
    # TODO: still unlabelled: pmp-check-mysql*, farpayment_stats.py,
    # rentalfront_stats.py, checkMySQLProcesslist.sh.
    labels = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for context, plugin in labels:
        _fix_selinux(context, plugin)

    # New in CentOS 6.7: let nagios plugins invoke sudo. This widens the
    # SELinux policy for every plugin, not only the ones that need sudo.
    x("setsebool -P nagios_run_sudo 1")
def _install_pnp4nagios():
    '''
    Install PNP4Nagios and make it work with icinga instead of nagios.

    The EPEL package assumes nagios, so ownership of its spool/log/lib
    directories, the httpd auth settings and the NPCD spooler config are
    adjusted here. Performance data flows Icinga -> NPCD -> RRD files
    ("bulk mode", see http://docs.pnp4nagios.org/_detail/bulk.png).
    '''
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # The packaged httpd config points at the nagios password file, which
    # does not exist on an icinga host. NOTE(review): this file is removed
    # and replaced by the syco template further down, so these two edits
    # appear to be discarded — confirm whether they are still needed.
    pnp_httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    general.use_original_file(pnp_httpd_conf)
    general.set_config_property(
        pnp_httpd_conf,
        "AuthName \"Nagios Access\"", "AuthName \"Icinga Access\"", False)
    general.set_config_property(
        pnp_httpd_conf,
        "AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd", False)

    # NPCD config prepared for icinga.
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(
        constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # The package does not create the perfdata log; PNP fails without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Hand the PNP directories to icinga rather than adding icinga to the
    # nagios group, which would tie us to the nagios package's state.
    for pnp_dir in ("/var/log/pnp4nagios", "/var/spool/pnp4nagios", "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga " + pnp_dir)

    # Start the bulk parser/spooler at boot.
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for the PNP4Nagios web UI: replace the packaged httpd
    # config with the syco template and fill in the bind credentials.
    general.use_original_file(pnp_httpd_conf)
    x("rm -f " + pnp_httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(pnp_httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    # Clear-text bind password; the file keeps the template's mode (cp -p).
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))

    # Pick up every change.
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
def _install_nrpe_plugins():
    """Install the NRPE plugins (run remotely by the monitoring server) and their SELinux rules.

    Copies the syco NRPE plugins plus any syco plugin-package plugins into
    PLG_PATH, fills the credential and main-disk placeholders in
    /etc/nagios/nrpe.d/common.cfg, restricts the plugin tree to the nrpe
    user and loads the custom SELinux modules.
    """
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    # Plugins shipped by external syco plugin packages.
    for plugin_dir in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(plugin_dir, PLG_PATH))

    # common.cfg ends up holding the LDAP bind password and the MySQL
    # monitor password in clear text. NOTE(review): its file mode is not
    # set here — confirm it is not readable by other local users.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # '&' and '/' are escaped for the replace backend. NOTE(review): the LDAP
    # password above gets no such escaping — confirm it can never contain
    # those characters, or escape it the same way.
    sql_pass = app.get_mysql_monitor_password()
    sql_pass = sql_pass.replace("&", "\&").replace("/", "\/")
    nrpe_config.replace("$(SQLPASS)", sql_pass)

    # The root block device differs between virtual guests and iron.
    this_host = config.host(net.get_hostname())
    if this_host.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif this_host.is_firewall() or this_host.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Plugins become read/execute only and owned by nrpe (not icinga/nagios).
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Load the compiled SELinux modules (.pp) that let NRPE execute
    # python/perl based plugins; the matching .te files document each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Per-plugin file contexts. Anything labelled *unconfined* runs without
    # SELinux confinement, so keep this list as short as possible.
    # TODO: not yet labelled: pmp-check-mysql*, farpayment_stats.py,
    #       rentalfront_stats.py, checkMySQLProcesslist.sh
    plugin_contexts = [
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    ]
    for context, plugin in plugin_contexts:
        _fix_selinux(context, plugin)

    # Boolean introduced in CentOS 6.7: allows NRPE plugins to call sudo.
    x("setsebool -P nagios_run_sudo 1")
def passwords(args):
    """Initialize every password syco manages and print them all to stdout.

    args: command-line arguments; unused here.

    Security note: this dumps every secret (root, LDAP, glassfish, MySQL) in
    clear text. Run it only on a trusted terminal and never redirect the
    output into a log, ticket or shell history.
    """
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): this line is garbled in the source as received ("******"
    # stands where the getter call should be); restore it from the original.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
def _setup_ldap_auth():
    '''
    Point the git httpd vhost at the syco LDAP server for user authentication.

    Fills the ${AUTHLDAP*} placeholders in /etc/httpd/conf.d/git.conf with
    the sssd bind DN/password and an ldaps URL rooted at ou=people.
    '''
    ldap_dn = config.general.get_ldap_dn()
    git_conf = scOpen("/etc/httpd/conf.d/git.conf")
    git_conf.replace("${AUTHLDAPBINDDN}", "cn=sssd," + ldap_dn)
    # The bind password is written in clear text into git.conf; its file
    # mode is not set here — keep it unreadable to other local users.
    git_conf.replace("${AUTHLDAPBINDPASSWORD}", app.get_ldap_sssd_password())
    ldap_host = config.general.get_ldap_hostname()
    git_conf.replace("${AUTHLDAPURL}", "ldaps://%s:636/ou=people,%s?uid" % (ldap_host, ldap_dn))
    # NOTE(review): marking InstallGit as uninstalled from a setup helper
    # looks like a copy/paste leftover (the installer marks it executed
    # again afterwards) — confirm it is intended.
    version.Version("InstallGit", SCRIPT_VERSION).mark_uninstalled()
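def configure_sudo(augeas):
    """
    Configure the client so sudo resolves its rules through sssd/LDAP.

    Adds the ``sudoers: files sss`` database to nsswitch.conf and writes a
    minimal /etc/ldap.conf (copied to /etc/sudo-ldap.conf) with the ldaps
    URI, client certificate and the sssd bind credentials.

    augeas: Augeas wrapper (find_entry/set_enhanced/remove) used for the edits.
    """
    # The sudoers database node cannot be inserted as a one-liner through
    # Augeas, so it is appended with echo when missing.
    sudoers_node = "/files/etc/nsswitch.conf/database[. = 'sudoers']"
    if not augeas.find_entry(sudoers_node):
        x("echo \"sudoers: files sss\" >> /etc/nsswitch.conf")
    else:
        augeas.set_enhanced(sudoers_node + "/service[1]", "files")
        augeas.set_enhanced(sudoers_node + "/service[2]", "sss")
        augeas.remove(sudoers_node + "/service[3]")

    ldap_dn = config.general.get_ldap_dn()

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    # NOTE(review): 0644 makes the bindpw written below readable by every
    # local user. The mode is kept because applications other than sudo
    # still read /etc/ldap.conf and may run unprivileged — confirm which,
    # and tighten to 0640 if none do.
    x("chmod 644 /etc/ldap.conf")
    ldap_conf = "/files/etc/ldap.conf/"
    augeas.set_enhanced(ldap_conf + "uri", "ldaps://%s" % config.general.get_ldap_hostname())
    augeas.set_enhanced(ldap_conf + "base", ldap_dn)
    augeas.set_enhanced(ldap_conf + "ssl", "on")
    augeas.set_enhanced(ldap_conf + "tls_cacertdir", "/etc/openldap/cacerts")
    # Client certificate auth; certificate and key share one PEM file.
    augeas.set_enhanced(ldap_conf + "tls_cert", "/etc/openldap/cacerts/client.pem")
    augeas.set_enhanced(ldap_conf + "tls_key", "/etc/openldap/cacerts/client.pem")
    # Fix: the sudoers base was hard-coded to a single organisation's DN;
    # derive it from the configured directory DN like every other DN here.
    augeas.set_enhanced(ldap_conf + "sudoers_base", "ou=SUDOers,%s" % ldap_dn)
    augeas.set_enhanced(ldap_conf + "binddn", "cn=sssd,%s" % ldap_dn)
    augeas.set_enhanced(ldap_conf + "bindpw", app.get_ldap_sssd_password())

    # sudo reads its own copy; /etc/ldap.conf stays for applications that
    # still look there. The sudo copy is root-only.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")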
def _configure_apache():
    '''
    Install the loganalyzer httpd config with LDAP authentication.

    Copies var/loganalyzer/loganalyzer.conf into conf.d, fills the LDAP
    placeholders with the sssd bind DN/password and an ldaps URL, then
    restarts httpd.
    '''
    x("cp -f {0}var/loganalyzer/loganalyzer.conf /etc/httpd/conf.d/".format(app.SYCO_PATH))
    ldap_dn = config.general.get_ldap_dn()
    ldap_host = config.general.get_ldap_hostname()
    conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    conf.replace("${BIND_DN}", "cn=sssd,{0}".format(ldap_dn))
    # Clear-text bind password in an httpd config; the file mode is not
    # set here — keep it unreadable to other local users.
    conf.replace("${BIND_PASSWORD}", app.get_ldap_sssd_password())
    conf.replace("${LDAP_URL}", "ldaps://{0}:636/{1}?uid".format(ldap_host, ldap_dn))
    x("service httpd restart")
def _setup_ldap_auth():
    '''
    Point the git httpd vhost at the syco LDAP server for user authentication.

    Fills the ${AUTHLDAP*} placeholders in /etc/httpd/conf.d/git.conf with
    the sssd bind DN/password and an ldaps URL rooted at ou=people.
    '''
    ldap_dn = config.general.get_ldap_dn()
    git_conf = scOpen("/etc/httpd/conf.d/git.conf")
    git_conf.replace("${AUTHLDAPBINDDN}", "cn=sssd," + ldap_dn)
    # The bind password is written in clear text into git.conf; its file
    # mode is not set here — keep it unreadable to other local users.
    git_conf.replace("${AUTHLDAPBINDPASSWORD}", app.get_ldap_sssd_password())
    ldap_host = config.general.get_ldap_hostname()
    git_conf.replace("${AUTHLDAPURL}", "ldaps://%s:636/ou=people,%s?uid" % (ldap_host, ldap_dn))
    # NOTE(review): marking InstallGit as uninstalled from a setup helper
    # looks like a copy/paste leftover (the installer marks it executed
    # again afterwards) — confirm it is intended.
    version.Version("InstallGit", SCRIPT_VERSION).mark_uninstalled()
def _install_pnp4nagios():
    '''
    Install PNP4Nagios and make it work with icinga instead of nagios.

    The EPEL package assumes nagios, so ownership of its spool/log/lib
    directories, the httpd auth settings and the NPCD spooler config are
    adjusted here. Performance data flows Icinga -> NPCD -> RRD files
    ("bulk mode", see http://docs.pnp4nagios.org/_detail/bulk.png).
    '''
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # The packaged httpd config points at the nagios password file, which
    # does not exist on an icinga host. NOTE(review): this file is removed
    # and replaced by the syco template further down, so these two edits
    # appear to be discarded — confirm whether they are still needed.
    pnp_httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    general.use_original_file(pnp_httpd_conf)
    general.set_config_property(
        pnp_httpd_conf,
        "AuthName \"Nagios Access\"", "AuthName \"Icinga Access\"", False)
    general.set_config_property(
        pnp_httpd_conf,
        "AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd", False)

    # NPCD config prepared for icinga.
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(
        constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # The package does not create the perfdata log; PNP fails without it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Hand the PNP directories to icinga rather than adding icinga to the
    # nagios group, which would tie us to the nagios package's state.
    for pnp_dir in ("/var/log/pnp4nagios", "/var/spool/pnp4nagios", "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga " + pnp_dir)

    # Start the bulk parser/spooler at boot.
    x(" /sbin/chkconfig --level 3 npcd on")

    # LDAP login for the PNP4Nagios web UI: replace the packaged httpd
    # config with the syco template and fill in the bind credentials.
    general.use_original_file(pnp_httpd_conf)
    x("rm -f " + pnp_httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(pnp_httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    # Clear-text bind password; the file keeps the template's mode (cp -p).
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))

    # Pick up every change.
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
def passwords(args):
    """Initialize every password syco manages and print them all to stdout.

    args: command-line arguments; unused here.

    Security note: this dumps every secret (root, LDAP, glassfish, MySQL,
    switch) in clear text. Run it only on a trusted terminal and never
    redirect the output into a log, ticket or shell history.
    """
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): this line is garbled in the source as received ("******"
    # stands where the getter call should be); restore it from the original.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
    print "mysql_backup: ", app.get_mysql_backup_password()
    print "mysql_monitor: ", app.get_mysql_monitor_password()
    print "switch_icmp: ", app.get_switch_icmp_password()
def _configure_apache():
    '''
    Install the loganalyzer httpd config with LDAP authentication.

    Copies var/loganalyzer/loganalyzer.conf into conf.d, fills the LDAP
    placeholders with the sssd bind DN/password and an ldaps URL, then
    restarts httpd.
    '''
    x("cp -f {0}var/loganalyzer/loganalyzer.conf /etc/httpd/conf.d/".format(app.SYCO_PATH))
    ldap_dn = config.general.get_ldap_dn()
    ldap_host = config.general.get_ldap_hostname()
    conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    conf.replace("${BIND_DN}", "cn=sssd,{0}".format(ldap_dn))
    # Clear-text bind password in an httpd config; the file mode is not
    # set here — keep it unreadable to other local users.
    conf.replace("${BIND_PASSWORD}", app.get_ldap_sssd_password())
    conf.replace("${LDAP_URL}", "ldaps://{0}:636/{1}?uid".format(ldap_host, ldap_dn))
    x("service httpd restart")
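def _install_nrpe_plugins():
    '''
    Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Copies the syco NRPE plugins into PLG_PATH, fills the credential
    placeholders in /etc/nagios/nrpe.d/common.cfg, restricts the plugin
    tree to the nrpe user and loads the custom SELinux modules.
    '''
    # Interpreters and libraries the plugins need come first.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # common.cfg ends up holding the LDAP bind password and the MySQL
    # monitor password in clear text. NOTE(review): its file mode is not
    # set here — confirm it is not readable by other local users.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    # Fix: the placeholder was spelled "($LDAPURL)", which does not match the
    # "$(NAME)" form used by every other placeholder, so the LDAP URL was
    # never substituted.
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())

    # Plugins owned by nrpe (not icinga/nagios); 750 leaves them writable
    # by the nrpe user itself.
    x("chmod -R 750 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Load the compiled SELinux modules (.pp) that let NRPE execute
    # python/perl/iptables; the matching .te files document each rule.
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_dir))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Per-plugin file contexts. Anything labelled *unconfined* runs without
    # SELinux confinement, so keep this list as short as possible.
    plugin_contexts = [
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*"),
        ("nagios_unconfined_plugin_exec_t", "farpayment_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
    ]
    for context, plugin in plugin_contexts:
        _fix_selinux(context, plugin)

    # MySQL monitor password. '&' and '/' are escaped for the replace
    # backend. NOTE(review): the LDAP password above gets no such escaping —
    # confirm it can never contain those characters, or escape it the same way.
    # NOTE(review): this is done unconditionally, although the original
    # comment says "if running MySQL".
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    sql_pass = app.get_mysql_monitor_password()
    sql_pass = sql_pass.replace("&", "\&").replace("/", "\/")
    nrpe_config.replace("$(SQLPASS)", sql_pass)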
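def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Set icinga-web configuration: MySQL passwords, LDAP login and timezone.

    icinga_db_pass: password of the MySQL user "icinga" (IDO database).
    web_sqlpassword: password of the icinga-web MySQL user.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files that are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags. The
    icinga-web documentation assumes the standard configs, so debugging and
    searching is easier when those includes are not loaded (achieved by
    simply not granting apache permissions on them).
    '''
    # Database passwords. Both DSNs carry the password in clear text, so
    # databases.xml must stay readable by the web server only.
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword), False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass), False)

    # LDAP login through httpd. Fix: the path used to carry a trailing space
    # ("icinga-web.conf "), which the cp below never produces and which not
    # every consumer of the path can be relied on to strip.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    # Clear-text bind password; the file keeps the template's mode (cp -p).
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"", False)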
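def _setup_ldap():
    '''
    Configure the openvpn-auth-ldap plugin to authenticate VPN users against
    the syco LDAP server, and hook the plugin into server.conf.

    Edits /etc/openvpn/auth/ldap.conf in place: ldaps URL, sssd bind
    credentials, CA/client certificate paths, base DN and a search filter
    that only admits accounts with employeeType=Sysop.
    '''
    ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")
    ldapconf.replace(r"^\s*URL\s*.*", r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
    # The bind password is written in clear text into ldap.conf; its file
    # mode is not set here — keep it unreadable to other local users.
    ldapconf.replace(r"^\s*# Password\s*.*", r"\tPassword\t%s" % app.get_ldap_sssd_password())
    ldapconf.replace(r"^\s*# BindDN\s*.*", r"\tBindDN\tcn=sssd,%s" % config.general.get_ldap_dn())
    # STARTTLS is disabled on purpose: the URL above is ldaps://, so the
    # connection is TLS from the start. Keep the two in sync if the URL changes.
    ldapconf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

    # Certificates used to verify the server and to present the client cert.
    ldapconf.replace(r"^\s*TLSCACertFile\s*.*", r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
    ldapconf.replace(r"^\s*TLSCACertDir\s*.*", r"\tTLSCACertDir\t /etc/openldap/cacerts/")
    ldapconf.replace(r"^\s*TLSCertFile\s*.*", r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
    ldapconf.replace(r"^\s*TLSKeyFile\s*.*", r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

    # Authorization: search below the directory DN, Sysop accounts only.
    # Fix: the BaseDN replacement wrote "\BaseDN" (the tab escape lost its
    # 't'), unlike every other key; it now writes "\tBaseDN" like the rest.
    ldapconf.replace(r"^\s*BaseDN\s*.*", r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
    ldapconf.replace(r"^\s*SearchFilter\s*.*", r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

    # NOTE(review): this appends unconditionally, so running the installer
    # twice leaves two "plugin" lines in server.conf.
    x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')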
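def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Set icinga-web configuration: MySQL passwords, LDAP login and timezone.

    icinga_db_pass: password of the MySQL user "icinga" (IDO database).
    web_sqlpassword: password of the icinga-web MySQL user.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files that are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags. The
    icinga-web documentation assumes the standard configs, so debugging and
    searching is easier when those includes are not loaded (achieved by
    simply not granting apache permissions on them).
    '''
    # Database passwords. Both DSNs carry the password in clear text, so
    # databases.xml must stay readable by the web server only.
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword), False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass), False)

    # LDAP login through httpd. Fix: the path used to carry a trailing space
    # ("icinga-web.conf "), which the cp below never produces and which not
    # every consumer of the path can be relied on to strip.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    # Clear-text bind password; the file keeps the template's mode (cp -p).
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"", False)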
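def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server.

    Builds openvpn from source, writes server.conf from the syco template,
    creates a private CA, server certificate, 4096-bit DH parameters and a
    tls-auth key with easy-rsa, optionally enables LDAP authentication,
    opens the firewall and builds the client certificates.

    args: command line; exactly two entries are required, the second being
          the openvpn version to build (e.g. "2.3.7").
    Raises Exception when the argument count is wrong.
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 2:
        raise Exception("syco install-openvpn-server 2.3.7")

    # Fix: get_option returns a string and the string "false" is truthy, so
    # a bare "if enable_ldap:" enabled LDAP auth regardless of the setting.
    enable_ldap = str(config.general.get_option("openvpn.ldap.enable", "false")).strip().lower() == "true"

    build_openvpn(args)
    # NOTE(review): plain mkdir (no -p) — confirm x() tolerates a non-zero
    # exit when /etc/openvpn already exists, e.g. on a re-run.
    x('mkdir /etc/openvpn')
    if enable_ldap:
        # Prompt for the sssd bind password before the long-running steps.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        copy_easy_rsa()

    # server.conf from template.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
    scOpen(server_conf).replace('${OPENVPN_NETWORK}', config.general.get_openvpn_network())
    scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

    # Same fix as for enable_ldap: "false".lower() is still truthy.
    ccd_enabled = str(config.general.get_option("openvpn.ccd.enable", "false")).strip().lower() == "true"
    ccd_dir = ""
    client_routes = ""
    c2c = ""
    if ccd_enabled:
        ccd_dir = "client-config-dir ccd"
        client_routes = _get_client_routes()
        c2c = "client-to-client"
        x('mkdir /etc/openvpn/ccd')
    scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
    scOpen(server_conf).replace('${CLIENT_ROUTES}', str(client_routes))
    scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
    scOpen(server_conf).replace('${DHCP_DNS_SERVERS}', _get_dhcp_dns_servers())
    # The template still names the 1024-bit DH file; use the 4096-bit one
    # generated below and refuse anything older than TLS 1.2.
    scOpen(server_conf).replace('^dh.*dh1024.pem', 'dh dh4096.pem')
    scOpen(server_conf).add('\n')
    scOpen(server_conf).add('tls-version-min 1.2')

    # Certificate subject fields for the CA generation.
    fn = "/etc/openvpn/easy-rsa/vars"
    subject_fields = [
        ("KEY_COUNTRY", config.general.get_country_name()),
        ("KEY_PROVINCE", config.general.get_state()),
        ("KEY_CITY", config.general.get_locality()),
        ("KEY_ORG", config.general.get_organization_name()),
        ("KEY_OU", config.general.get_organizational_unit_name()),
        ("KEY_EMAIL", config.general.get_admin_email()),
    ]
    for key, value in subject_fields:
        scOpen(fn).replace(r'[\s]*export %s.*' % key, 'export %s="%s"' % (key, value))
    # SHA-256 signatures and 4096-bit keys for everything easy-rsa issues.
    scOpen(fn).replace(r'[\s]*export HASH_ALGO.*', 'export HASH_ALGO=sha256')
    scOpen(fn).replace(r'[\s]*export KEY_SIZE.*', 'export KEY_SIZE=4096')

    # easy-rsa cannot locate the current openssl.cnf; widen its version glob.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
        r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA, server certificate and DH parameters.
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): this also places the CA private key (ca.key) next to the
    # server key; anyone who can read /etc/openvpn can then issue client
    # certificates. Confirm the daemon really needs it there.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh4096.pem} /etc/openvpn/")

    # tls-auth key (HMAC on the control channel).
    os.chdir("/etc/openvpn/")
    x("/usr/local/sbin/openvpn --genkey --secret ta.key")

    # Allow re-issuing a certificate for an existing CN; otherwise
    # "./build-key-pkcs12 --batch xxx" fails with "TXT_DB error number 2".
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # Route VPN traffic into the internal networks.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()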
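def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server.

    Installs the openvpn package, writes server.conf from the syco template,
    creates a private CA, server certificate, DH parameters and a tls-auth
    key with easy-rsa, optionally enables LDAP authentication, opens the
    firewall and builds the client certificates.

    args: command line, passed on to build_client_certs().
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Fix: get_option returns a string and the string "false" is truthy, so
    # a bare "if enable_ldap:" enabled LDAP auth regardless of the setting.
    enable_ldap = str(config.general.get_option("openvpn.ldap.enable", "false")).strip().lower() == "true"

    x("yum -y install openvpn")
    if enable_ldap:
        # Prompt for the sssd bind password before the long-running steps.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        copy_easy_rsa()

    # server.conf from template.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
    scOpen(server_conf).replace('${OPENVPN_NETWORK}', config.general.get_openvpn_network())
    scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

    # Same fix as for enable_ldap: "false".lower() is still truthy.
    ccd_enabled = str(config.general.get_option("openvpn.ccd.enable", "false")).strip().lower() == "true"
    ccd_dir = ""
    client_routes = ""
    c2c = ""
    if ccd_enabled:
        ccd_dir = "client-config-dir ccd"
        client_routes = _get_client_routes()
        c2c = "client-to-client"
    scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
    scOpen(server_conf).replace('${CLIENT_ROUTES}', client_routes)
    scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
    scOpen(server_conf).replace('${DHCP_DNS_SERVERS}', _get_dhcp_dns_servers())

    # Certificate subject fields for the CA generation.
    fn = "/etc/openvpn/easy-rsa/vars"
    subject_fields = [
        ("KEY_COUNTRY", config.general.get_country_name()),
        ("KEY_PROVINCE", config.general.get_state()),
        ("KEY_CITY", config.general.get_locality()),
        ("KEY_ORG", config.general.get_organization_name()),
        ("KEY_OU", config.general.get_organizational_unit_name()),
        ("KEY_EMAIL", config.general.get_admin_email()),
    ]
    for key, value in subject_fields:
        scOpen(fn).replace(r'[\s]*export %s.*' % key, 'export %s="%s"' % (key, value))

    # easy-rsa cannot locate the current openssl.cnf; widen its version glob.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
        r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA, server certificate and DH parameters.
    # NOTE(review): easy-rsa's defaults are used here, which yields 1024-bit
    # DH parameters (dh1024.pem) — weak by current standards; raising
    # KEY_SIZE in vars and the dh line in server.conf together is the fix.
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): this also places the CA private key (ca.key) next to the
    # server key; anyone who can read /etc/openvpn can then issue client
    # certificates. Confirm the daemon really needs it there.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # tls-auth key (HMAC on the control channel).
    os.chdir("/etc/openvpn/")
    x("openvpn --genkey --secret ta.key")

    # Allow re-issuing a certificate for an existing CN; otherwise
    # "./build-key-pkcs12 --batch xxx" fails with "TXT_DB error number 2".
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # Route VPN traffic into the internal networks.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()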
def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server.

    Installs openvpn and the LDAP auth plugin, writes server.conf from the
    syco template, creates a private CA, server certificate, DH parameters
    and a tls-auth key with easy-rsa, enables LDAP authentication, opens the
    firewall and builds the client certificates.

    args: command line, passed on to build_client_certs().
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Prompt for the sssd bind password before the long-running steps.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        copy_easy_rsa()

    # server.conf from template: public endpoint and the routed networks.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    conf_values = [
        ('${EXTERN_IP}', net.get_public_ip()),
        ('${OPENVPN.NETWORK}', config.general.get_openvpn_network()),
        ('${FRONT.NETWORK}', config.general.get_front_network()),
        ('${FRONT.NETMASK}', config.general.get_front_netmask()),
        ('${BACK.NETWORK}', config.general.get_back_network()),
        ('${BACK.NETMASK}', config.general.get_back_netmask()),
    ]
    for placeholder, value in conf_values:
        scOpen(server_conf).replace(placeholder, value)

    # Certificate subject fields for the CA generation.
    vars_file = "/etc/openvpn/easy-rsa/vars"
    subject_fields = [
        ("KEY_COUNTRY", config.general.get_country_name()),
        ("KEY_PROVINCE", config.general.get_state()),
        ("KEY_CITY", config.general.get_locality()),
        ("KEY_ORG", config.general.get_organization_name()),
        ("KEY_OU", config.general.get_organizational_unit_name()),
        ("KEY_EMAIL", config.general.get_admin_email()),
    ]
    for key, value in subject_fields:
        scOpen(vars_file).replace(r'[\s]*export %s.*' % key, 'export %s="%s"' % (key, value))

    # easy-rsa cannot locate the current openssl.cnf; widen its version glob.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
        r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA, server certificate and DH parameters (easy-rsa defaults,
    # i.e. 1024-bit DH — NOTE(review): weak by current standards).
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): this also places the CA private key (ca.key) next to the
    # server key; anyone who can read /etc/openvpn can then issue client
    # certificates. Confirm the daemon really needs it there.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # tls-auth key (HMAC on the control channel).
    os.chdir("/etc/openvpn/")
    x("openvpn --genkey --secret ta.key")

    # Allow re-issuing a certificate for an existing CN; otherwise
    # "./build-key-pkcs12 --batch xxx" fails with "TXT_DB error number 2".
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # Route VPN traffic into the internal networks.
    net.enable_ip_forward()

    _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()
def install_openvpn_server(args):
    '''
    Install and configure the OpenVPN server.

    Installs openvpn and the LDAP auth plugin, writes server.conf from the
    syco template, creates a private CA, server certificate and DH
    parameters with easy-rsa, enables LDAP authentication, opens the
    firewall and builds the client certificates.

    args: command line, passed on to build_client_certs().
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Prompt for the sssd bind password before the long-running steps.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    # Private copy of the easy-rsa 2.0 scripts.
    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        x("cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa")

    # server.conf from template: public endpoint and the routed networks.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    conf_values = [
        ('${EXTERN_IP}', net.get_public_ip()),
        ('${OPENVPN.NETWORK}', config.general.get_openvpn_network()),
        ('${FRONT.NETWORK}', config.general.get_front_network()),
        ('${FRONT.NETMASK}', config.general.get_front_netmask()),
        ('${BACK.NETWORK}', config.general.get_back_network()),
        ('${BACK.NETMASK}', config.general.get_back_netmask()),
    ]
    for placeholder, value in conf_values:
        scOpen(server_conf).replace(placeholder, value)

    # Certificate subject fields for the CA generation.
    vars_file = "/etc/openvpn/easy-rsa/vars"
    subject_fields = [
        ("KEY_COUNTRY", config.general.get_country_name()),
        ("KEY_PROVINCE", config.general.get_state()),
        ("KEY_CITY", config.general.get_locality()),
        ("KEY_ORG", config.general.get_organization_name()),
        ("KEY_OU", config.general.get_organizational_unit_name()),
        ("KEY_EMAIL", config.general.get_admin_email()),
    ]
    for key, value in subject_fields:
        scOpen(vars_file).replace(r'[\s]*export %s.*' % key, 'export %s="%s"' % (key, value))

    # easy-rsa cannot locate the current openssl.cnf; widen its version glob.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
        r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA, server certificate and DH parameters (easy-rsa defaults,
    # i.e. 1024-bit DH — NOTE(review): weak by current standards).
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): this also places the CA private key (ca.key) next to the
    # server key; anyone who can read /etc/openvpn can then issue client
    # certificates. Confirm the daemon really needs it there.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # Allow re-issuing a certificate for an existing CN; otherwise
    # "./build-key-pkcs12 --batch xxx" fails with "TXT_DB error number 2".
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
        "unique_subject.*", "unique_subject = no")

    # Route VPN traffic into the internal networks.
    net.enable_ip_forward()

    _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()
def configure_sssd(augeas):
    '''
    Write the syco SSSD policy into /etc/sssd/sssd.conf via *augeas* and
    restart sssd so the new settings are loaded.

    Sections touched: ``[pam]`` (offline credential caching),
    ``[domain/default]`` (TLS client cert, access filter, bind account,
    sudo rules, timeouts) and ``[sssd]`` (enabled services).

    Security notes for reviewers:

    * The LDAP bind password is written in clear text as
      ``ldap_default_authtok``.  sssd.conf therefore has to stay root-only
      (0600); nothing in this function sets the file mode -- presumably the
      package default is relied on, verify.
    * ``offline_credentials_expiration = 0`` means cached credentials never
      expire, so a user removed or disabled in LDAP can keep logging in
      locally for as long as the server is unreachable.
    * ``ldap_tls_reqcert = demand`` verifies the server certificate, but
      ``ldap_tls_cacert`` is not set here; the CA is assumed to be provided
      by an earlier step -- confirm, otherwise every bind fails.
    * ``ldap_access_filter`` only gates who may log in; ``enumerate = true``
      still caches the whole user and group set locally.
    * ``rm`` of config.ldb has no ``-f``; on a host where that file does not
      exist yet the command fails.  Whether ``x()`` aborts on a non-zero
      exit is not visible here.
    '''
    path = "/files/etc/sssd/sssd.conf/target[. = '%s']/%s"

    def put(section, key, value):
        augeas.set_enhanced(path % (section, key), value)

    # [pam]: how long (days) cached log-ins stay valid while the provider
    # is offline, counted from the last successful online log-in.  0 means
    # no limit; we want cached credentials even if nobody has logged in.
    put('pam', 'offline_credentials_expiration', "0")

    # [domain/default], part 1: cache the full user/group set instead of
    # only entries that have been requested, authenticate to LDAP with a
    # client certificate, and only let employeeType=Sysop accounts in.
    for key, value in [
        ('enumerate', "true"),
        ('ldap_tls_cert', "/etc/openldap/cacerts/client.pem"),
        ('ldap_tls_key', "/etc/openldap/cacerts/client.pem"),
        ('ldap_tls_reqcert', "demand"),
        ('access_provider', "ldap"),
        ('ldap_access_filter', "(employeeType=Sysop)"),
    ]:
        put('domain/default', key, value)

    # Bind account used for lookups.
    put('domain/default', 'ldap_default_bind_dn', "cn=sssd," + config.general.get_ldap_dn())
    put('domain/default', 'ldap_default_authtok_type', "password")
    put('domain/default', 'ldap_default_authtok', app.get_ldap_sssd_password())

    # [domain/default], part 2: sudo rule caching (full refresh daily,
    # smart refresh hourly) and short timeouts so the cache is used when
    # LDAP is slow or down.
    for key, value in [
        ('sudo_provider', "ldap"),
        ('ldap_sudo_full_refresh_interval', "86400"),
        ('ldap_sudo_smart_refresh_interval', "3600"),
        ('ldap_search_timeout', "5"),
        ('ldap_enumeration_search_timeout', "5"),
        ('ldap_network_timeout', "5"),
    ]:
        put('domain/default', key, value)

    # [sssd]: responders to start.
    put('sssd', 'services', "nss,pam,sudo")

    # sssd only re-reads the config when its mtime changed.
    x("touch /etc/sssd/sssd.conf")

    # Drop the compiled config cache and restart so everything is re-read.
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")

    # Start sssd after reboot.
    x("chkconfig sssd on")
