def run(self, context):
complete = super(postgresql_serverSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
postinst.shellCommand(['/usr/bin/postgresql-setup', 'initdb'])
return complete
def run(self, context):
complete = super(openssh_serverSetup, self).run(context)
ldapHost = context.value('ldapHost')
domain_parts = tuple(context.value('companyDomain').split('.'))
banner = os.path.join(context.value('etcDir'), 'issue.net')
_, new_banner_path = stageFile(banner, context=context)
with open(new_banner_path, 'w') as new_banner:
new_banner.write(
'This server is private property. Authorized use only.\n')
settings = {'Banner': banner}
for key, vals in six.iteritems(
self.managed['openssh-server']['files']):
if key == self.sshd_conf:
settings.update(vals[0][0])
modify_config(self.sshd_conf,
settings=settings,
sep=' ',
context=context)
ldapCertPath = os.path.join(context.value('etcDir'), 'pki', 'tls',
'certs', '%s.crt' % ldapHost)
names = {
'ldapHost': ldapHost,
'domainNat': domain_parts[0],
'domainTop': domain_parts[1],
'ldapCertPath': ldapCertPath
}
modify_config(
self.ldap_conf,
settings={
'URI': 'ldaps://%(ldapHost)s' % names,
'BASE': 'ou=people,dc=%(domainNat)s,dc=%(domainTop)s' % names,
'TLS_CACERT': ldapCertPath,
'TLS_REQCERT': 'demand',
'TIMELIMIT': '15',
'TIMEOUT': '20'
},
sep=' ',
context=context)
config_path = os.path.join('/usr', 'libexec', 'openssh',
'ssh-ldap-wrapper')
_, new_config_path = stageFile(config_path, context)
with open(new_config_path, 'w') as new_config:
new_config.write("""#!/bin/sh
if [ "$1" == "fedora" ] ; then
exit 1
fi
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
""")
postinst.shellCommand(['chmod', '755', config_path])
postinst.shellCommand(['chmod', '644', self.ldap_conf])
return complete
def run(self, context):
complete = super(openssh_serverSetup, self).run(context)
banner = os.path.join(context.SYSCONFDIR, 'issue.net')
_, new_banner_path = stageFile(
banner, context=context)
with open(new_banner_path, 'w') as new_banner:
new_banner.write(
'This server is private property. Authorized use only.\n')
settings = {'Banner': banner}
for key, vals in self.files.iteritems():
if key == self.sshd_conf:
settings.update(vals[0][0])
modify_config(self.sshd_conf,
settings=settings, sep=' ', context=context)
ldapDomain = 'dbs.internal'
domain_parts = tuple(context.value('domainName').split('.'))
ldapCertPath = os.path.join(context.SYSCONFDIR,
'pki', 'tls', 'certs', '%s.crt' % ldapDomain)
names = {
'ldapDomain': ldapDomain,
'domainNat': domain_parts[0],
'domainTop': domain_parts[1],
'ldapCertPath': ldapCertPath
}
modify_config(self.ldap_conf,
settings={
'URI': 'ldaps://%(ldapDomain)s' % names,
'BASE': 'ou=people,dc=%(domainNat)s,dc=%(domainTop)s' % names,
'TLS_CACERT': ldapCertPath,
'TLS_REQCERT': 'demand',
'TIMELIMIT': '15',
'TIMEOUT': '20'
}, sep=' ', context=context)
config_path = os.path.join(
'/usr', 'libexec', 'openssh', 'ssh-ldap-wrapper')
_, new_config_path = stageFile(config_path, context)
with open(new_config_path, 'w') as new_config:
new_config.write(
"""#!/bin/sh
if [ "$1" == "fedora" ] ; then
exit 1
fi
exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
""")
postinst.shellCommand(['chmod', '755', config_path])
postinst.shellCommand(['chmod', '644', self.ldap_conf])
return complete
def run(self, context):
complete = super(postgresql_serverSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
db_host = context.value('dbHost')
vpc_cidr = context.value('vpc_cidr')
pg_user = context.value('dbUser')
postgresql_conf = os.path.join(self.pgdata, 'postgresql.conf')
pg_ident_conf = os.path.join(self.pgdata, 'pg_ident.conf')
pg_hba_conf = os.path.join(self.pgdata, 'pg_hba.conf')
if not os.path.exists(postgresql_conf):
# /var/lib/pgsql/data will be empty unless we run initdb once.
shell_command([self.postgresql_setup, 'initdb'])
listen_addresses = "'localhost'"
for key, val in six.iteritems(
self.managed['%s-server' %
self.daemons[0].replace('-', '')]['files']):
if key == 'listen_addresses':
listen_addresses = ', '.join(
["'%s'" % address[0] for address in val])
postgresql_conf_settings = {'listen_addresses': listen_addresses}
if db_host:
db_ssl_key_file = "/etc/pki/tls/private/%s.key" % db_host
db_ssl_cert_file = "/etc/pki/tls/certs/%s.crt" % db_host
dh_params = "/etc/ssl/certs/dhparam.pem"
if (os.path.exists(db_ssl_key_file)
and os.path.exists(db_ssl_cert_file)):
postgresql_conf_settings.update({
'ssl':
"on",
'ssl_cert_file':
"'%s'" % db_ssl_cert_file,
'ssl_key_file':
"'%s'" % db_ssl_key_file,
'ssl_prefer_server_ciphers':
"on",
#ssl_ca_file = ''
#ssl_crl_file = ''
#ssl_ecdh_curve = 'prime256v1'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
})
if os.path.exists(dh_params):
postgresql_conf_settings.update({
'ssl_dh_params_file':
"'%s'" % dh_params,
})
postinst.shellCommand(
['chown', 'root:postgres', db_ssl_key_file])
postinst.shellCommand(['chmod', '640', db_ssl_key_file])
postinst.shellCommand(
['chmod', '755',
os.path.dirname(db_ssl_key_file)])
modify_config(postgresql_conf,
settings=postgresql_conf_settings,
sep=' = ',
context=context)
# pg_ident
system_to_pg_mapping = {'postgres': 'postgres'}
if pg_user:
system_to_pg_mapping.update({'/^(.*)$': pg_user})
else:
logging.warning("dbUser is '%s'. No regular user will be created"\
" to access the database remotely.")
old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
for line in old_conf.readlines():
look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
if look:
system_user = look.group(1)
if system_user in system_to_pg_mapping:
self.write_ident_line(
new_conf, system_user,
system_to_pg_mapping[system_user])
del system_to_pg_mapping[system_user]
else:
new_conf.write(line)
for system_user, pgident_user in six.iteritems(
system_to_pg_mapping):
self.write_ident_line(new_conf, system_user, pgident_user)
# pg_hba
connections = [
['all', 'postgres', vpc_cidr],
# 'all' because we need to add a constraint on auth_user
['all', pg_user, vpc_cidr]
]
old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
source_host = 'host'
if (postgresql_conf_settings.get('ssl')
and postgresql_conf_settings.get('ssl') == "on"):
source_host = 'hostssl'
for line in old_conf.readlines():
look = re.match(r'^local.*peer$', line.strip())
if look:
new_conf.write(line.strip() + ' map=mymap\n')
else:
look = re.match(r'^(host|hostssl|hostnossl)\s+'\
'(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
line.strip())
if look:
found = None
remains = []
for conn in connections:
if (conn[0] == look.group('db')
and conn[1] == look.group('pg_user')):
found = conn
else:
remains += [conn]
connections = remains
if found:
new_conf.write(
'%(host)s %(db)s%(pg_user)s%(cidr)smd5\n'
% {
'host': source_host.ljust(10),
'db': found[0].ljust(16),
'pg_user': found[1].ljust(16),
'cidr': found[2].ljust(24)
})
else:
new_conf.write(line)
else:
new_conf.write(line)
if connections:
new_conf.write("# Remote connections\n")
for conn in connections:
new_conf.write(
'%(host)s %(db)s%(pg_user)s%(cidr)smd5\n' % {
'host': source_host.ljust(10),
'db': conn[0].ljust(16),
'pg_user': conn[1].ljust(16),
'cidr': conn[2].ljust(24)
})
self.create_cron_conf(context)
#XXX optimizations?
#https://people.planetpostgresql.org/devrim/index.php?/archives/83-Using-huge-pages-on-RHEL-7-and-PostgreSQL-9.4.html
postinst.shellCommand([
'[ -d %(pgdata)s/base ] ||' % {
'pgdata': self.pgdata
}, self.postgresql_setup, 'initdb'
])
return complete
def run(self, context):
complete = super(openldap_serversSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
ldapHost = context.value('ldapHost')
company_domain = context.value('companyDomain')
password_hash = context.value('ldapPasswordHash')
priv_key = os.path.join(context.value('etcDir'),
'pki', 'tls', 'private', '%s.key' % ldapHost)
config_path = os.path.join(context.value('etcDir'),
'openldap', 'slapd.d', 'cn=config.ldif')
_, new_config_path = stageFile(config_path, context)
modify_config(config_path,
sep=': ', context=context,
settings={
'olcTLSCACertificatePath': os.path.join(
context.value('etcDir'), 'pki', 'tls', 'certs'),
'olcTLSCertificateFile': os.path.join(context.value('etcDir'),
'pki', 'tls', 'certs', '%s.crt' % ldapHost),
'olcTLSCertificateKeyFile': priv_key
})
self._update_crc32(new_config_path)
domain_parts = tuple(company_domain.split('.'))
db_config_path = os.path.join(context.value('etcDir'),
'openldap', 'slapd.d', 'cn=config', 'olcDatabase={0}config.ldif')
_, new_config_path = stageFile(db_config_path, context)
modify_config(db_config_path,
sep=': ', enter_block_sep=None, exit_block_sep=None,
one_per_line=True, context=context, settings={
'olcRootPW': '%s' % password_hash
})
self._update_crc32(new_config_path)
# XXX using hdb on Fedora27 with an encrypted EBS will lead
# to a `BDB0126 mmap: Invalid argument` error. just delete the file!
for db_path in ['olcDatabase={2}hdb.ldif', 'olcDatabase={2}mdb.ldif']:
db_path = os.path.join(context.value('etcDir'),
'openldap', 'slapd.d', 'cn=config', db_path)
_, new_config_path = stageFile(db_path, context)
modify_config(db_path,
sep=': ', enter_block_sep=None, exit_block_sep=None,
one_per_line=True, context=context, settings={
'olcSuffix': 'dc=%s,dc=%s' % domain_parts,
'olcRootDN': 'cn=Manager,dc=%s,dc=%s' % domain_parts,
'olcRootPW': '%s' % password_hash,
'olcAccess': [
'{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
'{0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=%s,dc=%s" write by anonymous auth by * none' % domain_parts,
'{1}to * by dn.base="cn=Manager,dc=%s,dc=%s" write by self write by * read"' % domain_parts]
})
self._update_crc32(new_config_path)
schema_path = os.path.join(context.value('etcDir'),
'openldap', 'schema', 'openssh-ldap.ldif')
_, new_schema_path = stageFile(schema_path, context)
with open(new_schema_path, 'w') as schema_file:
schema_file.write("""dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
uid ) )
""")
self.create_cron_conf(context)
self.create_syslogng_conf(context)
postinst.create_certificate(ldapHost)
postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
postinst.shellCommand(['chgrp', 'ldap', os.path.dirname(priv_key)])
postinst.shellCommand(['chmod', '640', priv_key])
postinst.shellCommand(['chgrp', 'ldap', priv_key])
postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
postinst.shellCommand(['chown', 'ldap:ldap',
config_path, db_config_path, db_hdb_path])
postinst.shellCommand(['chmod', '600',
config_path, db_config_path, db_hdb_path])
# We need to start the server before adding the schemas.
postinst.shellCommand(['service', 'slapd', 'restart'])
postinst.shellCommand(['systemctl', 'enable', 'slapd.service'])
postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
'-f', '/etc/openldap/schema/cosine.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
'-f', '/etc/openldap/schema/nis.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
'-f', '/etc/openldap/schema/inetorgperson.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-Y', 'EXTERNAL', '-H', 'ldapi:///',
'-f', '/etc/openldap/schema/openssh-ldap.ldif', '-D', '"cn=config"'])
return complete
def run(self, context):
complete = super(postgresql_serverSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
pg_user = context.value('dbUser')
vpc_cidr = context.value('vpc_cidr')
postgresql_conf = '/var/lib/pgsql/data/postgresql.conf'
pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
pg_hba_conf = '/var/lib/pgsql/data/pg_hba.conf'
listen_addresses = "'localhost'"
for key, val in self.managed['postgresql-server']['files'].iteritems():
if key == 'listen_addresses':
listen_addresses = "'%s'" % val
modify_config(postgresql_conf,
settings={'listen_addresses': listen_addresses},
sep=' = ', context=context)
# pg_ident
system_to_pg_mapping = {
'postgres': 'postgres',
'/^(.*)$': pg_user
}
old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
for line in old_conf.readlines():
look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
if look:
system_user = look.group(1)
if system_user in system_to_pg_mapping:
new_conf.write(
'%(map)s%(system_user)s%(pg_user)s\n' % {
'map': 'mymap'.ljust(16),
'system_user': system_user.ljust(24),
'pg_user': system_to_pg_mapping[system_user].ljust(16)})
else:
new_conf.write(line)
# pg_hba
connections = [['postgres', 'postgres', vpc_cidr],
['all', pg_user, vpc_cidr]]
old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
for line in old_conf.readlines():
look = re.match(r'^local.*peer$', line.strip())
if look:
new_conf.write(line.strip() + ' map=mymap\n')
else:
look = re.match(
r'^host\s+(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
line.strip())
if look:
found = None
remains = []
for conn in connections:
if (conn[0] == look.group('db')
and conn[1] == look.group('pg_user')):
found = conn
else:
remains += [conn]
connections = remains
if found:
new_conf.write(
'host %(db)s%(pg_user)s%(cidr)smd5\n' % {
'db': found[0].ljust(16),
'pg_user': found[1].ljust(16),
'cidr': found[2].ljust(16)})
else:
new_conf.write(line)
else:
new_conf.write(line)
if len(connections) > 0:
new_conf.write("# Remote connections\n")
for conn in connections:
new_conf.write(
'host %(db)s%(pg_user)s%(cidr)smd5\n' % {
'db': conn[0].ljust(16),
'pg_user': conn[1].ljust(16),
'cidr': conn[2].ljust(16)})
self.create_cron_conf(context)
postinst.shellCommand(['[ -d /var/lib/pgsql/data/base ] ||',
'/usr/bin/postgresql-setup', 'initdb'])
return complete
def run(self, context):
complete = super(openldap_serversSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
domain = 'dbs.internal'
company_domain = context.value('domainName')
password_hash = context.value('ldapPasswordHash')
priv_key = os.path.join(context.SYSCONFDIR,
'pki', 'tls', 'private', '%s.key' % domain)
config_path = os.path.join(context.SYSCONFDIR,
'openldap', 'slapd.d', 'cn=config.ldif')
_, new_config_path = stageFile(config_path, context)
modify_config(config_path,
sep=': ', context=context,
settings={
'olcTLSCACertificatePath': os.path.join(
context.SYSCONFDIR, 'pki', 'tls', 'certs'),
'olcTLSCertificateFile': os.path.join(context.SYSCONFDIR,
'pki', 'tls', 'certs', '%s.crt' % domain),
'olcTLSCertificateKeyFile': priv_key
})
self._update_crc32(new_config_path)
domain_parts = tuple(company_domain.split('.'))
config_path = os.path.join(context.SYSCONFDIR,
'openldap', 'slapd.d', 'cn=config', 'olcDatabase={0}config.ldif')
_, new_config_path = stageFile(config_path, context)
modify_config(config_path,
sep=': ', enter_block_sep=None, exit_block_sep=None,
one_per_line=True, context=context, settings={
'olcRootPW': '{SSHA}%s' % password_hash
})
self._update_crc32(new_config_path)
config_path = os.path.join(context.SYSCONFDIR,
'openldap', 'slapd.d', 'cn=config', 'olcDatabase={2}mdb.ldif')
_, new_config_path = stageFile(config_path, context)
modify_config(config_path,
sep=': ', enter_block_sep=None, exit_block_sep=None,
one_per_line=True, context=context, settings={
'olcSuffix': 'dc=%s,dc=%s' % domain_parts,
'olcRootDN': 'cn=Manager,dc=%s,dc=%s' % domain_parts,
'olcRootPW': '{SSHA}%s' % password_hash,
'olcAccess': [
'{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
'{0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=%s,dc=%s" write by anonymous auth by * none' % domain_parts,
'{1}to * by dn.base="cn=Manager,dc=%s,dc=%s" write by self write by * read"' % domain_parts]
})
self._update_crc32(new_config_path)
schema_path = os.path.join(context.SYSCONFDIR,
'openldap', 'schema', 'openssh-ldap.ldif')
_, new_schema_path = stageFile(schema_path, context)
with open(new_schema_path, 'w') as schema_file:
schema_file.write("""dn: cn=openssh-openldap,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
uid ) )
""")
postinst.shellCommand(['chmod', '750', os.path.dirname(priv_key)])
postinst.shellCommand(['chgrp', 'ldap', os.path.dirname(priv_key)])
postinst.shellCommand(['chmod', '640', priv_key])
postinst.shellCommand(['chgrp', 'ldap', priv_key])
self.create_syslogng_conf(context)
postinst.shellCommand([
'systemctl', 'enable', 'slapd.service'])
postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
'/etc/openldap/schema/cosine.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
'/etc/openldap/schema/nis.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
'/etc/openldap/schema/inetorgperson.ldif', '-D', '"cn=config"'])
postinst.shellCommand(['ldapadd', '-x', '-W', '-H', 'ldap:///', '-f',
'/etc/openldap/schema/openssh-ldap.ldif', '-D', '"cn=config"'])
return complete
def run(self, context):
complete = super(sssdSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
ldapDomain = 'dbs.internal'
ldapCertPath = os.path.join(context.SYSCONFDIR,
'pki', 'tls', 'certs', '%s.crt' % ldapDomain)
domain_parts = tuple(context.value('domainName').split('.'))
names = {
'ldapDomain': ldapDomain,
'domainNat': domain_parts[0],
'domainTop': domain_parts[1],
'ldapCertPath': ldapCertPath
}
_, new_config_path = stageFile(self.sssd_conf, context)
with open(new_config_path, 'w') as new_config:
new_config.write("""[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sudo]
[domain/LDAP]
# Debugging:
debug_level = 9
ldap_tls_reqcert = demand
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
ldap_search_base = dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://%(ldapDomain)s/
ldap_chpass_uri = ldaps://%(ldapDomain)s/
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = True
ldap_tls_cacert = %(ldapCertPath)s
entry_cache_timeout = 600
ldap_network_timeout = 3
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=%(domainNat)s,dc=%(domainTop)s
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
# Enable group mapping otherwise only the user's primary group will map
# correctly. Without this defined group membership won't work
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=group,dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_name = cn
ldap_group_member = memberUid
""" % names)
postinst.shellCommand(['chmod', '600', self.sssd_conf])
postinst.shellCommand(['authconfig',
'--update', '--enablesssd', '--enablesssdauth'])
postinst.shellCommand(['setsebool',
'-P', 'authlogin_nsswitch_use_ldap', '1'])
postinst.shellCommand([
'systemctl', 'enable', 'sssd.service'])
return complete
def run(self, context):
complete = super(sssdSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
ldapHost = context.value('ldapHost')
domain_parts = tuple(context.value('domainName').split('.'))
ldapCertPath = os.path.join(context.value('etcDir'), 'pki', 'tls',
'certs', '%s.crt' % ldapHost)
names = {
'ldapHost': ldapHost,
'domainNat': domain_parts[0],
'domainTop': domain_parts[1],
'ldapCertPath': ldapCertPath
}
_, new_config_path = stageFile(self.sssd_conf, context)
with open(new_config_path, 'w') as new_config:
new_config.write("""[sssd]
config_file_version = 2
reconnection_retries = 3
services = nss, pam, sudo
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
reconnection_retries = 3
[pam]
reconnection_retries = 3
[sudo]
[domain/LDAP]
# Debugging:
debug_level = 9
ldap_tls_reqcert = demand
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = true
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
ldap_search_base = dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldaps://%(ldapHost)s/
ldap_chpass_uri = ldaps://%(ldapHost)s/
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = True
ldap_tls_cacert = %(ldapCertPath)s
entry_cache_timeout = 600
ldap_network_timeout = 3
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=%(domainNat)s,dc=%(domainTop)s
ldap_sudo_full_refresh_interval=86400
ldap_sudo_smart_refresh_interval=3600
# Enable group mapping otherwise only the user's primary group will map
# correctly. Without this defined group membership won't work
ldap_group_object_class = posixGroup
ldap_group_search_base = ou=groups,dc=%(domainNat)s,dc=%(domainTop)s
ldap_group_name = cn
ldap_group_member = memberUid
""" % names)
postinst.shellCommand(['chmod', '600', self.sssd_conf])
postinst.shellCommand(
['authconfig', '--update', '--enablesssd', '--enablesssdauth'])
postinst.shellCommand(
['setsebool', '-P', 'authlogin_nsswitch_use_ldap', '1'])
return complete
def run(self, context):
complete = super(postgresql_serverSetup, self).run(context)
if not complete:
# As long as the default setup cannot find all prerequisite
# executable, libraries, etc. we cannot update configuration
# files here.
return complete
pg_user = context.value('dbUser')
vpc_cidr = context.value('vpc_cidr')
postgresql_conf = '/var/lib/pgsql/data/postgresql.conf'
pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
pg_ident_conf = '/var/lib/pgsql/data/pg_ident.conf'
pg_hba_conf = '/var/lib/pgsql/data/pg_hba.conf'
if not os.path.exists(postgresql_conf):
# /var/lib/pgsql/data will be empty unless we run initdb once.
shell_command(['/usr/bin/postgresql-setup', 'initdb'])
listen_addresses = "'localhost'"
for key, val in six.iteritems(
self.managed['postgresql-server']['files']):
if key == 'listen_addresses':
listen_addresses = ', '.join(
["'%s'" % address for address in val])
modify_config(postgresql_conf,
settings={'listen_addresses': listen_addresses},
sep=' = ',
context=context)
# pg_ident
system_to_pg_mapping = {'postgres': 'postgres', '/^(.*)$': pg_user}
old_conf_path, new_conf_path = stageFile(pg_ident_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
for line in old_conf.readlines():
look = re.match(r'^mymap\s+(\S+)\s+(\S+)', line.strip())
if look:
system_user = look.group(1)
if system_user in system_to_pg_mapping:
new_conf.write(
'%(map)s%(system_user)s%(pg_user)s\n' % {
'map':
'mymap'.ljust(16),
'system_user':
system_user.ljust(24),
'pg_user':
system_to_pg_mapping[system_user].ljust(16)
})
else:
new_conf.write(line)
# pg_hba
connections = [['postgres', 'postgres', vpc_cidr],
['all', pg_user, vpc_cidr]]
old_conf_path, new_conf_path = stageFile(pg_hba_conf, context)
with open(new_conf_path, 'w') as new_conf:
with open(old_conf_path) as old_conf:
for line in old_conf.readlines():
look = re.match(r'^local.*peer$', line.strip())
if look:
new_conf.write(line.strip() + ' map=mymap\n')
else:
look = re.match(
r'^host\s+(?P<db>\S+)\s+(?P<pg_user>\S+)\s+(?P<cidr>\S+)\s+(?P<method>\S+)',
line.strip())
if look:
found = None
remains = []
for conn in connections:
if (conn[0] == look.group('db')
and conn[1] == look.group('pg_user')):
found = conn
else:
remains += [conn]
connections = remains
if found:
new_conf.write(
'host %(db)s%(pg_user)s%(cidr)smd5\n' %
{
'db': found[0].ljust(16),
'pg_user': found[1].ljust(16),
'cidr': found[2].ljust(16)
})
else:
new_conf.write(line)
else:
new_conf.write(line)
if connections:
new_conf.write("# Remote connections\n")
for conn in connections:
new_conf.write(
'host %(db)s%(pg_user)s%(cidr)smd5\n' % {
'db': conn[0].ljust(16),
'pg_user': conn[1].ljust(16),
'cidr': conn[2].ljust(16)
})
self.create_cron_conf(context)
postinst.shellCommand([
'[ -d /var/lib/pgsql/data/base ] ||', '/usr/bin/postgresql-setup',
'initdb'
])
return complete
