Added a script and yaml file to setup ds389 in rancher

SUSE · Oct 25, 2024 · 8873afe · 8873afe
1 parent 67d7676
commit 8873afe
Show file tree

Hide file tree

Showing 2 changed files with 347 additions and 0 deletions.
diff --git a/scripts/authentication/389.yml b/scripts/authentication/389.yml
@@ -0,0 +1,195 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${ds389_ns_name:-ds389}
+...
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${ds389_name:-ds389}-sa
+  namespace: ${ds389_ns_name:-ds389}
+...
+
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dirsrv-tls-secret
+  namespace: ${ds389_ns_name:-ds389}
+data:
+  tls.key: |
+    ${ds389_tls_key:-LS0tLS1CRUdJTiBFTkNSWVBURUQgUFJJVkFURSBLRVktLS0tLQpNSUlKbnpCSkJna3Foa2lHOXcw
+    QkJRMHdQREFiQmdrcWhraUc5dzBCQlF3d0RnUUlMZmtpMDkwcnZsb0NBZ2dBCk1CMEdDV0NHU0FG
+    bEF3UUJLZy4uLkdOWWM3aTlTVkRCb0E9PQotLS0tLUVORCBFTkNSWVBURUQgUFJJVkFURSBLRVkt
+    LS0tLQ==}
+  tls.crt: |
+    ${ds389_tls_cert:-LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ4akNDQTY0Q0NRQ05UK2VQMnZqSnh6QU5C
+    Z2txaGtpRzl3MEJBUXNGQURDQnBERUxNQWtHQTFVRUJoTUMKUmxJeEVqQVFCZ05WQkFnTUMuLi51
+    ZEp3RTdIbm5BN2xwQQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t}
+...
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dirsrv-dm-password
+  namespace: ${ds389_ns_name:-ds389}
+data:
+# Password must be in base64
+  dm-password: ${ds389_dm_pwd_b64:-YWRtaW4xMjM=}
+#  dm-password: admin123 
+...
+
+
+---
+kind: StatefulSet
+apiVersion: apps/v1
+metadata:
+  name: ${ds389_name:-ds389}
+  namespace: ${ds389_ns_name:-ds389}
+spec:
+  serviceName: ${ds389_name:-ds389}-internal-svc
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ${ds389_name:-ds389}
+  template:
+    metadata:
+      labels:
+        app: ${ds389_name:-ds389}
+    spec:
+      serviceAccountName: ${ds389_name:-ds389}-sa
+      securityContext:
+        fsGroup: 499
+      initContainers:
+      # Init container is required to change the permissions after a persistent volume is mounted.
+      # Otherwise dscontainer will be denied to create subdirectories and will fail to start.
+      - name: ${ds389_name:-ds389}-init-container
+        image: busybox
+        command: ["/bin/sh", "-c", "chown -R 499:499 /data"]
+        volumeMounts:
+        - name: ${ds389_name:-ds389}-data
+          mountPath: /data
+      containers:
+        - name: dirsrv-container
+          image: ${ds389_image:-docker.io/389ds/dirsrv}
+          lifecycle:
+            postStart:
+              exec:
+                command: ["/bin/sh", "-c", "sleep 60; dsconf localhost backend create --suffix ${ds389_rootdn:-dc=mydemo,dc=lab} --be-name userroot --create-suffix --create-entries ;
+                          dsconf localhost pwpolicy set --pwdscheme=CRYPT-SHA512 ;
+                          dsconf localhost config replace nsslapd-rootpwstoragescheme=CRYPT-SHA512 ;
+                          dsconf localhost config replace nsslapd-rootpw=${ds389_dm_pwd:-admin123} ;
+                          dsconf localhost plugin referential-integrity enable ;
+                          dsconf localhost plugin memberof enable ;
+                          dsconf localhost config replace nsslapd-allow-anonymous-access=off ;
+                          dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid ldap_user --cn ldap_user --displayName ldap_user --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/ldap_user ;
+                          dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab}  account change_password uid=ldap_user,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ;
+                          dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} user create --uid developer --cn developer --displayName developer --uidNumber 1002 --gidNumber 1002 --homeDirectory /home/developer ;
+                          dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} account change_password uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab} ${ds389_users_pwd:-supersecret123} ;
+                          dsidm localhost --basedn ${ds389_rootdn:-dc=mydemo,dc=lab} group create --cn developers;
+                          dsidm localhost -b ${ds389_rootdn:-dc=mydemo,dc=lab} group add_member developers uid=developer,ou=people,${ds389_rootdn:-dc=mydemo,dc=lab}   "]
+          env:
+          ## Set `cn=Directory Manager`'s password
+          - name: DS_DM_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: dirsrv-dm-password
+                key: dm-password
+          ## Use suffix as a basedn in `dsrc` file
+          - name: DS_SUFFIX_NAME
+            value: "${ds389_rootdn:-dc=mydemo,dc=lab}"
+          ## DS_ERRORLOG_LEVEL - set the log level for `ns-slapd`, default is 266354688
+          - name: DS_ERRORLOG_LEVEL
+            value: "8192"
+          ## DS_MEMORY_PERCENTAGE - set LDBM autotune percentage (`nsslapd-cache-autosize`), default is 25
+          - name: DS_MEMORY_PERCENTAGE
+            value: "10"
+          ## DS_REINDEX` - run database reindex task (`db2index`)
+          - name: DS_REINDEX
+            value: "True"
+          ## DS_STARTUP_TIMEOUT - set container startup timeout in seconds, default is 60 seconds.
+          - name: DS_STARTUP_TIMEOUT
+            value: "120"
+          ports:
+            - containerPort: 3389
+              protocol: TCP
+            - containerPort: 3636
+              protocol: TCP
+          securityContext:
+            runAsUser: 489
+          volumeMounts:
+          - name: ${ds389_name:-ds389}-data
+            mountPath: "/data"
+          - name: dirsrv-tls
+            mountPath: '/data/tls/'
+            readOnly: true
+      volumes:
+      - name: dirsrv-tls
+        secret:
+          secretName: dirsrv-tls-secret
+          items:
+          - key: tls.key
+            path: server.key
+          - key: tls.crt
+            path: server.crt
+  volumeClaimTemplates:
+  - metadata:
+      name: ${ds389_name:-ds389}-data
+    spec:
+      accessModes: [ "ReadWriteOnce" ]
+      resources:
+        requests:
+          storage: ${ds389_vc_size:-5Gi}
+...
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ${ds389_name:-ds389}
+  name: ${ds389_name:-ds389}-internal-svc
+  namespace: ${ds389_ns_name:-ds389}
+spec:
+  clusterIP: None
+  ports:
+  - name: ${ds389_name:-ds389}-port
+    port: 3389
+    protocol: TCP
+    targetPort: 3389
+  - name: ${ds389_name:-ds389}-tls-port
+    port: 3636
+    protocol: TCP
+    targetPort: 3636
+  selector:
+    app: ${ds389_name:-ds389}
+  type: ClusterIP
+...
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ${ds389_name:-ds389}
+  name: ${ds389_name:-ds389}-external-svc
+  namespace: ${ds389_ns_name:-ds389}
+spec:
+  ports:
+    - name: ${ds389_name:-ds389}-port
+      port: 3389
+      protocol: TCP
+      targetPort: 3389
+      nodePort: ${ds389_port:-30389}
+    - name: ${ds389_name:-ds389}-tls-port
+      port: 3636
+      protocol: TCP
+      targetPort: 3636
+      nodePort: ${ds389_port_tls:-30636}
+  selector:
+    app: ${ds389_name:-ds389}
+  type: NodePort
+...
+
diff --git a/scripts/authentication/ds389.sh b/scripts/authentication/ds389.sh
@@ -0,0 +1,152 @@
+#!/bin/bash
+
+
+
+_admin_user="cn=Directory Manager"
+_admin_pwd="admin123"
+_uri="ldap://node101.mydemo.lab:30389"
+_connection_str="-D \"${_admin_user}\" -w \"${_admin_pwd}\" -x  -H \"${_uri}\""
+_basedn="dc=mydemo,dc=lab"
+_ldap_user_dn="uid=ldap_user,ou=people,${_basedn}"
+_ldap_user_pwd="supersecret123"
+
+
+
+# Inspired from https://stackoverflow.com/questions/2914220/bash-templating-how-to-build-configuration-files-from-templates-with-bash#11050943
+function process_templates() {
+       eval "cat <<EOF
+$(cat ${template_file} )
+EOF
+"
+}
+
+
+
+## DS389: Restrict permissions
+## This will:
+## -  prevent normal users from reading the whole directory
+function ds389_restrict_permissions() {
+  ldapmodify ${_connection_str} << EOL
+dn: ou=people,${_basedn}
+changetype: modify
+delete: aci
+aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable anyone user read"; allow (read, search, compare)(userdn="ldap:///anyone");)
+ 
+dn: ou=people,${_basedn}
+changetype: modify
+add: aci
+aci: (targetattr="objectClass || description || nsUniqueId || uid || displayName || loginShell || uidNumber || gidNumber || gecos || homeDirectory || cn || memberOf || mail || nsSshPublicKey || nsAccountLock || userCertificate")(targetfilter="(objectClass=posixaccount)")(version 3.0; acl "Enable self user read"; allow (read, search, compare)(userdn="ldap:///self");)
+EOL
+
+
+}
+
+
+
+## DS389: Grant ldap_user privileges to read the whole directory 
+function ds389_ldap_user-user_private_read() {
+  ldapmodify  ${_connection_str} << EOL
+dn: cn=user_private_read,ou=permissions,${_basedn}
+changetype: modify
+add: member
+member: uid=ldap_user,ou=people,${_basedn}
+EOL
+
+}
+
+
+## DS389: Verify ldap_user has access
+function ds389_ldap_user-access() {
+  ldapsearch -x  -D "${_ldap_user_dn}" -w "${__ldap_user_pwd}" -H "${_uri}"  -b "${_basedn}"
+}
+
+
+
+## DS389: Install 389 Directory server
+function ds389_install() {
+  template_file=${LAB_SETUP_PATH}/cloud-init/template_${_type}
+  process_templates >/tmp/389.yml
+  kubectl apply -f 389.yml 
+  sleep 60
+  ds389_restrict_permissions
+  ds389_ldap_user-user_private_read
+}
+
+
+## DS389: uninstall 389 Directory server
+function ds389_uninstall() {
+  kubectl -n ds389  delete ServiceAccount/ds389-sa Secret/dirsrv-tls-secret Secret/dirsrv-dm-password StatefulSet/ds389 Ingress/ds389 Service/ds389 Namespace/ds389 service/ds389-internal-svc  service/ds389-external-svc; sleep 15 
+}
+
+
+function usage() {
+        echo "Usage:
+$0 [install|uninstall|create-user|delete-user|create-group|delete-group|check-user|check-group|change-passwd] <[user|group]> <password>"
+
+}
+
+
+_arg="$1"
+
+
+if [[ ! ${_arg} ]]
+then
+        echo "ERROR: Missing argument"
+        usage
+        exit 1
+fi
+
+case ${_arg} in
+  install)
+    ds389_install
+    ;;
+  uninstall)
+    ds389_uninstall
+    ;;
+  create-user)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ;  exit 1)
+    # these are only for rancher, therefore doesn't matter if they have the same UID
+    dsidm localhost --basedn "${_basedn}" user create --uid $2 --cn $2 --displayName $2 --uidNumber 1001 --gidNumber 1001 --homeDirectory /home/${2}
+    ;;
+  delete-user)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ;  exit 1)
+    ldapmodify ${_connection_str} << EOL
+dn: ou=people,${_basedn}
+changetype: modify
+delete: uid
+uid: $2
+EOL
+    ;;
+  create-group)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ;  exit 1)
+    dsidm localhost --basedn "${_basedn}" group create --cn $2 ; 
+    ;;
+  delete-group)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ;  exit 1)
+    ldapmodify ${_connection_str} << EOL
+dn: ou=group,${_basedn}
+changetype: modify
+delete: cn
+cn: $2
+EOL
+    ;;
+  check-user)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ;  exit 1)
+    dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=people,${_basedn}
+    ;;
+  check-group)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing group"; usage ;  exit 1)
+    dsidm localhost --basedn "${_basedn}" account get-by-dn uid=${2},ou=group,${_basedn}
+    ;;
+  change-passwd)
+    [[ "$2" == "" ]] && ( echo "ERROR: Missing user"; usage ;  exit 1)
+    [[ "$3" == "" ]] && ( echo "ERROR: Missing password"; usage ;  exit 1)
+    dsidm localhost -b "${_basedn}"  account change_password uid=${2},ou=people,dc=mydemo,dc=lab $3 
+    ;;
+  *)
+    usage
+    exit 1
+    ;;
+esac
+
+