Fix kerberox.
This commit is contained in:
parent
f3d2d5ca9b
commit
49d81c705d
7 changed files with 80 additions and 62 deletions
|
@ -19,7 +19,6 @@
|
|||
file:
|
||||
path: /etc/krb5kdc
|
||||
state: directory
|
||||
recurse: true
|
||||
mode: 0755
|
||||
|
||||
- name: prepare kdc.conf
|
||||
|
@ -81,71 +80,83 @@
|
|||
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
||||
|
||||
- name: modify ACLs to account for KDC
|
||||
ldap_attr:
|
||||
ldap_attrs:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcAccess
|
||||
values:
|
||||
- >-
|
||||
to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
- >-
|
||||
to attrs=shadowLastChange
|
||||
by self write
|
||||
by * read
|
||||
- >-
|
||||
to dn.subtree="cn=kerberos,{{ basedn }}"
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * none
|
||||
- >-
|
||||
to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by self read
|
||||
by * auth
|
||||
- >-
|
||||
to *
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * read
|
||||
attributes:
|
||||
olcAccess:
|
||||
- >-
|
||||
to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
- >-
|
||||
to attrs=shadowLastChange
|
||||
by self write
|
||||
by * read
|
||||
- >-
|
||||
to dn.subtree="cn=kerberos,{{ basedn }}"
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * none
|
||||
- >-
|
||||
to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by self read
|
||||
by * auth
|
||||
- >-
|
||||
to *
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * read
|
||||
ordered: true
|
||||
state: exact
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add KDC indexes to LDAP
|
||||
ldap_attr:
|
||||
ldap_attrs:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcDbIndex
|
||||
values:
|
||||
- objectClass eq
|
||||
- cn,uid eq
|
||||
- uidNumber,gidNumber eq
|
||||
- member,memberUid eq
|
||||
- krbPrincipalName pres,sub,eq
|
||||
attributes:
|
||||
olcDbIndex:
|
||||
- objectClass eq
|
||||
- cn,uid eq
|
||||
- uidNumber,gidNumber eq
|
||||
- member,memberUid eq
|
||||
- krbPrincipalName pres,sub,eq
|
||||
state: exact
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add AuthzRegexp to map access via kerberos/GSSAPI
|
||||
ldap_attr:
|
||||
ldap_attrs:
|
||||
dn: "cn=config"
|
||||
name: olcAuthzRegexp
|
||||
values:
|
||||
- "{0}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
- "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
attributes:
|
||||
olcAuthzRegexp:
|
||||
- "{0}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
- "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
state: exact
|
||||
|
||||
- name: prepare password for kdc # noqa risky-shell-pipe
|
||||
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
|
||||
shell:
|
||||
>-
|
||||
echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} |
|
||||
xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile ;
|
||||
chmod 0600 /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: prepare password for kadmin # noqa risky-shell-pipe
|
||||
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
|
||||
shell:
|
||||
>-
|
||||
echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} |
|
||||
xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile ;
|
||||
chmod 0600 /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: dump kdc master password
|
||||
shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
|
||||
shell:
|
||||
>-
|
||||
echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ;
|
||||
chmod 0600 "{{ kdc_master_pwd_file }}"
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
|
@ -200,11 +211,11 @@
|
|||
mode: '0640'
|
||||
notify: restart slapd
|
||||
|
||||
- name: "make 'kerberos' an alias hostname resolvable from the LAN"
|
||||
- name: "make 'kerberos' and 'ldap' alias hostnames resolvable from the LAN"
|
||||
replace:
|
||||
path: /etc/hosts
|
||||
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
|
||||
replace: '\1 kerberos'
|
||||
replace: '\1 kerberos ldap'
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
########################
|
||||
|
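Review bot: Both `prepare password for kdc` and `prepare password for kadmin` still create /etc/krb5kdc/service.keyfile through a `>`/`>>` redirect under the shell's default umask and only afterwards `chmod 0600` it, so the DN/password pairs are readable by other local users for a moment; prefixing the folded command with `umask 077 ;` closes that window and turns the trailing chmod into a no-op. The same two tasks interpolate `{{ kdc_service_pwd }}` and `{{ kadmin_service_pwd }}` unquoted inside the `$( … )` substitution, so a password containing whitespace or shell metacharacters is mangled or interpreted rather than hashed — `{{ kdc_service_pwd | quote }}` (and the kadmin equivalent) passes it through intact. The `dump kdc master password` task has the same create-then-chmod race and needs no shell at all: the `copy` module writes the file with its final mode in one step, and `content:` adds no trailing newline, which preserves the `echo -n` behaviour. Keeping `no_log: true` on all three tasks is correct and should stay with whichever rewrite is chosen.

```yaml
- name: dump kdc master password
  copy:
    content: "{{ kdc_master_pwd }}"
    dest: "{{ kdc_master_pwd_file }}"
    mode: '0600'
  no_log: true
  when: not krb5kdc.stat.exists
```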
|