tls error handling improved. adding ldap security group

Former-commit-id: d749fb8e

tls error handling improved. adding ldap security group
Former-commit-id: d749fb8e
61a4f97f · Andreas Hamacher · b445536b · 61a4f97f · 61a4f97f · 61a4f97f
Commit 61a4f97f authored 4 years ago by Andreas Hamacher
--- a/CICD/heat/gc_HOT.yaml
+++ b/CICD/heat/gc_HOT.yaml
@@ -58,6 +58,11 @@ parameters:
    type: string
    label: Resource ID
    default: 8a029c04-08ce-40f1-a705-d45a2077e27d
+  LDAPSecGroupID:
+    type: string
+    label: Resource ID
+    default: 070a32e2-858b-462a-b2b5-b3a92eec2669
+	

 resources:

@@ -70,9 +75,9 @@ resources:
    flavor: m3.xsmall
    image: { get_param: centos_7_image_id }
    key_name: { get_param: ssh_key }
-    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID } ]
+    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
    metadata:
-     ansible_host_groups: [ SQLNodes, NFSNodes ]
+     ansible_host_groups: [ SQLNodes, NFSNodes, LDAPServer ]
     ansible_ssh_user: ec2-user
     project_name: { get_param: project_name }
    networks:
@@ -159,7 +164,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'login%index%' ]]
-      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ LoginNodes ]
       ansible_ssh_user: ec2-user
@@ -180,7 +185,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'loginU%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ LoginNodes ]
       ansible_ssh_user: ubuntu
@@ -201,7 +206,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopc%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, VisNodes, ComputeNodes ]
       ansible_ssh_user: ec2-user
@@ -222,7 +227,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computeU%index%' ]]
-      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID } ]
+      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ ComputeNodes ]
       ansible_ssh_user: ubuntu
@@ -243,7 +248,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computec7%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ ComputeNodes ]
       ansible_ssh_user: ec2-user
@@ -264,7 +269,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'gpudesktopu%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ DesktopNodes, GPU, ComputeNodes, K1, VisNodes ]
       ansible_ssh_user: ubuntu
@@ -285,7 +290,7 @@ resources:
      key_name: { get_param: ssh_key }
      name:
       list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computerhel%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
      metadata:
       ansible_host_groups: [ DGXRHELNodes ]
       ansible_ssh_user: cloud-user
@@ -302,7 +307,7 @@ resources:
 #    flavor: m3.xsmall
 #    image: { get_param: ubuntu_1804_image_id }
 #    key_name: { get_param: ssh_key }
-#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess } ]
+#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess }, { get_param: LDAPSecGroupID } ]
 #    metadata:
 #     ansible_host_groups: [ PySSHauthz ]
 #     ansible_ssh_user: ubuntu

--- a/CICD/heat/gc_secgroups.hot
+++ b/CICD/heat/gc_secgroups.hot
@@ -37,6 +37,14 @@ resources:
               port_range_min: 111,
               port_range_max: 111,
               remote_mode: "remote_group_id"} ]
+  LDAPSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatldapsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 389,
+               port_range_max: 389,
+               remote_mode: "remote_group_id"} ]
  MySQLSecGroup:
   type: "OS::Neutron::SecurityGroup"
   properties:

--- a/CICD/plays/mockldap.yml
+++ b/CICD/plays/mockldap.yml
 ---
- hosts: SQLNodes
+- hosts: LDAPServer
  vars_files: 
  - vars/passwords.yml
  - vars/ldapConfig.yml

--- a/roles/ldapclient/defaults/main.yml
+++ b/roles/ldapclient/defaults/main.yml
 ---
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
+useTLS: True
--- a/roles/ldapclient/tasks/configLdapClient.yml
+++ b/roles/ldapclient/tasks/configLdapClient.yml
@@ -36,10 +36,10 @@
  become_user: root

 - name: "Add LDAP server IP address to /etc/hosts"
-  lineinfile: dest=/etc/hosts line="{{ ldapServerHostIpLine }}" state=present insertafter=EOF
+  lineinfile: dest=/etc/hosts line="{{ hostvars[groups['LDAPServer'][0]]['ansible_host'] }} {{ ldapServerHostName }}" state=present insertafter=EOF
  become: true
  become_user: root
-  when: ldapServerHostIpLine is defined
+  #when: ldapServerHostIpLine is defined

 - name: "Copy sssd.conf to ldap client"
  template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600

--- a/roles/ldapclient/templates/sssd.j2
+++ b/roles/ldapclient/templates/sssd.j2
@@ -26,15 +26,13 @@ access_provider = ldap
 ldap_uri = {{ ldapURI }}, {{ ldapROURI }}
 ldap_chpass_uri = {{ ldapURI }}
 {% else %}
-ldap_uri = {{ ldapURI }} 
+ldap_uri = {{ ldapURI }}
 {% endif %}
 ldap_id_use_start_tls = {{ useTLS }}
-{% if useTLS is not defined%}
-ldap_tls_reqcert = never 
-ldap_id_use_start_tls = True
+{% if useTLS %}
+ldap_tls_reqcert = allow
 {% else %}
-ldap_tls_reqcert = always 
-ldap_id_use_start_tls = {{ useTLS }}
+ldap_tls_reqcert = never
 {% endif %}
 {% if ldapCaCertFile is defined %}
 ldap_tls_cacert = {{ ldapCaCertFile }}