From 61a4f97fdffd6034c47b2a630459e28816edc33d Mon Sep 17 00:00:00 2001
From: handreas <andreas.hamacher@monash.edu>
Date: Wed, 29 Apr 2020 07:06:51 +0000
Subject: [PATCH] tls error handling improved. adding ldap security group

Former-commit-id: d749fb8e6e37d7b99bf52aa502fd12870cc2dfc9
---
 CICD/heat/gc_HOT.yaml                       | 25 ++++++++++++---------
 CICD/heat/gc_secgroups.hot                  |  8 +++++++
 CICD/plays/mockldap.yml                     |  2 +-
 roles/ldapclient/defaults/main.yml          |  1 +
 roles/ldapclient/tasks/configLdapClient.yml |  4 ++--
 roles/ldapclient/templates/sssd.j2          | 10 ++++-----
 6 files changed, 31 insertions(+), 19 deletions(-)

diff --git a/CICD/heat/gc_HOT.yaml b/CICD/heat/gc_HOT.yaml
index 75f12b0e..35697358 100644
--- a/CICD/heat/gc_HOT.yaml
+++ b/CICD/heat/gc_HOT.yaml
@@ -58,6 +58,11 @@ parameters:
     type: string
     label: Resource ID
     default: 8a029c04-08ce-40f1-a705-d45a2077e27d
+  LDAPSecGroupID:
+    type: string
+    label: Resource ID
+    default: 070a32e2-858b-462a-b2b5-b3a92eec2669
+	
 
 resources:
 
@@ -70,9 +75,9 @@ resources:
     flavor: m3.xsmall
     image: { get_param: centos_7_image_id }
     key_name: { get_param: ssh_key }
-    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID } ]
+    security_groups: [ { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: MySQLSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
     metadata:
-     ansible_host_groups: [ SQLNodes, NFSNodes ]
+     ansible_host_groups: [ SQLNodes, NFSNodes, LDAPServer ]
      ansible_ssh_user: ec2-user
      project_name: { get_param: project_name }
     networks:
@@ -159,7 +164,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'login%index%' ]]
-      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: PublicSSHSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ LoginNodes ]
        ansible_ssh_user: ec2-user
@@ -180,7 +185,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'loginU%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ LoginNodes ]
        ansible_ssh_user: ubuntu
@@ -201,7 +206,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'desktopc%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ DesktopNodes, VisNodes, ComputeNodes ]
        ansible_ssh_user: ec2-user
@@ -222,7 +227,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computeU%index%' ]]
-      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID } ]
+      security_groups: [ default, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: SSHMonashSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ ComputeNodes ]
        ansible_ssh_user: ubuntu
@@ -243,7 +248,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computec7%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ ComputeNodes ]
        ansible_ssh_user: ec2-user
@@ -264,7 +269,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'gpudesktopu%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ DesktopNodes, GPU, ComputeNodes, K1, VisNodes ]
        ansible_ssh_user: ubuntu
@@ -285,7 +290,7 @@ resources:
       key_name: { get_param: ssh_key }
       name:
        list_join: [ '-', [ { get_param: "OS::stack_name" }, 'computerhel%index%' ]]
-      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID } ]
+      security_groups: [ default, { get_param: SSHMonashSecGroupID }, { get_param: SlurmSecGroupID }, { get_param: NFSSecGroupID }, { get_param: LDAPSecGroupID } ]
       metadata:
        ansible_host_groups: [ DGXRHELNodes ]
        ansible_ssh_user: cloud-user
@@ -302,7 +307,7 @@ resources:
 #    flavor: m3.xsmall
 #    image: { get_param: ubuntu_1804_image_id }
 #    key_name: { get_param: ssh_key }
-#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess } ]
+#    security_groups: [ { get_resource_id SSHMonashSecGroup }, { get_resource_id webaccess }, { get_param: LDAPSecGroupID } ]
 #    metadata:
 #     ansible_host_groups: [ PySSHauthz ]
 #     ansible_ssh_user: ubuntu
diff --git a/CICD/heat/gc_secgroups.hot b/CICD/heat/gc_secgroups.hot
index ad6e7790..43bb8fc0 100644
--- a/CICD/heat/gc_secgroups.hot
+++ b/CICD/heat/gc_secgroups.hot
@@ -37,6 +37,14 @@ resources:
                port_range_min: 111,
                port_range_max: 111,
                remote_mode: "remote_group_id"} ]
+  LDAPSecGroup:
+   type: "OS::Neutron::SecurityGroup"
+   properties:
+     name: "heatldapsecgroup"
+     rules: [ { protocol: tcp,
+               port_range_min: 389,
+               port_range_max: 389,
+               remote_mode: "remote_group_id"} ]
   MySQLSecGroup:
    type: "OS::Neutron::SecurityGroup"
    properties:
diff --git a/CICD/plays/mockldap.yml b/CICD/plays/mockldap.yml
index 8c7fbe29..b11b077a 100644
--- a/CICD/plays/mockldap.yml
+++ b/CICD/plays/mockldap.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: SQLNodes
+- hosts: LDAPServer
   vars_files: 
   - vars/passwords.yml
   - vars/ldapConfig.yml
diff --git a/roles/ldapclient/defaults/main.yml b/roles/ldapclient/defaults/main.yml
index 943ed859..df326328 100644
--- a/roles/ldapclient/defaults/main.yml
+++ b/roles/ldapclient/defaults/main.yml
@@ -1,3 +1,4 @@
 ---
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
+useTLS: True
diff --git a/roles/ldapclient/tasks/configLdapClient.yml b/roles/ldapclient/tasks/configLdapClient.yml
index 7e7dad77..05da27b3 100644
--- a/roles/ldapclient/tasks/configLdapClient.yml
+++ b/roles/ldapclient/tasks/configLdapClient.yml
@@ -36,10 +36,10 @@
   become_user: root
 
 - name: "Add LDAP server IP address to /etc/hosts"
-  lineinfile: dest=/etc/hosts line="{{ ldapServerHostIpLine }}" state=present insertafter=EOF
+  lineinfile: dest=/etc/hosts line="{{ hostvars[groups['LDAPServer'][0]]['ansible_host'] }} {{ ldapServerHostName }}" state=present insertafter=EOF
   become: true
   become_user: root
-  when: ldapServerHostIpLine is defined
+  #when: ldapServerHostIpLine is defined
 
 - name: "Copy sssd.conf to ldap client"
   template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600
diff --git a/roles/ldapclient/templates/sssd.j2 b/roles/ldapclient/templates/sssd.j2
index a64b92eb..5139ff68 100644
--- a/roles/ldapclient/templates/sssd.j2
+++ b/roles/ldapclient/templates/sssd.j2
@@ -26,15 +26,13 @@ access_provider = ldap
 ldap_uri = {{ ldapURI }}, {{ ldapROURI }}
 ldap_chpass_uri = {{ ldapURI }}
 {% else %}
-ldap_uri = {{ ldapURI }} 
+ldap_uri = {{ ldapURI }}
 {% endif %}
 ldap_id_use_start_tls = {{ useTLS }}
-{% if useTLS is not defined%}
-ldap_tls_reqcert = never 
-ldap_id_use_start_tls = True
+{% if useTLS %}
+ldap_tls_reqcert = allow
 {% else %}
-ldap_tls_reqcert = always 
-ldap_id_use_start_tls = {{ useTLS }}
+ldap_tls_reqcert = never
 {% endif %}
 {% if ldapCaCertFile is defined %}
 ldap_tls_cacert = {{ ldapCaCertFile }}
-- 
GitLab