diff --git a/pillar/common.sls b/pillar/common.sls
index 5895109..b151569 100644
--- a/pillar/common.sls
+++ b/pillar/common.sls
@@ -40,6 +40,8 @@ salt:
 environment: production
 hash_type: sha512
 sshd_config:
+ AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ AuthorizedKeysCommandUser: nobody
 HostKey:
 - /etc/ssh/ssh_host_rsa_key
 - /etc/ssh/ssh_host_dsa_key
@@ -66,6 +68,29 @@ sshd_config:
 timezone:
 name: UTC
 utc: True
+sssd:
+ settings:
+ sssd: True
+ sssd_conf:
+ domains:
+ infra.opensuse.org:
+ auth_provider: ldap
+ id_provider: ldap
+ ldap_group_search_base = cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org
+ ldap_search_base: dc=infra,dc=opensuse,dc=org
+ ldap_tls_reqcert: demand
+ ldap_uri: ldaps://freeipa.infra.opensuse.org
+ ldap_user_search_base = cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org
+ general_settings:
+ config_file_version: 2
+ domains: infra.opensuse.org
+ services: nss, pam, ssh
+ services:
+ nss:
+ filter_group: root
+ filter_users: root
+ pam: {}
+ ssh: {}
 sudoers:
 defaults:
 generic:
@@ -102,7 +127,10 @@ zypper:
 lsof: {}
 man: {}
 mtr: {}
+ openldap2-client: {}
+ openssh-helpers: {}
 screen: {}
+ sssd-ldap: {}
 susepaste: {}
 tcpdump: {}
 traceroute: {}
diff --git a/pillar/role/openvpn.sls b/pillar/role/openvpn.sls
index 2602355..792d600 100644
--- a/pillar/role/openvpn.sls
+++ b/pillar/role/openvpn.sls
@@ -1,23 +1 @@
-sssd:
- settings:
- sssd: True
- sssd_conf:
- domains:
- freeipa.infra.opensuse.org:
- enumerate: False
- id_provider: ldap
- ldap_group_uuid: entryuuid
- ldap_schema: rfc2307bis
- ldap_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org
- ldap_user_uuid: entryuuid
- ldap_tls_reqcert: allow
- ldap_uri: ldap://freeipa.infra.opensuse.org
- general_settings:
- config_file_version: 2
- domains: freeipa.infra.opensuse.org
- services: nss, pam
- services:
- nss:
- filter_group: root
- filter_users: root
- pam: {}
+#
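Review bot: `AuthorizedKeysCommand` is set without an argument, so the lookup script only receives the username because sshd(8) falls back to passing the target user when no tokens are given; writing `AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh %u` makes that contract explicit and survives a later edit that adds another argument. sshd also executes the command only if the file is owned by root and not group- or world-writable, so the state that installs it (the init.sls hunk further down) should pin `user`/`group` rather than rely on the minion's defaults. Since the sssd hunk below enables the `ssh` responder, the `sss_ssh_authorizedkeys` helper that ships with sssd would serve the same keys through SSSD's cache and TLS settings instead of an anonymous ldapsearch per login attempt; worth weighing before committing to a custom script.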
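Review bot: In the `infra.opensuse.org` domain, `ldap_group_search_base = cn=groups,...` and `ldap_user_search_base = cn=users,...` use `=` instead of `:`; neither is a `key: value` entry, so the YAML parser rejects the document and the whole common.sls pillar fails to render. They should read `ldap_group_search_base: cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org` and `ldap_user_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org`. With `id_provider: ldap` and no `access_provider`, SSSD's default is to permit every resolvable account, so any FreeIPA user with a key is accepted on every host that applies this pillar; if that is not intended, add an `access_provider` (for example `simple` with `simple_allow_groups`) or use the `ipa` provider so HBAC rules apply. The removed openvpn pillar set `ldap_schema: rfc2307bis` while this domain relies on the default and takes users from `cn=accounts` but groups from `cn=compat`, so group-membership resolution should be verified on a host; likewise `ldap_tls_reqcert: demand` (a real improvement over `allow`) names no CA path, so confirm the FreeIPA CA is in SSSD's default trust store.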
diff --git a/salt/profile/ldap/client/files/etc/openldap/ldap.conf b/salt/profile/ldap/client/files/etc/openldap/ldap.conf
new file mode 100644
index 0000000..e985a8e
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/openldap/ldap.conf
@@ -0,0 +1,15 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE dc=infra,dc=opensuse,dc=org
+URI ldaps://freeipa.infra.opensuse.org
+
+#SIZELIMIT 12
+#TIMELIMIT 15
+#DEREF never
+TLS_REQCERT demand
+TLS_CACERTDIR /etc/ssl/certs/
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-account-pc b/salt/profile/ldap/client/files/etc/pam.d/common-account-pc
new file mode 100644
index 0000000..d5e39cf
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-account-pc
@@ -0,0 +1,14 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Account-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the account modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired.
+#
+account requisite pam_unix.so try_first_pass
+account sufficient pam_localuser.so
+account required pam_sss.so use_first_pass
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc b/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc
new file mode 100644
index 0000000..67561ff
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-auth-pc
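Review bot: `TLS_REQCERT demand` together with `TLS_CACERTDIR /etc/ssl/certs/` only works if the FreeIPA CA certificate is already present in that directory, and nothing in this commit deploys it; if the IPA CA is a private one, the client state should install it (or point `TLS_CACERT` at the file), otherwise every ldapsearch, including the sshd key lookup, fails certificate verification. This file also supplies the `URI` (ldaps) and `BASE` that `fetch_freeipa_ldap_sshpubkey.sh` depends on, which deserves a line in the header, e.g. `# URI/BASE/TLS_* are also used by /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh (sshd AuthorizedKeysCommand)`.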
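Review bot: `try_first_pass` on `pam_unix.so` and `use_first_pass` on `pam_sss.so` are password-prompting options for the auth stack; the account stack never prompts, so they have no effect here and read as if the lines were copied from the auth file. Dropping them (`account requisite pam_unix.so` and `account required pam_sss.so`) leaves behaviour unchanged and makes the access policy easier to audit. The `pam_localuser.so` short-circuit is a good fit with the `filter_users: root` setting in the sssd pillar, since local accounts never reach the LDAP account check.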
@@ -0,0 +1,15 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Authentication-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+auth required pam_env.so
+auth sufficient pam_unix.so try_first_pass
+auth required pam_sss.so use_first_pass
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-password-pc b/salt/profile/ldap/client/files/etc/pam.d/common-password-pc
new file mode 100644
index 0000000..249f70a
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-password-pc
@@ -0,0 +1,13 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.
+#
+password requisite pam_cracklib.so
+password sufficient pam_unix.so use_authtok nullok shadow try_first_pass
+password required pam_sss.so use_authtok
diff --git a/salt/profile/ldap/client/files/etc/pam.d/common-session-pc b/salt/profile/ldap/client/files/etc/pam.d/common-session-pc
new file mode 100644
index 0000000..0f6415b
--- /dev/null
+++ b/salt/profile/ldap/client/files/etc/pam.d/common-session-pc
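Review bot: `nullok` on the `pam_unix.so` password line lets a local account whose shadow entry has an empty password set a new one without proving the old one; unless such accounts are expected on these hosts, the safer line is `password sufficient pam_unix.so use_authtok shadow try_first_pass`. `pam_cracklib.so` has been superseded by `pam_pwquality.so` on newer releases, so if the target release ships it, `password requisite pam_pwquality.so` keeps the stack on a maintained module. The `use_authtok` on both `pam_unix.so` and `pam_sss.so` is correct: the password checked by the first module is reused, so an LDAP user is not prompted twice.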
@@ -0,0 +1,18 @@
+#%PAM-1.0
+#
+# Managed by Salt
+#
+# Session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive
+#
+session optional pam_mkhomedir.so
+session required pam_limits.so
+session required pam_unix.so try_first_pass
+session optional pam_sss.so
+session optional pam_umask.so
+session optional pam_systemd.so
+session optional pam_env.so
diff --git a/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh b/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
new file mode 100644
index 0000000..80e4636
--- /dev/null
+++ b/salt/profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Script that fetches the SSH Public Keys for a given user from LDAP/FreeIPA.
+# It takes a FreeIPA/LDAP username as first argument, and returns the SSH
+# public keys of that user, one per line.
+# Used by sshd (see AuthorizedKeysCommand in sshd_config) for ssh
+# authentication via SSH public keys stored in LDAP/FreeIPA
+
+ldapsearch -x -LLL -b cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org '(&(objectClass=posixAccount)(uid='"$1"'))' 'ipaSshPubKey' | sed -n '/^ /{H;d};/ipaSshPubKey:/x;$g;s/\n *//g;s/ipaSshPubKey: //gp'
diff --git a/salt/profile/ldap/client/init.sls b/salt/profile/ldap/client/init.sls
index f97afde..d986648 100644
--- a/salt/profile/ldap/client/init.sls
+++ b/salt/profile/ldap/client/init.sls
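Review bot: `pam_mkhomedir.so` is used with its default `umask` of 0022, so the home directories it creates for LDAP users on first login are world-readable; `session optional pam_mkhomedir.so umask=0077` (or whatever the site policy is) closes that. The header comment also has an unclosed parenthesis — `# non-interactive` should read `# non-interactive).`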
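Review bot: `$1` is spliced unescaped into the LDAP search filter, so filter metacharacters (`*`, `(`, `)`, `\`) in the name change the query; sshd normally runs an AuthorizedKeysCommand only for accounts that resolve through NSS, which limits the exposure, but a cheap allow-list before the lookup is still the right defence, e.g. `case "$1" in ''|*[!A-Za-z0-9._$-]*) exit 1 ;; esac` (tighten the alphabet to the realm's username policy). The ldapsearch has no time or network limit, so an unreachable FreeIPA server stalls every SSH authentication until the library default expires; `ldapsearch -x -LLL -o nettimeout=5 -l 10 -b ...` bounds that. The script also depends on `/etc/openldap/ldap.conf` for the ldaps `URI` and `TLS_REQCERT`, and the sed pipeline emits a base64-encoded value (`ipaSshPubKey::`) undecoded; both are worth a comment in the header so the next maintainer does not remove the ldap.conf state or wonder why a key with unusual characters is rejected.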
@@ -1,2 +1,17 @@
 include:
 - sssd
+
+{% for file in [account, auth, password, session] %}
+/etc/pam.d/session-{{ file }}-pc:
+ file.managed:
+ - source: salt://profile/ldap/client/files/etc/pam.d/session-{{ file }}-pc
+{% endif %}
+
+/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ file.managed:
+ - source: salt://profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
+ - mode: 0755
+
+/etc/openldap/ldap.conf
+ file.managed:
+ - source: salt://profile/ldap/client/files/etc/openldap/ldap.conf
diff --git a/salt/role/base.sls b/salt/role/base.sls
index e28b8cf..191ffe6 100644
--- a/salt/role/base.sls
+++ b/salt/role/base.sls
@@ -1,6 +1,7 @@ include:
 - profile.accounts
 - profile.apparmor
+ - profile.ldap.client
 - profile.regional
 - profile.salt.minion
 - profile.zypper
diff --git a/salt/role/openvpn.sls b/salt/role/openvpn.sls
index 2328ec5..792d600 100644
--- a/salt/role/openvpn.sls
+++ b/salt/role/openvpn.sls
@@ -1,2 +1 @@
-include:
- - profile.ldap.client
+#
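Review bot: This state cannot render as written: the loop is closed with `{% endif %}` instead of `{% endfor %}`, the list items `account, auth, password, session` are unquoted and are therefore undefined Jinja names rather than strings, and the state IDs `/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh` and `/etc/openldap/ldap.conf` lack the trailing `:` YAML requires. The managed path and source also say `session-{{ file }}-pc`, whereas the files this commit adds (and the names SUSE's service PAM configs include) are `common-{{ file }}-pc`, so even a rendering loop would install nothing useful. Because sshd refuses an AuthorizedKeysCommand that is not root-owned or is group/world-writable, the script state should pin `user: root` and `group: root` next to `mode: 0755`; the same ownership with `mode: 0644` is appropriate for the PAM and ldap.conf files, which must be world-readable but never world-writable. A corrected version follows.
```yaml
# … unchanged: include of sssd …

{% for file in ['account', 'auth', 'password', 'session'] %}
/etc/pam.d/common-{{ file }}-pc:
  file.managed:
    - source: salt://profile/ldap/client/files/etc/pam.d/common-{{ file }}-pc
    - user: root
    - group: root
    - mode: 0644
{% endfor %}

/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh:
  file.managed:
    - source: salt://profile/ldap/client/files/usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
    - user: root
    - group: root
    - mode: 0755

/etc/openldap/ldap.conf:
  file.managed:
    - source: salt://profile/ldap/client/files/etc/openldap/ldap.conf
    - user: root
    - group: root
    - mode: 0644
```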