goodrobots / maverick

UAV Autonomous Systems Management
https://goodrobots.github.io/maverick/
MIT License

Implement centralised auth #689

Open fnoop opened 6 years ago

fnoop commented 6 years ago

i.e. LDAP

fnoop commented 6 years ago

https://forge.puppet.com/camptocamp/openldap https://forge.puppet.com/bodgit/openldap https://forge.puppet.com/spacepants/ds_389/readme

fnoop commented 6 years ago

Openldap simpler, easier to setup, better community support, lower resource usage. 389ds better vendor support (redhat), better development rate.

This should be the simplest, lowest-resource-usage implementation available; start with OpenLDAP.

fnoop commented 6 years ago

OpenLDAP uses OpenSSL and a fairly simple deployment model. 389ds is mostly part of FreeIPA, uses NSS and has a much more complex/harder deployment model.

fnoop commented 6 years ago

389 is more modern and has a better development effort. It is easier to do multi-master replication. Should be an option, if not now then for the future, and particularly for larger setups.

fnoop commented 6 years ago

Use the https://github.com/camptocamp/puppet-openldap git version, as it is more up to date than the Puppet Forge one.

fnoop commented 6 years ago

Use 'dc=maverick, dc=one' DIT base rather than trying to dynamically determine and create base from user domain. Will be much easier to document, support and maintain this way. Should be an option however, for bigger outfits.

fnoop commented 6 years ago

Openldap up and running with dc=maverick,dc=one base. Now add:

fnoop commented 6 years ago

Also configure ldap client

fnoop commented 6 years ago

Now TLS is working using certs generated against the central mavCA:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -Z
ldap_start_tls: Connect error (-11)
    additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=maverick,dc=one> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# maverick.one
dn: dc=maverick,dc=one
objectClass: top
objectClass: dcObject
objectClass: organization
dc: maverick
o: maverick.one

# admin, maverick.one
dn: cn=admin,dc=maverick,dc=one
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

However, there is a problem with the cert hostname:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
    additional info: TLS: hostname does not match CN in peer certificate

fnoop commented 6 years ago

Excellent reference: http://www.zytrax.com/books/ldap/ch15/

fnoop commented 6 years ago

Security profile set to required TLS:

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x
ldap_bind: Confidentiality required (13)
    additional info: TLS confidentiality required

But to allow a flawed cert connection (requiring absolute verification is unnecessary on a local self-signed cert):

[dev] [mav@maverick-up ~/software/maverick/manifests/puppet-modules/openldap]$ ldapsearch -x -Z
ldap_start_tls: Connect error (-11)
    additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=maverick,dc=one> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# maverick.one
dn: dc=maverick,dc=one
objectClass: top
objectClass: dcObject
objectClass: organization
dc: maverick
o: maverick.one

# admin, maverick.one
dn: cn=admin,dc=maverick,dc=one
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

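Added example, not code from the issue or from the maverick project: a Python parser for the ldapsearch transcripts above that separates the libldap StartTLS diagnostics from the extended LDIF, so a bootstrap check can refuse to call the directory healthy when the hostname mismatch was merely reported and the search carried on, which is what -Z does and -ZZ does not. The sample transcript is constructed from the output quoted above; the default base DN argument and the check_bootstrap name are assumptions made for the example.

```python
import re

# Constructed sample: the "ldapsearch -x -Z" transcript quoted in the issue,
# with the libldap StartTLS diagnostic printed ahead of the extended LDIF.
SAMPLE_OUTPUT = """\
ldap_start_tls: Connect error (-11)
    additional info: TLS: hostname does not match CN in peer certificate
# extended LDIF
#
# LDAPv3
# base <dc=maverick,dc=one> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# maverick.one
dn: dc=maverick,dc=one
objectClass: top
objectClass: dcObject
objectClass: organization
dc: maverick
o: maverick.one

# admin, maverick.one
dn: cn=admin,dc=maverick,dc=one
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*):\s*(.*)$")


def parse_ldapsearch(output):
    """Split a transcript into (tls_diagnostics, entries, result_code).

    tls_diagnostics: libldap lines printed before the LDIF (empty when clean).
    entries: one dict per LDIF entry, attribute name -> list of values.
    result_code: the integer from the "result: N ..." line, or None.
    """
    diagnostics, entries, current, result_code = [], [], None, None
    for line in output.splitlines():
        if line.startswith("ldap_start_tls:") or line.startswith("    additional info:"):
            diagnostics.append(line.strip())
            continue
        if line.startswith("#"):
            continue  # LDIF comment or the numResponses/numEntries summary
        if line == "":
            if current:
                entries.append(current)  # blank line closes an entry
            current = None
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, value = m.groups()
        if attr == "result":
            result_code = int(value.split()[0])
        elif attr != "search":
            current = current if current is not None else {}
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return diagnostics, entries, result_code


def check_bootstrap(output, base="dc=maverick,dc=one"):
    """Judge a post-bootstrap search. 'healthy' is only True when the search
    succeeded, the base and admin entries exist and no StartTLS diagnostic was
    printed: with -Z, ldapsearch reports the hostname mismatch and then keeps
    going, so returned entries alone do not prove the TLS check passed."""
    diagnostics, entries, code = parse_ldapsearch(output)
    dns = [e["dn"][0] for e in entries if "dn" in e]
    admin = f"cn=admin,{base}"
    report = {
        "tls_clean": not diagnostics,
        "base_present": base in dns,
        "admin_present": admin in dns,
        "result_code": code,
    }
    report["healthy"] = (report["tls_clean"] and code == 0
                         and report["base_present"] and report["admin_present"])
    return report


if __name__ == "__main__":
    print(check_bootstrap(SAMPLE_OUTPUT))
```

Run against the transcript above the report comes back with tls_clean False and healthy False even though both entries and result 0 are present; strip the two diagnostic lines and it flips to healthy.
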
fnoop commented 6 years ago

Now need to work out how to design DIT for users and groups, and how to manage those entries using puppet, and/or maverick-api.

fnoop commented 6 years ago

slapd install fails if the maverick ldap config is already in place - the package has a post-up script and check.

fnoop commented 6 years ago

Aargh, AVC now getting in the way on Ubuntu 18.04:

Jun 14 21:32:33 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/security/ldap/cn=config.ldif" pid=3118
Jun 14 21:32:33 dom-ubuntu kernel: audit: type=1400 audit(1529008353.641:55): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/secur
Jun 14 21:32:33 dom-ubuntu slapd[31187]: ldif_read_file: Permission denied for "/srv/maverick/config/security/ldap/cn=config.ldif"

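Added example, not from the issue or the project: a Python helper that parses apparmor AVC lines like the ones above and derives the narrowest local-profile rule per denied path (read-only for the open denial, since nothing wider was refused), the alternative to putting the slapd profile into complain mode. The sample log is constructed from the three lines quoted above, including the truncated kernel line, plus one made-up denial on the data directory that carries an explicit denied_mask; the /etc/apparmor.d/local/usr.sbin.slapd destination in the usage note is the Ubuntu convention and is an assumption here.

```python
import re

# Constructed sample: the three lines quoted in the issue (the kernel line is
# truncated exactly as it appears there) plus one made-up denial on the data
# directory that carries an explicit denied_mask, as real AVC lines usually do.
SAMPLE_LOG = """\
Jun 14 21:32:33 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/security/ldap/cn=config.ldif" pid=3118
Jun 14 21:32:33 dom-ubuntu kernel: audit: type=1400 audit(1529008353.641:55): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/config/secur
Jun 14 21:32:33 dom-ubuntu slapd[31187]: ldif_read_file: Permission denied for "/srv/maverick/config/security/ldap/cn=config.ldif"
Jun 14 21:32:34 dom-ubuntu audit[31187]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/srv/maverick/data/security/ldap/data.mdb" pid=3118 requested_mask="wr" denied_mask="wr"
"""

AVC_RE = re.compile(r'apparmor="(?P<action>[A-Z]+)"\s*(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')  # only complete key="value" pairs

# Permission to grant when the line carries no denied_mask: "open" with no
# mask is treated as a read, matching the ldif_read_file failure above.
# Any other operation without a mask is left for a human to decide.
DEFAULT_MASK = {"open": "r"}


def parse_avc(log_text):
    """Return one dict per apparmor DENIED line; fields that were cut off
    (like the truncated name= in the kernel line) come back as None."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("action") != "DENIED":
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        denials.append({
            "profile": fields.get("profile"),
            "operation": fields.get("operation"),
            "name": fields.get("name"),
            "mask": fields.get("denied_mask"),
        })
    return denials


def suggest_rules(denials):
    """Map profile -> ordered list of the narrowest file rules that would
    have satisfied each denial (exact path, only the refused permissions)."""
    rules = {}
    for d in denials:
        mask = d["mask"] or DEFAULT_MASK.get(d["operation"])
        if not (d["profile"] and d["name"] and mask):
            continue  # truncated or unknown: never guess a wider rule
        perms = "".join(sorted(set(mask)))  # "wr" -> "rw"
        rule = f'"{d["name"]}" {perms},'  # quoted path keeps "=" and spaces safe
        bucket = rules.setdefault(d["profile"], [])
        if rule not in bucket:
            bucket.append(rule)
    return rules


def local_override(rules, profile):
    """Text for the profile's local override file (one rule per line)."""
    body = "\n".join(rules.get(profile, []))
    return f"# Site-local additions for {profile}\n{body}\n"


if __name__ == "__main__":
    print(local_override(suggest_rules(parse_avc(SAMPLE_LOG)), "/usr/sbin/slapd"))
```

The emitted text is what you would append to /etc/apparmor.d/local/usr.sbin.slapd and then reload with apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd (assumed Ubuntu layout). The truncated kernel line yields no rule on purpose: a cut-off path is exactly the case where guessing a directory glob would over-grant.
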
fnoop commented 5 years ago

Move ldap data (/var/lib/ldap) to /srv/maverick/data/security and ldap config (/etc/ldap) to /srv/maverick/config/security

fnoop commented 5 years ago

On the first portion of the dev bootstrap:

Notice: /Stage[main]/Maverick_security::Ssl/Exec[create-ca-rootcert]/returns: executed successfully
Error: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Error: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Wrapped exception:
Could not find user openldap
Error: /Stage[main]/Maverick_security::Ldap_server/File[/etc/ldap/ssl]/ensure: change from 'absent' to 'directory' failed: Could not set 'directory' on ensure: Could not find user openldap (file: /srv/maverick/software/maverick/manifests/maverick-modules/maverick_security/manifests/ldap_server.pp, line: 19)
Notice: /Stage[main]/Maverick_security::Ldap_server/Exec[create-ldapssl-key]: Dependency File[/etc/ldap/ssl] has failures: true