Add Flexibility To the join-domain formula's LDAP Collision-Finder Components

plus3it / join-domain-formula

Salt formula to join systems to an Active Directory domain

Apache License 2.0

13 stars 19 forks source link

Add Flexibility To the join-domain formula's LDAP Collision-Finder Components #190

Closed ferricoxide closed 1 year ago

ferricoxide commented 1 year ago

Currently:

The failure-exit of find-collisions script is treated as fatal
The default for checking TLS-support is true
The use of LDAP+TLS isn't able to be made mandatory

Need to update the script-logic – and supporting SaltStack call of that script – so that each of the above are selectable.

Check for TLS-support (second item) is governed by the Pillar-variable check_tls. The default, when this is absent from Pillar, is set to true in the relevant states' map.jinja file. Need to further add defaults to this file for:

tls_required: tell script whether or not it should allow/attempt fallback to unencrypted-TLS (set default to false)
ldapsearch_errexit: tell script whether a failure to be able to execute an ldapsearch should be treated as fatal or not (set default to false)

ferricoxide commented 1 year ago

Initial testing in a self-managed AD environment with mandatory TLS (and a mix of DCs with and without client-validateable TLS certificates):

anything with ldap_tls_mode set to none will give us failed due insufficient auth-strength selection
anything with ldap_tls_mode set to require will give us Found 1 potentially-good directory servers
anything with ldap_tls_mode set to try will give us Found 1 potentially-good directory servers

Note: The value of ldap_fatal_exit is mostly superfluous, right now, given that, with how the states aren't linked, a failure in the openldap-client state-content won't prevent the sssd state-content from running

ferricoxide commented 1 year ago

Initial testing in a managed Simple AD environment – where the servers have TLS certificates, but they're self-signed and, therefore, not verifiable – produces expected results:

anything with ldap_tls_mode set to none will give us Found 2 potentially-good directory servers
anything with ldap_tls_mode set to require will give us Found no usable directory servers. Aborting...
anything with ldap_tls_mode set to try will give us Found 2 potentially-good directory servers

As noted in prior content, value of ldap_fatal_exit is mostly superfluous, right now, given that, with how the states aren't linked, a failure in the openldap-client state-content won't prevent the sssd state-content from running.

ferricoxide commented 1 year ago

Next effort is to ensure that the value of ldap_fatal_exit properly governs whether subsequent sssd state-tasks are executed or not.

ferricoxide commented 1 year ago

Validated that passing in a ldap_fatal_exit value of false properly governs whether subsequent sssd state-tasks are executed or not. The following are for the previously-mentioned Simple-AD environment (which lacks ability to support LDAP+STARTTLS). As such, require/true is expected to create a process-stopping failure in watchmaker (first image) while require/false is expected to allow the ldapsearch failure to be treated as ignorable and for remaining watchmaker processes to continue unabated (second image):