From 5839530ebc147e1052d952736a6eeea54768ca9d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 16 Mar 2017 19:21:14 +0100
Subject: [PATCH] library/roles/smartgears/r_connector: Manage the pam ldap configuration.

We need to install all the configuration files explicitly because the debian pam configurator does not work non interactively on Ubuntu 14.04.
---
 smartgears/r_connector/defaults/main.yml | 30 +++++--------
 smartgears/r_connector/files/common-account | 26 +++++++++++
 smartgears/r_connector/files/common-auth | 27 ++++++++++++
 smartgears/r_connector/files/common-password | 34 ++++++++++++++
 smartgears/r_connector/files/common-session | 31 +++++++++++++
 .../files/common-session-noninteractive | 31 +++++++++++++
 smartgears/r_connector/files/ldap-auth-config | 13 ++++++
 smartgears/r_connector/files/nsswitch.conf | 14 ++++++
 smartgears/r_connector/handlers/main.yml | 4 ++
 smartgears/r_connector/tasks/main.yml | 44 ++++++++++++++-----
 .../r_connector/templates/nslcd.conf.j2 | 33 ++++++++++++++
 11 files changed, 258 insertions(+), 29 deletions(-)
 create mode 100644 smartgears/r_connector/files/common-account
 create mode 100644 smartgears/r_connector/files/common-auth
 create mode 100644 smartgears/r_connector/files/common-password
 create mode 100644 smartgears/r_connector/files/common-session
 create mode 100644 smartgears/r_connector/files/common-session-noninteractive
 create mode 100644 smartgears/r_connector/files/ldap-auth-config
 create mode 100644 smartgears/r_connector/files/nsswitch.conf
 create mode 100644 smartgears/r_connector/handlers/main.yml
 create mode 100644 smartgears/r_connector/templates/nslcd.conf.j2
diff --git a/smartgears/r_connector/defaults/main.yml b/smartgears/r_connector/defaults/main.yml
index 23fe51b..af47ee3 100644
--- a/smartgears/r_connector/defaults/main.yml
+++ b/smartgears/r_connector/defaults/main.yml
@@ -3,9 +3,11 @@ gcube_repository: 'gcube-staging'
 r_connector_install: False
 r_connector_ver: 2.1.2-4.3.0-144071
 r_connector_name: r-connector
-r_connector_filename: '{{ r_connector_name }}-{{ r_connector_ver }}.war'
-r_connector_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/{{ gcube_repository }}/org/gcube/data/analysis/{{ r_connector_name }}/{{ r_connector_ver}}/{{ r_connector_filename }}'
-r_connector_war_file: '{{ r_connector_name }}.war'
+r_connector_group_id: org.gcube.data.analysis
+r_connector_extension: war
+r_connector_filename: '{{ r_connector_name }}-{{ r_connector_ver }}.{{ r_connector_extension }}'
+r_connector_repository_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/{{ gcube_repository }}'
+
 r_connector_usershome: /home/
 r_connector_userconfig: userconfig.csv
 r_connector_adduserscript: /usr/local/bin/rusersadd
@@ -21,18 +23,10 @@ r_connector_deb_pkgs:
 - libpam-ldapd
 - nscd
-# nslcd/ldap-bindpw: (password omitted)
-# * nslcd/ldap-base: dc=d4science,dc=org
-# nslcd/ldap-sasl-mech:
-# nslcd/ldap-sasl-realm:
-# * nslcd/ldap-reqcert: demand
-# nslcd/ldap-sasl-authzid:
-# nslcd/ldap-starttls: false
-# nslcd/ldap-auth-type: none
-# nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
-# nslcd/ldap-sasl-secprops:
-# nslcd/ldap-sasl-authcid:
-# * nslcd/ldap-uris: ldaps://ldap.d4science.org/
-# nslcd/ldap-binddn:
-# * libnss-ldapd/nsswitch: passwd
-# libnss-ldapd/clean_nsswitch: false
+r_connector_ldap_enabled: True
+r_connector_ldap_map_common:
+ - common-account
+ - common-auth
+ - common-password
+ - common-session
+ - common-session-noninteractive
diff --git a/smartgears/r_connector/files/common-account b/smartgears/r_connector/files/common-account
new file mode 100644
index 0000000..66cc62c
--- /dev/null
+++ b/smartgears/r_connector/files/common-account
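Review bot: `r_connector_repository_url` keeps the artifact source on plain `http://`, so the war that the new `maven_artifact` task downloads and `unarchive` then unpacks into the servlet container arrives with no transport integrity. If the Nexus instance offers TLS the default should become `r_connector_repository_url: 'https://maven.research-infrastructures.eu/nexus/content/repositories/{{ gcube_repository }}'`; otherwise the role should verify a checksum of the downloaded file before unpacking it. The same concern applies to the `maven_artifact` task in the first tasks/main.yml hunk, which consumes this URL.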
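Review bot: `r_connector_ldap_enabled: True` switches on tasks that render nslcd.conf.j2 from `r_connector_nslcd_ldap_uri`, `r_connector_nslcd_ldap_base` and `r_connector_nslcd_cafile`, but none of those variables gets a default in this hunk, and the comment block that documented the expected values (base, ldaps URI, reqcert) is removed at the same time; unless they are set in group_vars, enabling LDAP now fails on an undefined variable. Either add defaults next to `r_connector_ldap_enabled` (the removed comment gives the URI and base that were in use) or keep a short comment listing the variables a caller has to provide, e.g. `# Required when r_connector_ldap_enabled: r_connector_nslcd_ldap_uri, r_connector_nslcd_ldap_base, r_connector_nslcd_cafile`. As a style point, `true` is preferable to `True` for the boolean.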
@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system. The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+#
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
diff --git a/smartgears/r_connector/files/common-auth b/smartgears/r_connector/files/common-auth
new file mode 100644
index 0000000..ac882b3
--- /dev/null
+++ b/smartgears/r_connector/files/common-auth
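Review bot: This file, and common-auth, common-password, common-session and common-session-noninteractive in the following hunks, are verbatim pam-auth-update output with its management markers (`# here are the per-package modules` … `# end of pam-auth-update config`) kept, so pam-auth-update still treats them as managed and a later run, such as one triggered by a libpam-runtime or libpam-ldapd upgrade, may regenerate them from /usr/share/pam-configs without the pam_ldap lines if the ldap profile was never recorded as selected. That is worth a comment at the top of each file, e.g. `# Installed by the r_connector Ansible role; pam-auth-update may overwrite it, re-run the role after libpam upgrades`. The stacks themselves read fine: `minimum_uid=1000` keeps system accounts out of LDAP lookups and the `requisite pam_deny.so` fallback stays fail-closed.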
@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth [success=2 default=ignore] pam_unix.so nullok_secure
+auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth optional pam_cap.so
+# end of pam-auth-update config
diff --git a/smartgears/r_connector/files/common-password b/smartgears/r_connector/files/common-password
new file mode 100644
index 0000000..9fd26a8
--- /dev/null
+++ b/smartgears/r_connector/files/common-password
@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords. The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords. Without this option,
+# the default is Unix crypt. Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password [success=2 default=ignore] pam_unix.so obscure sha512
+password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/smartgears/r_connector/files/common-session b/smartgears/r_connector/files/common-session
new file mode 100644
index 0000000..8999be8
--- /dev/null
+++ b/smartgears/r_connector/files/common-session
@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
diff --git a/smartgears/r_connector/files/common-session-noninteractive b/smartgears/r_connector/files/common-session-noninteractive
new file mode 100644
index 0000000..0791076
--- /dev/null
+++ b/smartgears/r_connector/files/common-session-noninteractive
@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
diff --git a/smartgears/r_connector/files/ldap-auth-config b/smartgears/r_connector/files/ldap-auth-config
new file mode 100644
index 0000000..83d9539
--- /dev/null
+++ b/smartgears/r_connector/files/ldap-auth-config
@@ -0,0 +1,13 @@
+#
+# Clients should be able to authenticate with this profile if following
+# Network Authentication in the Ubuntu Server guide. Please note that
+# these settings are not suitable for sometimes disconnected (eg laptop)
+# systems. The example is taken from LDAPClientAuthentication at:
+# https://help.ubuntu.com/community/LDAPClientAuthentication
+#
+[lac_ldap]
+nss_passwd=passwd: files ldap
+nss_group=group: files ldap
+nss_shadow=shadow: files ldap
+nss_netgroup=netgroup: nis
+
diff --git a/smartgears/r_connector/files/nsswitch.conf b/smartgears/r_connector/files/nsswitch.conf
new file mode 100644
index 0000000..17090a0
--- /dev/null
+++ b/smartgears/r_connector/files/nsswitch.conf
@@ -0,0 +1,14 @@
+passwd: compat ldap
+group: compat
+shadow: compat
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+
diff --git a/smartgears/r_connector/handlers/main.yml b/smartgears/r_connector/handlers/main.yml
new file mode 100644
index 0000000..6c4f1b8
--- /dev/null
+++ b/smartgears/r_connector/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Restart the NSLCD service
+ service: name=nslcd state=restarted
+
diff --git a/smartgears/r_connector/tasks/main.yml b/smartgears/r_connector/tasks/main.yml
index 13539e3..026e56c 100644
--- a/smartgears/r_connector/tasks/main.yml
+++ b/smartgears/r_connector/tasks/main.yml
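Review bot: ldap-auth-config declares `nss_group=group: files ldap` and `nss_shadow=shadow: files ldap`, but the nsswitch.conf installed in the next hunk only adds ldap to `passwd:` and keeps `group: compat` and `shadow: compat`, and no task in this patch runs `auth-client-config`, so the profile is never applied and the two files disagree on whether group membership comes from LDAP. Decide which is authoritative: if only passwd is meant to come from LDAP (the removed `libnss-ldapd/nsswitch: passwd` comment in defaults suggests so), either drop this profile or align it to `nss_group=group: compat` and `nss_shadow=shadow: compat`; otherwise add `ldap` to the group line of nsswitch.conf. A one-line comment in nsswitch.conf stating the intended split would stop the next reader from "fixing" it the other way.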
@@ -7,14 +7,18 @@
 - '{{ smartgears_instance_path }}/webapps/r-connector.war'
 when: smartgears_upgrade
+ - name: Get the R Connector war
+ maven_artifact: artifact_id={{ r_connector_name }} version={{ r_connector_ver | default(omit) }} group_id={{ r_connector_group_id }} extension={{ r_connector_extension | default('war') }} repository_url={{ r_connector_repository_url }} dest={{ smartgears_user_home }}/{{ r_connector_filename }}
+
 - name: Create the R connector webapp directory
 file: dest={{ smartgears_instance_path }}/webapps/r-connector state=directory
 - name: Get and unpack the R connector war file
- unarchive: copy=no src={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/r-connector
+ unarchive: copy=no src={{ smartgears_user_home }}/{{ r_connector_filename }} dest={{ smartgears_instance_path }}/webapps/{{ r_connector_name }}
 args:
- creates: '{{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml'
+ creates: '{{ smartgears_instance_path }}/webapps/{{ r_connector_name }}/WEB-INF/web.xml'
+
 - name: Obtain the permission to read the Rstudio secure cookie key
 become: False
 file: dest={{ r_connector_rstudio_cookie_key }} mode=640 group={{ smartgears_user }}
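Review bot: The unarchive destination and its `creates:` guard now derive from `{{ r_connector_name }}`, but the surrounding tasks still hardcode `r-connector`: the webapp directory task in this hunk (`dest={{ smartgears_instance_path }}/webapps/r-connector`), the `r-web.xml.j2` template destination in the next hunk, and the upgrade cleanup entry `webapps/r-connector.war` in the context above; a different `r_connector_name` would unpack the war into one directory and template web.xml into another. Use `{{ r_connector_name }}` in all of them, or in none. Separately, `version={{ r_connector_ver | default(omit) }}` is dead as written because defaults/main.yml always sets `r_connector_ver`, and if the variable were ever unset `maven_artifact` would resolve `latest`, which silently removes version pinning for an artifact fetched over http; `version={{ r_connector_ver }}` states the intent. The enclosing block starts and ends outside this hunk.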
@@ -23,34 +27,52 @@
 template: src=r-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml mode=0440
 notify: Restart smartgears
- - name: Install the packages required to enable the LDAP PAM authentication
- become: False
- apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
- with_items: '{{ r_connector_deb_pkgs }}'
-
 - name: Install the R add users script
 become: False
 template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
- tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 - name: Crete the directory that will host the RConfiguration stuff
 become: False
 file: dest={{ r_connector_rprofile_base_dir }} owner={{ d4science_user }} group={{ d4science_user }} state=directory
- tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 - name: Get the svn repository that provides the .Rprofile
 subversion: repo={{ r_connector_rprofile_svn_url }} dest={{ r_connector_rprofile_path }}
- tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 - name: Install the cron job that regulary updates the Rprofile
 cron: name="Update the RStudioConfiguration repo" special_time=daily job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1"
- tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 become: True
 become_user: '{{ smartgears_user }}'
 when: r_connector_install
 tags: [ 'smartgears', 'r_connector', 'tomcat' ]
+- block:
+ - name: Install the packages required to enable the LDAP PAM authentication
+ apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
+ with_items: '{{ r_connector_deb_pkgs }}'
+
+ - name: Install the pam ldap configuration.
We cannot use the debian tools, they are broken on ubuntu in non interactive mode
+ copy: src={{ item }} dest=/etc/pam.d/{{ item }}
+ with_items: '{{ r_connector_ldap_map_common }}'
+ notify: Restart the NSLCD service
+
+ - name: Install the ldap-auth-config file
+ copy: src=ldap-auth-config dest=/etc/auth-client-config/profile.d/ldap-auth-config
+ notify: Restart the NSLCD service
+
+ - name: Install the nsswitch.conf file
+ copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+ notify: Restart the NSLCD service
+
+ - name: Install the nslcd configuration
+ template: src=nslcd.conf.j2 dest=/etc/nslcd.conf mode=0640 owner=root group=nslcd
+ notify: Restart the NSLCD service
+
+ when:
+ - r_connector_install
+ - r_connector_ldap_enabled
+ tags: [ 'smartgears', 'r_connector', 'tomcat' ]
+
 - block:
 - name: Remove the installed R connector before upgrading
 file: dest={{ item }} state=absent
diff --git a/smartgears/r_connector/templates/nslcd.conf.j2 b/smartgears/r_connector/templates/nslcd.conf.j2
new file mode 100644
index 0000000..9b1e196
--- /dev/null
+++ b/smartgears/r_connector/templates/nslcd.conf.j2
@@ -0,0 +1,33 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ r_connector_nslcd_ldap_uri }}
+
+# The search base that will be used for all queries.
+base {{ r_connector_nslcd_ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+tls_cacertdir /etc/ssl/certs
+tls_cacertfile {{ r_connector_nslcd_cafile }}
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert demand
+
+# The search scope.
+#scope sub
+
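Review bot: The three `copy` tasks that install `/etc/pam.d/{{ item }}`, the `ldap-auth-config` profile and `/etc/nsswitch.conf` set no `owner`, `group` or `mode`, so the PAM policy files end up with whatever the controller checkout and the remote umask happen to produce; set them explicitly, e.g. `copy: src={{ item }} dest=/etc/pam.d/{{ item }} owner=root group=root mode=0644`, and likewise for the other two. `nscd` is in `r_connector_deb_pkgs` and caches passwd lookups, but only nslcd is restarted, so after nsswitch.conf or nslcd.conf change the host can keep serving cached results until nscd is restarted; add an nscd handler next to the NSLCD one and notify it from the nsswitch.conf and nslcd.conf tasks. The new block also carries no `become:` line, unlike the block above it, so it presumably relies on play-level privilege escalation to write under /etc; worth stating in a comment. The task list continues outside the hunk.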
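Review bot: `tls_reqcert demand` and `tls_cacertfile` only apply when the connection is TLS, and the template neither sets `ssl` nor constrains `r_connector_nslcd_ldap_uri`, so an `ldap://` value would make pam_ldap send bind credentials in clear text without any error from nslcd. Either document the requirement above the `uri` line, e.g. `# r_connector_nslcd_ldap_uri must be an ldaps:// URI: tls_reqcert below is not enforced on plain ldap://`, or add `ssl start_tls` so a plain URI is upgraded before the bind. The `mode=0640 owner=root group=nslcd` on the template task is the right choice for a file that may later carry `bindpw`.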