library/roles/smartgears/r_connector: Manage the pam ldap configuration. We need to install all the configuration files explicitly because the debian pam configurator does not work non interactively on Ubuntu 14.04.

smartgears/r_connector/defaults/main.yml

@@ -3,9 +3,11 @@ gcube_repository: 'gcube-staging'
 r_connector_install: False
 r_connector_ver: 2.1.2-4.3.0-144071
 r_connector_name: r-connector
-r_connector_filename: '{{ r_connector_name }}-{{ r_connector_ver }}.war'
-r_connector_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/{{ gcube_repository }}/org/gcube/data/analysis/{{ r_connector_name }}/{{ r_connector_ver}}/{{ r_connector_filename }}'
-r_connector_war_file: '{{ r_connector_name }}.war'
+r_connector_group_id: org.gcube.data.analysis
+r_connector_extension: war
+r_connector_filename: '{{ r_connector_name }}-{{ r_connector_ver }}.{{ r_connector_extension }}'
+r_connector_repository_url: 'http://maven.research-infrastructures.eu/nexus/content/repositories/{{ gcube_repository }}'
+
 r_connector_usershome: /home/
 r_connector_userconfig: userconfig.csv
 r_connector_adduserscript: /usr/local/bin/rusersadd
@@ -21,18 +23,10 @@ r_connector_deb_pkgs:
   - libpam-ldapd
   - nscd
 
-#   nslcd/ldap-bindpw: (password omitted)
-# * nslcd/ldap-base: dc=d4science,dc=org
-#   nslcd/ldap-sasl-mech:
-#   nslcd/ldap-sasl-realm:
-# * nslcd/ldap-reqcert: demand
-#   nslcd/ldap-sasl-authzid:
-#   nslcd/ldap-starttls: false
-#   nslcd/ldap-auth-type: none
-#   nslcd/ldap-sasl-krb5-ccname: /var/run/nslcd/nslcd.tkt
-#   nslcd/ldap-sasl-secprops:
-#   nslcd/ldap-sasl-authcid:
-# * nslcd/ldap-uris: ldaps://ldap.d4science.org/
-#   nslcd/ldap-binddn:
-# * libnss-ldapd/nsswitch: passwd
-#   libnss-ldapd/clean_nsswitch: false
+r_connector_ldap_enabled: True
+r_connector_ldap_map_common:
+  - common-account
+  - common-auth
+  - common-password
+  - common-session
+  - common-session-noninteractive

smartgears/r_connector/files/common-account

@@ -0,0 +1,26 @@
+#
+# /etc/pam.d/common-account - authorization settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authorization modules that define
+# the central access policy for use on the system.  The default is to
+# only deny service to users whose accounts are expired in /etc/shadow.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+#
+
+# here are the per-package modules (the "Primary" block)
+account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
+# here's the fallback if no module succeeds
+account	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

smartgears/r_connector/files/common-auth

@@ -0,0 +1,27 @@
+#
+# /etc/pam.d/common-auth - authentication settings common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of the authentication modules that define
+# the central authentication scheme for use on the system
+# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
+# traditional Unix authentication mechanisms.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+auth	[success=2 default=ignore]	pam_unix.so nullok_secure
+auth	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+auth	optional			pam_cap.so 
+# end of pam-auth-update config

smartgears/r_connector/files/common-password

@@ -0,0 +1,34 @@
+#
+# /etc/pam.d/common-password - password-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define the services to be
+# used to change user passwords.  The default is pam_unix.
+
+# Explanation of pam_unix options:
+#
+# The "sha512" option enables salted SHA512 passwords.  Without this option,
+# the default is Unix crypt.  Prior releases used the option "md5".
+#
+# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
+# login.defs.
+#
+# See the pam_unix manpage for other options.
+
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+password	[success=2 default=ignore]	pam_unix.so obscure sha512
+password	[success=1 default=ignore]	pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
+password	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password	required			pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config

smartgears/r_connector/files/common-session

@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session - session-related modules common to all services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of sessions of *any* kind (both interactive and
+# non-interactive).
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
+session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

smartgears/r_connector/files/common-session-noninteractive

@@ -0,0 +1,31 @@
+#
+# /etc/pam.d/common-session-noninteractive - session-related modules
+# common to all non-interactive services
+#
+# This file is included from other service-specific PAM config files,
+# and should contain a list of modules that define tasks to be performed
+# at the start and end of all non-interactive sessions.
+#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules.  See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
+session	[default=1]			pam_permit.so
+# here's the fallback if no module succeeds
+session	requisite			pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session	required			pam_permit.so
+# The pam_umask module will set the umask according to the system default in
+# /etc/login.defs and user settings, solving the problem of different
+# umask settings with different shells, display managers, remote sessions etc.
+# See "man pam_umask".
+session optional			pam_umask.so
+# and here are more per-package modules (the "Additional" block)
+session	required	pam_unix.so 
+session	[success=ok default=ignore]	pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config

smartgears/r_connector/files/ldap-auth-config

@@ -0,0 +1,13 @@
+#
+# Clients should be able to authenticate with this profile if following
+# Network Authentication in the Ubuntu Server guide.  Please note that
+# these settings are not suitable for sometimes disconnected (eg laptop)
+# systems.  The example is taken from LDAPClientAuthentication at:
+# https://help.ubuntu.com/community/LDAPClientAuthentication
+# 
+[lac_ldap]
+nss_passwd=passwd: files ldap
+nss_group=group: files ldap
+nss_shadow=shadow: files ldap
+nss_netgroup=netgroup: nis
+

smartgears/r_connector/files/nsswitch.conf

@@ -0,0 +1,14 @@
+passwd:         compat ldap
+group:          compat
+shadow:         compat
+
+hosts:          files dns
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+

smartgears/r_connector/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Restart the NSLCD service
+  service: name=nslcd state=restarted
+

smartgears/r_connector/tasks/main.yml

@@ -7,14 +7,18 @@
         - '{{ smartgears_instance_path }}/webapps/r-connector.war'
       when: smartgears_upgrade
 
+    - name: Get the R Connector war
+      maven_artifact: artifact_id={{ r_connector_name }} version={{ r_connector_ver | default(omit) }} group_id={{ r_connector_group_id }} extension={{ r_connector_extension | default('war') }} repository_url={{ r_connector_repository_url }} dest={{ smartgears_user_home }}/{{ r_connector_filename }}
+
     - name: Create the R connector webapp directory
       file: dest={{ smartgears_instance_path }}/webapps/r-connector state=directory
 
     - name: Get and unpack the R connector war file
-      unarchive: copy=no src={{ r_connector_url }} dest={{ smartgears_instance_path }}/webapps/r-connector
+      unarchive: copy=no src={{ smartgears_user_home }}/{{ r_connector_filename }} dest={{ smartgears_instance_path }}/webapps/{{ r_connector_name }}
       args:
-        creates: '{{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml'
+        creates: '{{ smartgears_instance_path }}/webapps/{{ r_connector_name }}/WEB-INF/web.xml'
       
+
     - name: Obtain the permission to read the Rstudio secure cookie key
       become: False
       file: dest={{ r_connector_rstudio_cookie_key }} mode=640 group={{ smartgears_user }}
@@ -23,34 +27,52 @@
       template: src=r-web.xml.j2 dest={{ smartgears_instance_path }}/webapps/r-connector/WEB-INF/web.xml mode=0440
       notify: Restart smartgears 
 
-    - name: Install the packages required to enable the LDAP PAM authentication
-      become: False
-      apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
-      with_items: '{{ r_connector_deb_pkgs }}'
-
     - name: Install the R add users script
       become: False
       template: src=rusersadd.j2 dest={{ r_connector_adduserscript }} owner=root group=root mode=0555
-      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 
     - name: Crete the directory that will host the RConfiguration stuff
       become: False
       file: dest={{ r_connector_rprofile_base_dir }} owner={{ d4science_user }} group={{ d4science_user }} state=directory
-      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 
     - name: Get the svn repository that provides the .Rprofile
       subversion: repo={{ r_connector_rprofile_svn_url }} dest={{ r_connector_rprofile_path }}
-      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 
     - name: Install the cron job that regulary updates the Rprofile
       cron: name="Update the RStudioConfiguration repo" special_time=daily job="cd {{ r_connector_rprofile_path }} ; svn update >/dev/null 2>&1"
-      tags: [ 'smartgears', 'r_connector', 'tomcat', 'rusersadd' ]
 
   become: True
   become_user: '{{ smartgears_user }}'
   when: r_connector_install
   tags: [ 'smartgears', 'r_connector', 'tomcat' ]
 
+- block:
+    - name: Install the packages required to enable the LDAP PAM authentication
+      apt: pkg={{ item }} state=present update_cache=yes cache_valid_time=1800
+      with_items: '{{ r_connector_deb_pkgs }}'
+
+    - name: Install the pam ldap configuration. We cannot use the debian tools, they are broken on ubuntu in non interactive mode
+      copy: src={{ item }} dest=/etc/pam.d/{{ item }}
+      with_items: '{{ r_connector_ldap_map_common }}'
+      notify: Restart the NSLCD service
+
+    - name: Install the ldap-auth-config file
+      copy: src=ldap-auth-config dest=/etc/auth-client-config/profile.d/ldap-auth-config
+      notify: Restart the NSLCD service
+
+    - name: Install the nsswitch.conf file
+      copy: src=nsswitch.conf dest=/etc/nsswitch.conf
+      notify: Restart the NSLCD service
+
+    - name: Install the nslcd configuration
+      template: src=nslcd.conf.j2 dest=/etc/nslcd.conf mode=0640 owner=root group=nslcd
+      notify: Restart the NSLCD service
+
+  when:
+    - r_connector_install
+    - r_connector_ldap_enabled
+  tags: [ 'smartgears', 'r_connector', 'tomcat' ]
+
 - block:
     - name: Remove the installed R connector before upgrading
       file: dest={{ item }} state=absent

smartgears/r_connector/templates/nslcd.conf.j2

@@ -0,0 +1,33 @@
+# /etc/nslcd.conf
+# nslcd configuration file. See nslcd.conf(5)
+# for details.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The location at which the LDAP server(s) should be reachable.
+uri {{ r_connector_nslcd_ldap_uri }}
+
+# The search base that will be used for all queries.
+base {{ r_connector_nslcd_ldap_base }}
+
+# The LDAP protocol version to use.
+ldap_version 3
+tls_cacertdir /etc/ssl/certs
+tls_cacertfile {{ r_connector_nslcd_cafile }}
+
+# The DN to bind with for normal lookups.
+#binddn cn=annonymous,dc=example,dc=net
+#bindpw secret
+
+# The DN used for password modifications by root.
+#rootpwmoddn cn=admin,dc=example,dc=com
+
+# SSL options
+#ssl off
+tls_reqcert demand
+
+# The search scope.
+#scope sub
+