feat: implement openldap and migration

This commit is contained in:
vincent 2024-01-21 16:51:20 +01:00
parent 80f489422a
commit f8bc026165
13 changed files with 989 additions and 31 deletions


@ -1,5 +1,5 @@
sssd_configure: true sssd_configure: true
# sssd_configure is False by default - by default nothing is done by this role. # sssd_configure is False by default - by default nothing is done by this role.
ldap_search_base: "dc=ducamps,dc=win" ldap_search_base: "dc=ducamps,dc=eu"
ldap_uri: "ldaps://ldap.ducamps.eu" ldap_uri: "ldaps://ldaps.service.consul"
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win" ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu"
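Review bot: `ldap_uri` now targets `ldaps://ldaps.service.consul`, but nothing in this hunk tells sssd which CA to trust for that endpoint; the OpenLDAP job added in the same commit serves a certificate generated at prestart by `stakater/ssl-certs-generator`, so with sssd's default certificate verification the binds would presumably fail unless that CA is distributed to every client. Consider adding a role variable carrying the path for sssd's `ldap_tls_cacert` next to `ldap_uri`, e.g. `ldap_tls_cacert: "<path to the LDAP CA bundle on the client>"`, and having the role deploy the CA, rather than relaxing `ldap_tls_reqcert` to make the lookups work. The base-DN change to `dc=ducamps,dc=eu` is consistent with `LDAP_ROOT` in the job.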


@ -1,11 +1,11 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
34356264306639303930393736376562653636383538623131343939323563653938616534623163 61653964333030326633346130613633373333663037316165313436336235376362346237383463
6536366261666662376533393836626664373766313439660a363331326231303638626165393164 3835663564663137643565636431353465386338363665620a343031373230623564616635373337
63323063623365393566643230653964393565636430303365653233323931646236366664346430 38653431623135313436643737633932656236666562623837303262323838663564343862653835
3162383233656139320a323133323262386638363738346336613862626539386538633864613131 3332346662383935300a646437326262613231616137393664633963623832393633646530613037
30306539376639303365323665613732616138346530346162633761386466626238373065316230 35326335333432383939346132356465313164336434316439633236396465333366666435353535
38396662363364336134306130616661643835616161313535613331303133383334393333653335 35646465313336336466653964303533373133613861626634623363623036643363323063616630
66363538313631373736396333363837376664616166663665343030336232346237333965303861 64636135323431653235643364316238666135626230316537363132313138656532306636333734
36613763666135393531653637616463333461343232366137656336383239623166633338646561 64356532653432613535623761303634353964633162333465393135653338323437336362616164
39336563636665396666663339306534643661366264623061626661343762373037383037373561 63313430303438323535346331386463393535376564346564643363626434626432333031653838
3431656130306133323436616531343034366665636434333362 3332616466306466336161393066633239363463363863323739


@ -0,0 +1,31 @@
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModuleLoad: refint
olcModulePath: /opt/bitnami/openldap/lib/openldap
dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof
olcRefintAttribute: member
olcRefintAttribute: manager
olcRefintAttribute: owner
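Review bot: The memberof overlay is bound to `olcMemberOfGroupOC: groupOfNames` with `olcMemberOfMemberAD: member`, while the rfc2307bis schema added in the same commit also defines `groupOfMembers`; if the groups in `tree.ldif` use that class or plain `posixGroup` (the group entries are outside this view), `memberOf` will never be populated and any consumer relying on it will silently see empty membership. Worth recording the intended group class at the top of this file, e.g. `# groups must be groupOfNames: memberof is only maintained for olcMemberOfGroupOC`, and confirming it against the group entries. The overlay also only tracks modifications made after it is loaded, so entries imported before it would lack `memberOf` — presumably fine if the custom schema dir is processed before the custom LDIF dir, but that ordering should be confirmed.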


@ -0,0 +1,164 @@
job "openldap" {
datacenters = ["homelab"]
priority = 90
type = "service"
meta {
forcedeploy = "1"
}
constraint {
attribute = "${attr.cpu.arch}"
value = "amd64"
}
vault {
policies = ["ldap"]
}
group "openldap" {
network {
mode = "host"
port "ldap" {
static = 389
to = 1389
}
port "ldaps" {
static = 636
to = 1636
}
}
task "selfsignedCertificate" {
lifecycle {
hook= "prestart"
sidecar = false
}
driver= "docker"
config{
image= "stakater/ssl-certs-generator"
mount {
type = "bind"
source = "..${NOMAD_ALLOC_DIR}/data"
target = "/certs"
}
}
env {
SSL_DNS="ldaps.service.consul,ldap.service.consul"
}
}
task "openldap" {
driver = "docker"
service {
name = "ldap"
port = "ldap"
tags = [
]
}
service {
name = "ldaps"
port = "ldaps"
tags = [
]
}
config {
image = "bitnami/openldap"
ports = ["ldap", "ldaps"]
volumes = [
"/mnt/diskstation/nomad/openldap:/bitnami/openldap",
]
}
env {
LDAP_ADMIN_USERNAME = "admin"
LDAP_ROOT = "dc=ducamps,dc=eu"
LDAP_EXTRA_SCHEMAS = "cosine, inetorgperson"
LDAP_CUSTOM_SCHEMA_DIR = "/local/schema"
LDAP_CUSTOM_LDIF_DIR = "/local/ldif"
LDAP_CONFIGURE_PPOLICY = "yes"
LDAP_ALLOW_ANON_BINDING = "no"
LDAP_LOGLEVEL = 64
LDAP_ENABLE_TLS = "yes"
LDAP_TLS_CERT_FILE = "${NOMAD_ALLOC_DIR}/data/cert.pem"
LDAP_TLS_KEY_FILE = "${NOMAD_ALLOC_DIR}/data/key.pem"
LDAP_TLS_CA_FILE = "${NOMAD_ALLOC_DIR}/data/ca.pem"
}
#memberOf issue
#https://github.com/bitnami/containers/issues/28335
# https://tylersguides.com/guides/openldap-memberof-overlay
template {
data = file("memberofOverlay.ldif")
destination = "local/schema/memberofOverlay.ldif"
}
template {
data = file("smbkrb5pwd.ldif")
destination = "local/smbkrb5pwd.ldif"
}
template {
data = file("rfc2307bis.ldif")
destination = "local/schema/rfc2307bis.ldif"
}
template {
data = file("samba.ldif")
destination = "local/schema/samba.ldif"
}
template {
data = file("tree.ldif")
destination = "local/ldif/tree.ldif"
}
resources {
memory = 300
}
}
}
group ldpp-user-manager{
network{
mode = "host"
port "http" {
to = 80
}
}
task ldap-user-manager {
driver = "docker"
service {
name = "ldap-user-manager"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`ldap.ducamps.eu`)",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=ldap.ducamps.win",
"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
]
}
config {
image = "wheelybird/ldap-user-manager"
ports = ["http"]
}
template {
data = <<EOH
SERVER_HOSTNAME="ldap.ducamps.eu"
LDAP_URI="ldaps://ldaps.service.consul"
LDAP_BASE_DN="dc=ducamps,dc=eu"
LDAP_ADMIN_BIND_DN="cn=admin,dc=ducamps,dc=eu"
LDAP_GROUP_MEMBERSHIP_ATTRIBUTE = "member"
{{ with secret "secrets/data/nomad/ldap"}}
LDAP_ADMIN_BIND_PWD="{{ .Data.data.admin}}"
{{end}}
LDAP_IGNORE_CERT_ERRORS="true"
LDAP_REQUIRE_STARTTLS="false"
LDAP_ADMINS_GROUP="LDAP Operators"
LDAP_USER_OU="users"
NO_HTTPS="true"
EMAIL_DOMAIN="ducamps.eu"
EOH
destination = "secrets/env"
env = true
}
}
}
}
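Review bot: The `openldap` task sets `LDAP_ADMIN_USERNAME` but neither its `env` block nor any of its templates provides `LDAP_ADMIN_PASSWORD`, even though the job carries the `ldap` Vault policy and the `ldap-user-manager` task already reads `.Data.data.admin` from `secrets/data/nomad/ldap`; with the bitnami image that presumably leaves the admin account on the image's documented default password at first initialisation (an already-initialised database under `/mnt/diskstation/nomad/openldap` would mask this). Pull the same secret into the server task with a `secrets/env` template, as sketched below. Separately, because the `selfsignedCertificate` prestart task regenerates the server certificate on every allocation, `ldap-user-manager` is configured with `LDAP_IGNORE_CERT_ERRORS="true"`, which reduces its LDAPS bind to unauthenticated TLS; a certificate from a stable CA (or that CA distributed to clients) would let the flag return to `false`. As a point of style, the group label `ldpp-user-manager` looks misspelled and, like `task ldap-user-manager`, is the only unquoted label in the file.
```hcl
    task "openldap" {
      # … unchanged: driver, service, config, env …
      template {
        data = <<EOH
{{ with secret "secrets/data/nomad/ldap" }}
LDAP_ADMIN_PASSWORD="{{ .Data.data.admin }}"
{{ end }}
EOH
        destination = "secrets/env"
        env         = true
      }
      # … unchanged: schema and ldif templates, resources …
```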


@ -0,0 +1,159 @@
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 6b6ad917
dn: cn=rfc2307bis,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: rfc2307bis
olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field;
the common name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol
ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to
the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26 SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY int
egerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
7 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMat
ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
E-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.1.1.1.7 NAME 'shadowMax' EQUALITY integerMat
ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
E-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' EQUALITY intege
rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S
INGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY integ
erMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY intege
rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S
INGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerM
atch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SIN
GLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac
tMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY
caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Net
group triple' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' DESC 'Service
port number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' DESC 'Ser
vice protocol name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.15 )
olcAttributeTypes: {15}( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'IP p
rotocol number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' DESC 'ONC RPC
number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {17}( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IPv4 add
resses as a dotted decimal omitting leading zeros or IPv6 add
resses as defined in RFC2373' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26 )
olcAttributeTypes: {18}( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP ne
twork omitting leading zeros, eg. 192.168' EQUALITY caseIgnoreIA5Match SYNT
AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {19}( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP ne
tmask omitting leading zeros, eg. 255.255.255.0' EQUALITY caseIgnoreIA5Matc
h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {20}( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC addres
s in maximal, colon separated hex notation, eg. 00:00:92:90:e
e:e2' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {21}( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'rpc.boo
tparamd parameter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.26 )
olcAttributeTypes: {22}( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image n
ame' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {23}( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Name of a
generic NIS map' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.15{64} )
olcAttributeTypes: {24}( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'A generic
NIS entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10
24} SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS publ
ic key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING
LE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secr
et key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING
LE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {28}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'auto
mount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
5 SINGLE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automoun
t Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
INGLE-VALUE )
olcAttributeTypes: {30}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC '
Automount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction
of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ u
idNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ ge
cos $ description ) )
olcObjectClasses: {1}( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional
attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPass
word $ description $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarni
ng $ shadowInactive $ shadowExpire $ shadowFlag ) )
olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction o
f a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword
$ memberUid $ description ) )
olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an
Internet Protocol service. Maps an IP port and protocol (suc
h as tcp or udp) to one or more names; the distinguished valu
e of the cn attribute denotes the services canonical
name' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtoco
l ) MAY description )
olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o
f an IP protocol. Maps a protocol number to one or more names
. The distinguished value of the cn attribute denotes the pro
tocol canonical name' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber ) MAY
description )
olcObjectClasses: {5}( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an
Open Network Computing (ONC) [RFC1057] Remote Procedure Call
(RPC) binding. This class maps an ONC RPC number to a name.
The distinguished value of the cn attribute denotes
the RPC service canonical name' SUP top STRUCTURAL MUST ( cn $ oncRpcNumbe
r ) MAY description )
olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a
host, an IP device. The distinguished value of the cn attribu
te denotes the hosts canonical name. Device SHOULD be used as a
structural class' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( userPa
ssword $ l $ description $ manager ) )
olcObjectClasses: {7}( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of
a network. The distinguished value of the cn attribute denot
es the network canonical name' SUP top STRUCTURAL MUST ipNetworkNumber MAY
( cn $ ipNetmaskNumber $ l $ description $ manager ) )
olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction
of a netgroup. May refer to other netgroups' SUP top STRUCTUR
AL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
olcObjectClasses: {9}( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstrac
tion of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in
a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) )
olcObjectClasses: {11}( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device
with a MAC address; device SHOULD be used as a structural cl
ass' SUP top AUXILIARY MAY macAddress )
olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic
e with boot parameters; device SHOULD be used as a structural
class' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) )
olcObjectClasses: {13}( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object
with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $
nisSecretKey ) MAY ( uidNumber $ description ) )
olcObjectClasses: {14}( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associ
ates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
olcObjectClasses: {15}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTU
RAL MUST automountMapName MAY description )
olcObjectClasses: {16}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount in
formation' SUP top STRUCTURAL MUST ( automountKey $ automountInformation )
MAY description )
olcObjectClasses: {17}( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' DESC 'A group
with members (DNs)' SUP top STRUCTURAL MUST cn MAY ( businessCategory $ se
eAlso $ owner $ ou $ o $ description $ member ) )


@ -0,0 +1,225 @@
dn: cn=samba,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: samba
olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
.1.1466.115.121.1.26{32} SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
{16} SINGLE-VALUE )
olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC
'Timestamp of when the user is allowed to update the password' EQUALITY integ
erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
Timestamp of when the user will be logged off automatically' EQUALITY integer
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
6.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
{42} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC
'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
1.15{255} SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC
'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.15{128} )
olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
26{64} )
olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
LE-VALUE )
olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC
'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
LE-VALUE )
olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
INGLE-VALUE )
olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.27 SINGLE-VALUE )
olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
.1.26 SINGLE-VALUE )
olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.15 )
olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
.121.1.26 )
olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
inimum password age, in seconds (default: 0 => allow immediate password chang
e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC
'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
assword' DESC 'Previous clear text password (used for trusted domain password
s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'T
ype of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
LE-VALUE )
olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' D
ESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.
6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DE
SC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.27 SINGLE-VALUE )
olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC
'Fully qualified name of the domain with which a trust exists' EQUALITY case
IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'Ne
tBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.
121.1.15{128} )
olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing'
DESC 'Authentication information for the outgoing portion of a trust' EQUALIT
Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming'
DESC 'Authentication information for the incoming portion of a trust' EQUALIT
Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier
' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExact
IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustIn
fo' DESC 'Forest trust information for a trusted domain object' EQUALITY case
ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset'
DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptio
nTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SY
NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $
sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
pType ) MAY ( displayName $ description $ sambaSIDList ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC
'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
sClearTextPassword )
olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange
) )
olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
er ) )
olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
idNumber ) )
olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba
Configuration Section' SUP top AUXILIARY MAY description )
olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC
'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
n $ description ) )
olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
fier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncr
yptionTypes) )


@ -0,0 +1,15 @@
dn: cn=module,cn=config
changetype: add
cn: module
objectClass: olcModuleList
olcModuleLoad: smbkrb5pwd
# olcModuleLoad: smbkrb5pwd_srv
dn: olcOverlay=smbkrb5pwd,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: top
objectClass: olcOverlayConfig
objectClass: olcSmbKrb5PwdConfig
olcOverlay: smbkrb5pwd
olcSmbKrb5PwdEnable: samba
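Review bot: The job renders this file to `local/smbkrb5pwd.ldif`, not under `local/schema` or `local/ldif`, so as far as the hunks show nothing ever loads it; if it is meant to be applied, its first record re-adds `dn: cn=module,cn=config` with `changetype: add`, which collides with the same DN created by `memberofOverlay.ldif` and would fail with an already-exists error. The module record should extend the existing list instead: `dn: cn=module,cn=config` / `changetype: modify` / `add: olcModuleLoad` followed by `olcModuleLoad: smbkrb5pwd`. The overlay record should also carry an ordering index such as `olcOverlay: {2}smbkrb5pwd` so it stacks after memberof and refint, and the `smbkrb5pwd` module has to be present under the configured `olcModulePath` for the load to succeed — worth confirming against the image.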


@ -0,0 +1,368 @@
version: 1
dn: dc=ducamps,dc=eu
objectClass: dcObject
objectClass: organization
dc: ducamps
o: ducamps
dn: ou=users,dc=ducamps,dc=eu
objectClass: organizationalUnit
ou: users
dn: ou=groups,dc=ducamps,dc=eu
objectClass: organizationalUnit
ou: groups
dn: cn=lastGID,dc=ducamps,dc=eu
objectClass: device
objectClass: top
cn: lastGID
description: Records the last GID used to create a Posix group. This prevent
s the re-use of a GID from a deleted group.
serialNumber: 1000019
dn: cn=lastUID,dc=ducamps,dc=eu
objectClass: device
objectClass: top
cn: lastUID
description: Records the last UID used to create a Posix account. This preve
nts the re-use of a UID from a deleted account.
serialNumber: 1000006
dn: uid=hubert,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: hubert
gidNumber: 1000001
homeDirectory: /home/hubert
sn: hubert
uid: hubert
uidNumber: 1000003
displayName: hubert
loginShell: /bin/sh
mail: hubertducamps@gmail.com
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 19136
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
dn: uid=olivier,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: olivier
gidNumber: 1000001
homeDirectory: /home/olivier
sn: olivier
uid: olivier
uidNumber: 1000002
displayName: olivier
loginShell: /bin/sh
mail: olivier@ducamps.eu
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 18857
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
dn: uid=vincent,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: vincent
gidNumber: 1000001
homeDirectory: /home/vincent
sn: vincent
uid: vincent
uidNumber: 1000001
displayName: vincent
loginShell: /bin/zsh
mail: vincent@ducamps.eu
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 19213
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
dn: uid=vaultServiceAccount,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: vaultServiceAccount
gidNumber: 1000001
homeDirectory: /home/vaultServiceAccount
sn: vaultServiceAccount
uid: vaultServiceAccount
uidNumber: 1000005
displayName: vaultServiceAccount
loginShell: /bin/sh
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 19213
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
dn: uid=supysonicServiceAccount,ou=users,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: supysonicServiceAccount
gidNumber: 1000001
homeDirectory: /home/supysonicServiceAccount
sn: supysonicServiceAccount
uid: supysonicServiceAccount
uidNumber: 1000006
displayName: supysonicServiceAccount
loginShell: /bin/sh
shadowExpire: -1
shadowFlag: 0
shadowInactive: 0
shadowLastChange: 19437
shadowMax: 99999
shadowMin: 100000
shadowWarning: 7
dn: cn=na_a,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: na_a
gidNumber: 1000011
member: cn=Directory Consumers,ou=groups,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: na_a
memberUid: vincent
dn: cn=NAS_user,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_user
gidNumber: 1000013
member: uid=hubert,ou=users,dc=ducamps,dc=eu
member: uid=loic,ou=users,dc=ducamps,dc=eu
member: uid=olivier,ou=users,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: NAS_user
memberUid: admin
memberUid: hubert
memberUid: loic
memberUid: olivier
memberUid: vincent
dn: cn=NAS_ebook,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_ebook
gidNumber: 1000006
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: group owner of ebook folder
displayName: NAS_ebook
memberUid: admin
memberUid: vincent
dn: cn=NAS_media,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_media
gidNumber: 1000003
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: group owner of media folder
displayName: media
memberUid: admin
memberUid: vincent
dn: cn=NAS_music,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_music
gidNumber: 1000005
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: group owner of Music folder
displayName: NAS_music
memberUid: admin
memberUid: vincent
dn: cn=NAS_photo,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_photo
gidNumber: 1000004
member: uid=hubert,ou=users,dc=ducamps,dc=eu
member: uid=olivier,ou=users,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: group owner of photo folder
displayName: photo
memberUid: admin
memberUid: hubert
memberUid: olivier
memberUid: vincent
dn: cn=serverAdmin,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: serverAdmin
gidNumber: 1000016
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: server_admin
memberUid: vincent
dn: cn=vault_admin,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: vault_admin
gidNumber: 1000014
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: vaultaccess
memberUid: vincent
dn: cn=NAS_download,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: NAS_download
gidNumber: 1000007
member: uid=olivier,ou=users,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: group owner du dossier download
displayName: NAS_download
memberUid: olivier
memberUid: vincent
dn: cn=JellyfinUsers,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: JellyfinUsers
gidNumber: 1000012
member: uid=hubert,ou=users,dc=ducamps,dc=eu
member: uid=loic,ou=users,dc=ducamps,dc=eu
member: uid=olivier,ou=users,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: JellyfinUsers
memberUid: admin
memberUid: loic
memberUid: olivier
memberUid: vincent
dn: cn=administrators,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: administrators
gidNumber: 1000002
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: System default admin group
displayName: administrators
memberUid: vincent
dn: cn=LDAP Operators,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: Directory Operators
cn: LDAP Operators
gidNumber: 1000000
member: uid=vincent,ou=users,dc=ducamps,dc=eu
description: Directory default admin group
displayName: Directory Operators
memberUid: vincent
dn: cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: SupysonicUsers
gidNumber: 1000018
member: uid=hubert,ou=users,dc=ducamps,dc=eu
member: uid=olivier,ou=users,dc=ducamps,dc=eu
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: SupysonicUsers
memberUid: hubert
memberUid: olivier
memberUid: vincent
dn: cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: SupysonicAdmins
gidNumber: 1000019
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: SupysonicAdmins
memberUid: vincent
dn: cn=workstationAdmin,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: workstationAdmin
gidNumber: 1000017
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: workstation_admin
memberUid: vincent
dn: cn=JellyfinAdministrator,ou=groups,dc=ducamps,dc=eu
objectClass: extensibleObject
objectClass: groupOfNames
objectClass: posixGroup
objectClass: top
cn: JellyfinAdministrator
gidNumber: 1000015
member: uid=vincent,ou=users,dc=ducamps,dc=eu
displayName: JellyfinAdministrator
memberUid: vincent
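Review bot: Every user entry carries `gidNumber: 1000001`, but none of the sixteen groups in this file uses that gidNumber, so after the migration each account's primary group resolves to nothing on SSSD clients. The group entries also reference principals that the export does not define: `memberUid: admin` in NAS_user, NAS_ebook, NAS_media, NAS_music, NAS_photo and JellyfinUsers, `uid=loic` in NAS_user and JellyfinUsers, and `member: cn=Directory Consumers,ou=groups,dc=ducamps,dc=eu` in na_a; because memberUid is matched by name, any account later created as `admin` or `loic` silently inherits those memberships, so the stale values should be pruned or the accounts created deliberately. Finally, `objectClass: extensibleObject` on every entry switches off schema checking for the whole tree (presumably to allow displayName on posixGroup); a proper auxiliary class, or dropping the attribute, would keep schema enforcement in place.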


@ -105,10 +105,10 @@ http {
SUPYSONIC_DAEMON_ENABLED = "true" SUPYSONIC_DAEMON_ENABLED = "true"
SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG" SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG"
SUPYSONIC_DAEMON_LOG_LEVEL = "INFO" SUPYSONIC_DAEMON_LOG_LEVEL = "INFO"
SUPYSONIC_LDAP_SERVER = "LDAP://ldap.ducamps.eu" SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul"
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=win" SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=eu"
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=CN=SupysonicUsers,cn=groups,dc=ducamps,dc=win))" SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu))"
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=CN=SupysonicAdmins,cn=groups,dc=ducamps,dc=win))" SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu))"
} }
template { template {
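Review bot: The new `SUPYSONIC_LDAP_USER_FILTER` and `SUPYSONIC_LDAP_ADMIN_FILTER` values match on `memberOf`, which OpenLDAP only populates when the memberof overlay is configured on the database; the overlay LDIF added in this commit loads smbkrb5pwd only, so unless memberof is enabled elsewhere these filters match no entry and every login fails closed. Either enable the memberof overlay in the same config LDIF or confirm it is already loaded on the target, and record that dependency in a comment next to the filters, e.g. `# memberOf requires the memberof overlay on the ldaps backend`. The server is now `LDAPS://ldaps.service.consul`, so the certificate it presents must carry that name as a SAN for verification to succeed; the Vault backend changed in this same commit sets `insecure_tls = true`, which suggests it currently does not. The stanza these variables belong to opens outside this hunk.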


@ -78,7 +78,7 @@ resource "hetznerdns_record" "rootalias" {
resource "powerdns_record" "mail" { resource "powerdns_record" "mail" {
zone= powerdns_zone.ducampseu.name zone= powerdns_zone.ducampseu.name
type= "MX" type= "MX"
name= "${powerdns_zone.ducampseu.name}" name= powerdns_zone.ducampseu.name
ttl= 1700 ttl= 1700
records = ["10 ${var.localEndpoint}"] records = ["10 ${var.localEndpoint}"]
} }
@ -113,10 +113,3 @@ resource "powerdns_record" "diskstation" {
ttl= 1700 ttl= 1700
records = ["192.168.1.10"] records = ["192.168.1.10"]
} }
resource "powerdns_record" "ldap" {
zone= powerdns_zone.ducampseu.name
type= "A"
name= "ldap.${powerdns_zone.ducampseu.name}"
ttl= 1700
records = ["192.168.1.10"]
}


@ -34,7 +34,8 @@ variable cnameList{
"vault", "vault",
"vikunja", "vikunja",
"www", "www",
"mail" "mail",
"ldap"
] ]
} }


@ -1,12 +1,13 @@
resource "vault_ldap_auth_backend" "ldap" { resource "vault_ldap_auth_backend" "ldap" {
path = "ldap" path = "ldap"
url = "ldap://ldap.ducamps.eu" url = "ldaps://ldaps.service.consul"
userdn = "dc=ducamps,dc=win" userdn = "dc=ducamps,dc=eu"
userattr = "uid" userattr = "uid"
discoverdn = false discoverdn = false
groupdn = "cn=groups,dc=ducamps,dc=win" insecure_tls = true
groupdn = "ou=groups,dc=ducamps,dc=eu"
groupfilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))" groupfilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
binddn = "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win" binddn = "uid=vaultserviceaccount,ou=users,dc=ducamps,dc=eu"
groupattr = "cn" groupattr = "cn"
bindpass = var.ldap_bindpass bindpass = var.ldap_bindpass
} }
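Review bot: `insecure_tls = true` on the added line disables certificate verification for the Vault LDAP auth backend, so `bindpass` and every user's login password cross a TLS session whose peer is never authenticated, which makes the move from `ldap://` to `ldaps://ldaps.service.consul` largely cosmetic. The resource accepts a `certificate` argument holding the PEM of the CA that issued the server certificate; `certificate = file("<path to CA PEM>")` together with `insecure_tls = false` restores verification. If the server certificate does not yet carry ldaps.service.consul as a SAN, that is what to fix rather than the check to disable.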


@ -24,7 +24,8 @@ locals {
"alertmanager", "alertmanager",
"vault-backup", "vault-backup",
"pdns", "pdns",
"torrent" "torrent",
"ldap"
] ]
} }