Merge pull request #373 from Azure/ldap_example

ldap setup
edwardsp 2020-10-05 09:57:32 +01:00 коммит произвёл GitHub
Родитель 606344acee 74751a4b53
Коммит 303705ed64
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
4 изменённых файлов: 697 добавлений и 0 удалений


@ -0,0 +1,156 @@
{
"location": "variables.location",
"resource_group": "variables.resource_group",
"install_from": "headnode",
"admin_user": "variables.admin_user",
"variables": {
"hpc_image": "OpenLogic:CentOS-HPC:7.7:latest",
"location": "<NOT-SET>",
"resource_group": "<NOT-SET>",
"vm_type": "<NOT-SET>",
"compute_instances": 2,
"low_priority": false,
"vnet_resource_group": "variables.resource_group",
"admin_user": "hpcadmin"
},
"vnet": {
"resource_group": "variables.vnet_resource_group",
"name": "hpcvnet",
"address_prefix": "10.2.0.0/20",
"subnets": {
"compute": "10.2.4.0/22"
}
},
"resources": {
"headnode": {
"type": "vm",
"vm_type": "Standard_D8s_v3",
"accelerated_networking": true,
"public_ip": true,
"image": "variables.hpc_image",
"subnet": "compute",
"data_disks": [1024, 1024],
"storage_sku": "Premium_LRS",
"tags": [
"cndefault",
"ldapserver",
"nfsserver",
"pbsserver",
"loginnode",
"localuser",
"disable-selinux"
]
},
"compute": {
"type": "vmss",
"vm_type": "variables.vm_type",
"instances": "variables.compute_instances",
"low_priority": "variables.low_priority",
"image": "variables.hpc_image",
"subnet": "compute",
"tags": [
"nfsclient",
"ldapclient",
"pbsclient",
"cndefault",
"localuser",
"disable-selinux"
]
}
},
"install": [
{
"script": "disable-selinux.sh",
"tag": "disable-selinux",
"sudo": true
},
{
"script": "cndefault.sh",
"tag": "cndefault",
"sudo": true
},
{
"script": "create_raid0.sh",
"tag": "nfsserver",
"args": ["/dev/md10", "/dev/sd[c-d]"],
"sudo": true
},
{
"script": "make_filesystem.sh",
"tag": "nfsserver",
"args": ["/dev/md10", "xfs", "/share"],
"sudo": true
},
{
"script": "install-nfsserver.sh",
"tag": "nfsserver",
"args": ["/share"],
"sudo": true
},
{
"script": "nfsclient.sh",
"args": [
"$(<hostlists/tags/nfsserver)"
],
"tag": "nfsclient",
"sudo": true
},
{
"script": "ldap_server.sh",
"tag": "ldapserver",
"sudo": true
},
{
"script": "ldap_add_user.sh",
"tag": "ldapserver",
"args": [
"--username", "hpcuser",
"--user-id", "2000",
"--sudo",
"--ssh-key", "$(</home/{{variables.admin_user}}/.ssh/id_rsa.pub)"
],
"sudo": true
},
{
"script": "ldap_client.sh",
"args": [
"--ldap-server",
"$(<hostlists/tags/ldapserver)"
],
"tag": "ldapclient",
"sudo": true
},
{
"script": "pbsdownload.sh",
"tag": "loginnode",
"sudo": false
},
{
"script": "pbsserver.sh",
"copy": [
"pbspro_19.1.1.centos7/pbspro-server-19.1.1-0.x86_64.rpm"
],
"tag": "pbsserver",
"sudo": true
},
{
"script": "pbsclient.sh",
"args": [
"$(<hostlists/tags/pbsserver)"
],
"copy": [
"pbspro_19.1.1.centos7/pbspro-execution-19.1.1-0.x86_64.rpm"
],
"tag": "pbsclient",
"sudo": true
},
{
"script": "node_healthchecks.sh",
"tag": "pbsclient",
"sudo": true,
"args": [
],
"deps" : ["install-azcopy.sh","healthchecks.json"]
}
]
}
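Review bot: The `ldap_add_user.sh` step passes `--sudo` for `hpcuser`, and in the script as committed that role is `sudoCommand: ALL` on `sudoHost: ALL` with `sudoOption: !authenticate`, so whoever holds the key injected via `--ssh-key` (the admin user's `id_rsa.pub` from the headnode) gets unprompted root on every `ldapclient` node as well as on the headnode, which also has `public_ip: true`. That may be intended for a single-tenant example cluster, but nothing in this config says so; either drop `--sudo` here if cluster users do not need root, or state the consequence in the example's README next to the `hpcuser` / `admin_user` description. The `$(<hostlists/tags/...)` and `{{variables.admin_user}}` values are presumably expanded by the installer before the arguments reach the scripts; if that is not the case, `ldap_add_user.sh` would receive the literal text as the SSH key.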

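--- a/scripts/ldap_add_user.sh
+++ b/scripts/ldap_add_user.sh
@@ -0,0 +1,191 @@
+#!/bin/bash
+script_name=$(basename "$0")
+server_hostname=$HOSTNAME
+ldap_base_dn="DC=${server_hostname},DC=local"
+function display_help {
+cat <<EOF
+$script_name
+Add an LDAP user.
+Usage:
+$script_name --username USERNAME --user-id USER_ID
+[--ldap-admin LDAP_ADMIN]
+[--ldap-password-file LDAP_PASSWORD_FILE]
+[--sudo] [--ssh-key SSH_KEY] [--home-root HOME_DIR]
+[--password PASSWORD] [--ssh-key SSH_KEY]
+Options:
+-h, --help Show this help message.
+--ldap-admin LDAP_ADMIN
+The LDAP admin username
+[default: admin]
+--ldap-password-file LDAP_PASSWORD_FILE
+A file containing the LDAP admin password
+[default: /root/ldap_admin_password.txt]
+--home-root HOME_DIR The root for home directories.
+[default: /share/home]
+--username USERNAME The users name to add
+--password PASSWORD The users password (empty means random string)
+[default: <empty-string>]
+--user-id USER_ID The UID (also used for GID) to use
+--ssh-key SSH_KEY An additional public key to add to authorized_keys
+--sudo Give user sudo privilidges
+EOF
+}
+password=
+ldap_admin_username=admin
+ldap_admin_password_file=/root/ldap_admin_password.txt
+home_root=/share/home
+username=
+password=$(slappasswd -g)
+user_id=
+add_sudo=
+ssh_key=
+while [[ $# -gt 0 ]]
+do
+key="$1"
+case $key in
+-h|--help)
+display_help
+exit 0
+;;
+--ldap-admin)
+ldap_admin_username="$2"
+shift 2
+;;
+--ldap-password-file)
+ldap_admin_password_file="$2"
+shift 2
+;;
+--home-root)
+home_root="$2"
+shift 2
+;;
+--username)
+username="$2"
+shift 2
+;;
+--password)
+password="$2"
+shift 2
+;;
+--user-id)
+user_id="$2"
+shift 2
+;;
+--ssh-key)
+ssh_key="$2"
+shift 2
+;;
+--sudo)
+add_sudo=yes
+shift
+;;
+*)
+# unknown option
+echo "ERROR: unknown option - $1"
+echo
+display_help
+exit 1
+;;
+esac
+done
+if [ -z "$username" -o -z "$user_id" ]; then
+echo "ERROR: missing mandatory argument(s)"
+echo
+display_help
+exit 1
+fi
+user_ldif="ldap_user_${username}.ldif"
+cat <<EOF >$user_ldif
+dn: uid=${username},ou=People,${ldap_base_dn}
+objectClass: top
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+cn: $username
+sn: $username
+uid: $username
+uidNumber: $user_id
+gidNumber: $user_id
+loginShell: /bin/bash
+homeDirectory: ${home_root}/${username}
+userPassword: $(/sbin/slappasswd -h "{SSHA}" -s $password)
+EOF
+ldapadd -x -W -y $ldap_admin_password_file -D "cn=${ldap_admin_username},$ldap_base_dn" -f $user_ldif
+group_ldif="ldap_group_${username}.ldif"
+cat <<EOF >$group_ldif
+dn: cn=${username},ou=group,${ldap_base_dn}
+objectClass: top
+objectClass: posixGroup
+gidNumber: $user_id
+cn: $username
+EOF
+ldapadd -x -W -y $ldap_admin_password_file -D "cn=${ldap_admin_username},$ldap_base_dn" -f $group_ldif
+if [ "$add_sudo" != "" ]; then
+sudo_ldif="ldap_sudo_${username}.ldif"
+cat <<EOF >$sudo_ldif
+dn: cn=${username},ou=Sudoers,${ldap_base_dn}
+objectClass: top
+objectClass: sudoRole
+sudoHost: ALL
+sudoUser: $username
+sudoCommand: ALL
+sudoOption: !authenticate
+EOF
+ldapadd -x -W -y $ldap_admin_password_file -D "cn=${ldap_admin_username},$ldap_base_dn" -f $sudo_ldif
+fi
+if [ ! -d $home_root/$username ]; then
+mkdir -p $home_root/$username
+chown $username:$username $home_root/$username
+chmod 750 $home_root/$username
+cp /etc/skel/.bashrc $home_root/$username
+cp /etc/skel/.bash_profile $home_root/$username
+cp /etc/skel/.bash_logout $home_root/$username
+chown $username:$username $home_root/$username/.bashrc
+chown $username:$username $home_root/$username/.bash_profile
+chown $username:$username $home_root/$username/.bash_logout
+mkdir $home_root/$username/.ssh
+cat <<EOF >$home_root/$username/.ssh/config
+Host *
+StrictHostKeyChecking no
+UserKnownHostsFile /dev/null
+LogLevel ERROR
+EOF
+ssh-keygen -f $home_root/$username/.ssh/id_rsa -t rsa -N ''
+if [ "$ssh_key" != "" ]; then
+echo "$ssh_key" >$home_root/$username/.ssh/authorized_keys
+fi
+cat $home_root/$username/.ssh/id_rsa.pub >>$home_root/$username/.ssh/authorized_keys
+chown $username:$username $home_root/$username/.ssh
+chown $username:$username $home_root/$username/.ssh/*
+chmod 700 $home_root/$username/.ssh
+chmod 600 $home_root/$username/.ssh/id_rsa
+chmod 644 $home_root/$username/.ssh/id_rsa.pub
+chmod 644 $home_root/$username/.ssh/config
+chmod 644 $home_root/$username/.ssh/authorized_keys
+fi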
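Review bot: The user's password is hashed with `/sbin/slappasswd -h "{SSHA}" -s $password`, which places the secret on the command line where every local user can read it from `ps` or `/proc/*/cmdline` while the call runs (and the unquoted `$password` is also subject to word splitting); pass it through a descriptor instead, e.g. `userPassword: $(/sbin/slappasswd -h "{SSHA}" -T <(printf '%s' "$password"))`. The `--sudo` role is written with `sudoCommand: ALL`, `sudoHost: ALL` and `sudoOption: !authenticate`, i.e. unprompted root on every node for anyone holding that user's key, and the `Host *` stanza with `StrictHostKeyChecking no` / `UserKnownHostsFile /dev/null` disables host-key verification for every destination the user ever connects to, not just cluster nodes; both look deliberate for an HPC setup, but each deserves a one-line comment saying so, and the ssh stanza could be narrowed to the cluster hosts. None of the three `ldapadd` calls is checked, so a rejected LDIF (for instance when `ou=Sudoers` does not exist on the server) goes unnoticed and the home directory, keys and `authorized_keys` are still created; a `set -e` at the top or `|| exit 1` on each `ldapadd` would surface it.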

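--- a/scripts/ldap_client.sh
+++ b/scripts/ldap_client.sh
@@ -0,0 +1,120 @@
+#!/bin/bash
+script_name=$(basename "$0")
+function display_help {
+cat <<EOF
+$script_name
+Set up the LDAP client.
+Usage:
+$script_name --ldap-server HOST [--home-root HOME_DIR]
+Options:
+-h, --help Show this help message.
+--ldap-server HOST The LDAP server
+--home-root HOME_DIR The root for home directories.
+[default: /share/home]
+EOF
+}
+ldap_server=
+home_root=/share/home
+while [[ $# -gt 0 ]]
+do
+key="$1"
+case $key in
+-h|--help)
+display_help
+exit 0
+;;
+--ldap-server)
+ldap_server="$2"
+shift 2
+;;
+--home-root)
+home_root="$2"
+shift 2
+;;
+*)
+# unknown option
+echo "ERROR: unknown option - $1"
+echo
+display_help
+exit 1
+;;
+esac
+done
+if [ -z "$ldap_server" ]; then
+echo "ERROR: missing mandatory argument(s)"
+echo
+display_help
+exit 1
+fi
+ldap_base_dn="DC=${ldap_server},DC=local"
+yum install -y openldap-clients nss-pam-ldapd sssd
+# Configure Ldap
+echo "URI ldap://$ldap_server" >> /etc/openldap/ldap.conf
+echo "BASE $ldap_base_dn" >> /etc/openldap/ldap.conf
+cat <<EOF >/etc/sssd/sssd.conf
+[domain/default]
+enumerate = True
+autofs_provider = ldap
+cache_credentials = True
+ldap_search_base = $ldap_base_dn
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+sudo_provider = ldap
+ldap_sudo_search_base = ou=Sudoers,$ldap_base_dn
+ldap_uri = ldap://$ldap_server
+ldap_id_use_start_tls = True
+use_fully_qualified_names = False
+ldap_tls_cacertdir = /etc/openldap/cacerts
+[sssd]
+services = nss, pam, autofs, sudo
+full_name_format = %2\$s\%1\$s
+domains = default
+[nss]
+homedir_substring = $home_root
+[pam]
+[sudo]
+ldap_sudo_full_refresh_interval=86400
+ldap_sudo_smart_refresh_interval=3600
+[autofs]
+[ssh]
+[pac]
+[ifp]
+[secrets]
+EOF
+chmod 600 /etc/sssd/sssd.conf
+systemctl enable sssd
+systemctl restart sssd
+echo | openssl s_client -connect $ldap_server:389 -starttls ldap > /root/open_ssl_ldap
+mkdir /etc/openldap/cacerts
+cat /root/open_ssl_ldap | openssl x509 >/etc/openldap/cacerts/openldap-server.pem
+authconfig --disablesssd --disablesssdauth --disableldap --disableldapauth --disablekrb5 --disablekrb5kdcdns --disablekrb5realmdns --disablewinbind --disablewinbindauth --disablewinbindkrb5 --disableldaptls --disablerfc2307bis --updateall
+sss_cache -E
+authconfig --enablesssd --enablesssdauth --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://$ldap_server --ldapbasedn=$ldap_base_dn --enablelocauthorize --enablemkhomedir --enablecachecreds --updateall
+echo "sudoers: files sss" >> /etc/nsswitch.conf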
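Review bot: The CA this node trusts for STARTTLS is whatever certificate answers on `$ldap_server:389` at install time (`echo | openssl s_client ... > /root/open_ssl_ldap`, then `openssl x509 > /etc/openldap/cacerts/openldap-server.pem`), with nothing verifying that download, so an on-path attacker during provisioning becomes a permanently trusted directory — and because `sudo_provider = ldap` that directory also decides who is root here. `ldap_server.sh` already leaves the certificate at `/etc/openldap/certs/${server_hostname}.crt`, so it could be shipped out of band (the install step's `copy` list, or the `/share` NFS mount that the config appears to set up before this step) or at least checked against a known fingerprint, and the `openssl s_client` output should be tested for emptiness before it is installed as a trust anchor. Separately, `/etc/sssd/sssd.conf` is written here before the two `authconfig ... --updateall` calls, whereas `ldap_server.sh` writes it after `authconfig`; if authconfig regenerates the file, the hand-written `sudo_provider` / `ldap_sudo_search_base` lines are lost on the client, so the ordering should probably match the server script. A comment on the `openssl` lines stating that this is trust-on-first-use would at least make the assumption visible to whoever reuses the example.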

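--- a/scripts/ldap_server.sh
+++ b/scripts/ldap_server.sh
@@ -0,0 +1,230 @@
+#!/bin/bash
+script_name=$(basename "$0")
+function display_help {
+cat <<EOF
+$script_name
+Set up the LDAP server.
+Usage:
+$script_name [--home-root HOME_DIR] [--ldap-admin LDAP_ADMIN]
+[--ldap-password-file LDAP_PASSWORD_FILE]
+Options:
+-h, --help Show this help message.
+--ldap-admin LDAP_ADMIN
+The LDAP admin username
+[default: admin]
+--ldap-password-file LDAP_PASSWORD_FILE
+A file location to write the LDAP admin password
+[default: /root/ldap_admin_password.txt]
+--home-root HOME_DIR The root for home directories.
+[default: /share/home]
+EOF
+}
+home_root=/share/home
+ldap_admin_username=admin
+ldap_admin_password_file=/root/ldap_admin_password.txt
+while [[ $# -gt 0 ]]
+do
+key="$1"
+case $key in
+-h|--help)
+display_help
+exit 0
+;;
+--ldap-admin)
+ldap_admin_username="$2"
+shift 2
+;;
+--ldap-password-file)
+ldap_admin_password_file="$2"
+shift 2
+;;
+--home-root)
+home_root="$2"
+shift 2
+;;
+*)
+# unknown option
+echo "ERROR: unknown option - $1"
+echo
+display_help
+exit 1
+;;
+esac
+done
+yum install -y openldap openldap-clients openldap-servers openldap-devel sssd
+server_hostname=$HOSTNAME
+ldap_base_dn="DC=${server_hostname},DC=local"
+home_root=/share/home
+systemctl enable slapd
+systemctl start slapd
+ldap_password=$(slappasswd -g)
+echo -n "$ldap_password" >$ldap_admin_password_file
+chmod 600 $ldap_admin_password_file
+echo "URI ldap://$server_hostname" >>/etc/openldap/ldap.conf
+echo "BASE $ldap_base_dn" >>/etc/openldap/ldap.conf
+openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "/CN=$server_hostname" \
+-keyout /etc/openldap/certs/${server_hostname}.key -out /etc/openldap/certs/${server_hostname}.crt
+chown ldap:ldap /etc/openldap/certs/${server_hostname}.key /etc/openldap/certs/${server_hostname}.crt
+chmod 600 /etc/openldap/certs/${server_hostname}.key /etc/openldap/certs/${server_hostname}.crt
+cat <<EOF >ldap_db.ldif
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: $ldap_base_dn
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn=${ldap_admin_username},$ldap_base_dn
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: $(/sbin/slappasswd -h "{SSHA}" -s $ldap_password)
+EOF
+cat <<EOF >ldap_update_ssl_cert.ldif
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/${server_hostname}.crt
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/${server_hostname}.key
+EOF
+cat <<EOF >ldap_change_user_password.ldif
+dn: olcDatabase={2}hdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword by self write by anonymous auth by group.exact="ou=admins,$ldap_base_dn" write by * none
+-
+add: olcAccess
+olcAccess: {1}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write by dn.base="ou=admins,$ldap_base_dn" write by * read
+EOF
+cat <<EOF >ldap_sudoers.ldif
+dn: cn=sudo,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: sudo
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.1 NAME 'sudoUser' DESC 'User(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.2 NAME 'sudoHost' DESC 'Host(s) who may run sudo' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.3 NAME 'sudoCommand' DESC 'Command(s) to be executed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.4 NAME 'sudoRunAs' DESC 'User(s) impersonated by sudo (deprecated)' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.5 NAME 'sudoOption' DESC 'Options(s) followed by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.6 NAME 'sudoRunAsUser' DESC 'User(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: ( 1.3.6.1.4.1.15953.9.1.7 NAME 'sudoRunAsGroup' DESC 'Group(s) impersonated by sudo' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcObjectClasses: ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL DESC 'Sudoer Entries' MUST ( cn ) MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ description ) )
+EOF
+/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_db.ldif
+/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_update_ssl_cert.ldif
+/bin/ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap_change_user_password.ldif
+/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f ldap_sudoers.ldif
+/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+/bin/ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
+cat <<EOF >ldap_base.ldif
+dn: $ldap_base_dn
+dc: ${server_hostname}
+objectClass: top
+objectClass: domain
+dn: cn=${ldap_admin_username},$ldap_base_dn
+objectClass: organizationalRole
+cn: ${ldap_admin_username}
+description: LDAP Manager
+dn: ou=People,$ldap_base_dn
+objectClass: organizationalUnit
+ou: People
+dn: ou=Group,$ldap_base_dn
+objectClass: organizationalUnit
+ou: Group
+dn: ou=Sudoers,$ldap_base_dn
+objectClass: organizationalUnit
+dn: ou=admins,$ldap_base_dn
+objectClass: organizationalUnit
+ou: Group
+EOF
+/bin/ldapadd -x -W -y $ldap_admin_password_file -D "cn=${ldap_admin_username},$ldap_base_dn" -f ldap_base.ldif
+authconfig \
+--enablesssd \
+--enablesssdauth \
+--enableldap \
+--enableldapauth \
+--ldapserver="ldap://$server_hostname" \
+--ldapbasedn="$ldap_base_dn" \
+--enablelocauthorize \
+--enablemkhomedir \
+--enablecachecreds \
+--updateall
+echo "sudoers: files sss" >> /etc/nsswitch.conf
+# Configure SSSD
+cat <<EOF >/etc/sssd/sssd.conf
+[domain/default]
+enumerate = True
+autofs_provider = ldap
+cache_credentials = True
+ldap_search_base = $ldap_base_dn
+id_provider = ldap
+auth_provider = ldap
+chpass_provider = ldap
+sudo_provider = ldap
+ldap_tls_cacert = /etc/openldap/certs/${server_hostname}.crt
+ldap_sudo_search_base = ou=Sudoers,$ldap_base_dn
+ldap_uri = ldap://$server_hostname
+ldap_id_use_start_tls = True
+use_fully_qualified_names = False
+ldap_tls_cacertdir = /etc/openldap/certs/
+[sssd]
+services = nss, pam, autofs, sudo
+full_name_format = %2\$s\%1\$s
+domains = default
+[nss]
+homedir_substring = $home_root
+[pam]
+[sudo]
+ldap_sudo_full_refresh_interval=86400
+ldap_sudo_smart_refresh_interval=3600
+[autofs]
+[ssh]
+[pac]
+[ifp]
+[secrets]
+EOF
+chmod 600 /etc/sssd/sssd.conf
+systemctl enable sssd
+systemctl restart sssd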
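Review bot: `home_root=/share/home` right after `ldap_base_dn=...` silently overwrites whatever `--home-root` parsed into the same variable a few lines earlier, so the option documented in `display_help` never takes effect; that line should be deleted. In `ldap_base.ldif` the `ou=Sudoers` entry carries no `ou:` attribute at all and `ou=admins` says `ou: Group`, so as far as I can tell slapd's naming/objectClass checks reject them and `ldapadd` (run without `-c`) stops at that point, leaving no `ou=Sudoers` container for `ldap_add_user.sh --sudo` to add roles under — they need `ou: Sudoers` and `ou: admins` respectively. The root password is hashed via `/sbin/slappasswd -h "{SSHA}" -s $ldap_password`, which exposes it on the command line to every local process; use `-T <(printf '%s' "$ldap_password")` instead, and write the password file under a restrictive umask, e.g. `(umask 077; printf '%s' "$ldap_password" > "$ldap_admin_password_file")`, rather than creating it world-readable and `chmod 600`-ing it afterwards. Finally, the `{1}to * ... by * read` rule lets anonymous binds enumerate every account and sudo role, and `group.exact="ou=admins,..."` only matches if that entry is a `groupOfNames` with `member` values, which this script does not create; both points deserve a comment next to `ldap_change_user_password.ldif` so the example's trust model is explicit.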