A tool for converting miqldap auth to external auth with sssd #15640
Conversation
jvlcek
force-pushed
the
miqldap_to_sssd
branch
from
a917977 to
c6b8dca
Compare
jvlcek
changed the title
|
@miq-bot remove_label wip |
|
PR 134 is also needed for PR. |
|
@abellotti, @gtanzillo and @jrafanie I remove WIP. |
| "Do the MiqLdap to SSSD conversion but skip the normalizing of the userids", | ||
| :short => "s", | ||
| :default => false, | ||
| :type => :flag |
There was a problem hiding this comment.
In a followup, let's create a separate executable in the bin directory that will invoke this script and allow a user to just run "only_change_userids"
There was a problem hiding this comment.
@jrafanie Thank you! I've updated PR ManageIQ/manageiq-appliance#134 to include the requested executable script.
| class ConfigureSELinux | ||
| def configure | ||
| LOGGER.debug("Invokded #{self.class}\##{__method__}") | ||
| enable_non_standard_ldap_port("10636") |
There was a problem hiding this comment.
should only enable an ldap port if not 389 and not 636
jvlcek
force-pushed
the
miqldap_to_sssd
branch
from
443e1c4 to
26bd19f
Compare
|
Some comments on commit jvlcek@26bd19f spec/tools/miqldap_to_sssd/configure_appliance_settings_spec.rb
tools/miqldap_to_sssd/configure_apache.rb
|
|
Checked commit jvlcek@26bd19f with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 tools/miqldap_to_sssd/configure_database.rb
|
|
@gtanzillo As discussed in the code walkthrough, I've update PR 134 to include a second script, normalize_userid_to_upn, that will allow the userid field of the user records to be normalized to UPN format independently of the conversion from miqldap to sssd. I've also updated the configuration of selinux to be done only for non-standard ldap ports. I've performed the following testing for upstream and downstream:
I've squashed all of my commits down to 1. With these changes I believe this PR and PR PR 134 are ready to be merged. Thank you @abellotti, @gtanzillo and @jrafanie for all the help! |
|
Great work @jvlcek, I KNOW this was tons of research, investigation, coding and testing that you did for all the different configurations. Thank you for this tool !! |
MiQ is delivered with the built in LDAP client, MiqLdap. Maintaining an MiQ proprietary LDAP
client is unnecessary as there are multiple mechanisms built into the operating system that provide an interface to an LDAP directory.
This PR provides a tool that will convert an MiQ appliances authentication configuration from
using the MiQ proprietary LDAP client to using SSSD packaged into the operating system.
The user records created in the DB by the MiqLdap client were assigned a userid of either
a Distinguished Name when backed to an LDAP directory or a User Principal Name
when backed to an Active Directory, configured as an LDAP directory. This tool also, optionally,
changes all userids to User Principal Name format.
Related PR, 15535 updates external authentication to always store the user record in the DB with a userid in
User Principal Name format. This tool can be used to convert MiQ authentication
from mode: LDAP(S) to SSSD however until PR 15535 is merged duplicate user records will be created.
Steps for Testing/QA [Optional]
Configure MiQ for both authentication modes of LDAP and LDAPS against both an
LDAP directory and an Active Directory.
Login with a valid user confirm the user record is created in the DB.
Run this tool to convert the authentication mode to external auth with SSSD
Login with the same valid user from step 2 and confirm there is only 1 user record with
a userid in User Principal Name format.