Send credentials via environment variables. Support DNS forwarders without DNSSEC. Support latest version of BIND.

freeipa/client/init.sls

@@ -67,7 +67,7 @@ freeipa_cleanup_cookiejar:
     - require:
       - cmd: freeipa_host_add
     - require_in:
-      -cmd: freeipa_client_install
+      - cmd: freeipa_client_install
     - onchanges:
       - cmd: freeipa_host_add
 freeipa_cleanup_keytab:
@@ -76,7 +76,7 @@ freeipa_cleanup_keytab:
     - require:
       - cmd: freeipa_host_add
     - require_in:
-      -cmd: freeipa_client_install
+      - cmd: freeipa_client_install
     - onchanges:
       - cmd: freeipa_host_add
 freeipa_kdestroy:
@@ -85,7 +85,7 @@ freeipa_kdestroy:
     - require:
       - cmd: freeipa_host_add
     - require_in:
-      -cmd: freeipa_client_install
+      - cmd: freeipa_client_install
     - onchanges:
       - file: freeipa_push_principal
 {%- endif %}

freeipa/common.sls

@@ -1,13 +1,18 @@
 {%- from "freeipa/map.jinja" import client,server with context %}
+{%- set openssh_server_enabled = salt.pillar.get('openssh:server:enabled', False) %}
 
+{%- if openssh_server_enabled %}
 include:
 - openssh.server
+{%- endif %}
 
 sssd_service:
   service.running:
     - name: sssd
+    {%- if openssh_server_enabled %}
     - watch_in:
       - service: openssh_server_service
+    {%- endif %}
     - watch:
       - file: sssd_conf
 
@@ -68,4 +73,3 @@ pam_auth_update:
       - file: pam_mkhomedir_config
 {%- endif %}
 {%- endif %}
-

freeipa/files/krb5.conf

@@ -1,5 +1,13 @@
-{%- from "freeipa/map.jinja" import client, ipa_servers with context -%}
+{%- from "freeipa/map.jinja" import client, server, ipa_servers with context -%}
 includedir /var/lib/sss/pubconf/krb5.include.d/
+{%- if server.get('enabled', False) %}
+includedir /etc/krb5.conf.d/
+
+[logging]
+  default = FILE:/var/log/krb5libs.log
+  kdc = FILE:/var/log/krb5kdc.log
+  admin_server = FILE:/var/log/kadmind.log
+{%- endif %}
 
 [libdefaults]
   default_realm = {{ client.realm }}
@@ -8,6 +16,8 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
   rdns = false
   ticket_lifetime = 24h
   forwardable = yes
+  udp_preference_limit = 0
+  default_ccache_name = KEYRING:persistent:%{uid}
 
 [realms]
   {{ client.realm }} = {
@@ -18,17 +28,18 @@ includedir /var/lib/sss/pubconf/krb5.include.d/
     admin_server = {{ ipa_servers[0] }}:749
     default_domain = {{ client.domain }}
     pkinit_anchors = FILE:/etc/ipa/ca.crt
+    pkinit_pool = FILE:/etc/ipa/ca.crt
   }
 
 [domain_realm]
   .{{ client.domain }} = {{ client.realm }}
   {{ client.domain }} = {{ client.realm }}
-{%- if grains['fqdn'] in  ipa_servers %}
+{%- if grains['fqdn'] in ipa_servers %}
 
 [dbmodules]
-{{ client.realm }} = {
-  db_library = ipadb.so
-}
+  {{ client.realm }} = {
+    db_library = ipadb.so
+  }
 {%- endif %}
 
 {#-

freeipa/files/ldap.conf

@@ -1,5 +1,6 @@
 {%- from "freeipa/map.jinja" import client, server, ipa_servers with context -%}
 
+SASL_NOCANON on
 TLS_CACERT /etc/ipa/ca.crt
 URI{% for server in ipa_servers %} ldaps://{{ server }}{% endfor %}
 {%- if client.get('enabled', False) %}

freeipa/files/named.conf

@@ -10,17 +10,21 @@ options {
     statistics-file     "data/named_stats.txt";
     memstatistics-file  "data/named_mem_stats.txt";
 
-    forward first;
-    forwarders { };
+    forward {{ server.get('dns', {}).get('forward', 'first') }};
+    forwarders { 
+        {%- for forwarder in server.get('dns', {}).get('forwarders', []) %}
+        {{ forwarder }};
+        {%- endfor %}
+    };
 
     // Any host is permitted to issue recursive queries
     allow-recursion { {{ server.get('dns', {}).get('recursion', 'localhost') }}; };
 
     tkey-gssapi-keytab "/etc/named.keytab";
     pid-file "/run/named/named.pid";
 
-    dnssec-enable yes;
-    dnssec-validation yes;
+    dnssec-enable {% if server.get('dns', {}).get('dnssec', {}).get('enable', True) %}yes{% else %}no{% endif %};
+    dnssec-validation {% if server.get('dns', {}).get('dnssec', {}).get('validation', True) %}yes{% else %}no{% endif %};
 
     /* Path to ISC DLV key */
     bindkeys-file "/etc/named.iscdlv.key";
@@ -55,16 +59,14 @@ include "/etc/named.root.key";
 {%- endif %}
 
 dyndb "ipa" "/usr/lib64/bind/ldap.so" {
-        uri "ldapi://%2fvar%2frun%2fslapd-{{ server.realm|replace('.', '-') }}.socket";
-        base "cn=dns, dc={{ server.realm|replace('.', '-') }}";
-        server_id "{{ hostname }}";
-        auth_method "sasl";
-        sasl_mech "GSSAPI";
-        sasl_user "DNS/{{ hostname }}";
+    uri "ldapi://%2fvar%2frun%2fslapd-{{ server.realm|replace('.', '-') }}.socket";
+    base "cn=dns, dc={{ server.domain|replace('.', ',dc=') }}";
+    server_id "{{ hostname }}";
+    auth_method "sasl";
+    sasl_mech "GSSAPI";
+    sasl_user "DNS/{{ hostname }}";
 };
 
-include "/etc/named.root.key";
-
 {%- for keyname, key in server.get('dns', {}).get('key', {}).iteritems() %}
 key "{{ keyname }}" {
     algorithm {{ key.algorithm }};

freeipa/files/sssd.conf

@@ -14,7 +14,11 @@ krb5_realm = {{ client.realm }}
 ipa_domain = {{ client.domain }}
 ipa_hostname = {{ client.get('hostname', grains['fqdn']) }}
 ipa_server = {{ '_srv_, ' if client.get('lookup', {}).get('kdc', False) else '' }}{{ ipa_servers|join(', ') }}
-ipa_dyndns_update = True
+{%- if pillar.freeipa.server is defined %}
+ipa_server_mode = True
+{%- else %}
+ipa_dyndns_update = {{ client.get('ipa_dyndns_update', True) }}
+{%- endif %}
 
 id_provider = ipa
 auth_provider = ipa
@@ -43,6 +47,10 @@ homedir_substring = /home
 
 [ifp]
 
+[secrets]
+
+[session_recording]
+
 {#-
 vim: syntax=jinja
 -#}

freeipa/server/common.sls

@@ -15,7 +15,7 @@ freeipa_server_pkgs:
   file.managed:
     - contents: {{ server.ldap.password }}
     - mode: 640
-    - owner: root
+    - user: root
     {%- if pillar.get('sensu', {}).get('client', {}).get('enabled', False) %}
     - group: sensu
     - require:
@@ -25,13 +25,15 @@ freeipa_server_pkgs:
 ldap_secure_binds:
   cmd.run:
     - name: |
-          ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF
+          ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF
           dn: cn=config
           changetype: modify
           replace: nsslapd-minssf
           nsslapd-minssf: {{ server.ldap.get('minssf', 0) }}
           EOF
-    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -b 'cn=config' -Z | grep 'nsslapd-minssf: {{ server.ldap.get('minssf', 0) }}'"
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w \"$FREEIPA_LDAP_PASSWORD\" -b 'cn=config' -Z | grep 'nsslapd-minssf: {{ server.ldap.get('minssf', 0) }}'"
     - require:
       - cmd: freeipa_server_install
       - file: ldap_conf
@@ -40,13 +42,15 @@ ldap_secure_binds:
 ldap_logs_audit:
   cmd.run:
     - name: |
-          ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF
+          ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF
           dn: cn=config
           changetype: modify
           replace: nsslapd-auditlog-logging-enabled
           nsslapd-auditlog-logging-enabled: {% if server.ldap.logging.audit %}on{% else %}off{% endif %}
           EOF
-    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -b 'cn=config' -Z | grep 'nsslapd-auditlog-logging-enabled: {% if server.ldap.logging.audit %}on{% else %}off{% endif %}'"
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w \"$FREEIPA_LDAP_PASSWORD\" -b 'cn=config' -Z | grep 'nsslapd-auditlog-logging-enabled: {% if server.ldap.logging.audit %}on{% else %}off{% endif %}'"
     - require:
       - cmd: freeipa_server_install
       - file: ldap_conf
@@ -56,13 +60,15 @@ ldap_logs_audit:
 ldap_logs_access:
   cmd.run:
     - name: |
-          ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF
+          ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF
           dn: cn=config
           changetype: modify
           replace: nsslapd-accesslog-logging-enabled
           nsslapd-accesslog-logging-enabled: {% if server.ldap.logging.access %}on{% else %}off{% endif %}
           EOF
-    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -b 'cn=config' -Z | grep 'nsslapd-accesslog-logging-enabled: {% if server.ldap.logging.access %}on{% else %}off{% endif %}'"
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w \"$FREEIPA_LDAP_PASSWORD\" -b 'cn=config' -Z | grep 'nsslapd-accesslog-logging-enabled: {% if server.ldap.logging.access %}on{% else %}off{% endif %}'"
     - require:
       - cmd: freeipa_server_install
       - file: ldap_conf
@@ -72,13 +78,15 @@ ldap_logs_access:
 ldap_disable_anonymous:
   cmd.run:
     - name: |
-          ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF
+          ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF
           dn: cn=config
           changetype: modify
           replace: nsslapd-allow-anonymous-access
           nsslapd-allow-anonymous-access: off
           EOF
-    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -b 'cn=config' -Z | grep 'nsslapd-allow-anonymous-access: off'"
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w \"$FREEIPA_LDAP_PASSWORD\" -b 'cn=config' -Z | grep 'nsslapd-allow-anonymous-access: off'"
     - require:
       - cmd: freeipa_server_install
       - file: ldap_conf

freeipa/server/dns.sls

@@ -13,7 +13,7 @@ named_config:
     - name: {{ server.named_conf }}
     - source: salt://freeipa/files/named.conf
     - template: jinja
-    - owner: root
+    - user: root
     - group: named
     - mode: 640
     - require:
@@ -32,7 +32,7 @@ freeipa_zones_dir:
 freeipa_dnszone_{{ name }}:
   cmd.run:
     - name: >
-        echo {{ server.admin.password }} | kinit admin &&
+        echo "$FREEIPA_ADMIN_PASSWORD" | kinit admin &&
         ipa dnszone-add "{{ name }}"
         {%- if zone.admin is defined %} --admin-email={{ zone.admin|replace('@', '.') }}.{%- endif %}
         {%- if zone.refresh is defined %} --refresh={{ zone.refresh }}{%- endif %}
@@ -45,7 +45,9 @@ freeipa_dnszone_{{ name }}:
         {%- if zone.transfer is defined %} --allow-transfer="{{ zone.transfer|join(';') }}"{%- endif %}
         {%- if zone.nameservers is defined %} --name-server="{{ zone.nameservers[0] }}."{%- endif %}
         ; ret=$?; [ $ret -eq 0 ] && touch /var/lib/ipa/zones/{{ name }}-created.lock ;kdestroy; exit $ret
-    - unless: "test -f /var/lib/ipa/zones/{{ name }}-created.lock || (echo {{ server.admin.password }} | kinit admin && ipa dnszone-find --name={{ name }}; ret=$?; [ $ret -eq 0 ] && touch /var/lib/ipa/zones/{{ name }}-created.lock; kdestroy; exit $ret)"
+    - unless: "test -f /var/lib/ipa/zones/{{ name }}-created.lock || (echo \"$FREEIPA_ADMIN_PASSWORD\" | kinit admin && ipa dnszone-find --name={{ name }}; ret=$?; [ $ret -eq 0 ] && touch /var/lib/ipa/zones/{{ name }}-created.lock; kdestroy; exit $ret)"
+    - env:
+      - FREEIPA_ADMIN_PASSWORD: {{ server.admin.password }}
     - env:
       - KRB5CCNAME: /tmp/krb5cc_salt
     - require:
@@ -57,13 +59,15 @@ freeipa_dnszone_{{ name }}:
 freeipa_dnszone_{{ name }}_transfer:
   cmd.run:
     - name: |
-          ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF
+          ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF
           dn: idnsname={{ name }}.,cn=dns,dc={{ server.domain|replace('.', ',dc=') }}
           changetype: modify
           replace: idnsAllowTransfer
           idnsAllowTransfer: {{ zone.transfer|join(';') }};
           EOF
-    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -b 'idnsname={{ name }}.,cn=dns,dc={{ server.domain|replace('.', ',dc=') }}' -Z | grep 'idnsAllowTransfer: {{ zone.transfer|join(';') }}'"
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+    - unless: "ldapsearch -h localhost -D 'cn=directory manager' -w \"$FREEIPA_LDAP_PASSWORD\" -b 'idnsname={{ name }}.,cn=dns,dc={{ server.domain|replace('.', ',dc=') }}' -Z | grep 'idnsAllowTransfer: {{ zone.transfer|join(';') }}'"
     - watch:
       - cmd: freeipa_dnszone_{{ name }}
 {%- endif %}
@@ -72,14 +76,15 @@ freeipa_dnszone_{{ name }}_transfer:
 freeipa_dnszone_{{ name }}_nameservers:
   cmd.wait:
     - name: >
-        echo {{ server.admin.password }} | kinit admin &&
+        echo "$FREEIPA_ADMIN_PASSWORD" | kinit admin &&
         ipa dnsrecord-mod "{{ name }}" '@'
         {%- for server in zone.nameservers %}
         --ns-rec="{{ server }}."
         {%- endfor %}
         ; ret=$?; kdestroy; exit $ret
     - env:
       - KRB5CCNAME: /tmp/krb5cc_salt
+      - FREEIPA_ADMIN_PASSWORD: {{ server.admin.password }}
     - watch:
       - cmd: freeipa_dnszone_{{ name }}
 {%- endif %}

freeipa/server/master.sls

@@ -11,18 +11,23 @@ freeipa_server_install:
         --realm {{ server.realm }}
         --domain {{ server.domain }}
         --hostname {% if server.hostname is defined %}{{ server.hostname }}{% else %}{{ grains['fqdn'] }}{% endif %}
-        --ds-password {{ server.ldap.password }}
-        --admin-password {{ server.admin.get('password', server.ldap.password) }}
+        --ds-password "$FREEIPA_LDAP_PASSWORD"
+        --admin-password "$FREEIPA_ADMIN_PASSWORD"
         --ssh-trust-dns
         {%- if not server.get('ntp', {}).get('enabled', True) %} --no-ntp{%- endif %}
         {%- if server.get('dns', {}).get('zonemgr', False) %} --zonemgr {{ server.dns.zonemgr }}{%- endif %}
         {%- if server.get('dns', {}).get('enabled', True) %} --setup-dns{%- endif %}
+        --forward-policy={{ server.get('dns', {}).get('forward', 'first') }}
         {%- if server.get('dns', {}).get('forwarders', []) %}{%- for forwarder in server.dns.forwarders %} --forwarder={{ forwarder }}{%- endfor %}{%- else %} --no-forwarders{%- endif %}
+        {%- if not server.get('dns', {}).get('dnssec', {}).get('validation', True) %} --no-dnssec-validation{%- endif %}
         {%- if server.get('mkhomedir', True) %} --mkhomedir{%- endif %}
         --auto-reverse
         --no-host-dns
         --allow-zone-overlap
         --unattended
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+      - FREEIPA_ADMIN_PASSWORD: {{ server.admin.get('password', server.ldap.password) }}
     - creates: /etc/ipa/default.conf
     - require:
       - pkg: freeipa_server_pkgs

freeipa/server/replica.sls

@@ -5,19 +5,21 @@ include:
 
 {#
  Replica needs to be prepared first on master using
-   ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2 -p {{ server.ldap.password }}
+   ipa-replica-prepare ipareplica.example.com --ip-address 192.168.1.2 -p "$FREEIPA_LDAP_PASSWORD"
  and stored in /var/lib/ipa/replica-info-ipareplica.example.com.gpg
  #}
 
 freeipa_server_install:
   cmd.run:
     - name: >
         ipa-replica-install
-        -w {{ server.admin.password }}
+        -w "$FREEIPA_ADMIN_PASSWORD"
         --ssh-trust-dns
         {%- if not server.get('ntp', {}).get('enabled', True) %} --no-ntp{%- endif %}
         {%- if server.get('dns', {}).get('enabled', True) %} --setup-dns{%- endif %}
+        --forward-policy={{ server.get('dns', {}).get('forward', 'first') }}
         {%- if server.get('dns', {}).get('forwarders', []) %}{%- for forwarder in server.dns.forwarders %} --forwarder={{ forwarder }}{%- endfor %}{%- else %} --no-forwarders{%- endif %}
+        {%- if not server.get('dns', {}).get('dnssec', {}).get('validation', True) %} --no-dnssec-validation{%- endif %}
         {%- if server.get('mkhomedir', True) %} --mkhomedir{%- endif %}
         {%- if server.get('no_host_dns', false) %} --no-host-dns{%- endif %}
         {%- if server.get('ca', true) %} --setup-ca{%- endif %}
@@ -29,11 +31,14 @@ freeipa_server_install:
         --domain {{ server.domain }}
         --realm {{ server.realm }}
         --server {{ server.servers.0 }}
-        --hostname {{ grains['fqdn'] }}
+        --hostname {{ server.get('hostname', grains['fqdn']) }}
         {%- else %}
-        --password {{ server.ldap.password }}
+        --password "$FREEIPA_LDAP_PASSWORD"
         /var/lib/ipa/replica-info-{{ server.get('hostname', grains['fqdn']) }}.gpg
         {%- endif %}
+    - env:
+      - FREEIPA_LDAP_PASSWORD: {{ server.ldap.password }}
+      - FREEIPA_ADMIN_PASSWORD: {{ server.admin.password }}
     - creates: /etc/ipa/default.conf
     - require:
       - pkg: freeipa_server_pkgs