Fix secrets for slapd

Fix the secrets for the slapd daemon running on the training nodes.
satkinson · Nov 12, 2020 · 8a07d00 · 8a07d00
1 parent 56e7f7a
commit 8a07d00
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -119,22 +119,29 @@ Review that file before running the playbook.
 
 ## Changing Training Password
 
-The password used by trainees for SSH and when authenticating to the IdP
-needs to be set in two (2) places:
+The password used by trainees for SSH, authenticating to the IdP,
+and for the LDAP users, needs to be set in three (3) places:
 
 1. The file `roles/common/tasks/users.yml`. Use the `mkpasswd` Linux utility to hash the
 password:
     ```
     mkpasswd --method=sha-512
     ```
 
-1. The file `roles/idp/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to
+1. The LDIF files `roles/idp/files/config-always-01.ldif` and
+`roles/training/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to
 hash the password and then edit the file using `ansible-vault edit`:
 
     ```
     /usr/sbin/slappasswd -c '$6$rounds=5000$%.86s'
     ```
 
+1. The file `roles/training/vars/main.yml`. To encrypt the file use
+
+    ```
+    ansible-vault encrypt_string 'PASSWORD' --name olc_root_dn_password
+    ```
+
 ## Provision the COmanage Training Infrastructure
 
 To provision the infrastructure execute the playbook:

diff --git a/roles/training/files/config-always-01.ldif b/roles/training/files/config-always-01.ldif
@@ -16,7 +16,7 @@ objectClass: account
 objectClass: simpleSecurityObject
 uid: registry_user
 description: COmanage Registry user
-userPassword: {CRYPT}$6$rounds=5000$NONtmZNhW3kDoLfx$qbPetT/IJsOQmS0DqsklGkMKzTHysESz5/66NcEWWZ2ZhS4xo3BcLUbyiV5i4nwyNwxi.fKtj01iFQtBbo3y11
+userPassword: {CRYPT}$6$rounds=5000$q9CuhbEWltzW70Kq$9sRyYMpx5UC9.wyBonMb97Bq9XekZtJJIC8du73SffiAQ7fWp5raNrUXtasQWzlFnP0gyS3vKIedpenwU1qcG/
 
 dn: ou=people,o=Training,dc=comanage,dc=incommon,dc=training
 changetype: add

diff --git a/roles/training/vars/main.yml b/roles/training/vars/main.yml
@@ -1,14 +1,14 @@
 ---
    force_update_stack_file: no
    force_update_structure_ldif_file: no
-   olc_root_pw: "{CRYPT}$6$rounds=5000$NONtmZNhW3kDoLfx$qbPetT/IJsOQmS0DqsklGkMKzTHysESz5/66NcEWWZ2ZhS4xo3BcLUbyiV5i4nwyNwxi.fKtj01iFQtBbo3y11"
+   olc_root_pw: "{CRYPT}$6$rounds=5000$q9CuhbEWltzW70Kq$9sRyYMpx5UC9.wyBonMb97Bq9XekZtJJIC8du73SffiAQ7fWp5raNrUXtasQWzlFnP0gyS3vKIedpenwU1qcG/"
    olc_root_dn_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          39366562316237336539383637633263626163663337303965326336623465636638656437383764
-          6330366633326538366565366330353930613265313263320a356435613832336364356539363130
-          66343361316665626164306662383233346365373464303832633232373233343535333930613462
-          3831666436363563620a393262653439313332333534383834373466313638623961656632346466
-          3632
+          37666466386132616164663431356162636266623966663033303766383638623462653138346130
+          6536666262306433623532343339653839303433656638610a346437303633666237663139356439
+          36363435336531333439363062356132646434313535343330353730363330373231343032636462
+          3331626266316565350a646434363364663539363337613965643565653637383662393761363135
+          3035
    comanage_registry_email_account_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
           36323531383463636232386363643566383636373965393134323832623630356534383035393133