From 8a07d00d10d7cf92d012a3954884150a33651de6 Mon Sep 17 00:00:00 2001
From: Scott Koranda
Date: Thu, 12 Nov 2020 08:23:57 -0600
Subject: [PATCH] Fix secrets for slapd

Fix the secrets for the slapd daemon running on the training nodes.
---
 README.md | 13 ++++++++++---
 roles/training/files/config-always-01.ldif | 2 +-
 roles/training/vars/main.yml | 12 ++++++------
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 9bb6074..135a7f8 100644
--- a/README.md
+++ b/README.md
@@ -119,8 +119,8 @@ Review that file before running the playbook.
 ## Changing Training Password
-The password used by trainees for SSH and when authenticating to the IdP
-needs to be set in two (2) places:
+The password used by trainees for SSH, authenticating to the IdP,
+and for the LDAP users, needs to be set in three (3) places:
 1. The file `roles/common/tasks/users.yml`. Use the `mkpasswd` Linux utility to hash the password:
@@ -128,13 +128,20 @@ password:
 mkpasswd --method=sha-512
 ```
-1. The file `roles/idp/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to
+1. The LDIF files `roles/idp/files/config-always-01.ldif` and
+`roles/training/files/config-always-01.ldif`. Use the `slappasswd` Linux utilty to hash the password and then edit the file using `ansible-vault edit`:
 ```
 /usr/sbin/slappasswd -c '$6$rounds=5000$%.86s'
 ```
+1. The file `roles/training/vars/main.yml`. To encrypt the file use
+ ```
+ ansible-vault encrypt_string 'PASSWORD' --name olc_root_dn_password
+ ```
+
 ## Provision the COmanage Training Infrastructure
 To provision the infrastructure execute the playbook:
diff --git a/roles/training/files/config-always-01.ldif b/roles/training/files/config-always-01.ldif
index 064c8f4..9217864 100644
--- a/roles/training/files/config-always-01.ldif
+++ b/roles/training/files/config-always-01.ldif
@@ -16,7 +16,7 @@ objectClass: account
 objectClass: simpleSecurityObject
 uid: registry_user
 description: COmanage Registry user
-userPassword: {CRYPT}$6$rounds=5000$NONtmZNhW3kDoLfx$qbPetT/IJsOQmS0DqsklGkMKzTHysESz5/66NcEWWZ2ZhS4xo3BcLUbyiV5i4nwyNwxi.fKtj01iFQtBbo3y11
+userPassword: {CRYPT}$6$rounds=5000$q9CuhbEWltzW70Kq$9sRyYMpx5UC9.wyBonMb97Bq9XekZtJJIC8du73SffiAQ7fWp5raNrUXtasQWzlFnP0gyS3vKIedpenwU1qcG/
 dn: ou=people,o=Training,dc=comanage,dc=incommon,dc=training
 changetype: add
diff --git a/roles/training/vars/main.yml b/roles/training/vars/main.yml
index 79df49f..7b60f89 100644
--- a/roles/training/vars/main.yml
+++ b/roles/training/vars/main.yml
@@ -1,14 +1,14 @@
 ---
 force_update_stack_file: no
 force_update_structure_ldif_file: no
- olc_root_pw: "{CRYPT}$6$rounds=5000$NONtmZNhW3kDoLfx$qbPetT/IJsOQmS0DqsklGkMKzTHysESz5/66NcEWWZ2ZhS4xo3BcLUbyiV5i4nwyNwxi.fKtj01iFQtBbo3y11"
+ olc_root_pw: "{CRYPT}$6$rounds=5000$q9CuhbEWltzW70Kq$9sRyYMpx5UC9.wyBonMb97Bq9XekZtJJIC8du73SffiAQ7fWp5raNrUXtasQWzlFnP0gyS3vKIedpenwU1qcG/"
 olc_root_dn_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
- 39366562316237336539383637633263626163663337303965326336623465636638656437383764
- 6330366633326538366565366330353930613265313263320a356435613832336364356539363130
- 66343361316665626164306662383233346365373464303832633232373233343535333930613462
- 3831666436363563620a393262653439313332333534383834373466313638623961656632346466
- 3632
+ 37666466386132616164663431356162636266623966663033303766383638623462653138346130
+ 6536666262306433623532343339653839303433656638610a346437303633666237663139356439
+ 36363435336531333439363062356132646434313535343330353730363330373231343032636462
+ 3331626266316565350a646434363364663539363337613965643565653637383662393761363135
+ 3035
 comanage_registry_email_account_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 36323531383463636232386363643566383636373965393134323832623630356534383035393133
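Review bot: The new `userPassword` for `registry_user` is byte-identical to the new `olc_root_pw` in the `roles/training/vars/main.yml` hunk (same salt `q9CuhbEWltzW70Kq` and same digest), so the registry's bind account and the directory root DN share a single credential; whoever holds the registry bind password can also bind as the root DN, which bypasses every ACL on the directory. Generating a distinct hash for `registry_user` (a second `slappasswd -c '$6$rounds=5000$%.86s'` run with a different password) keeps the application account and the admin account separable, and is the fix for both hunks. This LDIF also appears not to be vault-encrypted, since its contents are readable in the diff, while the README hunk tells the reader to edit the LDIF files with `ansible-vault edit`; if that is intended, `roles/training/files/config-always-01.ldif` should receive the same treatment as the idp one. A committed sha512crypt hash is recoverable offline if the password is weak, so the training password strength matters more once the hash is public.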
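Review bot: `olc_root_pw` is stored as a plain `{CRYPT}` hash on the added line while the cleartext `olc_root_dn_password` directly below it is vaulted, so the same secret sits at two protection levels in one file and the root DN hash is readable by anyone with repository access. Wrapping the hash the same way (`ansible-vault encrypt_string '<CRYPT_HASH>' --name olc_root_pw`, with the placeholder replaced by the slappasswd output) keeps both forms protected; `rounds=5000` is the sha512crypt default rather than a hardened setting, so raising it when the hash is regenerated is worthwhile. If the vaulted value is the trainee password described in the README hunk, the directory root DN shares the password handed to every trainee — hedged, since the vaulted content cannot be read here.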