httpd_configmap_generator 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 97e1e062ab6b1f55d36ffe1de318f82892c78d8e
-  data.tar.gz: 7a88bb96641736bb254238122b722547b61c5ec2
+  metadata.gz: 31a8b82ae49621578d09976757d636c2826580cc
+  data.tar.gz: a6621e89efda84c979e6635234382984a92dd258
 SHA512:
-  metadata.gz: a2476f19b3e2ec40ce2a14cee8946850db609d2dbd5e215129fed1981d807cf34985bf13bc37c31277c0214ce3f97b10761ec4d13b17fb6ac757909acf9777d8
-  data.tar.gz: 2b34b65675ab369a0821723e08259d06efa1619b168a3e80d019f696eb091dd8301e910454d14afe06611b6202afbdbfd884fe91360ffdbf128c0f584ed8dc05
+  metadata.gz: 7897d522c43687e7f0d29ae2519d7c0893d88fed0065e8e5158801a113e6a3af727e9418cf939117a506973eb4e53804b8b1fb890b57ad8e8f2478e62b0033cb
+  data.tar.gz: 19163527198bf275ed8990258796ba1f003386ff93ca323ff7a00d44bda2ba6852f25b5ab15698e1073704f37024636d4aff7739f84a4d8e1922ee352486fb8f

data/README-ldap.md

@@ -0,0 +1,62 @@
+# Httpd Configmap Generator - LDAP
+
+This documents how to run the httpd\_configmap\_generator tool to configure external authentication
+for an LDAP server.
+
+
+## Usage for the `ldap` auth-type:
+
+```
+$ httpd_configmap_generator ldap --help
+Options:
+  -h, --host=<s>                           Application Domain
+  -o, --output=<s>                         Configuration map file to create
+  -c, --cert-file=<s>                      Cert File
+  -l, --ldap-host=<s>                      LDAP Directory Host FQDN
+  -a, --ldap-mode=<s>                      ldap | ldaps
+  -p, --ldap-basedn=<s>                    LDAP Directory Base DN
+  -f, --force                              Force configuration if configured already
+  -d, --debug                              Enable debugging
+  -g, --ldap-group-name=<s>                LDAP Directory Group Name (default: cn)
+  -r, --ldap-group-member=<s>              Attribute containing the names of the
+                                           group's members (default: member)
+  -u, --ldap-group-object-class=<s>        The object class of a group entry in
+                                           LDAP (default: groupOfNames)
+  -i, --ldap-id-use-start-tls,
+      --no-ldap-id-use-start-tls           Connection use tls? (default: true)
+  -t, --ldap-port=<s>                      LDAP Directory Port
+  -s, --ldap-tls-reqcert=<s>               The checks to perform on server
+                                           certificates. (Default: allow)
+  -e, --ldap-user-gid-number=<s>           LDAP attribute corresponding to the
+                                           user's gid (default: gidNumber)
+  -n, --ldap-user-name=<s>                 LDAP Directory User Name (default: cn)
+  -b, --ldap-user-object-class=<s>         Object class of a user entry in LDAP
+                                           (default: posixAccount)
+  -m, --ldap-user-uid-number=<s>           LDAP attribute corresponding to the
+                                           user's id (default: uidNumber)
+  --ldap-user-search-base=<s>              The user DN search scope
+  --ldap-group-search-base=<s>             The group DN search scope
+  -x, --support-non-posix                  Supports non-posix user records
+  --help                                   Shows this message
+```
+
+### Example:
+
+```
+$ httpd_configmap_generator ldap \
+    --force                                                 \
+    --host=application.example.com                          \
+    --ldap-mode=ldap                                        \
+    --ldap-host=ldap-server.example.com                     \
+    --ldap-port=10389                                       \
+    --ldap-basedn=dc=example,dc=com                         \
+    --ldap-group-name=cn                                    \
+    --ldap-group-search-base=ou=groups,dc=example,dc=com    \
+    --ldap-group-object-class=groupOfNames                  \
+    --ldap-user-name=uid                                    \
+    --ldap-user-search-base=ou=users,dc=example,dc=com      \
+    --ldap-user-object-class=person                         \
+    --cert-file=/etc/openldap/cacerts/apacheds-cert.pem     \
+    --debug                                                 \
+    -o /tmp/external-ldap.yaml
+```

data/README-saml.md

@@ -56,10 +56,10 @@ $ httpd_configmap_generator saml     \
 In the above example, the auth configmap file would include the following files:
 
 * /etc/httpd/saml2/
-  - miqsp-metadata.xml
-  - miqsp-cert.cert
-  - miqsp-key.key
+  - sp-metadata.xml
+  - sp-cert.cert
+  - sp-key.key
   - idp-metadata.xml
 
-For Keycloak, the `miqsp-metadata.xml` file can be imported to create the Client ID for
+For Keycloak, the `sp-metadata.xml` file can be imported to create the Client ID for
 the `application.example.com` application domain.

data/README.md

@@ -28,7 +28,7 @@ httpd_configmap_generator 0.1.1 - External Authentication Configuration script
 
 Usage: httpd_configmap_generator auth_type | update | export [--help | options]
 
-supported auth_type: active-directory, ipa, saml
+supported auth_type: active-directory, ipa, ldap, saml
 
 httpd_configmap_generator options are:
   -V, --version    Version of the httpd_configmap_generator command
@@ -43,11 +43,12 @@ $ httpd_configmap_generator ipa --help
 
 ## Supported Authentication Types
 
-|auth-type         | Identity Provider/Environment                  | for usage: |
-|------------------|------------------------------------------------|------------|
-| active-directory | Active Directory domain realm join             | [README-active-directory](README-active-directory.md) |
-| ipa              | IPA, IPA 2-factor authentication, IPA/AD Trust | [README-ipa](README-ipa.md) |
-| saml             | Keycloak, etc.                                 | [README-saml](README-saml.md) |
+|auth-type         | Identity Provider/Environment                    | for usage:                                            |
+|------------------|--------------------------------------------------|-------------------------------------------------------|
+| active-directory | Active Directory domain realm join               | [README-active-directory](README-active-directory.md) |
+| ipa              | IPA, IPA 2-factor authentication, IPA/AD Trust   | [README-ipa](README-ipa.md)                           |
+| ldap             | Ldap directories                                 | [README-ldap](README-ldap.md)                         |
+| saml             | Keycloak, etc.                                   | [README-saml](README-saml.md)                         |
 
 ___
 
@@ -128,7 +129,7 @@ $ httpd_configmap_generator update \
 ```
 $ httpd_configmap_generator update \
   --input=/tmp/original-auth-configmap.yaml \
-  --add-file=http://aab-keycloak:8080/auth/realms/miq/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
+  --add-file=http://aab-keycloak:8080/auth/realms/testrealm/protocol/saml/description,/etc/httpd/saml2/idp-metadata.xml,644:root:root \
   --output=/tmp/updated-auth-configmap.yaml
 ```
 
@@ -214,7 +215,7 @@ Example for generating a configuration map for IPA:
 
 ```
 $ docker exec $CONFIGMAP_GENERATOR_ID httpd_configmap_generator ipa \
-    --host=miq-appliance.example.com    \
+    --host=appliance.example.com        \
     --ipa-server=ipaserver.example.com  \
     --ipa-domain=example.com            \
     --ipa-realm=EXAMPLE.COM             \
@@ -261,18 +262,26 @@ ___
 
 #### If running without OCI systemd hooks (Minishift)
 
-The httpd-configmap-generator service account must be added to the miq-sysadmin SCC before the Httpd Auth Config pod can run.
+The httpd-configmap-generator service account must be added to the httpd-scc-sysadmin SCC before the Httpd Configmap Generator can run.
 
 ##### As Admin
 
+Create the httpd-scc-sysadmin SCC:
+
+```
+$ oc create -f templates/httpd-scc-sysadmin.yaml
+```
+
+Include the httpd-configmap-generator service account with the new SCC:
+
 ```
-$ oc adm policy add-scc-to-user miq-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator
+$ oc adm policy add-scc-to-user httpd-scc-sysadmin system:serviceaccount:<your-namespace>:httpd-configmap-generator
 ```
 
-Verify that the httpd-configmap-generator service account is now included in the miq-sysadmin SCC:
+Verify that the httpd-configmap-generator service account is now included in the httpd-scc-sysadmin SCC:
 
 ```
-$ oc describe scc miq-sysadmin | grep Users
+$ oc describe scc httpd-scc-sysadmin | grep Users
 Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator
 ```
 
@@ -284,7 +293,7 @@ Users:        system:serviceaccount:<your-namespace>:httpd-configmap-generator
 $ oc adm policy add-scc-to-user anyuid system:serviceaccount:<your-namespace>:httpd-configmap-generator
 ```
 
-Verify that the httpd-configmap-generator service account is now included in the miq-sysadmin SCC:
+Verify that the httpd-configmap-generator service account is included in the anyuid SCC:
 
 ```
 $ oc describe scc anyuid | grep Users
@@ -339,7 +348,7 @@ Example configuration:
 
 ```
 $ oc rsh $CONFIGMAP_GENERATOR_POD httpd_configmap_generator ipa \
-    --host=miq-appliance.example.com    \
+    --host=appliance.example.com        \
     --ipa-server=ipaserver.example.com  \
     --ipa-domain=example.com            \
     --ipa-realm=EXAMPLE.COM             \

data/lib/httpd_configmap_generator.rb

@@ -2,6 +2,7 @@ require "httpd_configmap_generator/version"
 require "httpd_configmap_generator/base"
 require "httpd_configmap_generator/active_directory"
 require "httpd_configmap_generator/ipa"
+require "httpd_configmap_generator/ldap"
 require "httpd_configmap_generator/saml"
 require "httpd_configmap_generator/update"
 require "httpd_configmap_generator/export"

data/lib/httpd_configmap_generator/base.rb

@@ -1,8 +1,8 @@
 require "pathname"
 require "httpd_configmap_generator/base/command"
-require "httpd_configmap_generator/base/config"
+require "httpd_configmap_generator/base/config_helper"
 require "httpd_configmap_generator/base/config_map"
-require "httpd_configmap_generator/base/file"
+require "httpd_configmap_generator/base/file_helper"
 require "httpd_configmap_generator/base/kerberos"
 require "httpd_configmap_generator/base/network"
 require "httpd_configmap_generator/base/pam"
@@ -11,6 +11,13 @@ require "httpd_configmap_generator/base/sssd"
 
 module HttpdConfigmapGenerator
   class Base
+    include Command
+    include ConfigHelper
+    include FileHelper
+    include Kerberos
+    include Network
+    include Pam
+
     APACHE_USER          = "apache".freeze
     HTTP_KEYTAB          = "/etc/http.keytab".freeze
     IPA_COMMAND          = "/usr/bin/ipa".freeze

data/lib/httpd_configmap_generator/base/command.rb

@@ -2,27 +2,29 @@ require "awesome_spawn"
 
 module HttpdConfigmapGenerator
   class Base
-    def command_run(executable, options = {})
-      if opts && opts[:debug]
-        debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+    module Command
+      def command_run(executable, options = {})
+        if opts && opts[:debug]
+          debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+        end
+        AwesomeSpawn.run(executable, options)
       end
-      AwesomeSpawn.run(executable, options)
-    end
 
-    def command_run!(executable, options = {})
-      if opts && opts[:debug]
-        debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+      def command_run!(executable, options = {})
+        if opts && opts[:debug]
+          debug_msg("Running Command: #{AwesomeSpawn.build_command_line(executable, options)}")
+        end
+        AwesomeSpawn.run!(executable, options)
       end
-      AwesomeSpawn.run!(executable, options)
-    end
 
-    def log_command_error(err)
-      err_msg("Command Error: #{err}")
-      if err.kind_of?(AwesomeSpawn::CommandResultError)
-        err_msg("stdout: #{err.result.output}")
-        err_msg("stderr: #{err.result.error}")
-      else
-        err_msg(err.backtrace)
+      def log_command_error(err)
+        err_msg("Command Error: #{err}")
+        if err.kind_of?(AwesomeSpawn::CommandResultError)
+          err_msg("stdout: #{err.result.output}")
+          err_msg("stderr: #{err.result.error}")
+        else
+          err_msg(err.backtrace)
+        end
       end
     end
   end

data/lib/httpd_configmap_generator/base/config_helper.rb

@@ -0,0 +1,15 @@
+require "active_support"
+require "active_support/core_ext" # for Time.current
+
+module HttpdConfigmapGenerator
+  class Base
+    module ConfigHelper
+      def config_file_backup(path)
+        if File.exist?(path)
+          timestamp = Time.current.strftime(TIMESTAMP_FORMAT)
+          FileUtils.copy(path, "#{path}.#{timestamp}")
+        end
+      end
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/config_map.rb

@@ -84,30 +84,42 @@ module HttpdConfigmapGenerator
       file_specs = []
       file_list.each do |file_to_add|
         file_spec = file_to_add.split(",").map(&:strip)
-        case file_spec.length
-        when 1
-          file = file_spec.first
-          file_entry = file_entry_spec(file)
-        when 2
-          source_file, target_file = file_spec
-          raise "Must specify a mode for URL file sources" if source_file =~ URI.regexp(%w(http https))
-          file_entry = file_entry_spec(source_file, target_file)
-        when 3
-          source_file, target_file, mode = file_spec
-          if source_file =~ URI.regexp(%w(http https))
-            fetch_network_file(source_file, target_file)
-            file_entry = file_entry_spec(target_file, target_file, mode)
+        file_entry =
+          case file_spec.length
+          when 1
+            file_entry_spec(file_spec.first)
+          when 2
+            source_file, target_file = file_spec
+            file_entry_for_source_target(source_file, target_file)
+          when 3
+            source_file, target_file, mode = file_spec
+            file_entry_for_source_target_mode(source_file, target_file, mode)
           else
-            file_entry = file_entry_spec(source_file, target_file, mode)
+            raise "Invalid file specification #{file_to_add}"
           end
-        else
-          raise "Invalid file specification #{file_to_add}"
-        end
         file_specs << file_entry
       end
       file_specs.sort_by { |file_spec| file_spec[:basename] }
     end
 
+    def file_entry_for_source_target(source_file, target_file)
+      raise "Must specify a mode for URL file sources" if source_file =~ URI.regexp(%w(http https))
+      file_entry = file_entry_spec(source_file, target_file)
+      file_entry[:source_file] = source_file
+      file_entry
+    end
+
+    def file_entry_for_source_target_mode(source_file, target_file, mode)
+      if source_file =~ URI.regexp(%w(http https))
+        fetch_network_file(source_file, target_file)
+        file_entry = file_entry_spec(target_file, target_file, mode)
+      else
+        file_entry = file_entry_spec(source_file, target_file, mode)
+        file_entry[:source_file] = source_file
+      end
+      file_entry
+    end
+
     def file_entry_spec(source_file, target_file = nil, mode = nil)
       target_file = source_file.dup unless target_file
       unless mode
@@ -152,7 +164,7 @@ module HttpdConfigmapGenerator
 
     def include_files(file_specs)
       file_specs.each do |file_spec|
-        content = File.read(file_spec[:target])
+        content = File.read(file_spec[:source_file] || file_spec[:target])
         content = Base64.encode64(content) if file_spec[:binary]
         # encode(:universal_newline => true) will convert \r\n to \n, necessary for to_yaml to render properly.
         config_map[DATA_SECTION].merge!(file_basename(file_spec) => content.encode(:universal_newline => true))

data/lib/httpd_configmap_generator/base/file_helper.rb

@@ -0,0 +1,67 @@
+require "pathname"
+
+module HttpdConfigmapGenerator
+  class Base
+    module FileHelper
+      def template_directory
+        @template_directory ||=
+          Pathname.new(Gem::Specification.find_by_name("httpd_configmap_generator").full_gem_path).join("templates")
+      end
+
+      def cp_template(file, src_dir, dest_dir = "/")
+        src_path  = path_join(src_dir, file)
+        dest_path = path_join(dest_dir, file.gsub(".erb", ""))
+        if src_path.to_s.include?(".erb")
+          File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
+        else
+          FileUtils.cp(src_path, dest_path)
+        end
+      end
+
+      def delete_target_file(file_path)
+        if File.exist?(file_path)
+          if opts[:force]
+            info_msg("File #{file_path} exists, forcing a delete")
+            File.delete(file_path)
+          else
+            raise "File #{file_path} already exist"
+          end
+        end
+      end
+
+      def create_target_directory(file_path)
+        dirname = File.dirname(file_path)
+        return if File.exist?(dirname)
+        debug_msg("Creating directory #{dirname} ...")
+        FileUtils.mkdir_p(dirname)
+      end
+
+      def rm_file(file, dir = "/")
+        path = path_join(dir, file)
+        File.delete(path) if File.exist?(path)
+      end
+
+      def path_join(*args)
+        path = Pathname.new(args.shift)
+        args.each { |path_seg| path = path.join("./#{path_seg}") }
+        path
+      end
+
+      def file_binary?(file)
+        data = File.read(file)
+        ascii = control = binary = total = 0
+        data[0..512].each_byte do |c|
+          total += 1
+          if c < 32
+            control += 1
+          elsif c >= 32 && c <= 128
+            ascii += 1
+          else
+            binary += 1
+          end
+        end
+        control.to_f / ascii > 0.1 || binary.to_f / ascii > 0.05
+      end
+    end
+  end
+end

data/lib/httpd_configmap_generator/base/kerberos.rb

@@ -1,13 +1,15 @@
 module HttpdConfigmapGenerator
   class Base
-    def enable_kerberos_dns_lookups
-      info_msg("Configuring Kerberos DNS Lookups")
-      config_file_backup(KERBEROS_CONFIG_FILE)
-      krb5config = File.read(KERBEROS_CONFIG_FILE)
-      krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'   if krb5config[/(\s*)dns_lookup_kdc(\s*)=/]
-      krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true' if krb5config[/(\s*)dns_lookup_realm(\s*)=/]
-      debug_msg("- Updating #{KERBEROS_CONFIG_FILE}")
-      File.write(KERBEROS_CONFIG_FILE, krb5config)
+    module Kerberos
+      def enable_kerberos_dns_lookups
+        info_msg("Configuring Kerberos DNS Lookups")
+        config_file_backup(KERBEROS_CONFIG_FILE)
+        krb5config = File.read(KERBEROS_CONFIG_FILE)
+        krb5config[/(\s*)dns_lookup_kdc(\s*)=(\s*)(.*)/, 4] = 'true'   if krb5config[/(\s*)dns_lookup_kdc(\s*)=/]
+        krb5config[/(\s*)dns_lookup_realm(\s*)=(\s*)(.*)/, 4] = 'true' if krb5config[/(\s*)dns_lookup_realm(\s*)=/]
+        debug_msg("- Updating #{KERBEROS_CONFIG_FILE}")
+        File.write(KERBEROS_CONFIG_FILE, krb5config)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/network.rb

@@ -1,37 +1,39 @@
 module HttpdConfigmapGenerator
   class Base
-    HOSTNAME_COMMAND = "/usr/bin/hostname".freeze
+    module Network
+      HOSTNAME_COMMAND = "/usr/bin/hostname".freeze
 
-    def realm
-      domain.upcase
-    end
+      def realm
+        domain.upcase
+      end
 
-    def domain
-      domain_from_host(opts[:host])
-    end
+      def domain
+        domain_from_host(opts[:host])
+      end
 
-    def domain_from_host(host)
-      host.gsub(/^([^.]+\.)/, '') if host.present? && host.include?('.')
-    end
+      def domain_from_host(host)
+        host.gsub(/^([^.]+\.)/, '') if host.present? && host.include?('.')
+      end
 
-    def host_reachable?(host)
-      require "net/ping"
-      Net::Ping::External.new(host).ping
-    end
+      def host_reachable?(host)
+        require "net/ping"
+        Net::Ping::External.new(host).ping
+      end
 
-    def update_hostname(host)
-      command_run!(HOSTNAME_COMMAND, :params => [host]) if command_run(HOSTNAME_COMMAND).output.strip != host
-    end
+      def update_hostname(host)
+        command_run!(HOSTNAME_COMMAND, :params => [host]) if command_run(HOSTNAME_COMMAND).output.strip != host
+      end
 
-    def fetch_network_file(source_file, target_file)
-      require "net/http"
+      def fetch_network_file(source_file, target_file)
+        require "net/http"
 
-      delete_target_file(target_file)
-      create_target_directory(target_file)
-      info_msg("Downloading #{source_file} ...")
-      result = Net::HTTP.get_response(URI(source_file))
-      raise "Failed to fetch URL file source #{source_file}" unless result.kind_of?(Net::HTTPSuccess)
-      File.write(target_file, result.body)
+        delete_target_file(target_file)
+        create_target_directory(target_file)
+        info_msg("Downloading #{source_file} ...")
+        result = Net::HTTP.get_response(URI(source_file))
+        raise "Failed to fetch URL file source #{source_file}" unless result.kind_of?(Net::HTTPSuccess)
+        File.write(target_file, result.body)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/pam.rb

@@ -1,9 +1,11 @@
 module HttpdConfigmapGenerator
   class Base
-    def configure_pam
-      info_msg("Configuring PAM")
-      debug_msg("- Creating #{PAM_CONFIG}")
-      cp_template(PAM_CONFIG, template_directory)
+    module Pam
+      def configure_pam
+        info_msg("Configuring PAM")
+        debug_msg("- Creating #{PAM_CONFIG}")
+        cp_template(PAM_CONFIG, template_directory)
+      end
     end
   end
 end

data/lib/httpd_configmap_generator/base/sssd.rb

@@ -43,7 +43,7 @@ module HttpdConfigmapGenerator
 
     def section(key)
       if key =~ /^domain\/.*$/
-        key = sssd.entries.collect(&:key).select { |k| k.downcase == key.downcase }.first
+        key = sssd.entries.collect(&:key).select { |k| k.downcase == key.downcase }.first || key
       end
       sssd.section(key)
     end

data/lib/httpd_configmap_generator/ldap.rb

@@ -0,0 +1,185 @@
+module HttpdConfigmapGenerator
+  class Ldap < Base
+    AUTHCONFIG_COMMAND = "/usr/sbin/authconfig".freeze
+    LDAP_MODES = %w(ldap ldaps).freeze
+
+    AUTH = {
+      :type    => "external",
+      :subtype => "ldap"
+    }.freeze
+
+    def required_options
+      super.merge(
+        :cert_file   => { :description => "Cert File" },
+        :ldap_host   => { :description => "LDAP Directory Host FQDN" },
+        :ldap_mode   => { :description => "ldap | ldaps" },
+        :ldap_basedn => { :description => "LDAP Directory Base DN" },
+      )
+    end
+
+    def optional_options
+      super.merge(
+        :ldap_group_name         => { :description => "LDAP Directory Group Name",
+                                      :default     => "cn" },
+        :ldap_group_member       => { :description => "Attribute containing the names of the group's members",
+                                      :default     => "member" },
+        :ldap_group_object_class => { :description => "The object class of a group entry in LDAP",
+                                      :default     => "groupOfNames" },
+        :ldap_id_use_start_tls   => { :description => "Connection use tls?",
+                                      :default     => true },
+        :ldap_port               => { :description => "LDAP Directory Port" },
+        :ldap_tls_reqcert        => { :description => "The checks to perform on server certificates.",
+                                      :default     => "allow" },
+        :ldap_user_gid_number    => { :description => "LDAP attribute corresponding to the user's gid",
+                                      :default     => "gidNumber" },
+        :ldap_user_name          => { :description => "LDAP Directory User Name",
+                                      :default     => "cn"},
+        :ldap_user_object_class  => { :description => "Object class of a user entry in LDAP",
+                                      :default     => "posixAccount" },
+        :ldap_user_uid_number    => { :description => "LDAP attribute corresponding to the user's id",
+                                      :default     => "uidNumber" },
+        :ldap_user_search_base   => { :description => "The user DN search scope" },
+        :ldap_group_search_base  => { :description => "The group DN search scope" },
+        :support_non_posix       => { :description => "Suppoert non-posix user records",
+                                      :default     => false },
+      )
+    end
+
+    def persistent_files
+      %w(/etc/nsswitch.conf
+         /etc/openldap/ldap.conf
+         /etc/pam.d/fingerprint-auth-ac
+         /etc/pam.d/httpd-auth
+         /etc/pam.d/password-auth-ac
+         /etc/pam.d/postlogin-ac
+         /etc/pam.d/smartcard-auth-ac
+         /etc/pam.d/system-auth-ac
+         /etc/sssd/sssd.conf
+         /etc/sysconfig/authconfig
+         /etc/sysconfig/network) + [opts[:cert_file]]
+    end
+
+    def configure(opts)
+      update_hostname(opts[:host])
+
+      init_search_base
+      run_auth_config
+      configure_pam
+      configure_sssd
+      chmod_chown_cert_file
+      config_map = ConfigMap.new(opts)
+      config_map.generate(AUTH[:type], realm, persistent_files)
+      config_map.save(opts[:output])
+    rescue => err
+      log_command_error(err)
+      raise err
+    end
+
+    def unconfigure
+      return unless configured?
+      raise "Unable to unconfigure authentication against LDAP"
+    end
+
+    def configured?
+      File.exist?(SSSD_CONFIG)
+    end
+
+    def domain
+      opts[:ldap_basedn].split(",").collect do |p|
+        p.split('dc=')[1]
+      end.compact.join('.')
+    end
+
+    private
+
+    def ldapserver_url
+      opts[:ldap_port] ||= opts[:ldap_mode].downcase == "ldaps" ? 636 : 389
+      "#{opts[:ldap_mode]}://#{opts[:ldap_host]}:#{opts[:ldap_port]}"
+    end
+
+    def init_search_base
+      opts[:ldap_user_search_base] = opts[:ldap_basedn] if opts[:ldap_user_search_base]  == ""
+      opts[:ldap_group_search_base] = opts[:ldap_basedn] if opts[:ldap_group_search_base] == ""
+    end
+
+    def configure_sssd
+      info_msg("Configuring SSSD Service")
+      sssd = Sssd.new(opts)
+      sssd.load(SSSD_CONFIG)
+
+      sssd.configure_domain("default")
+      domain_section = sssd.section("domain/default")
+      domain_section["ldap_group_member"] = opts[:ldap_group_member]
+      domain_section["ldap_group_name"] = opts[:ldap_group_name]
+      domain_section["ldap_group_object_class"] = opts[:ldap_group_object_class]
+      domain_section["ldap_group_search_base"] = opts[:ldap_group_search_base]
+      domain_section["ldap_id_use_start_tls"] = opts[:ldap_id_use_start_tls]
+      domain_section["ldap_network_timeout"] = "3"
+      domain_section["ldap_pwd_policy"] = "none"
+      domain_section["ldap_tls_cacert"] = opts[:cert_file]
+      domain_section["ldap_tls_reqcert"] = opts[:ldap_tls_reqcert]
+      domain_section["ldap_user_gid_number"] = opts[:ldap_user_gid_number]
+      domain_section["ldap_user_name"] = opts[:ldap_user_name]
+      domain_section["ldap_user_object_class"] = opts[:ldap_user_object_class]
+      domain_section["ldap_user_search_base"] = opts[:ldap_user_search_base]
+      domain_section["ldap_user_uid_number"] = opts[:ldap_user_uid_number]
+      domain_section.delete("ldap_tls_cacertdir")
+
+      sssd_section = sssd.section("sssd")
+      sssd_section["config_file_version"] = "2"
+      sssd_section["domains"] = domain
+      sssd_section["default_domain_suffix"] = domain
+      sssd_section["sbus_timeout"] = "30"
+      sssd_section["services"] = "nss, pam, ifp"
+
+      sssd.add_service("pam")
+
+      sssd.configure_ifp
+
+      if opts[:support_non_posix]
+        sssd.section("pam")["pam_app_services"] = "httpd-auth"
+
+        debug_msg("- Setting application section to [application/#{domain}]")
+        domain_section.key = "application/#{domain}"
+
+        debug_msg("- Adding domain section to [domain/#{domain}]")
+        sssd.section("domain/#{domain}")
+      else
+        debug_msg("- Setting domain section to [domain/#{domain}]")
+        domain_section.key = "domain/#{domain}"
+      end
+
+      debug_msg("- Creating #{SSSD_CONFIG}")
+      sssd.save(SSSD_CONFIG)
+    end
+
+    def chmod_chown_cert_file
+      FileUtils.chown('root', 'root', opts[:cert_file])
+      FileUtils.chmod(0o600, opts[:cert_file])
+    end
+
+    def run_auth_config
+      params = {
+        :ldapserver=        => ldapserver_url,
+        :ldapbasedn=        => opts[:ldap_basedn],
+        :enablesssd         => nil,
+        :enablesssdauth     => nil,
+        :enablelocauthorize => nil,
+        :enableldap         => nil,
+        :enableldapauth     => nil,
+        :disableldaptls     => nil,
+        :enablerfc2307bis   => nil,
+        :enablecachecreds   => nil,
+        :update             => nil
+      }
+
+      command_run!(AUTHCONFIG_COMMAND, :params => params)
+    end
+
+    def validate_options(opts)
+      super(opts)
+      raise "ldap-mode must be one of #{LDAP_MODES.join(", ")}" unless LDAP_MODES.include?(opts[:ldap_mode].downcase)
+      raise "TLS certificate File #{opts[:cert_file]} not found" unless File.exist?(opts[:cert_file])
+    end
+  end
+end

data/lib/httpd_configmap_generator/saml.rb

@@ -2,7 +2,7 @@ module HttpdConfigmapGenerator
   class Saml < Base
     MELLON_CREATE_METADATA_COMMAND = "/usr/libexec/mod_auth_mellon/mellon_create_metadata.sh".freeze
     SAML2_CONFIG_DIRECTORY = "/etc/httpd/saml2".freeze
-    MIQSP_METADATA_FILE    = "#{SAML2_CONFIG_DIRECTORY}/miqsp-metadata.xml".freeze
+    SP_METADATA_FILE       = "#{SAML2_CONFIG_DIRECTORY}/sp-metadata.xml".freeze
     IDP_METADATA_FILE      = "#{SAML2_CONFIG_DIRECTORY}/idp-metadata.xml".freeze
     AUTH = {
       :type    => "saml",
@@ -24,9 +24,9 @@ module HttpdConfigmapGenerator
 
     def persistent_files
       file_list = %w(
-        /etc/httpd/saml2/miqsp-key.key
-        /etc/httpd/saml2/miqsp-cert.cert
-        /etc/httpd/saml2/miqsp-metadata.xml
+        /etc/httpd/saml2/sp-key.key
+        /etc/httpd/saml2/sp-cert.cert
+        /etc/httpd/saml2/sp-metadata.xml
       )
       file_list += [IDP_METADATA_FILE] if opts[:keycloak_add_metadata]
       file_list
@@ -53,7 +53,7 @@ module HttpdConfigmapGenerator
     end
 
     def configured?
-      File.exist?(MIQSP_METADATA_FILE)
+      File.exist?(SP_METADATA_FILE)
     end
 
     def unconfigure
@@ -76,18 +76,18 @@ module HttpdConfigmapGenerator
       info_msg("Renaming mellon config files")
       Dir.chdir(SAML2_CONFIG_DIRECTORY) do
         Dir.glob("https_*.*") do |mellon_file|
-          miq_saml2_file = nil
+          saml2_file = nil
           case mellon_file
           when /^https_.*\.key$/
-            miq_saml2_file = "miqsp-key.key"
+            saml2_file = "sp-key.key"
           when /^https_.*\.cert$/
-            miq_saml2_file = "miqsp-cert.cert"
+            saml2_file = "sp-cert.cert"
           when /^https_.*\.xml$/
-            miq_saml2_file = "miqsp-metadata.xml"
+            saml2_file = "sp-metadata.xml"
           end
-          if miq_saml2_file
-            debug_msg("- renaming #{mellon_file} to #{miq_saml2_file}")
-            File.rename(mellon_file, miq_saml2_file)
+          if saml2_file
+            debug_msg("- renaming #{mellon_file} to #{saml2_file}")
+            File.rename(mellon_file, saml2_file)
           end
         end
       end

data/lib/httpd_configmap_generator/version.rb

@@ -1,3 +1,3 @@
 module HttpdConfigmapGenerator
-  VERSION = "0.1.2".freeze
+  VERSION = "0.2.0".freeze
 end

data/templates/httpd-scc-sysadmin.yaml

@@ -0,0 +1,38 @@
+allowHostDirVolumePlugin: false
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegedContainer: false
+allowedCapabilities:
+apiVersion: v1
+defaultAddCapabilities:
+- SYS_ADMIN
+fsGroup:
+  type: RunAsAny
+groups:
+- system:cluster-admins
+kind: SecurityContextConstraints
+metadata:
+  annotations:
+    kubernetes.io/description: httpd-scc-sysadmin provides all features of the anyuid SCC but allows users to have SYS_ADMIN capabilities. This is the required scc for Pods requiring to run with systemd and the message bus.
+  creationTimestamp:
+  name: httpd-scc-sysadmin
+priority: 10
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+- MKNOD
+- SYS_CHROOT
+runAsUser:
+  type: RunAsAny
+seLinuxContext:
+  type: MustRunAs
+supplementalGroups:
+  type: RunAsAny
+users:
+volumes:
+- configMap
+- downwardAPI
+- emptyDir
+- persistentVolumeClaim
+- secret

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: httpd_configmap_generator
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.2.0
 platform: ruby
 authors:
 - Httpd Auth Config Developers
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-26 00:00:00.000000000 Z
+date: 2017-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
@@ -151,6 +151,7 @@ files:
 - LICENSE
 - README-active-directory.md
 - README-ipa.md
+- README-ldap.md
 - README-saml.md
 - README.md
 - Rakefile
@@ -162,9 +163,9 @@ files:
 - lib/httpd_configmap_generator/active_directory.rb
 - lib/httpd_configmap_generator/base.rb
 - lib/httpd_configmap_generator/base/command.rb
-- lib/httpd_configmap_generator/base/config.rb
+- lib/httpd_configmap_generator/base/config_helper.rb
 - lib/httpd_configmap_generator/base/config_map.rb
-- lib/httpd_configmap_generator/base/file.rb
+- lib/httpd_configmap_generator/base/file_helper.rb
 - lib/httpd_configmap_generator/base/kerberos.rb
 - lib/httpd_configmap_generator/base/network.rb
 - lib/httpd_configmap_generator/base/pam.rb
@@ -172,11 +173,13 @@ files:
 - lib/httpd_configmap_generator/base/sssd.rb
 - lib/httpd_configmap_generator/export.rb
 - lib/httpd_configmap_generator/ipa.rb
+- lib/httpd_configmap_generator/ldap.rb
 - lib/httpd_configmap_generator/saml.rb
 - lib/httpd_configmap_generator/update.rb
 - lib/httpd_configmap_generator/version.rb
 - templates/etc/pam.d/httpd-auth
 - templates/httpd-configmap-generator-template.yaml
+- templates/httpd-scc-sysadmin.yaml
 homepage: https://github.com/ManageIQ/httpd_configmap_generator
 licenses:
 - Apache-2.0

data/lib/httpd_configmap_generator/base/config.rb

@@ -1,13 +0,0 @@
-require "active_support"
-require "active_support/core_ext" # for Time.current
-
-module HttpdConfigmapGenerator
-  class Base
-    def config_file_backup(path)
-      if File.exist?(path)
-        timestamp = Time.current.strftime(TIMESTAMP_FORMAT)
-        FileUtils.copy(path, "#{path}.#{timestamp}")
-      end
-    end
-  end
-end

data/lib/httpd_configmap_generator/base/file.rb

@@ -1,65 +0,0 @@
-require "pathname"
-
-module HttpdConfigmapGenerator
-  class Base
-    def template_directory
-      @template_directory ||=
-        Pathname.new(Gem::Specification.find_by_name("httpd_configmap_generator").full_gem_path).join("templates")
-    end
-
-    def cp_template(file, src_dir, dest_dir = "/")
-      src_path  = path_join(src_dir, file)
-      dest_path = path_join(dest_dir, file.gsub(".erb", ""))
-      if src_path.to_s.include?(".erb")
-        File.write(dest_path, ERB.new(File.read(src_path), nil, '-').result(binding))
-      else
-        FileUtils.cp(src_path, dest_path)
-      end
-    end
-
-    def delete_target_file(file_path)
-      if File.exist?(file_path)
-        if opts[:force]
-          info_msg("File #{file_path} exists, forcing a delete")
-          File.delete(file_path)
-        else
-          raise "File #{file_path} already exist"
-        end
-      end
-    end
-
-    def create_target_directory(file_path)
-      dirname = File.dirname(file_path)
-      return if File.exist?(dirname)
-      debug_msg("Creating directory #{dirname} ...")
-      FileUtils.mkdir_p(dirname)
-    end
-
-    def rm_file(file, dir = "/")
-      path = path_join(dir, file)
-      File.delete(path) if File.exist?(path)
-    end
-
-    def path_join(*args)
-      path = Pathname.new(args.shift)
-      args.each { |path_seg| path = path.join("./#{path_seg}") }
-      path
-    end
-
-    def file_binary?(file)
-      data = File.read(file)
-      ascii = control = binary = total = 0
-      data[0..512].each_byte do |c|
-        total += 1
-        if c < 32
-          control += 1
-        elsif c >= 32 && c <= 128
-          ascii += 1
-        else
-          binary += 1
-        end
-      end
-      control.to_f / ascii > 0.1 || binary.to_f / ascii > 0.05
-    end
-  end
-end