[COOK-411] - Updating to use tls_checkpeer option

Signed-off-by: Sean OMeara <someara@opscode.com>
sous-chefs · Oct 25, 2013 · 1642486 · 1642486
1 parent 0af6158
commit 1642486
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 11 deletions.
diff --git a/.kitchen.yml b/.kitchen.yml
@@ -40,3 +40,17 @@ suites:
       ssl_cert: "/etc/ldap/ssl/ldap.example.com.pem"
       ssl_key: "/etc/ldap/ssl/ldap.example.com.pem"
       cafile: "/etc/ldap/ssl/ldap.example.com.pem"
+- name: tls_disabled
+  run_list:
+  - recipe[openldap::server]
+  - recipe[openldap::auth]
+  - recipe[minitest-handler]
+  attributes:
+   openldap:
+     server: localhost
+     rootpw: "{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/" # secretsauce
+     tls_enabled: false
+     passwd_ou: peeps
+     shadow_ou: ninjas
+     group_ou: pirates
+     automount_ou: barge
diff --git a/README.md b/README.md
@@ -22,6 +22,9 @@ Be aware of the attributes used by this cookbook and adjust the defaults for you
 
 - `openldap[:basedn]` - basedn
 - `openldap[:server]` - the LDAP server fully qualified domain name, default `'ldap'.node[:domain]`.
+- `openldap[:tls_enabled]` - specifies whether TLS will be used at all. Setting this to fals will result in your credentials being sent in clear-text.
+- `openldap[:tls_checkpeer]` - specifies whether the client should verify the server's TLS certificate. Highly recommended to set tls_checkpeer to true for production uses in order to avoid man-in-the-middle attacks. Defaults to false for testing and backwards compatibility.
+- `openldap[:pam_password]` - specifies the password change protocol to use. Defaults to md5.
 
 ### Server node attributes
 

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -19,7 +19,7 @@
 default['openldap']['basedn'] = "dc=localdomain"
 default['openldap']['server'] = "ldap.localdomain"
 default['openldap']['tls_enabled'] = true
-default['openldap']['password_mechanism'] = 'md5'
+default['openldap']['pam_password'] = 'md5'
 
 default['openldap']['passwd_ou'] = 'people'
 default['openldap']['shadow_ou'] = 'people'
@@ -52,6 +52,8 @@
 end
 
 default['openldap']['preseed_dir'] = "/var/cache/local/preseeding"
+default['openldap']['tls_checkpeer'] = false
+default['openldap']['pam_password'] = 'md5'
 
 default['openldap']['manage_ssl'] = true
 default['openldap']['ssl_dir'] = "#{openldap['dir']}/ssl"

diff --git a/files/default/test/server_test.rb b/files/default/test/server_test.rb
@@ -9,12 +9,16 @@
   end
 
   it 'ldap references the ssl certs' do
-    file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_cert']
-    file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_key']
+    if node['openldap']['tls_enabled']
+      file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_cert']
+      file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_key']
+    end
   end
 
   it 'places the ssl certs' do
-    file(node['openldap']['ssl_cert']).must_exist
-    file(node['openldap']['ssl_cert']).must_exist
+    if node['openldap']['tls_enabled']
+      file(node['openldap']['ssl_cert']).must_exist
+      file(node['openldap']['ssl_cert']).must_exist
+    end
   end
 end
diff --git a/recipes/server.rb b/recipes/server.rb
@@ -53,7 +53,7 @@
   end
 end
 
-if node['openldap']['manage_ssl']
+if node['openldap']['tls_enabled'] && node['openldap']['manage_ssl']
   cookbook_file node['openldap']['ssl_cert'] do
     source "ssl/#{node['openldap']['server']}.pem"
     mode 00644

diff --git a/templates/default/ldap.conf.erb b/templates/default/ldap.conf.erb
@@ -16,13 +16,16 @@ scope sub
 nss_base_passwd ou=<%= node['openldap']['passwd_ou'] %>,<%= node['openldap']['basedn'] %>
 nss_base_shadow ou=<%= node['openldap']['shadow_ou'] %>,<%= node['openldap']['basedn'] %>
 nss_base_group ou=<%= node['openldap']['group_ou'] %>,<%= node['openldap']['basedn'] %>
-nss_base_automount ou=<%= node['openldap']['automount_oi'] %>,<%= node['openldap']['basedn'] %>
+nss_base_automount ou=<%= node['openldap']['automount_ou'] %>,<%= node['openldap']['basedn'] %>
 
-<% if node['openldap']['tls_enabled'] %>
+<% if node['openldap']['tls_enabled'] -%>
 # TLS Options
 ssl start_tls
+<% if node['openldap']['tls_checkpeer'] -%>
+tls_checkpeer yes
+<% else -%>
 tls_checkpeer no
-<% end %>
+<% end -%>
+<% end -%>
 
-# Password options
-pam_password <%= node['openldap']['password_mechanism'] %>
+pam_password <%= node['openldap']['pam_password'] %>
diff --git a/templates/default/libnss-ldap.conf.erb b/templates/default/libnss-ldap.conf.erb
@@ -20,4 +20,9 @@ nss_base_group ou=group,<%= node['openldap']['basedn'] %>
 
 # TLS Options
 ssl start_tls
+
+<% if node['openldap']['tls_checkpeer'] -%>
+tls_checkpeer yes
+<% else -%>
 tls_checkpeer no
+<% end -%>
diff --git a/templates/default/slapd.conf.erb b/templates/default/slapd.conf.erb
@@ -8,11 +8,13 @@
 ####
 
 # TLS configuration
+<% if node['openldap']['tls_enabled'] -%>
 TLSCertificateFile     <%= node['openldap']['ssl_cert'] %>
 TLSCertificateKeyFile  <%= node['openldap']['ssl_key'] %>
 <% if node['openldap']['cafile'] -%>
 TLSCACertificateFile   <%= node['openldap']['cafile'] %>
 <% end -%>
+<% end -%>
 
 # Schema and objectClass definitions
 include         <%= node['openldap']['dir'] %>/schema/core.schema