Commit Graph

34 Commits

Author SHA1 Message Date
Alan Bandeira 96d6f948a9 Update error message for ldapsetpasswd
Using ldapsetpasswd when changing a password may
fail due to required password security standards.
The current error message is vague and provides
no information about the error causing password
change to fail. This fix provides a clearer
error message which informs the user about the
security requirements for a new password.

Test Plan:
PASS: In a simplex system, create an ldap user named
      test and then run "sudo ldapsetpasswd test" and
      provide a password that fails the security
      requirements, such as "linux99", retype the
      provided password and the system should present
      an error message comprising the system's security
      requirements for user passwords.

PASS: Using the same user created in the previous test
      plan, run the command "sudo ldapsetpasswd test
      <pwd>", changing <pwd> for a bad password, and
      the system should present an error message
      comprising the system's security requirements
      for user passwords.

Closes-Bug: 2008838
Change-Id: Ibe942d87bee402e43c42f33e26276f0e078213cb
Signed-off-by: Alan Bandeira <Alan.PortelaBandeira@windriver.com>
2023-03-28 16:54:07 +00:00
Manoel Benedito Neto a8f7a06d8f Update debian packages for pkg-versioning
The Debian packaging has been changed to reflect all the
latest git commits under the directory, pointed as usable, and to
improve pkg-versioning addressing the first commit as start point to
debian build packages.

This commit adds GITREVCOUNT and removes PKG_GITREVCOUNT from the packages
to calculate git revisions relative to the package's source git repository,
instead of counting git revisions relative only to the package's debian
folder. This ensures that any new code submissions under those
directories will increment the versions.

The commit SHA 9b545c5e19 was chosen to be the BASE_SRCREV of the
base-passwd's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained base-passwd version .stx.8)

The commit SHA 698c14ccef was chosen to be the BASE_SRCREV of the
puppet-ldap's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained puppet-ldap version .stx.2)

The commit SHA 39bc6c35f1 was chosen to be the BASE_SRCREV of the
ldapscripts's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained ldapscripts version .stx.4)

The commit SHA 2821680c8b was chosen to be the BASE_SRCREV of the
openldap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openldap version .stx.9)

The commit SHA f043585c65 was chosen to be the BASE_SRCREV of the
openscap's metadata because it is the commit that creates the debian
directory with build files structure for this package.
(maintained openscap version .stx.3)

The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
keyrings.alt's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained keyrings.alt version .stx.4)

The commit SHA de2af4d74d was chosen to be the BASE_SRCREV of the
python-keyring's metadata because it is the commit that creates the
debian directory with build files structure for this package.
(maintained python-keyring version .stx.4)

Test Plan:
PASS: Verify package versions are updated as expected.
PASS: build-pkgs -c -p base-passwd
PASS: build-pkgs -c -p puppet-ldap
PASS: build-pkgs -c -p ldapscripts
PASS: build-pkgs -c -p openldap
PASS: build-pkgs -c -p openscap
PASS: build-pkgs -c -p keyrings.alt
PASS: build-pkgs -c -p python-keyrings

Story: 2010550
Task: 47496

Signed-off-by: Manoel Benedito Neto <Manoel.BeneditoNeto@windriver.com>
Change-Id: I32b47348ece39ea88b3c5aeb0d1e64c6d3e7a6b5
2023-03-15 14:44:32 +00:00
Zuul 0e37611215 Merge "Remove nslcd and related packages on Debian" 2022-08-26 19:06:05 +00:00
Zuul 4516d73f9b Merge "Patch ldapscripts to support user password change" 2022-08-26 19:05:30 +00:00
Andy Ning 7962e653b3 Remove nslcd and related packages on Debian
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.

This change removed nss-pam-ldapd (nslcd, libpam-slapd,
libnss-slapd) on Debian based stx system.

nscd is removed in
https://review.opendev.org/c/starlingx/tools/+/854217

Test Plan on Debian:
PASS: Package build, image build
PASS: System deployment
PASS: Verify nslcd, libpam-slapd, libnss-slapd are not installed.
PASS: ldap functions work properly (ldap user creation, user login
      on console and by ssh etc).

Story: 2009834
Task: 46069
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I87de211876a00c0b0a0d629dde70e13c0feb3df0
2022-08-24 16:36:42 -04:00
Andy Ning 1d73a1bd70 Patch ldapscripts to support user password change
This is part of the change to replace nslcd with sssd to
support multiple secure ldap backends.

This change patched ldapscripts (ldapadduser) to reset the password
right after the ldap user is created on Debian. With its password
reset, the ldap user will be forced to change its password at
first login, similar to the behavior on CentOS.

Test Plan on Debian (SX and DX):
PASS: Package build, image build.
PASS: System deployment.
PASS: ldap user added by ldapadduser or ldapusersetup will be asked
      to change password at first login (either on console or by
      ssh)
PASS: Change checked by shellcheck, warnings investigated.

Story: 2009834
Task: 46068
Depends-On: https://review.opendev.org/c/starlingx/metal/+/854203
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I13f098c6053816bb3b0450c039caccf94c04d55d
2022-08-24 13:42:54 -04:00
Yue Tao 9d93ffc30b Debian: fix wrong checksums
Checksums are currently not being checked upon download. This commit
corrects them with the intent for us to turn on checking soon.

I am not sure what causes the checksums to be incorrect. I am aware someone
complained on github that the checksums of some tarballs changed without
any update. We also can't guarantee developers always fill in correct
checksums. Once we turn on checksum verification upon download, we can
catch it in time.

Test Plan:

Pass: downloader -s

Story: 2009303
Task: 46029

Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I89f0db6086641062048b52270ffc585887cb8acf
2022-08-23 11:56:25 +08:00
Fabiano Mercer 84017b4290 Ignore --all/lo* for ifupdown/nslcd scripts
It was detected that the networking.service is marked as failing after reboot.
It happens because "ifup -a" is executed by the service.
It starts to run the scripts in /etc/network/interfaces.d/.
But several scripts in ifupdown-extra are not prepared to handle "-all".

In the case of nss-pam-ldapd the script /etc/network/if-up.d/nslcd
is failing when there are loopback interfaces with label (lo:X) as the
script only tests the interface "lo".

Test Plan (Debian only - AIO-SX and AIO-DX):
PASS  Check systemctl status networking.service after unlock

Closes-Bug: #1983503

Change-Id: I1fd9e2ea75233d987d6f1f2aa5a3395ab2885e2b
Signed-off-by: Fabiano Mercer <fabiano.correamercer@windriver.com>
2022-08-12 13:07:02 -03:00
Zuul 744bdb4cb8 Merge "Set default debconf slapd/no_configuration to true" 2022-08-02 13:21:47 +00:00
Thiago Brito 7b283931a0 Set default debconf slapd/no_configuration to true
The debian packaging for openldap by default initializes the ldap DB
unless debconf tells otherwise. This patch will set the default value of
the debconf so the installation doesn't trigger this initialization and
generate garbage on the database (entries related to an admin user on
dc=nodomain).

TEST PLAN
PASS Build new ISO and install, verify slapcat for entries on DB
PASS Bootstrap with no errors
PASS Restore backup

Story: 2009303
Task: 45752
Signed-off-by: Thiago Brito <thiago.brito@windriver.com>
Change-Id: I60786a6b9f46619b328cf00d6bdbdf0cc95c9c35
2022-07-25 14:58:36 +00:00
Zhixiong Chi e1f6fe0d56 Debian: openldap: fix CVE-2022-29155
Upgrade the openldap version to 2.4.57+dfsg-3+deb11u1 to fix the
CVE-2022-29155 issue.

References:
https://security-tracker.debian.org/tracker/CVE-2022-29155

TestPlan:
PASS: build-pkgs -c -p openldap
PASS: build-image --std

Closes-Bug: 1982723

Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
Change-Id: I1ac30da3e4597035ef4f816ca7ab95aa9adcaa7c
2022-07-25 06:23:43 +00:00
Bin Qian 54f2f7d6c6 Make /usr readonly to support OSTree
OSTree structure requires /usr to be readonly as OSTree's dracut
hook creates a read-only bind mount over /usr.

1. deploy validate_postgresql_connection.sh directly to
   /usr/local/bin. It was copied to the location after
   installation.
2. move /usr/local/etc/ldapscripts to /etc/ldapscripts, as the files
   need to be writable.
3. move /usr/libexec/cni to /opt/cni/bin. Plugins are installed
   at runtime.

TCs:
   provision aio-dx centos with /usr mount to readonly fs.
   unlocked host
   provision aio-sx debian and unlocked host.
   upgrade AIO-DX from 21.12
   upgrade AIO-SX from 21.12
   successfully apply cert-manager and nginx-ingress-controller

Story: 2009101
Task: 44314

Change-Id: I99231f3f7db3d2d8eaceba137e13dea650370f71
Signed-off-by: Bin Qian <bin.qian@windriver.com>
2022-04-29 11:19:37 -04:00
Andy Ning 8b59e0c8bc Add ppolicy-check-password library for ldap on Debian
This change added the ppolicy-check-password package from
https://github.com/cedric-dufour/ppolicy-check-password

This package contains check_password.so that is used by ldap
to enforce password complexity for ldap users.

Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap, controller unlock
PASS: after controller unlock, login by "admin" user on
      console, and su to "admin" on ssh session.
PASS: failure path with non-compliant passwords for ldap user
      password change (eg, change password when first login)

Story: 2009101
Task: 44864
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: If5a1e5c6784c7354c0a4903e1d1c4abb21d8a01f
2022-03-28 10:47:00 -04:00
Zuul 52093f16ab Merge "meta_data.yaml: add sha256sum checksum" 2022-03-09 22:54:45 +00:00
Andy Ning fc13f4db8b Change openldap pid and args file location for Debian
Change openldap pid and args file location from /var/run/slapd
to /run so it's aligned with CentOS. This will enable openldap
to be managed by SM.

Test Plan for Debian:
PASS: package build, image build
PASS: system bootstrap
PASS: controller unlock, open-ldap service state in SM is
      enabled-active enabled-active

Story: 2009101
Task: 44664
Signed-off-by: Andy Ning <andy.ning@windriver.com>
Change-Id: I108a63d5b829b66ef24516f9e2c33fde0288f9a8
2022-03-03 11:41:22 -05:00
Yue Tao 4a709349a9 meta_data.yaml: add sha256sum checksum
Test Plan:
Pass: Verify sha256sum checksum via "download -s"

Story: 2008846
Task: 44578

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I78d9dff2af0afb18c6db4e8d2d39ef79b5cf5864
2022-03-03 14:30:40 +08:00
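The check that this commit and "Debian: fix wrong checksums" describe turning on, as an added shell example (not the StarlingX downloader's own code): it reads the sha256sum recorded in a meta_data.yaml and rejects the tarball when the hash does not match or is missing. The YAML layout (a dl_path block with name: and sha256sum: keys) and the sample tarball are constructed for this example.

```shell
#!/bin/sh
# Added example; assumes a meta_data.yaml with "name:" and "sha256sum:"
# lines under dl_path (constructed below, not taken from the repo).
set -u

# Print the scalar value of KEY ($2) from a simple "key: value" YAML file ($1).
yaml_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Verify that FILE's SHA-256 matches the sha256sum recorded in META.
# Returns 0 on match, 1 on mismatch, 2 when no checksum is recorded
# (fail closed: an absent checksum is not treated as success).
verify_meta_sha256() {
    meta=$1; file=$2
    expected=$(yaml_value "$meta" sha256sum)
    if [ -z "$expected" ]; then
        echo "no sha256sum recorded for $file in $meta" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected got $actual" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: a fake tarball plus a meta_data.yaml recording its hash.
demo_dir=$(mktemp -d)
printf 'sample tarball bytes\n' > "$demo_dir/ldapscripts-2.0.8.tar.gz"
good=$(sha256sum "$demo_dir/ldapscripts-2.0.8.tar.gz" | cut -d' ' -f1)
cat > "$demo_dir/meta_data.yaml" <<EOF
---
debname: ldapscripts
dl_path:
  name: ldapscripts-2.0.8.tar.gz
  sha256sum: $good
EOF
# A stale checksum (all zeros), the situation the commit message describes.
sed 's/^\(  sha256sum: \).*/\1'"$(printf '%064d' 0)"'/' \
    "$demo_dir/meta_data.yaml" > "$demo_dir/stale.yaml"
# A metadata file that records no checksum at all.
grep -v sha256sum "$demo_dir/meta_data.yaml" > "$demo_dir/nohash.yaml"

verify_meta_sha256 "$demo_dir/meta_data.yaml" "$demo_dir/ldapscripts-2.0.8.tar.gz" \
    && echo "good: checksum verified"
verify_meta_sha256 "$demo_dir/stale.yaml" "$demo_dir/ldapscripts-2.0.8.tar.gz" \
    || echo "stale: download rejected (rc=$?)"
```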
Zuul bba2bc0ace Merge "Add debian package for ldapscripts" 2021-11-23 18:18:46 +00:00
Yue Tao 39bc6c35f1 Add debian package for ldapscripts
Porting all CentOS patches, and also align the file permission
with CentOS.

Test Plan: Verify the building, installing and booting test

PASS: Verify package build
PASS: Verify system install
PASS: Verify system boot

Story: 2009221
Task: 43415
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: I7766d4aa26420c6f701a0dffaa7e9bf6b77e0c75
2021-11-23 08:48:30 +08:00
Yue Tao 2821680c8b Add debian package for openldap
Ported all patches from CentOS.
Ported patch rootdn-should-not-bypass-ppolicy.patch + deleted unit test for it.

meta_data patches were not needed as they were only modifying the rpm spec.

Disabled unit tests part of debian build.
Ran the unit tests once before disabling and they pass.

Story: 2009221
Task: 43407
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Ia0b640c5cd2594daae5722b1c9743a3a800485ab
2021-10-18 13:41:34 +08:00
Dongqi Chen af359d4938 Add auto-versioning to starlingx/integ packages
This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.

Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
2020-06-24 09:48:28 +08:00
Scott Little e80813bb81 Relocated some packages to repo 'config-files'
List of relocated subdirectories:

base/centos-release-config
base/dhcp-config
base/dnsmasq-config
base/haproxy-config
base/initscripts-config
base/lighttpd-config
base/net-snmp-config
base/openssh-config
base/setup-config
base/systemd-config
config-files/audit-config
config-files/docker-config
config-files/io-scheduler
config-files/iptables-config
config-files/memcached-custom
config-files/ntp-config
config-files/pam-config
config-files/rsync-config
config-files/shadow-utils-config
config-files/sudo-config
config-files/syslog-ng-config
config-files/util-linux-config
filesystem/filesystem-scripts
filesystem/iscsi-initiator-utils-config
filesystem/nfs-utils-config
ldap/openldap-config
logging/logrotate-config
networking/mellanox/mlx4-config
networking/openvswitch-config

Story: 2006166
Task: 35687
Depends-On: I665dc7fabbfffc798ad57843eb74dca16e7647a3
Change-Id: I3dc0fc9f88931c5e0963d00274408ff7a16fae3a
Signed-off-by: Scott Little <scott.little@windriver.com>
Depends-On: I761b0f76150881c765b70b2ccd255244c754bd5d
2019-09-05 20:32:09 -04:00
Saul Wold 83c6575d51 integ: Convert wrsroot -> sysadmin
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Ic2ea06d3ac15c31854a604af5f4cecf9094fcaea
Story: 2004716
Task: 28748
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-06-14 15:09:09 -07:00
Erich Cordoba 6bfca507bd Add notices to Intel authored files.
Story: 2005265
Task:  30090

Change-Id: I7cc22cf39d971fbf7fa149b89a892de27b8e6b64
Signed-off-by: Erich Cordoba <erich.cordoba.malibran@intel.com>
2019-03-20 10:31:10 -06:00
Zhe Hu eb96c9a6e9 rebase openldap patch to CentOS 7.6 version
Test:
Pass build and simplex deploy test

Depends-On: https://review.openstack.org/626503

Story: 2004522
Task: 28398

Change-Id: If4ba828526724f7888a39d9bb5fb15cd7c6c5815
Signed-off-by: Zhe Hu <zhe.hu@intel.com>
2018-12-25 09:12:05 +08:00
zhipengl beec03a095 Remove hardcoded configure options for openldap
The openldap-spec-file.patch contains some modifications to the
default configure command line.
After evaluation by Saul in task 27731, we should be able to remove
the part of this patch that changes the configure options.
However, it seems some other changes in this patch still could not be
removed, so the patch could not be reverted so far.

Deployment test pass and slapd service works.

Story: 2004216
Task: 28015

Signed-off-by: zhipengl <zhipengs.liu@intel.com>

Change-Id: I55e4961bf2ceb69bb0592f3fb34b4fded3a2e8fd
2018-12-04 08:21:31 +00:00
zhipengl 462fa4fc08 Refactor patches for nss-pam-ldapd package
The change of 3 meta patches refers to the %post section in the spec file.
The comment in the patch mentions that we don't want to change our custom
binddn and bindpw in nslcd.conf.
However, in the spec file, the "source" variable could not be assigned to a valid
file name, as we could not find these *.conf files in the /etc/ folder.

# Pick the first legacy LDAP client config present; none of these exist on our system.
if test -s /etc/nss-ldapd.conf ; then
        source=/etc/nss-ldapd.conf
elif test -s /etc/nss_ldap.conf ; then
        source=/etc/nss_ldap.conf
elif test -s /etc/pam_ldap.conf ; then
        source=/etc/pam_ldap.conf
else
        source=/etc/ldap.conf
fi
So it will not change nslcd.conf even if we do not remove
below code.

if grep -E -q '^base[[:blank:]]' $source 2> /dev/null ; then
        # Comment out the packaged default base and replace it.
        sed -i -r -e 's,^(base[[:blank:]].*),# \1,g' $target
        grep -E '^base[[:blank:]]' $source >> $target
fi

# Carry the bind settings from $source over into $target (nslcd.conf).
grep -E '^(binddn|bindpw|port|scope|ssl|pagesize)[[:blank:]]' \
        $source 2> /dev/null >> $target

We can use RPM instead of SRPM for nss-pam-ldapd package,
since related patches are not used anymore.

Deployment test pass.

Story: 2003768
Task: 28045
Depends-on: https://review.openstack.org/#/c/619976/

Change-Id: Ia4fa723d1a6ff9a7a8059fc2db1afec640ea41b1
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-11-28 02:25:22 +00:00
slin14 822420e2d3 refactor openldap
Package openldap-config is added to configure the customized config file
of openldap.

Here is the customized change in slapd.service:
"
-After=syslog.target network-online.target
+Before=rsyncd.service
+After=network.target syslog-ng.target

-PIDFile=/var/run/openldap/slapd.pid
+PIDFile=/var/run/slapd.pid

-ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS
+ExecStart=/etc/init.d/openldap start
+ExecStop=/etc/init.d/openldap stop
+ExecReload=/etc/init.d/openldap restart
+RemainAfterExit=yes
"
Here is the customized change in slapd.sysconfig:
"
-#SLAPD_OPTIONS=""
+SLAPD_OPTIONS=""
"

Test:
Pass build and multi node deploy test. Confirmed related config
file is the same as before in deploy node.

Story: 2003768
Task: 26462
Depends-On: https://review.openstack.org/618440

Change-Id: I2559a8e43619449d6179ed913181052d653fa91d
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-11-19 23:29:42 +08:00
slin14 6a6ea416e1 remove lshell
There is a security-related issue with lshell, and it is not
maintained now. So remove it from our system to avoid
security issues.

To remove lshell:
1. Package sudo-config is created for wrs.sudo configure file
following the refactor process.
2. ldapusersetup in ldapscripts is modified to use bash only.
lshell support is removed.

ldapusersetup related patches are merged into 1 for easy
maintenance.

Test has been done:
Build and deploy test is done, also unit tests for ldap are
executed with pass, except lshell related test.

Closes-Bug: 1795451

Change-Id: Ia5de1bc94d22eb6c9bea6d9a96e92564ad848b19
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-10-30 02:22:54 +08:00
Sun Austin 5514b84469 de-fuzz nss-pam-ldapd patches
Problem:
- CentOS 7.5 upgraded nss-pam-ldapd.
- Porting of nss-pam-ldapd patches did not resolve any 'fuzz' in the line
  numbers of the patches.
- If nss-pam-ldapd is built by rpm 4.11, or the default version of rpm
  until 4.14 is compiled, a fuzzy patch results in the creation
  of an .orig file.
- Packaging of nss-pam-ldapd fails due to the unexpected, and
  unpackaged .orig file.

Solution:
  Safest solution is to de-fuzz our nss-pam-ldapd patches.

Story: 2003389
Task: 26755

Change-Id: I82092c3ff4d7cf711d0e1542e61bccb491bd8388
Signed-off-by: Sun Austin <austin.sun@intel.com>
2018-09-28 09:01:42 +08:00
zhipengl d501c0be15 upgrade nss-pam-ldapd to CentOS 7.5 version
Story: 2003389
Task: 24502

Change-Id: Ibf2db2bfcefd8b4102eb6c93036024203e415ebd
Signed-off-by: zhipengl <zhipengs.liu@intel.com>
2018-08-27 06:35:56 +00:00
slin14 b76800636e rebase openldap patch to CentOS7.5
Story: 2003389
Task: 24468

Change-Id: Ib9e04a1fa46ef10dd3f63c2ec386f03dea1585e3
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-08-27 03:01:20 +00:00
Kam Nasim 8c1837205d Multi-Region: Support shared LDAP service
Decouple NSLCD from the open-ldap SM service and manage it by PMOND
instead. This is needed because in the Shared LDAP case, we deprovision
the open-ldap service on the Secondary Region which renders NSLCD
unmanaged.

Additionally, we allow the Secondary Region or Sub Clouds to bind
anonymously, but still need to support LDAP read operations in these
regions such as ldapfinger or lsldap. For this purpose, the ldapscripts
runtime library has been modified to allow anonymous binds during LDAP
search operations.

Change-Id: I3d4a709d058963be61a0311a539cd020f54118d6
Signed-off-by: Jack Ding <jack.ding@windriver.com>
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:31:55 -04:00
Scott Little 69be80651e Relocate ldapscripts to stx-integ/ldap/ldapscripts
Move content from stx-gplv2 into stx-integ

Packages will be relocated to

stx-integ:
    base/
        bash
        cgcs-users
        cluster-resource-agents
        dpkg
        haproxy
        libfdt
        netpbm
        rpm

    database/
        mariadb

    filesystem/
        iscsi-initiator-utils

    filesystem/drbd/
        drbd-tools

    kernel/kernel-modules/
        drbd
        integrity
        intel-e1000e
        intel-i40e
        intel-i40evf
        intel-ixgbe
        intel-ixgbevf
        qat17
        tpmdd

    ldap/
        ldapscripts

    networking/
        iptables
        net-tools

Change-Id: I688cd576de5e8fb9fbe7ad727b9e5321ad4b0e45
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:31:54 -04:00
Scott Little bab9bb6b69 Internal restructuring of stx-integ
Create new directories:
   ceph
   config
   config-files
   filesystem
   kernel
   kernel/kernel-modules
   ldap
   logging
   strorage-drivers
   tools
   utilities
   virt

Retire directories:
   connectivity
   core
   devtools
   support
   extended

Delete two packages:
   tgt
   irqbalance

Relocated packages:
   base/
      dhcp
      initscripts
      libevent
      lighttpd
      linuxptp
      memcached
      net-snmp
      novnc
      ntp
      openssh
      pam
      procps
      sanlock
      shadow
      sudo
      systemd
      util-linux
      vim
      watchdog

   ceph/
      python-cephclient

   config/
      facter
      puppet-4.8.2
      puppet-modules

   filesystem/
      e2fsprogs
      nfs-utils
      nfscheck

   kernel/
      kernel-std
      kernel-rt

   kernel/kernel-modules/
      mlnx-ofa_kernel

   ldap/
      nss-pam-ldapd
      openldap

   logging/
      syslog-ng
      logrotate

   networking/
      lldpd
      iproute
      mellanox
      python-ryu
      mlx4-config

   python/
      python-2.7.5
      python-django
      python-gunicorn
      python-setuptools
      python-smartpm
      python-voluptuous

   security/
      shim-signed
      shim-unsigned
      tboot

   strorage-drivers/
      python-3parclient
      python-lefthandclient

   virt/
      cloud-init
      libvirt
      libvirt-python
      qemu

   tools/
      storage-topology
      vm-topology

   utilities/
      tis-extensions
      namespace-utils
      nova-utils
      update-motd

Change-Id: I37ade764d873c701b35eac5881eb40412ba64a86
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 10:06:31 -04:00