userdir ldap ^#2

By bootstack-charmers
stable

Supports: focal bionic xenial

Description

Installs userdir-ldap and configures it.

Tags:
ops ›

Install the Canonical userdir-ldap package and configure it for use with Canonical infra.

The default options should be fine for our normal use. The only one you may want to pay attention to is "users-to-migrate", which is a space-separated list of usernames whose ssh keys will be copied from ~/.ssh/authorized_keys to /etc/ssh/user-authorized_keys. By default this is just the ubuntu user, as without this Juju will break, but if you need to add others, this is the place to do it.

Units of the userdir-ldap charm can also be cascaded. Cascaded units will take userdata from their upstream userdir-ldap units. To do this a "server" application can be related to a "client" application via the udprovide and udconsume relations. The "server" unit will attempt to rsync userdata from userdb.internal for the related "client" units. Note that userdb.internal may be configured to only allow syncing of the "template-hostname" userdata. In this case, "client" units will only be able to get userdata for "template-hostname" as well. See the bundle in "./tests/bundles/xenial.yaml" for an example.

Design note: with cascaded userdir-ldap units, user data is coming into the "server" from userdb-host unit via two paths:

rsynced via ud-replicate, where ud-replicate will process userdata for local consumption
straight rsync, without postprocessing, where client units in turn will be able to ud-replicate from

Configuration

apt-repo-keys: (string) Apt repository key, typically needed for apt-repo-spec.; 40976EAF437D05B5
apt-repo-spec: (string) Apt repository to install userdir-ldap from.; deb http://archive.admin.canonical.com/ubuntu xenial-cat main
ciphers: (string) List of ciphers allowed. Defaults chacha20-poly1305@openssh.com available since OpenSSH 6.5, aes256-gcm@openssh.com and aes128-gcm@openssh.com available since OpenSSH 6.2. All supported in both Trusty and Xenial.; chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
domain: (string) Fallback domain when none present. This is mostly to work around MAAS's failure to add DNS for LXC containers - LP#1274947.
kex-algorithms: (string) KEX (Key Exchange) algorithms allowed. Default curve25519-sha256@libssh.org which has been available since OpenSSH 6.5 so already supported on both Trusty and Xenial.; curve25519-sha256@libssh.org
macs: (string) List of MAC (message authentication code) algorithms allowed. Default MACs available since OpenSSH 6.2 so already supported on both Trusty and Xenial.; umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
root-id-rsa: (string) An openssh-format RSA private key with no passphrase. (This option is a trapdoor; setting it back to null has no real effect.)
sudoer-group: (string) Comma separated groups of sudoers who do not require password; bootstack-squad
sudoer-password-groups: (string) Comma separated groups of sudoers who require a password
template-hostname: (string) If the files rsynced from sshdist don't match our hostname, create a symlink to bridge the gap from /var/lib/misc/thishost.
userdb-host: (string) Name of the userdb host; userdb.internal
userdb-ip: (string) IP address of the userdb host; 91.189.90.139
userdb-known-hosts: (string) A (possibly multiple-line) string of known_hosts entries to seed the userdb trust during install. If none specified, ssh-keyscan will be used.
users-to-migrate: (string) A space-separated list of usernames whose authorized_keys files should be migrated from ~/.ssh/authorized_keys to /etc/ssh/user-authorized-keys on install.; ubuntu