userdir ldap #2
Description
Installs userdir-ldap and configures it.
- Tags:
- ops ›
Install the Canonical userdir-ldap package and configure it for use with Canonical infra.
The default options should be fine for our normal use. The only one you may want to pay attention to is "users-to-migrate", which is a space-separated list of usernames whose ssh keys will be copied from ~/.ssh/authorized_keys to /etc/ssh/user-authorized_keys. By default this is just the ubuntu user, as without this Juju will break, but if you need to add others, this is the place to do it.
Units of the userdir-ldap charm can also be cascaded. Cascaded units will take userdata from their upstream userdir-ldap units. To do this a "server" application can be related to a "client" application via the udprovide and udconsume relations. The "server" unit will attempt to rsync userdata from userdb.internal for the related "client" units. Note that userdb.internal may be configured to only allow syncing of the "template-hostname" userdata. In this case, "client" units will only be able to get userdata for "template-hostname" as well. See the bundle in "./tests/bundles/xenial.yaml" for an example.
Design note: with cascaded userdir-ldap units, user data is coming into the "server" from userdb-host unit via two paths:
-
rsynced via ud-replicate, where ud-replicate will process userdata for local consumption
-
straight rsync, without postprocessing, where client units in turn will be able to ud-replicate from
Configuration
- apt-repo-keys
- (string) Apt repository key, typically needed for apt-repo-spec.
- 40976EAF437D05B5
- apt-repo-spec
- (string) Apt repository to install userdir-ldap from.
- deb http://archive.admin.canonical.com/ubuntu xenial-cat main
- ciphers
- (string) List of ciphers allowed. Defaults chacha20-poly1305@openssh.com available since OpenSSH 6.5, aes256-gcm@openssh.com and aes128-gcm@openssh.com available since OpenSSH 6.2. All supported in both Trusty and Xenial.
- chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
- domain
- (string) Fallback domain when none present. This is mostly to work around MAAS's failure to add DNS for LXC containers - LP#1274947.
- kex-algorithms
- (string) KEX (Key Exchange) algorithms allowed. Default curve25519-sha256@libssh.org which has been available since OpenSSH 6.5 so already supported on both Trusty and Xenial.
- curve25519-sha256@libssh.org
- macs
- (string) List of MAC (message authentication code) algorithms allowed. Default MACs available since OpenSSH 6.2 so already supported on both Trusty and Xenial.
- umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
- root-id-rsa
- (string) An openssh-format RSA private key with no passphrase. (This option is a trapdoor; setting it back to null has no real effect.)
- sudoer-group
- (string) Comma separated groups of sudoers who do not require password
- bootstack-squad
- sudoer-password-groups
- (string) Comma separated groups of sudoers who require a password
- template-hostname
- (string) If the files rsynced from sshdist don't match our hostname, create a symlink to bridge the gap from /var/lib/misc/thishost.
- userdb-host
- (string) Name of the userdb host
- userdb.internal
- userdb-ip
- (string) IP address of the userdb host
- 91.189.90.139
- userdb-known-hosts
- (string) A (possibly multiple-line) string of known_hosts entries to seed the userdb trust during install. If none specified, ssh-keyscan will be used.
- users-to-migrate
- (string) A space-separated list of usernames whose authorized_keys files should be migrated from ~/.ssh/authorized_keys to /etc/ssh/user-authorized-keys on install.
- ubuntu