From 2ad1a04263a9dd1e5c1ac9e38b6df6305cf88949 Mon Sep 17 00:00:00 2001 From: chrislevi Date: Wed, 10 May 2017 14:34:08 +0300 Subject: [PATCH 1/8] docker group members fixes #11 --- defaults/main.yml | 12 +++++++++--- files/groovy/create_repo_docker_group.groovy | 5 +---- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index c160d31..0840671 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -22,6 +22,9 @@ nexus_backup_log: '/var/log/nexus-backup.log' # Nexus default properties nexus_default_port: 8081 +nexus_docker_hosted_port: 9080 +nexus_docker_proxy_port: 9081 +nexus_docker_group_port: 9082 nexus_default_context_path: '/' nexus_admin_password: 'changeme' # Note : admin password change subsequent to first-time install is *not implemented* yet @@ -232,12 +235,12 @@ _nexus_repos_docker_defaults: nexus_repos_docker_hosted: - name: docker-hosted - http_port: 9080 + http_port: "{{ nexus_docker_hosted_port }}" v1_enabled: True nexus_repos_docker_proxy: - name: docker-proxy - http_port: 9081 + http_port: "{{ nexus_docker_proxy_port }}" v1_enabled: True index_type: "HUB" proxy_url: "https://registry-1.docker.io" @@ -245,8 +248,11 @@ nexus_repos_docker_proxy: nexus_repos_docker_group: - name: docker-group - http_port: 9082 + http_port: "{{ nexus_docker_group_port }}" v1_enabled: True + member_repos: + - docker-hosted + - docker-proxy # RubyGems support _nexus_repos_rubygems_defaults: diff --git a/files/groovy/create_repo_docker_group.groovy b/files/groovy/create_repo_docker_group.groovy index ab2a1ba..6b144a2 100644 --- a/files/groovy/create_repo_docker_group.groovy +++ b/files/groovy/create_repo_docker_group.groovy @@ -13,10 +13,7 @@ configuration = new Configuration( v1Enabled : parsed_args.v1_enabled ], group: [ - memberNames: [ - "private-registry", - "proxy-registry" - ] + memberNames: parsed_args.member_repos ], storage: [ writePolicy: parsed_args.write_policy.toUpperCase(), 
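Review bot: `member_repos` names the group members with the literal strings `docker-hosted` and `docker-proxy`, which must equal the `name:` values of `nexus_repos_docker_hosted` and `nexus_repos_docker_proxy` in the two hunks above; anyone who overrides one of those names without also overriding this list gets a group that points at a repository that does not exist. A comment above the list would make the coupling explicit: `# must match the name: of nexus_repos_docker_hosted / nexus_repos_docker_proxy`. The same hunks also turn `http_port` from an integer into the templated string `"{{ nexus_docker_hosted_port }}"`; whether the Groovy side converts that back to an integer before handing it to Nexus is not visible in this patch.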
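Review bot: `memberNames: parsed_args.member_repos` is passed through with no check, so a group entry that omits `member_repos` hands Nexus a null member list instead of failing with a clear message; a guard before the `Configuration` literal, `assert parsed_args.member_repos : 'member_repos must list at least one repository'`, would surface that at task time. The diffstat lists only `defaults/main.yml` and this script, so this presumably only works if the task that runs the script already forwards the whole repo item as its arguments; if it maps fields one by one, `member_repos` never reaches the script. The `new Configuration(` expression starts before this hunk.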
From 995170e3924cc810f781b37130443ac57f2a5552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20Herv=C3=A9?= Date: Wed, 10 May 2017 09:09:47 -0400 Subject: [PATCH 2/8] Bumped default Nexus version to latest 3.3.1-01 release --- defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0840671..d4d365b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,5 +1,5 @@ --- -nexus_version: '3.3.0-01' +nexus_version: '3.3.1-01' nexus_package: "nexus-{{ nexus_version }}-unix.tar.gz" nexus_download_dir: '/tmp' nexus_backup_dir: '/var/nexus-backup' From 85189f0800c318f82a5bf29c2d4f9848514578e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20Herv=C3=A9?= Date: Wed, 10 May 2017 09:10:31 -0400 Subject: [PATCH 3/8] Fixed #12 : pom.xml is using wrong path for *.groovy files --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index 923f8d4..eab49ae 100644 --- a/pom.xml +++ b/pom.xml @@ -10,10 +10,10 @@ Fake project meant to be imported in an IDE (IntelliJ) to edit groovy scripts with classpath-aware completion - 3.0.2-02 + 3.3.1-01 - templates/groovy + files/groovy From 36296254233682e66df0f28108f868b2e055e662 Mon Sep 17 00:00:00 2001 From: Marc Vertido Date: Tue, 16 May 2017 22:59:56 -0400 Subject: [PATCH 4/8] Added documentation to README for simple authorization --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3609af6..fa7f872 100644 --- a/README.md +++ b/README.md @@ -86,6 +86,9 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_group_id_attribute: 'cn' ldap_group_member_attribute: 'memberUid' ldap_group_member_format: '${username}' + ldap_auth: 'none' # or simple + ldap_auth_username: 'username' # if auth = simple + ldap_auth_password: 'password' # if auth = simple ``` From ebe6637329707f1b045904052001d92e7eaf0c9f Mon Sep 17 00:00:00 2001 
From: Marc Vertido Date: Tue, 16 May 2017 23:13:00 -0400 Subject: [PATCH 5/8] Added user subtree and group subtree options to LDAP configurations --- README.md | 2 ++ files/groovy/setup_ldap.groovy | 3 +++ tasks/setup_ldap_each.yml | 2 ++ 3 files changed, 7 insertions(+) diff --git a/README.md b/README.md index fa7f872..c3ed6d4 100644 --- a/README.md +++ b/README.md @@ -81,11 +81,13 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_user_id_attribute: 'uid' ldap_user_real_name_attribute: 'cn' ldap_user_email_attribute: 'mail' + ldap_user_subtree: false ldap_group_base_dn: 'ou=groups' ldap_group_object_class: 'posixGroup' ldap_group_id_attribute: 'cn' ldap_group_member_attribute: 'memberUid' ldap_group_member_format: '${username}' + ldap_group_subtree: false ldap_auth: 'none' # or simple ldap_auth_username: 'username' # if auth = simple ldap_auth_password: 'password' # if auth = simple diff --git a/files/groovy/setup_ldap.groovy b/files/groovy/setup_ldap.groovy index 6f3f4fb..fccb785 100644 --- a/files/groovy/setup_ldap.groovy +++ b/files/groovy/setup_ldap.groovy @@ -56,6 +56,9 @@ mapping.setGroupIdAttribute(parsed_args.group_id_attribute) mapping.setGroupMemberAttribute(parsed_args.group_member_attribute) mapping.setGroupMemberFormat(parsed_args.group_member_format) +mapping.setUserSubtree(parsed_args.user_subtree) +mapping.setGroupSubtree(parsed_args.group_subtree) + ldapConfig.setMapping(mapping) diff --git a/tasks/setup_ldap_each.yml b/tasks/setup_ldap_each.yml index b6a3774..e3e7970 100644 --- a/tasks/setup_ldap_each.yml +++ b/tasks/setup_ldap_each.yml @@ -21,3 +21,5 @@ group_id_attribute: "{{ item.ldap_group_id_attribute }}" group_member_attribute: "{{ item.ldap_group_member_attribute }}" group_member_format: "{{ item.ldap_group_member_format }}" + user_subtree: "{{ item.ldap_user_subtree }}" + group_subtree: "{{ item.ldap_group_subtree }}" From 6c3712fb6b8df72929e826dfc898d06df3793b24 Mon Sep 17 00:00:00 2001 
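Review bot: `user_subtree: "{{ item.ldap_user_subtree }}"` and `group_subtree: "{{ item.ldap_group_subtree }}"` have no `default(...)`, unlike `username`/`password` a few lines above, so any LDAP entry written before this change now aborts the play with an undefined-variable error; `user_subtree: "{{ item.ldap_user_subtree | default(false) }}"` (and the same for `group_subtree`) would keep existing inventories working. Note also that the value reaches `mapping.setUserSubtree(...)` in `setup_ldap.groovy` as whatever the Jinja render produced; Ansible usually turns a whole-value `True`/`False` result back into a boolean, but that depends on the Ansible version, so the Groovy side should not assume a real boolean arrives. The enclosing task starts before the hunk.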
From: Marc Vertido Date: Tue, 16 May 2017 23:56:53 -0400 Subject: [PATCH 6/8] Refactor check for simple auth --- files/groovy/setup_ldap.groovy | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/files/groovy/setup_ldap.groovy b/files/groovy/setup_ldap.groovy index fccb785..287479a 100644 --- a/files/groovy/setup_ldap.groovy +++ b/files/groovy/setup_ldap.groovy @@ -26,12 +26,11 @@ ldapConfig.setName(parsed_args.name) // Connection connection = new Connection() connection.setHost(new Connection.Host(Connection.Protocol.valueOf(parsed_args.protocol), parsed_args.hostname, Integer.valueOf(parsed_args.port))) -if(parsed_args.auth != null && parsed_args.auth.equals("simple")){ +if (parsed_args.auth == "simple") { connection.setAuthScheme("simple") connection.setSystemUsername(parsed_args.username) connection.setSystemPassword(parsed_args.password) -} -else { +} else { connection.setAuthScheme("none") } connection.setSearchBase(parsed_args.search_base) From ac358ce1d2805120217d20c0b9c69cf211da5996 Mon Sep 17 00:00:00 2001 From: Marc Vertido Date: Wed, 17 May 2017 00:05:55 -0400 Subject: [PATCH 7/8] Moved LDAP auth section closer to where it logically belongs --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c3ed6d4..362c3c6 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,9 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_hostname: 'ldap.mycompany.com' ldap_port: 636 ldap_search_base: 'dc=mycompany,dc=net' + ldap_auth: 'none' # or simple + ldap_auth_username: 'username' # if auth = simple + ldap_auth_password: 'password' # if auth = simple ldap_user_base_dn: 'ou=users' ldap_user_object_class: 'inetOrgPerson' ldap_user_id_attribute: 'uid' 
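Review bot: `if (parsed_args.auth == "simple") { ... } else { connection.setAuthScheme("none") }` turns any value other than the exact string `simple` — `Simple`, a typo, or some other scheme name — into an anonymous bind, so a misconfigured realm silently binds without credentials instead of failing. Rejecting unknown values keeps the fallback explicit: `} else if (parsed_args.auth && parsed_args.auth != "none") { throw new IllegalArgumentException("unsupported ldap auth: ${parsed_args.auth}") } else {`. Dropping the `!= null` test is fine on its own, since Groovy's `==` is null-safe. The connection setup continues outside the hunk.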
@@ -88,9 +91,6 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_group_member_attribute: 'memberUid' ldap_group_member_format: '${username}' ldap_group_subtree: false - ldap_auth: 'none' # or simple - ldap_auth_username: 'username' # if auth = simple - ldap_auth_password: 'password' # if auth = simple ``` From 20916d3337298494c539b65b244d57f01792b7cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Samuel=20Herv=C3=A9?= Date: Thu, 18 May 2017 09:47:52 -0400 Subject: [PATCH 8/8] Fixed LDAP config default values, updated documentation --- README.md | 58 ++++++++++++++++++++++++++++++++++ files/groovy/setup_ldap.groovy | 14 ++++---- tasks/setup_ldap_each.yml | 17 +++++----- 3 files changed, 75 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 362c3c6..00c9647 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,7 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_user_real_name_attribute: 'cn' ldap_user_email_attribute: 'mail' ldap_user_subtree: false + ldap_map_groups_as_roles: false ldap_group_base_dn: 'ou=groups' ldap_group_object_class: 'posixGroup' ldap_group_id_attribute: 'cn' 
@@ -93,6 +94,63 @@ Setup an [SSL Reverse-proxy](https://books.sonatype.com/nexus-book/3.0/reference ldap_group_subtree: false ``` +Example LDAP config for anonymous authentication (anonymous bind), this is also the "minimal" config : + +``` + - ldap_name: 'Simplest LDAP config' + ldap_protocol: 'ldaps' + ldap_hostname: 'annuaire.mycompany.com' + ldap_search_base: 'dc=mycompany,dc=net' + ldap_port: 636 + ldap_user_id_attribute: 'uid' + ldap_user_real_name_attribute: 'cn' + ldap_user_email_attribute: 'mail' + ldap_user_object_class: 'inetOrgPerson' +``` + +Example LDAP config for simple authentication (using a DSA account) : + +``` + - ldap_name: 'LDAP config with DSA' + ldap_protocol: 'ldaps' + ldap_hostname: 'annuaire.mycompany.com' + ldap_port: 636 + ldap_auth: 'simple' + ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net' + ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault + ldap_search_base: 'dc=mycompany,dc=net' + ldap_user_base_dn: 'ou=users' + ldap_user_object_class: 'inetOrgPerson' + ldap_user_id_attribute: 'uid' + ldap_user_real_name_attribute: 'cn' + ldap_user_email_attribute: 'mail' + ldap_user_subtree: false +``` + +Example LDAP config for simple authentication (using a DSA account) + groups mapped as roles : + +``` + - ldap_name: 'LDAP config with DSA' + ldap_protocol: 'ldaps' + ldap_hostname: 'annuaire.mycompany.com' + ldap_port: 636 + ldap_auth: 'simple' + ldap_auth_username: 'cn=mynexus,ou=dsa,dc=mycompany,dc=net' + ldap_auth_password: "{{ vault_ldap_dsa_password }}" # better keep passwords in an ansible vault + ldap_search_base: 'dc=mycompany,dc=net' + ldap_user_base_dn: 'ou=users' + ldap_user_object_class: 'inetOrgPerson' + ldap_user_id_attribute: 'uid' + ldap_user_real_name_attribute: 'cn' + ldap_user_email_attribute: 'mail' + ldap_map_groups_as_roles: true + ldap_group_base_dn: 'ou=groups' + ldap_group_object_class: 'groupOfNames' + ldap_group_id_attribute: 'cn' + ldap_group_member_attribute: 
'member' + ldap_group_member_format: 'uid=${username},ou=users,dc=mycompany,dc=net' + ldap_group_subtree: false +``` nexus_privileges: - name: all-repos-read # used as key to update a privilege diff --git a/files/groovy/setup_ldap.groovy b/files/groovy/setup_ldap.groovy index 287479a..c74732d 100644 --- a/files/groovy/setup_ldap.groovy +++ b/files/groovy/setup_ldap.groovy @@ -48,12 +48,14 @@ mapping.setUserIdAttribute(parsed_args.user_id_attribute) mapping.setUserRealNameAttribute(parsed_args.user_real_name_attribute) mapping.setEmailAddressAttribute(parsed_args.user_email_attribute) -mapping.setLdapGroupsAsRoles(true) -mapping.setGroupBaseDn(parsed_args.group_base_dn) -mapping.setGroupObjectClass(parsed_args.group_object_class) -mapping.setGroupIdAttribute(parsed_args.group_id_attribute) -mapping.setGroupMemberAttribute(parsed_args.group_member_attribute) -mapping.setGroupMemberFormat(parsed_args.group_member_format) +if (parsed_args.map_groups_as_roles) { + mapping.setLdapGroupsAsRoles(true) + mapping.setGroupBaseDn(parsed_args.group_base_dn) + mapping.setGroupObjectClass(parsed_args.group_object_class) + mapping.setGroupIdAttribute(parsed_args.group_id_attribute) + mapping.setGroupMemberAttribute(parsed_args.group_member_attribute) + mapping.setGroupMemberFormat(parsed_args.group_member_format) +} mapping.setUserSubtree(parsed_args.user_subtree) mapping.setGroupSubtree(parsed_args.group_subtree) diff --git a/tasks/setup_ldap_each.yml b/tasks/setup_ldap_each.yml index e3e7970..59d7539 100644 --- a/tasks/setup_ldap_each.yml +++ b/tasks/setup_ldap_each.yml 
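Review bot: `if (parsed_args.map_groups_as_roles) {` tests the raw argument with Groovy truth, and `setLdapGroupsAsRoles(false)` is never called on the other path, so the off case now depends on the `Mapping` object's default rather than on the config value. If the flag reaches the script as text rather than a boolean (the task renders it through a Jinja expression, and a non-native render yields `False` as a string), the non-empty string is truthy and group-to-role mapping is enabled for a realm that asked for it to be off. Both points are covered by `if (parsed_args.map_groups_as_roles.toString().toBoolean()) {` plus an explicit `} else { mapping.setLdapGroupsAsRoles(false) }`; the same consideration applies to the `setUserSubtree`/`setGroupSubtree` calls two lines below, which pass their values through untouched. The `mapping` construction starts before this hunk.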
@@ -11,15 +11,16 @@ username: "{{ item.ldap_auth_username | default('') }}" password: "{{ item.ldap_auth_password | default('') }}" search_base: "{{ item.ldap_search_base }}" - user_base_dn: "{{ item.ldap_user_base_dn }}" + user_base_dn: "{{ item.ldap_user_base_dn | default('ou=users') }}" user_object_class: "{{ item.ldap_user_object_class }}" user_id_attribute: "{{ item.ldap_user_id_attribute }}" user_real_name_attribute: "{{ item.ldap_user_real_name_attribute }}" user_email_attribute: "{{ item.ldap_user_email_attribute }}" - group_base_dn: "{{ item.ldap_group_base_dn }}" - group_object_class: "{{ item.ldap_group_object_class }}" - group_id_attribute: "{{ item.ldap_group_id_attribute }}" - group_member_attribute: "{{ item.ldap_group_member_attribute }}" - group_member_format: "{{ item.ldap_group_member_format }}" - user_subtree: "{{ item.ldap_user_subtree }}" - group_subtree: "{{ item.ldap_group_subtree }}" + map_groups_as_roles: "{{ item.ldap_map_groups_as_roles | default(false) }}" + group_base_dn: "{{ item.ldap_group_base_dn | default('ou=groups') }}" + group_object_class: "{{ item.ldap_group_object_class | default('groupOfNames') }}" + group_id_attribute: "{{ item.ldap_group_id_attribute | default('cn') }}" + group_member_attribute: "{{ item.ldap_group_member_attribute | default('member') }}" + group_member_format: "{{ item.ldap_group_member_format | default('uid=${username},ou=users,dc=yourcompany') }}" + user_subtree: "{{ item.ldap_user_subtree | default(false) }}" + group_subtree: "{{ item.ldap_group_subtree | default(false) }}"
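Review bot: `group_member_format` now defaults to `'uid=${username},ou=users,dc=yourcompany'`, a placeholder suffix that cannot match a real directory, so a realm that sets `ldap_map_groups_as_roles: true` but omits `ldap_group_member_format` gets role mapping that silently matches no members rather than an error. Building the default from the realm's own base, `default('uid=${username},ou=users,' ~ item.ldap_search_base)`, or dropping the default for that key so the omission fails fast, would avoid that. The new `default('ou=users')` / `default('ou=groups')` values read as DNs relative to `search_base`; a one-line comment above them saying so would save readers a trip to the Nexus docs. The task header and the `username`/`password` arguments with `default('')` are context above the hunk.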