Send credentials via environment variables. Support DNS forwarders without DNSSEC. Support latest version of BIND. #6
Conversation
…thout DNSSEC. Support latest version of BIND.
There was a problem hiding this comment.
Please add formula testing, at bets in separate commit that we merge first:
https://salt-formulas.readthedocs.io/en/latest/develop/index.html#testing
(an example is in every other formula, See last line in README on here for info how to easily add tests: https://github.com/salt-formulas/salt-formulas-cookiecutter/tree/master/salt-formula)
| @@ -25,13 +25,15 @@ freeipa_server_pkgs: | |||
| ldap_secure_binds: | |||
| cmd.run: | |||
| - name: | | |||
There was a problem hiding this comment.
you may use: output_loglevel: quiet, but ENV looks better, as you still get the output and log's are not full of sensitive passwords.
the person who executes the command may any time get the pillar data and get the clear text password.
I agree that this doesn't have a better solution, unless: saltstack/salt#26236 comes with kind of obfuscate solution.
There was a problem hiding this comment.
You need to also remember that this is a ONE TIME password. As soon as it is used, it is no longer valuable or sensitive. For it to be useful, you would need to have A) used the same OTP on multiple hosts or B) successfully snarf this from salt and then beat the FreeIPA installer to registration between OTP generation in salt and the host creation and the free-ipa-install registration or fail a run and take the place of that host.
But either way, I like this change.
| @@ -25,13 +25,15 @@ freeipa_server_pkgs: | |||
| ldap_secure_binds: | |||
| cmd.run: | |||
| - name: | | |||
| ldapmodify -h localhost -D 'cn=directory manager' -w {{ server.ldap.password }} -Z << EOF | |||
| ldapmodify -h localhost -D 'cn=directory manager' -w "$FREEIPA_LDAP_PASSWORD" -Z << EOF | |||
There was a problem hiding this comment.
freeipa/files/named.conf
Outdated
| arg "sasl_mech GSSAPI"; | ||
| arg "sasl_user DNS/{{ hostname }}"; | ||
| arg "serial_autoincrement yes"; | ||
| dyndb "ipa" "/usr/lib64/bind/ldap.so" { |
There was a problem hiding this comment.
seems to me bit hardcoded, store it on the map.jinja with other defaults
|
Thanks, I will take a look at your docs on using test kitchen. |
# Conflicts: # freeipa/files/named.conf # freeipa/server/common.sls # freeipa/server/master.sls
Hello,
This pull request does three things.
Sends admin and ldap user credentials via environment variables to prevent them from showing up in the Salt master/minion logs.
Supports DNS forwarders without DNSSEC. The use case is using the Amazon forwarders.
Updates named.conf to use the new dyndb parameter which is used in the latest version of BIND.
Best,
Doug