Add definition of base_dn and ldap db in 99-local.py

ComputeCanada · Feb 22, 2023 · b9d10aa · b9d10aa
1 parent 301ea3c
commit b9d10aa
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/site/profile/manifests/userportal.pp b/site/profile/manifests/userportal.pp
@@ -10,6 +10,11 @@
 
   include profile::userportal::install_tarball
 
+  $domain_name = lookup('profile::freeipa::base::domain_name')
+  $int_domain_name = "int.${domain_name}"
+  $base_dn = join(split($int_domain_name, '[.]').map |$dc| { "dc=${dc}" }, ',')
+  $admin_password = lookup('profile::freeipa::server::admin_password')
+
   file { '/var/www/userportal/userportal/settings/99-local.py':
     show_diff => false,
     content   => epp('profile/userportal/99-local.py',
@@ -18,13 +23,15 @@
         'slurm_password'  => lookup('profile::slurm::accounting::password'),
         'cluster_name'    => lookup('profile::slurm::base::cluster_name'),
         'secret_key'      => seeded_rand_string(32, $password),
-        'domain_name'     => lookup('profile::freeipa::base::domain_name'),
+        'domain_name'     => $domain_name,
         'subdomain'       => lookup('profile::reverse_proxy::userportal_subdomain'),
         'logins'          => $logins,
         'prometheus_ip'   => $prometheus_ip,
         'prometheus_port' => $prometheus_port,
         'db_ip'           => $db_ip,
         'db_port'         => $db_port,
+        'base_dn'         => $base_dn,
+        'ldap_password'   => $admin_password,
       }
     ),
     owner     => 'apache',

diff --git a/site/profile/templates/userportal/99-local.py.epp b/site/profile/templates/userportal/99-local.py.epp
@@ -47,8 +47,17 @@ DATABASES = {
         'HOST': '<%= $db_ip %>',
         'PORT': '<%= $db_port %>',
     },
+    'ldap': {
+        'ENGINE': 'ldapdb.backends.ldap',
+        'NAME': 'ldaps://ipa.int.<%= $domain_name %>/',
+        'USER': 'uid=admin,cn=users,cn=accounts,<%= $base_dn %>',
+        'PASSWORD': '<%= $ldap_password %>',
+    },
 }
 
+import ldap
+ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
+
 PROMETHEUS = {
     'url': 'http://<%= $prometheus_ip %>:<%= $prometheus_port %>',
     'headers': {},
@@ -67,7 +76,7 @@ LOGIN_URL = '/accounts/login/' # So it does not use SAML2
 
 FREEIPA_AUTH_BACKEND_ENABLED = True
 FREEIPA_AUTH_SERVER = "ipa.int.<%= $domain_name %>"
-FREEIPA_AUTH_SSL_VERIFY = '/etc/pki/tls/certs/ca-bundle.crt'
+FREEIPA_AUTH_SSL_VERIFY = False#'/etc/pki/tls/certs/ca-bundle.crt'
 FREEIPA_AUTH_UPDATE_USER_GROUPS = True
 FREEIPA_AUTH_ALWAYS_UPDATE_USER = True
 FREEIPA_AUTH_USER_ATTRS_MAP = {"first_name": "givenname", "last_name": "sn", "email": "mail"}
@@ -125,3 +134,4 @@ CLUSTER_INTRO = """
 <p><%= $cluster_name %>'s cluster</p>
 """
 
+BASE_DN = '<%= $base_dn %>'