DriveTrain uses OpenLDAP to provide authentication and metadata for MCP users. This section describes how to create a new user entry in the OpenLDAP service through the Reclass cluster metadata model and grant the user permissions to access Gerrit and Jenkins.
To add a user to an OpenLDAP server:
1. Log in to the Salt Master node.

2. Check out the latest version of the Reclass cluster metadata model from the Git repository for your project.

3. Create a new directory called people in classes/cluster/<CLUSTER_NAME>/cicd/:

       mkdir classes/cluster/<cluster_name>/cicd/people

   New user definitions will be added to this directory.

4. Create a new YAML file in the people directory for the new user. For example, joey.yml:

       touch classes/cluster/<cluster_name>/cicd/people/joey.yml
5. In the newly created file, add the user definition. The key under people.entry becomes the cn of the LDAP entry (cn=joey,ou=people,...), so it must match the uid. For example:

       parameters:
         _param:
           openldap_pw_joey: "<ENCRYPTED_PASSWORD>"
         openldap:
           client:
             entry:
               people:
                 entry:
                   joey:
                     attr:
                       uid: joey
                       userPassword: ${_param:openldap_pw_joey}
                       uidNumber: 20600
                       gidNumber: 20001
                       gecos: "Joey Tribbiani"
                       givenName: Joey
                       sn: Tribbiani
                       homeDirectory: /home/joey
                       loginShell: /bin/bash
                       mail: joey@domain.tld
                     classes:
                       - posixAccount
                       - inetOrgPerson
                       - top
                       - shadowAccount
   Parameters description:

   openldap_pw_joey
       The password hash for the joey user. It can be generated with the following example command:

           echo "{CRYPT}$(mkpasswd --rounds 500000 -m sha-512 \
           --salt `head -c 40 /dev/random | base64 | sed -e 's/+/./g' \
           | cut -b 10-25` 'r00tme')"

       Substitute r00tme with the user's password; the command prints the salted SHA-512 crypt hash that is stored in the model instead of the plaintext value.

   uid
       The case-sensitive user ID to be used as the login ID for Gerrit, Jenkins, and other integrated services.

   userPassword: ${_param:openldap_pw_joey}
       The password for the joey user, which resolves to the openldap_pw_joey value.

   gidNumber
       An integer uniquely identifying, within an administrative domain, the group the user should belong to.

   uidNumber
       An integer uniquely identifying the user within an administrative domain.
6. Add the new user definition from joey.yml as a class in classes/cluster/<CLUSTER_NAME>/cicd/control/leader.yml:

       classes:
       ...
       - cluster.<CLUSTER_NAME>.cicd.control
       - cluster.<CLUSTER_NAME>.cicd.people.joey

   By defining the cluster-level parameters of the joey user and including them in the classes section of cluster/<CLUSTER_NAME>/cicd/control/leader.yml, you import the user data into the cid01 node inventory, although the parameters have not been rendered yet.
7. Commit the change.

8. Update the copy of the model on the Salt Master node:

       sudo git -C /srv/salt/reclass pull

9. Synchronize all Salt resources:

       sudo salt '*' saltutil.sync_all

10. Apply the changes:

       sudo salt 'cid01*' state.apply openldap
    Example output for a successfully created user:

              ID: openldap_client_cn=joey,ou=people,dc=deploy-name,dc=local
        Function: ldap.managed
          Result: True
         Comment: Successfully updated LDAP entries
         Started: 18:12:29.788665
        Duration: 58.193 ms
         Changes:
                  ----------
                  cn=joey,ou=people,dc=deploy-name,dc=local:
                      ----------
                      new:
                          ----------
                          cn:
                              - joey
                          gecos:
                              - Joey Tribbiani
                          gidNumber:
                              - 20001
                          givenName:
                              - Joey
                          homeDirectory:
                              - /home/joey
                          loginShell:
                              - /bin/bash
                          mail:
                              - joey@domain.tld
                          objectClass:
                              - inetOrgPerson
                              - posixAccount
                              - shadowAccount
                              - top
                          sn:
                              - Tribbiani
                          uid:
                              - joey
                          uidNumber:
                              - 20060
                          userPassword:
                              - {CRYPT}$6$rounds=500000$KaJBYb3F8hYMv.UEHvc0...
                      old:
                          None

        Summary for cid01.domain.tld
        ------------
        Succeeded: 7 (changed=1)
        Failed:    0
        ------------
        Total states run:     7
        Total run time:     523.672 ms
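Before running state.apply, the people/ files can be checked for the mistakes this procedure makes easy: an entry key that does not match uid (so the cn and the login name diverge), a uidNumber already taken by another user, numbers quoted as strings, or a password parameter that holds a plaintext value instead of a salted {CRYPT} SHA-512 hash. The following Python check is an added example, not part of MCP or the DriveTrain tooling; it takes each per-user file as the dict yaml.safe_load returns, and the GOOD and BAD inputs are constructed samples.

```python
import re

# Attributes the posixAccount objectClass requires (cn comes from the entry key).
REQUIRED_POSIX = ("uid", "uidNumber", "gidNumber", "homeDirectory")
PARAM_REF = re.compile(r"^\$\{_param:([A-Za-z0-9_]+)\}$")

def check_people(models):
    """Validate per-user Reclass models (one dict per people/<user>.yml, as
    yaml.safe_load would return them). Returns a list of problems; empty means OK."""
    problems, seen = [], {}
    for model in models:
        params = model.get("parameters", {})
        local = params.get("_param", {})
        users = params["openldap"]["client"]["entry"]["people"]["entry"]
        for key, user in users.items():
            attr = user.get("attr", {})
            # The mapping key becomes cn in cn=<key>,ou=people,...; it must equal uid.
            if attr.get("uid") != key:
                problems.append(f"{key}: entry key and uid {attr.get('uid')!r} differ")
            for name in REQUIRED_POSIX:
                if name not in attr:
                    problems.append(f"{key}: missing posixAccount attribute {name}")
            for name in ("uidNumber", "gidNumber"):
                if name in attr and not isinstance(attr[name], int):
                    problems.append(f"{key}: {name} must be an integer")
            num = attr.get("uidNumber")
            if num is not None and num in seen:
                problems.append(f"{key}: uidNumber {num} already used by {seen[num]}")
            seen.setdefault(num, key)
            # userPassword must interpolate a _param holding a {CRYPT} SHA-512 crypt hash.
            ref = PARAM_REF.match(str(attr.get("userPassword", "")))
            value = local.get(ref.group(1)) if ref else None
            if value is None:
                problems.append(f"{key}: userPassword must reference a defined _param")
            elif not str(value).startswith("{CRYPT}$6$rounds="):
                problems.append(f"{key}: password is not a {{CRYPT}} sha-512 hash with rounds")
            if "posixAccount" not in user.get("classes", []):
                problems.append(f"{key}: objectClass posixAccount is missing")
    return problems

# Constructed sample input: the page's joey entry plus a deliberately broken one.
GOOD = {"parameters": {"_param": {"openldap_pw_joey": "{CRYPT}$6$rounds=500000$EXAMPLESALT$EXAMPLEHASH"},
    "openldap": {"client": {"entry": {"people": {"entry": {"joey": {
        "attr": {"uid": "joey", "userPassword": "${_param:openldap_pw_joey}", "uidNumber": 20600,
                 "gidNumber": 20001, "sn": "Tribbiani", "homeDirectory": "/home/joey"},
        "classes": ["posixAccount", "inetOrgPerson", "top", "shadowAccount"]}}}}}}}}
BAD = {"parameters": {"_param": {"openldap_pw_john": "r00tme"},
    "openldap": {"client": {"entry": {"people": {"entry": {"jdoe": {
        "attr": {"uid": "john", "userPassword": "${_param:openldap_pw_john}", "uidNumber": 20600,
                 "gidNumber": "20001", "homeDirectory": "/home/john"},
        "classes": ["posixAccount", "inetOrgPerson", "top"]}}}}}}}}
```

Running check_people([GOOD, BAD]) reports four problems for the jdoe entry and none for joey; an empty list is the condition to require before committing and applying the model.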