Userdir Ldap

Channel           Revision  Published    Runs on
latest/stable     35        10 Oct 2024  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/stable     12        14 Feb 2023  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/stable     6         09 Feb 2022  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/stable     2         01 Feb 2021  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/candidate  35        10 Oct 2024  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/candidate  12        11 Jan 2023  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/candidate  7         09 Feb 2022  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/candidate  4         21 Jul 2021  Ubuntu 24.04, 22.04, 20.04, 18.04, 16.04
latest/edge       39        11 Dec 2024  Ubuntu 24.04, 22.04, 20.04, 18.04
latest/edge       37        27 Nov 2024  Ubuntu 24.04, 22.04, 20.04, 18.04
latest/edge       12        27 Nov 2024  Ubuntu 24.04, 22.04, 20.04, 18.04
juju deploy userdir-ldap

Cryptography

Setup and Dependency installation

During the installation of userdir-ldap and its other dependencies, the charm uses the APT repository key (commonly referred to as a GPG key or public key) associated with apt-repo-spec to verify the integrity and authenticity of the software packages downloaded from the repositories.

The charm also sets up the root SSH key used for all file-synchronization access. The key can be provided via the root-id-rsa charm config option (which accepts an OpenSSH-format RSA private key with no passphrase). The charm then derives the public key using ssh-keygen -f <private_key> -y and writes it alongside the private key with 0o644 permissions. If no private key is provided, the charm generates a new 2048-bit RSA keypair via the ssh-keygen CLI (ssh-keygen docs).

Additionally, during installation the charm adds the entries listed in the userdb-known-hosts charm config option to /root/.ssh/known_hosts to seed trust in userdb. If no hosts are specified, the charm runs ssh-keyscan against the userdb.internal host to discover and add the entries, as in step two of the Consumer/Client relation setup (see below).

User data rsync

The charm uses rsync over SSH to synchronize user data from a specified remote host to the local host. The key_file option, which defines the path to the private SSH key, is passed to SSH in the rsync spec for authentication; the SSH transport also encrypts the data in motion.

SSH daemon reconfiguration

The charm reconfigures the ssh daemon of the Juju unit in the following ways:

Consumer/Client relation

Every unit provides a public SSH key to a user data producer (server) via the pub_key relation setting. The keypair generated during the setup and dependency installation step is used.

Additionally, when the relation is configured, the charm adds/updates the known SSH host keys of the unit in the /root/.ssh/known_hosts file. The process includes:

  • Removing the old host keys using ssh-keygen -R <hostname> -f /root/.ssh/known_hosts
  • Scanning for and adding new host keys using ssh-keyscan -t rsa <host1> <host2> ... >> /root/.ssh/known_hosts (see ssh-keyscan docs) against userdb.internal.

Producer/Client relation

The charm collects the SSH public keys of the consumer/client units from the relation data bag to set up the cron jobs for the rsync. The collected keys are then used to configure a custom /etc/ssh/user-authorized-keys/<user> file, which grants the specified user limited access to pull files via rsync. The configuration uses a templated command override (a forced command in the authorized keys entry) that prevents shell access and only allows rsync.
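The producer-side step above, as an added example that is not the charm's own code: consumer public keys taken from the relation data bag are validated and rendered into a forced-command authorized keys file that lets each key run rsync but never get a shell, then written read-only (0o444). The wrapper path /usr/local/bin/rsync-only and the sample key are assumptions.

```python
import base64
import os
import re
import struct

# Assumed wrapper path (not part of the charm): a hypothetical script that
# execs SSH_ORIGINAL_COMMAND only when it is an "rsync --server" invocation.
RSYNC_ONLY_WRAPPER = "/usr/local/bin/rsync-only"
RESTRICTIONS = "no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc"
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}
DEFAULT_DIR = "/etc/ssh/user-authorized-keys"
# Constructed sample consumer key (placeholder 32-byte point, not a real key).
SAMPLE_KEY = ("ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + b"\x42" * 32).decode() + " consumer/0")

def parse_pubkey(line):
    """Return (type, b64, comment) for a well-formed OpenSSH key line, else None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # RFC 4253 wire blob: its first length-prefixed string must repeat the text type.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != parts[0].encode():
        return None
    return parts[0], parts[1], parts[2] if len(parts) == 3 else ""

def build_authorized_keys(pubkeys):
    """One forced-command line per valid consumer key; malformed keys are dropped."""
    lines = []
    for key in pubkeys:
        parsed = parse_pubkey(key)
        if parsed:
            keytype, b64, comment = parsed
            lines.append(f'command="{RSYNC_ONLY_WRAPPER}",{RESTRICTIONS} {keytype} {b64} {comment}'.rstrip())
    return "".join(line + "\n" for line in lines)

def write_user_authorized_keys(user, content, base_dir=DEFAULT_DIR):
    """Write <base_dir>/<user> as 0o444; chown to root only when running as root."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user):  # relation data is untrusted input
        raise ValueError(f"refusing unsafe user name: {user!r}")
    path = os.path.join(base_dir, user)
    if os.path.exists(path): os.remove(path)  # a prior 0o444 copy cannot be opened for writing
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o444)
    if os.geteuid() == 0: os.chown(path, 0, 0)  # root ownership, as the charm sets it
    return path
```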

Copy of authorized_keys

The charm copies the authorized_keys file of each user listed in the users-to-migrate charm config option to the /etc/ssh/user-authorized-keys directory of the unit, with permissions set to 0o444 and root ownership.

