Commit 5d0b41ea authored by CRAIG BENNER's avatar CRAIG BENNER

Roles updated to include LDAPS and local base-box Vagrantfile upgraded to test

parent 3b13ea60
...@@ -7,15 +7,15 @@ required_plugins.each do |plugin| ...@@ -7,15 +7,15 @@ required_plugins.each do |plugin|
end end
Vagrant.configure("2") do |config| Vagrant.configure("2") do |config|
config.vm.boot_timeout = 600
config.vm.box = "edu.psu/base-winsvr2012" config.vm.box = "edu.psu/base-winsvr2012"
#config.vm.box_url = "file:///home/cpb113/base-vagrant/psu_winsvr2012_basebox_1_0_0.tar.gz" config.vm.box_url = "file:///home/cpb113/base-vagrant/base-winsvr2012.json"
config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json" #config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
config.winrm.username = "vagrant" config.winrm.username = "vagrant"
config.winrm.password = "P@ssw0rd" config.winrm.password = "P@ssw0rd"
config.vm.network "forwarded_port", guest: 3389, host: 3389, host_ip: "127.0.0.1", id: "rdp"
config.vm.network "forwarded_port", guest: 3389, host: 3389
config.vm.network "private_network", ip: "192.168.33.11", virtualbox__intnet: "localDev" config.vm.network "private_network", ip: "192.168.33.11", virtualbox__intnet: "localDev"
...@@ -26,15 +26,16 @@ Vagrant.configure("2") do |config| ...@@ -26,15 +26,16 @@ Vagrant.configure("2") do |config|
end end
config.vm.provider :virtualbox do |vb| config.vm.provider :virtualbox do |vb|
vb.customize ["modifyvm", :id, "--memory", "1024"] vb.memory = "1024"
vb.cpus = "2"
end end
# Enable provisioning with Ansible # Enable provisioning with Ansible
#config.vm.provision :ansible do |ansible| config.vm.provision :ansible do |ansible|
# ansible.playbook = "playbook.yml" ansible.playbook = "playbook.yml"
# ansible.groups = { ansible.groups = {
# "vagrant" => ["default"], "vagrant" => ["default"],
# } }
#end end
end end
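Review bot: The RDP forward in the first hunk appears to change from `config.vm.network "forwarded_port", guest: 3389, host: 3389, host_ip: "127.0.0.1", id: "rdp"` to the bare `config.vm.network "forwarded_port", guest: 3389, host: 3389` — the page shows no side markers, so which line is new is inferred from print order and the commit message. Without `host_ip`, VirtualBox binds host port 3389 on every host interface, so the guest's RDP service (with the box's default credentials that are committed in this same file) becomes reachable from the host's network rather than from loopback only; keep the `host_ip: "127.0.0.1", id: "rdp"` form. The new `config.vm.box_url` also points at a developer home directory (`file:///home/cpb113/...`), which will not resolve for anyone else; if this is only for local testing, leave the Nexus URL as the committed value and override it locally (for example via an environment variable) instead of swapping the commented line.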
- name: force Name of machine
rename_computer: >
computer_name=develop-dc-01
- name: wait for reboot
local_action: wait_for
args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
- name: generate ca cert key
shell: openssl genrsa -des3 -passout pass:{{ ad_safe_mode_password }} -out ca.key 4096
delegate_to: localhost
- name: generate ca cert
shell: openssl req -new -x509 -days 3650 -passin pass:{{ ad_safe_mode_password }} -key ca.key -out ca.crt -subj "/C=US/ST=Pennsylvania/L=University Park/O=Pennsylvania State University/OU=IT/CN=CA.develop.local"
delegate_to: localhost
- name: create LDAPS local certRequest.inf
delegate_to: localhost
copy:
content: ";----------------- request.inf -----------------
[Version]
Signature=$Windows NT$
[NewRequest]
Subject = \"CN=develop-dc-01.develop.local\" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = \"Microsoft RSA SChannel Cryptographic Provider\"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[Extensions]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------"
dest: ./certRequest.inf
- name: create temp directory
win_file:
path: c:\temp
state: directory
- name: copy ldaps inf to server
win_copy:
src: certRequest.inf
dest: c:\temp\certRequest.inf
- name: generate ldaps PEM
win_shell: certreq -new c:\temp\certRequest.inf c:\temp\develop_dc.pem
- name: copy ldaps pem to server
fetch:
src: c:\temp\develop_dc.pem
dest: develop_dc.pem
flat: yes
##### NOT SURE IF NEEDED
#- name: create v3ext.txt
# delegate_to: localhost
# copy:
# content: "keyUsage=digitalSignature,keyEncipherment
# extendedKeyUsage=serverAuth
# subjectKeyIdentifier=hash"
# dest: ./v3ext.txt
- name: create ldaps cert
shell: openssl x509 -req -days 3650 -in develop_dc.pem -passin pass:{{ ad_safe_mode_password }} -CA ca.crt -CAkey ca.key -set_serial 01 -out develop_dc.crt
delegate_to: localhost
- name: copy ca pub cert to server
win_copy:
src: ca.crt
dest: c:\temp\ca.crt
- name: import certificate into Windows
import_certs: >
name=develop_dc.crt
- name: copy ldaps pub cert to server
win_copy:
src: develop_dc.crt
dest: c:\temp\develop_dc.crt
- name: import certificate into Windows
win_shell: certreq -accept c:\temp\develop_dc.crt
- name: Install AD-Domain-Services feature - name: Install AD-Domain-Services feature
win_feature: > win_feature: >
name=AD-Domain-Services name=AD-Domain-Services
...@@ -11,20 +106,10 @@ ...@@ -11,20 +106,10 @@
safe_mode_password={{ ad_safe_mode_password }} safe_mode_password={{ ad_safe_mode_password }}
register: result register: result
- name: Reboot - name: Reboot second
win_shell: restart-computer -force win_shell: restart-computer -force
when: result|changed when: result|changed
#- name: pause for reboot
# pause: seconds=30
#- name: wait for machine start up
# win_ping:
# register: result
# until: result.rc == 0
# retries: 30
# delay: 10
- name: wait for reboot - name: wait for reboot
local_action: wait_for local_action: wait_for
args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started args: host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
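Review bot: The `shell:` tasks that generate the CA key and certificates (`openssl genrsa ... -passout pass:{{ ad_safe_mode_password }}`, and the matching `-passin pass:` uses in the `generate ca cert` and `create ldaps cert` tasks) put the AD safe-mode password on the openssl command line, where it is visible in the controller's process list and is echoed in Ansible's task output unless the task carries `no_log: true`; the value is also interpolated unquoted, so a password containing shell metacharacters breaks the command. Add `no_log: true` to those three tasks and prefer `-passout file:` / `-passin file:` with a temporary file (or a dedicated CA passphrase) rather than reusing the DSRM password. Separately, `Exportable = TRUE` in the generated certRequest.inf marks the DC's LDAPS private key as exportable; for a key that only needs to live in the DC's machine store, `Exportable = FALSE` is the safer default, and the hard-coded `-set_serial 01` reissues the same serial on every re-run of the play. The start of this task list lies above the visible section, so any `no_log` or `vars` set at play level cannot be confirmed from here.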
...@@ -32,25 +32,39 @@ function createUser([String]$inUserName, [String]$inDN, [String]$inPassword) ...@@ -32,25 +32,39 @@ function createUser([String]$inUserName, [String]$inDN, [String]$inPassword)
} }
} }
function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType) function grantUserPermssion($inUsername, $inPermissionApplyToDN, $inPermissionType, $inAccessControlType)
{ {
Write-host "----------------------------------------------------"
Write-host "Granting Permissions to $inUsername"
write-host "Against DN $inPermissionApplyToDN"
write-host "With Permission Type $inPermissionType"
write-host "Permission Type of $inAccessControlType"
$acl = get-acl "ad:$inPermissionApplyToDN" $acl = get-acl "ad:$inPermissionApplyToDN"
$acl.access #$acl.access
$user = get-aduser $inUsername $user = get-aduser $inUsername
$sid = [System.Security.Principal.SecurityIdentifier] $user.SID $sid = [System.Security.Principal.SecurityIdentifier] $user.SID
$identity = [System.Security.Principal.IdentityReference] $sid $identity = [System.Security.Principal.IdentityReference] $sid
$adRights = [System.DirectoryServices.ActiveDirectoryRights] $inPermissionType $adRights = [System.DirectoryServices.ActiveDirectoryRights] $inPermissionType
$type = [System.Security.AccessControl.AccessControlType] "Allow" $Controltype = [System.Security.AccessControl.AccessControlType] "Allow"
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All" $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
$ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $type, $inheritanceType if ($inPermissionType.CompareTo("ExtendedRight") -eq 0) {
$guid = new-object Guid $inAccessControltype
$ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $controltype, $inheritanceType, $guid
} else {
$ACE = new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity, $adRights, $controltype, $inheritanceType
}
$acl.AddAccessRule($ace) $acl.AddAccessRule($ace)
$newACL = set-acl -aclobject $acl "ad:$inPermissionApplyToDN" $newACL = set-acl -aclobject $acl "ad:$inPermissionApplyToDN"
} }
$ADS_EXTENDED_CHANGEPASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
$ADS_EXTENDED_SETPASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
################################################### actual code to execute ##########################################################3 ################################################### actual code to execute ##########################################################3
...@@ -92,27 +106,35 @@ try { ...@@ -92,27 +106,35 @@ try {
#Get Base DN #Get Base DN
$baseDN = $(Get-ADDomain $domainName).DistinguishedName $baseDN = $(Get-ADDomain $domainName).DistinguishedName
#OU Structure #OU Structure
createOU "PSU-Users" $baseDN createOU "PSU-Users" $baseDN
createOU "Inactive-Users" "OU=PSU-Users,$baseDN" createOU "Inactive-Users" "OU=PSU-Users,$baseDN"
createOU "Deprovisioned" "OU=Inactive-Users,OU=PSU-Users,$baseDN" createOU "Deprovisioned" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
createOU "Security-Disabled" "OU=Inactive-Users,OU=PSU-Users,$baseDN" createOU "Security-Disabled" "OU=Inactive-Users,OU=PSU-Users,$baseDN"
createOU "PSU-Groups" $baseDN createOU "PSU-Groups" $baseDN
createOU "PSU-AD-Groups" "OU=PSU-Groups,$baseDN" createOU "PSU-AD-Groups" "OU=PSU-Groups,$baseDN"
#Groups #Groups
$adGroupsDN = "OU=PSU-AD-Groups,OU=PSU-Groups,$baseDN" $adGroupsDN = "OU=PSU-AD-Groups,OU=PSU-Groups,$baseDN"
createGroup "PSU-Users" $adGroupsDN createGroup "PSU-Users" $adGroupsDN
createGroup "PSU-Inactive-Users" $adGroupsDN createGroup "PSU-Inactive-Users" $adGroupsDN
createGroup "PSU-Security-Disabled-Users" $adGroupsDN createGroup "PSU-Security-Disabled-Users" $adGroupsDN
createGroup "PSU-Deprovisioned-Users" $adGroupsDN createGroup "PSU-Deprovisioned-Users" $adGroupsDN
#### LOCAL Configuration #### #### LOCAL Configuration ####
createOU "LocalConfig" $baseDN createOU "LocalConfig" $baseDN
createUser $localDevUsername "OU=LocalConfig,$baseDN" $localDevPassword createUser $localDevUsername "OU=LocalConfig,$baseDN" $localDevPassword
set-aduser $localDevUsername -PasswordNeverExpires 1
grantUserPermssion $localDevUsername "OU=PSU-Users,$baseDN" "GenericAll" grantUserPermssion $localDevUsername "OU=PSU-Users,$baseDN" "GenericAll"
grantUserPermssion $localDevUsername "OU=PSU-Groups,$baseDN" "GenericAll" grantUserPermssion $localDevUsername "OU=PSU-Groups,$baseDN" "GenericAll"
grantUserPermssion $localDevUserName "OU=PSU-Users,$baseDN" "ExtendedRight" $ADS_EXTENDED_SETPASSWORD
#### Test Accounts for Local Mirror of Kerb ###
createUser "bad1" "OU=PSU-Users,$baseDN" $localDevPassword
createUser "bad2" "OU=PSU-Users,$baseDN" $localDevPassword
createUser "gud1" "OU=PSU-Users,$baseDN" $localDevPassword
createUser "gud2" "OU=PSU-Users,$baseDN" $localDevPassword
$result.changed = $true $result.changed = $true
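Review bot: In `grantUserPermssion`, the new `$inAccessControlType` parameter is not an access-control type at all — it is parsed as the extended-right GUID (`$guid = new-object Guid $inAccessControltype`) while the Allow/Deny type stays hard-coded in `$Controltype`, so the name misleads callers; rename it to something like `$inExtendedRightGuid`. More importantly, nothing checks that a GUID was supplied when `$inPermissionType` is `ExtendedRight`; if the argument is omitted, constructing the `Guid` from an empty value can yield `Guid.Empty`, and an ExtendedRight ACE with an empty object GUID applies to every extended right on the target rather than the one intended (I'd confirm the exact behaviour of `new-object Guid $null` on the target PowerShell version). Add a guard before the branch: `if ($inPermissionType -eq "ExtendedRight" -and [string]::IsNullOrEmpty($inAccessControlType)) { throw "ExtendedRight requires an extended-right GUID" }`. The `$ADS_EXTENDED_CHANGEPASSWORD` constant added below the function is unused; the only ExtendedRight call in the later hunk passes `$ADS_EXTENDED_SETPASSWORD`, whose `try {` block starts outside the visible lines.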