EIT-SWE / Infrastructure
Commit 5d0b41ea authored Jun 27, 2017 by CRAIG BENNER
Roles updated to include LDAPS and local base-box vagrantfile upgraded to test
parent 3b13ea60
Changes: 3 changed files with 151 additions and 43 deletions (+151 -43)
base-boxes/base-winsvr2012/Vagrantfile (+12 -11)
roles/ActiveDirectory/tasks/main.yml (+96 -11)
roles/ONEForest/library/ONEForest_Config.ps1 (+43 -21)
base-boxes/base-winsvr2012/Vagrantfile
@@ -7,15 +7,15 @@ required_plugins.each do |plugin|
end
Vagrant
.
configure
(
"2"
)
do
|
config
|
config
.
vm
.
boot_timeout
=
600
config
.
vm
.
box
=
"edu.psu/base-winsvr2012"
#config.vm.box_url = "file:///home/cpb113/base-vagrant/psu_winsvr2012_basebox_1_0_0.tar.gz
"
config
.
vm
.
box_url
=
"https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
config
.
vm
.
box_url
=
"file:///home/cpb113/base-vagrant/base-winsvr2012.json
"
#
config.vm.box_url = "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json"
config
.
winrm
.
username
=
"vagrant"
config
.
winrm
.
password
=
"P@ssw0rd"
config
.
vm
.
network
"forwarded_port"
,
guest:
3389
,
host:
3389
config
.
vm
.
network
"forwarded_port"
,
guest:
3389
,
host:
3389
,
host_ip:
"127.0.0.1"
,
id:
"rdp"
config
.
vm
.
network
"private_network"
,
ip:
"192.168.33.11"
,
virtualbox__intnet:
"localDev"
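Review bot: the live `config.vm.box_url` now points at a path inside one person's home directory (`file:///home/cpb113/base-vagrant/base-winsvr2012.json`) while the shared source (`https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json`) is commented out, so the Vagrantfile no longer works for anyone else and the box is no longer pulled from the published, versioned repository. Keep the Nexus URL as the committed default and select a local metadata file for testing through an environment variable, for example `config.vm.box_url = ENV.fetch("BOX_URL", "https://nexus.ci.psu.edu/repository/vagrant-boxes/base-winsvr2012.json")`, rather than committing the personal path (the commit message says this was done to test). While here, delete the stale commented-out `psu_winsvr2012_basebox_1_0_0.tar.gz` line rather than accumulating dead alternatives. The `host_ip: "127.0.0.1"` added to the RDP forward is the right change: without it the forwarded 3389 is reachable from every interface on the host, and it is worth the same treatment for any future forwarded port, given that the guest's WinRM credentials are the well-known `vagrant` / `P@ssw0rd`.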
@@ -26,15 +26,16 @@ Vagrant.configure("2") do |config|
end
config
.
vm
.
provider
:virtualbox
do
|
vb
|
vb
.
customize
[
"modifyvm"
,
:id
,
"--memory"
,
"1024"
]
vb
.
memory
=
"1024"
vb
.
cpus
=
"2"
end
# Enable provisioning with Ansible
#
config.vm.provision :ansible do |ansible|
#
ansible.playbook = "playbook.yml"
#
ansible.groups = {
#
"vagrant" => ["default"],
#
}
#
end
config
.
vm
.
provision
:ansible
do
|
ansible
|
ansible
.
playbook
=
"playbook.yml"
ansible
.
groups
=
{
"vagrant"
=>
[
"default"
],
}
end
end
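Review bot: the commented-out provisioner block (`# config.vm.provision :ansible do |ansible|` through `# end`) is left in place directly above the new live copy of the same lines; delete the dead copy now that provisioning is enabled. Replacing `vb.customize ["modifyvm", :id, "--memory", "1024"]` with `vb.memory = "1024"` and `vb.cpus = "2"` is the idiomatic form, fine. One thing to document: `ansible.groups = { "vagrant" => ["default"] }` relies on the machine keeping Vagrant's default name (no `config.vm.define` is used in this file), so adding a `config.vm.define` later would silently drop the machine out of the `vagrant` group that `playbook.yml` presumably targets; a one-line comment next to `ansible.groups` would prevent that surprise.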
roles/ActiveDirectory/tasks/main.yml
-
name
:
force Name of machine
rename_computer
:
>
computer_name=develop-dc-01
-
name
:
wait for reboot
local_action
:
wait_for
args
:
host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
-
name
:
generate ca cert key
shell
:
openssl genrsa -des3 -passout pass:{{ ad_safe_mode_password }} -out ca.key
4096
delegate_to
:
localhost
-
name
:
generate ca cert
shell
:
openssl req -new -x509 -days 3650 -passin pass:{{ ad_safe_mode_password }} -key ca.key -out ca.crt -subj "/C=US/ST=Pennsylvania/L=University Park/O=Pennsylvania State University/OU=IT/CN=CA.develop.local"
delegate_to
:
localhost
-
name
:
create LDAPS local certRequest.inf
delegate_to
:
localhost
copy
:
content
:
"
;-----------------
request.inf
-----------------
[Version]
Signature=$Windows
NT$
[NewRequest]
Subject
=
\"
CN=develop-dc-01.develop.local
\"
;
replace
with
the
FQDN
of
the
DC
KeySpec
=
1
KeyLength
=
2048
;
Can
be
1024,
2048,
4096,
8192,
or
16384.
;
Larger
key
sizes
are
more
secure,
but
have
;
a
greater
impact
on
performance.
Exportable
=
TRUE
MachineKeySet
=
TRUE
SMIME
=
False
PrivateKeyArchive
=
FALSE
UserProtected
=
FALSE
UseExistingKeySet
=
FALSE
ProviderName
=
\"
Microsoft
RSA
SChannel
Cryptographic
Provider
\"
ProviderType
=
12
RequestType
=
PKCS10
KeyUsage
=
0xa0
[Extensions]
OID=1.3.6.1.5.5.7.3.1
;
this
is
for
Server
Authentication
;-----------------------------------------------"
dest
:
./certRequest.inf
-
name
:
create temp directory
win_file
:
path
:
c:\temp
state
:
directory
-
name
:
copy ldaps inf to server
win_copy
:
src
:
certRequest.inf
dest
:
c:\temp\certRequest.inf
-
name
:
generate ldaps PEM
win_shell
:
certreq -new c:\temp\certRequest.inf c:\temp\develop_dc.pem
-
name
:
copy ldaps pem to server
fetch
:
src
:
c:\temp\develop_dc.pem
dest
:
develop_dc.pem
flat
:
yes
##### NOT SURE IF NEEDED
#- name: create v3ext.txt
# delegate_to: localhost
# copy:
# content: "keyUsage=digitalSignature,keyEncipherment
# extendedKeyUsage=serverAuth
# subjectKeyIdentifier=hash"
# dest: ./v3ext.txt
-
name
:
create ldaps cert
shell
:
openssl x509 -req -days 3650 -in develop_dc.pem -passin pass:{{ ad_safe_mode_password }} -CA ca.crt -CAkey ca.key -set_serial 01 -out develop_dc.crt
delegate_to
:
localhost
-
name
:
copy ca pub cert to server
win_copy
:
src
:
ca.crt
dest
:
c:\temp\ca.crt
-
name
:
import certificate into Windows
import_certs
:
>
name=develop_dc.crt
-
name
:
copy ldaps pub cert to server
win_copy
:
src
:
develop_dc.crt
dest
:
c:\temp\develop_dc.crt
-
name
:
import certificate into Windows
win_shell
:
certreq -accept c:\temp\develop_dc.crt
-
name
:
Install AD-Domain-Services feature
win_feature
:
>
name=AD-Domain-Services
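Review bot: the certificate produced by `openssl x509 -req -days 3650 -in develop_dc.pem ... -CA ca.crt -CAkey ca.key -set_serial 01 -out develop_dc.crt` will not carry the Server Authentication EKU that `certRequest.inf` asks for, because `openssl x509 -req` does not copy extensions from the CSR unless an `-extfile` is given; the commented-out `v3ext.txt` task marked `NOT SURE IF NEEDED` is exactly what is needed (`keyUsage=digitalSignature,keyEncipherment`, `extendedKeyUsage=serverAuth`, plus a `subjectAltName=DNS:develop-dc-01.develop.local` line), and the signing task must pass `-extfile v3ext.txt`; without the EKU the DC will not select this certificate for LDAPS. Two problems inside the `.inf` itself: `Exportable = TRUE` lets any local administrator export the DC's private key from the machine store, so set it to `FALSE`, and the `OID=1.3.6.1.5.5.7.3.1` line belongs under `[EnhancedKeyUsageExtension]` (the section certreq documents for EKU, and the one the Microsoft LDAPS template this file mirrors uses), not under `[Extensions]`, where entries are expected as `<oid> = <value>`. Also check the file that actually lands in `./certRequest.inf`: it is written from a multi-line double-quoted YAML scalar, and YAML folds the single line breaks in such a scalar into spaces, so unless each line ends in an explicit `\n` the INF is emitted as one line; a block scalar (`content: |`) avoids that. Secrets handling: `ad_safe_mode_password` (the DSRM password) is reused as the CA key passphrase and passed on the `openssl` command line through `shell`, so it is visible in process listings and in Ansible output; use a separate variable, add `no_log: true` to the tasks that reference it, and give the CA tasks `creates: ca.key` / `creates: ca.crt` so a re-run does not mint a new CA and reissue with the same `-set_serial 01`. `ca.key` and `ca.crt` land in the playbook's working directory on the controller and are one `git add .` away from the repository; generate them under a temp directory or add them to `.gitignore`. Finally, `ca.crt` is copied to `c:\temp\ca.crt` but nothing imports it into the machine's Trusted Root store, and there are two tasks named `import certificate into Windows`: the first calls a custom `import_certs` module whose `name=develop_dc.crt` argument has no path, so it is unclear whether it reads the controller's copy or expects `c:\temp\develop_dc.crt`, which is only copied in the task after it, while the second task's `certreq -accept c:\temp\develop_dc.crt` already completes the request, so one of the two is redundant and the names should say which store each one touches.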
@@ -11,20 +106,10 @@
safe_mode_password={{ ad_safe_mode_password }}
register
:
result
-
name
:
Reboot
-
name
:
Reboot
second
win_shell
:
restart-computer -force
when
:
result|changed
#- name: pause for reboot
# pause: seconds=30
#- name: wait for machine start up
# win_ping:
# register: result
# until: result.rc == 0
# retries: 30
# delay: 10
-
name
:
wait for reboot
local_action
:
wait_for
args
:
host={{ inventory_hostname }} port=5985 delay=1 timeout=120 state=started
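Review bot: the new `wait for reboot` task (`wait_for ... port=5985 delay=1 timeout=120 state=started`) races the `restart-computer -force` it follows: `win_shell` returns as soon as the restart is scheduled, WinRM is still listening on 5985 one second later, so `wait_for` succeeds immediately and the next task runs against a host that is about to go down. Wait for the port to close first (`state=stopped`), then for it to come back, or replace the `Reboot second` plus `wait for reboot` pair with the `win_reboot` module, which does both and also confirms WinRM is answering rather than only that the TCP port accepts connections. The `when: result|changed` guard uses the `|changed` filter form, which later Ansible releases deprecate; `when: result.changed` works everywhere. The commented-out `win_ping` retry loop that this replaces can be removed rather than left behind, and the rename from `Reboot` to `Reboot second` suggests another `Reboot` task exists in this file; give both names that say what they follow (for example `Reboot after AD DS install`) instead of an ordinal.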
roles/ONEForest/library/ONEForest_Config.ps1
@@ -32,25 +32,39 @@ function createUser([String]$inUserName, [String]$inDN, [String]$inPassword)
}
}
function
grantUserPermssion
(
$inUsername
,
$inPermissionApplyToDN
,
$inPermissionType
)
function
grantUserPermssion
(
$inUsername
,
$inPermissionApplyToDN
,
$inPermissionType
,
$inAccessControlType
)
{
Write-host
"----------------------------------------------------"
Write-host
"Granting Permissions to
$inUsername
"
write-host
"Against DN
$inPermissionApplyToDN
"
write-host
"With Permission Type
$inPermissionType
"
write-host
"Permission Type of
$inAccessControlType
"
$acl
=
get-acl
"ad:
$inPermissionApplyToDN
"
$acl
.
access
#
$acl.access
$user
=
get-aduser
$inUsername
$sid
=
[
System.Security.Principal.SecurityIdentifier
]
$user
.
SID
$identity
=
[
System.Security.Principal.IdentityReference
]
$sid
$adRights
=
[
System.DirectoryServices.ActiveDirectoryRights
]
$inPermissionType
$type
=
[
System.Security.AccessControl.AccessControlType
]
"Allow"
$
Control
type
=
[
System.Security.AccessControl.AccessControlType
]
"Allow"
$inheritanceType
=
[
System.DirectoryServices.ActiveDirectorySecurityInheritance
]
"All"
$ACE
=
new-Object
System.DirectoryServices.ActiveDirectoryAccessRule
$identity
,
$adRights
,
$type
,
$inheritanceType
if
(
$inPermissionType
.
CompareTo
(
"ExtendedRight"
)
-eq
0
)
{
$guid
=
new-object
Guid
$inAccessControltype
$ACE
=
new-Object
System.DirectoryServices.ActiveDirectoryAccessRule
$identity
,
$adRights
,
$controltype
,
$inheritanceType
,
$guid
}
else
{
$ACE
=
new-Object
System.DirectoryServices.ActiveDirectoryAccessRule
$identity
,
$adRights
,
$controltype
,
$inheritanceType
}
$acl
.
AddAccessRule
(
$ace
)
$newACL
=
set-acl
-aclobject
$acl
"ad:
$inPermissionApplyToDN
"
}
$ADS_EXTENDED_CHANGEPASSWORD
=
"ab721a53-1e2f-11d0-9819-00aa0040529b"
$ADS_EXTENDED_SETPASSWORD
=
"00299570-246d-11d0-a768-00aa006e0529"
################################################### actual code to execute ##########################################################3
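Review bot: the `ExtendedRight` branch builds the ACE with the wrong constructor overload. `new-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$controltype,$inheritanceType,$guid` resolves to the `(IdentityReference, ActiveDirectoryRights, AccessControlType, ActiveDirectorySecurityInheritance, Guid inheritedObjectType)` overload, so the right GUID (`$ADS_EXTENDED_SETPASSWORD`, `00299570-246d-11d0-a768-00aa006e0529`) is stored as the inherited object type (the class of child objects the ACE applies to) and the object type is left empty, which in AD means all extended rights. The result is an ACE for every extended right, restricted to children of a class that does not exist, rather than Reset Password on the user objects under the OU that the call site intends; the argument order for the intended overload is `$identity,$adRights,$controltype,$guid,$inheritanceType`, and if the grant should apply only to user objects, append the user class GUID (`bf967aba-0de6-11d0-a285-00aa003049e2`) as a sixth, inherited-object-type argument. Related: the new parameter is named `$inAccessControlType` but receives an extended-right GUID while the real `AccessControlType` is hard-coded to `"Allow"` in `$controltype`, so rename it (for example `$inExtendedRightGuid`); the first `$ACE = new-Object ... $identity,$adRights,$type,$inheritanceType` assignment is dead because both branches overwrite `$ACE`; `$acl.access` on a line of its own dumps the entire existing ACL to the output stream for no purpose; and the typo in `grantUserPermssion` is now baked into every call site, so fix it here before more callers appear.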
@@ -111,8 +125,16 @@ try {
#### LOCAL Configuration ####
createOU
"LocalConfig"
$baseDN
createUser
$localDevUsername
"OU=LocalConfig,
$baseDN
"
$localDevPassword
set-aduser
$localDevUsername
-PasswordNeverExpires
1
grantUserPermssion
$localDevUsername
"OU=PSU-Users,
$baseDN
"
"GenericAll"
grantUserPermssion
$localDevUsername
"OU=PSU-Groups,
$baseDN
"
"GenericAll"
grantUserPermssion
$localDevUserName
"OU=PSU-Users,
$baseDN
"
"ExtendedRight"
$ADS_EXTENDED_SETPASSWORD
#### Test Accounts for Local Mirror of Kerb ###
createUser
"bad1"
"OU=PSU-Users,
$baseDN
"
$localDevPassword
createUser
"bad2"
"OU=PSU-Users,
$baseDN
"
$localDevPassword
createUser
"gud1"
"OU=PSU-Users,
$baseDN
"
$localDevPassword
createUser
"gud2"
"OU=PSU-Users,
$baseDN
"
$localDevPassword
$result
.
changed
=
$true
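Review bot: the new `grantUserPermssion $localDevUserName "OU=PSU-Users,$baseDN" "ExtendedRight" $ADS_EXTENDED_SETPASSWORD` call is redundant with the `"GenericAll"` grant on the same OU two lines above it: GenericAll already includes every extended right, Reset Password among them, on the OU and everything beneath it with inheritance `All`. Either replace the `GenericAll` grants with the specific rights `$localDevUsername` needs (create/delete user and group objects, Reset Password, write to the attributes it manages), which is the least-privilege option, or drop the ExtendedRight call; keeping both only hides what the account can actually do. On the test accounts: `bad1`, `bad2`, `gud1` and `gud2` are created with `$localDevPassword`, the same password as the `LocalConfig` account that holds GenericAll over `OU=PSU-Users` and `OU=PSU-Groups`, so a throwaway test credential equals the admin-equivalent one; give them their own variable. Also `$result.changed = $true` is set unconditionally at the end of the block, so this module reports a change on every run even when the OUs, users and ACEs already exist; set it only when one of the `createOU` / `createUser` / `grantUserPermssion` calls actually changed something.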