⚰️ Drop Domain SID extraction as this is not needed with Apricot

alan-turing-institute · Apr 8, 2024 · 1034be6 · 1034be6
1 parent 88edb87
commit 1034be6
Show file tree

Hide file tree

Showing 6 changed files with 1 addition and 73 deletions.
diff --git a/data_safe_haven/commands/deploy.py b/data_safe_haven/commands/deploy.py
@@ -130,11 +130,6 @@ def sre(
         )
         stack.add_option("azure-native:tenantId", config.azure.tenant_id, replace=False)
         # Load SHM stack outputs
-        stack.add_option(
-            "shm-domain_controllers-domain_sid",
-            shm_stack.output("domain_controllers")["domain_sid"],
-            replace=True,
-        )
         stack.add_option(
             "shm-domain_controllers-ldap_root_dn",
             shm_stack.output("domain_controllers")["ldap_root_dn"],

diff --git a/data_safe_haven/infrastructure/stacks/declarative_sre.py b/data_safe_haven/infrastructure/stacks/declarative_sre.py
@@ -279,9 +279,6 @@ def run(self) -> None:
             self.stack_name,
             SREWorkspacesProps(
                 admin_password=data.password_workspace_admin,
-                domain_sid=self.pulumi_opts.require(
-                    "shm-domain_controllers-domain_sid"
-                ),
                 ldap_bind_dn=ldap_bind_dn,
                 ldap_group_filter=ldap_group_filter,
                 ldap_group_search_base=ldap_group_search_base,

diff --git a/data_safe_haven/infrastructure/stacks/shm/domain_controllers.py b/data_safe_haven/infrastructure/stacks/shm/domain_controllers.py
@@ -9,8 +9,6 @@
 from data_safe_haven.infrastructure.components import (
     AutomationDscNode,
     AutomationDscNodeProps,
-    RemoteScript,
-    RemoteScriptProps,
     VMComponent,
     WindowsVMComponentProps,
     WrappedAutomationAccount,
@@ -122,7 +120,7 @@ def __init__(
             / "desired_state_configuration"
             / f"{dsc_configuration_name}.ps1"
         )
-        primary_domain_controller_dsc_node = AutomationDscNode(
+        AutomationDscNode(
             f"{self._name}_primary_domain_controller_dsc_node",
             AutomationDscNodeProps(
                 automation_account=props.automation_account,
@@ -154,33 +152,12 @@ def __init__(
             ),
             tags=child_tags,
         )
-        # Extract the domain SID
-        domain_sid_script = FileReader(
-            resources_path / "active_directory" / "get_ad_sid.ps1"
-        )
-        domain_sid = RemoteScript(
-            f"{self._name}_get_ad_sid",
-            RemoteScriptProps(
-                force_refresh=True,
-                script_contents=domain_sid_script.file_contents(),
-                script_hash=domain_sid_script.sha256(),
-                script_parameters={},
-                subscription_name=props.subscription_name,
-                vm_name=primary_domain_controller.vm_name,
-                vm_resource_group_name=resource_group.name,
-            ),
-            opts=ResourceOptions.merge(
-                child_opts,
-                ResourceOptions(parent=primary_domain_controller_dsc_node),
-            ),
-        )
 
         # Register outputs
         self.resource_group_name = resource_group.name
 
         # Register exports
         self.exports = {
-            "domain_sid": domain_sid.script_output,
             "ldap_root_dn": props.domain_root_dn,
             "ldap_search_username": props.username_domain_searcher,
             "ldap_server_ip": primary_domain_controller.ip_address_private,

diff --git a/data_safe_haven/infrastructure/stacks/sre/workspaces.py b/data_safe_haven/infrastructure/stacks/sre/workspaces.py
@@ -30,7 +30,6 @@ class SREWorkspacesProps:
     def __init__(
         self,
         admin_password: Input[str],
-        domain_sid: Input[str],
         ldap_bind_dn: Input[str],
         ldap_group_filter: Input[str],
         ldap_group_search_base: Input[str],
@@ -56,7 +55,6 @@ def __init__(
     ) -> None:
         self.admin_password = Output.secret(admin_password)
         self.admin_username = "dshadmin"
-        self.domain_sid = domain_sid
         self.ldap_bind_dn = ldap_bind_dn
         self.ldap_group_filter = ldap_group_filter
         self.ldap_group_search_base = ldap_group_search_base
@@ -129,7 +127,6 @@ def __init__(
 
         # Load cloud-init file
         b64cloudinit = Output.all(
-            domain_sid=props.domain_sid,
             ldap_bind_dn=props.ldap_bind_dn,
             ldap_group_filter=props.ldap_group_filter,
             ldap_group_search_base=props.ldap_group_search_base,
@@ -222,7 +219,6 @@ def __init__(
 
     def read_cloudinit(
         self,
-        domain_sid: str,
         ldap_bind_dn: str,
         ldap_group_filter: str,
         ldap_group_search_base: str,
@@ -242,7 +238,6 @@ def read_cloudinit(
             encoding="utf-8",
         ) as f_cloudinit:
             mustache_values = {
-                "domain_sid": domain_sid,
                 "ldap_bind_dn": ldap_bind_dn,
                 "ldap_group_filter": ldap_group_filter,
                 "ldap_group_search_base": ldap_group_search_base,

diff --git a/data_safe_haven/resources/active_directory/get_ad_sid.ps1 b/data_safe_haven/resources/active_directory/get_ad_sid.ps1
diff --git a/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml b/data_safe_haven/resources/workspace/workspace.cloud_init.mustache.yaml
@@ -7,40 +7,6 @@ write_files:
       Acquire::http::Proxy "http://{{linux_update_server_ip}}:8000";
       Acquire::https::Proxy "http://{{linux_update_server_ip}}:8000";
 
-  - path: "/etc/nslcd.conf.old"
-    permissions: "0400"
-    content: |
-      # nslcd configuration file.
-      # http://manpages.ubuntu.com/manpages/bionic/man5/nslcd.conf.5.html
-
-      # Runtime options
-      uid nslcd
-      gid nslcd
-      log syslog debug
-
-      # General connection options
-      uri ldap://10.0.0.132:389
-      binddn {{ldap_bind_dn}}
-      bindpw {{ldap_search_password}}
-
-      # Search/mapping options
-      base {{ldap_user_search_base}}
-      base {{ldap_group_search_base}}
-
-      # All users that are members of the correct security group
-      filter passwd (&(objectClass=user)(memberOf=CN={{ldap_user_group_name}},OU=Data Safe Haven Security Groups,{{ldap_root_dn}}))
-
-      # One group for each security group and for each user
-      filter group (|(objectclass=group)(&(objectClass=user)(memberOf=CN={{ldap_user_group_name}},OU=Data Safe Haven Security Groups,{{ldap_root_dn}})))
-
-      # Attribute mappings
-      map  passwd  uid                sAMAccountName
-      map  passwd  gidNumber          objectSid:{{domain_sid}}
-      map  passwd  uidNumber          objectSid:{{domain_sid}}
-      map  passwd  homeDirectory      "${unixHomeDirectory:-/home/$sAMAccountName}"
-      map  group   cn                 sAMAccountName
-      map  group   gidNumber          objectSid:{{domain_sid}}
-
   - path: "/etc/nslcd.conf"
     permissions: "0400"
     content: |