Added kerberos::server::ldap class and removed database checks from kerberos::server.

2012-04-18 16:00:33 +03:00 · 2012-04-18 16:00:33 +03:00 · 1c2fcb7004
commit 1c2fcb7004
parent 4cd4582679
2 changed files with 57 additions and 8 deletions
--- a/kerberos/manifests/init.pp
+++ b/kerberos/manifests/init.pp
@ -136,18 +136,40 @@ class kerberos::server inherits kerberos::client {
        notify  => Service["krb5kdc"],
    }

-    exec { "check-database":
-        command   => "echo 'Run \"kdb5_util create -r ${kerberos_realm} -s\" to initialize database.'",
-        path      => "/bin:/usr/bin:/sbin:/usr/sbin",
-        creates   => "/srv/kerberos/db.${kerberos_realm}.ok",
-        returns   => 1,
-    }
-
    service { "krb5kdc":
        ensure    => running,
        enable    => true,
        subscribe => File["/etc/krb5.conf"],
-        require   => Exec["check-database"],
+    }
+
+    service { "kadmin":
+        ensure  => running,
+        enable  => true,
+        require => Service["krb5kdc"],
+    }
+
+}
+
+
+# Install Kerberos server with LDAP backend
+#
+# === Global variables
+#
+#   $kerberos_realm:
+#       Kerberos realm name.
+#
+#   $kerberos_datadir:
+#       Directory where to store Kerberos authentication keys
+#       defaults to /srv/kerberos
+#
+class kerberos::server::ldap inherits kerberos::server {
+
+    package { "krb5-server-ldap":
+        ensure => installed,
+    }
+
+    File["/var/kerberos/krb5kdc/kdc.conf"] {
+        content => template("kerberos/kdc-ldap.conf.erb"),
    }    

 }
--- a/kerberos/templates/kdc-ldap.conf.erb
+++ b/kerberos/templates/kdc-ldap.conf.erb
@ -0,0 +1,27 @@
+
+[kdcdefaults]
+  kdc_ports = 88
+  kdc_tcp_ports = 88
+
+[realms]
+  <%= kerberos_realm %> = {
+    database_module = ldap.<%= kerberos_realm.downcase %>
+    key_stash_file = /srv/kerberos/.k5.<%= kerberos_realm %>
+    max_life = 24h 0m 0s
+    max_renewable_life = 7d 0h 0m 0s
+    master_key_type = aes256-cts-hmac-sha1-96
+    supported_enctypes = aes256-cts-hmac-sha1-96:normal
+  }
+
+[dbdefaults]
+  ldap_kerberos_container_dn = "ou=system,<%= ldap_basedn %>"
+
+[dbmodules]
+  ldap.<%= kerberos_realm.downcase %> = {
+    db_library = kldap
+    ldap_kerberos_container_dn = ou=system,<%= ldap_basedn %>
+    ldap_kdc_dn = "uid=krb5admin,ou=system,<%= ldap_basedn %>"
+    ldap_kadmind_dn = "uid=krb5admin,ou=system,<%= ldap_basedn %>"
+    ldap_service_password_file = "/srv/kerberos/.ldap.<%= kerberos_realm %>"
+    ldap_servers = "<%= ldap_server.join(" ") %>"
+  }