ldap: Added gssapi and bind authentication support to nslcd.

2014-01-22 01:41:20 +02:00 · 2014-01-22 01:41:20 +02:00 · 6d6e165dad
commit 6d6e165dad
parent 8896fa28f8
2 changed files with 67 additions and 1 deletions
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -14,11 +14,37 @@
 #
 # === Parameters
 #
+#   $auth:
+#       Authentication method to use for LDAP queries. Valid values
+#       are anonymous, bind and gssapi. Default is anonymous.
+#
+#   $credentials:
+#       Credentials for authentication. For simple bind use array
+#       containig user dn and password. For gssapi use array containing
+#       principal name.
+#
 #   $mapping:
 #       Attribute mapping to use. Valid values are ad and rfc2307.
 #       Default is rfc2307.
 #
-class ldap::auth($mapping="rfc2307") inherits ldap::client {
+# === Sample usage
+#
+# class { "ldap::auth":
+#     auth        => "bind",
+#     credentials => [ "uid=user,dc=example,dc=com", "secret", ],
+# }
+#
+# class { "ldap::auth":
+#     auth        => "gssapi",
+#     credentials => [ "MYHOST\$@EXAMPLE.COM" ],
+#     mapping     => "ad",
+# }
+#
+class ldap::auth(
+    $auth="anonymous",
+    $credentials=[],
+    $mapping="rfc2307"
+) inherits ldap::client {

    include pam::common

@ -31,6 +57,27 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
        $ssl = "off"
    }

+    case $auth {
+        "anonymous": {}
+        "bind": {
+            if !$credentials[0] and !$credentials[1] {
+                fail("no \$credentials argument set")
+            }
+        }
+        "gssapi": {
+            require kerberos::kstart
+            require sasl::client
+            if $credentials[0] {
+                $principal = $credentials[0]
+            } else {
+                $principal = "host/${::homename}"
+            }
+        }
+        default: {
+            fail("unsupported auth value \"${auth}\"")
+        }
+    }
+
    if $::kernel == "Linux" {
        include nscd
    }
@ -58,6 +105,9 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
                        group   => "root",
                        notify  => Service["nslcd"],
                    }
+                    if $auth == "gssapi" {
+                        fail("gssapi not supported on ${::operatingsystem}")
+                    }
                    augeas { "pam-ldap-conf":
                        changes => [ "set ssl ${ssl}",
                                     "set pam_password exop",
@ -111,6 +161,13 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
                require => Package["libnss-ldapd"],
                notify  => Service["nslcd"],
            }
+            if $auth == "gssapi" { 
+                augeas { "ldap-auth-set-principal":
+                    context => "/files/etc/default/nslcd",
+                    changes => "set K5START_PRINCIPAL '${principal}'",
+                    notify  => Service["nslcd"],
+                }
+            }
            service { "nslcd":
                ensure => running,
                enable => true,
--- a/ldap/templates/nslcd.conf.erb
+++ b/ldap/templates/nslcd.conf.erb
@ -25,6 +25,15 @@ pagesize 500
 map group member uniqueMember
 <%   end -%>
 <% end -%>
+<% if @auth == 'bind' -%>
+
+binddn <%= @credentials[0] %>
+bindpw <%= @credentials[1] %>
+<% elsif @auth == 'gssapi' -%>
+
+sasl_mech GSSAPI
+krb5_ccname FILE:/var/run/nslcd/krb5cc_nslcd
+<% end -%>

 <% if @ldap_uri =~ /^ldaps:/ -%>
 ssl on