ldap: Added gssapi and bind authentication support to nslcd.

2014-01-22 01:41:20 +02:00 · 2014-01-22 01:41:20 +02:00 · 6d6e165dad
commit 6d6e165dad
parent 8896fa28f8
2 changed files with 67 additions and 1 deletions
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -14,11 +14,37 @@
 #
 # === Parameters
 #
 #   $auth:
 #       Authentication method to use for LDAP queries. Valid values
 #       are anonymous, bind and gssapi. Default is anonymous.
 #
 #   $credentials:
 #       Credentials for authentication. For simple bind use array
 #       containig user dn and password. For gssapi use array containing
 #       principal name.
 #
 #   $mapping:
 #       Attribute mapping to use. Valid values are ad and rfc2307.
 #       Default is rfc2307.
 #
-class ldap::auth($mapping="rfc2307") inherits ldap::client {
+# === Sample usage
 #
 # class { "ldap::auth":
 #     auth        => "bind",
 #     credentials => [ "uid=user,dc=example,dc=com", "secret", ],
 # }
 #
 # class { "ldap::auth":
 #     auth        => "gssapi",
 #     credentials => [ "MYHOST\$@EXAMPLE.COM" ],
 #     mapping     => "ad",
 # }
 #
 class ldap::auth(
    $auth="anonymous",
    $credentials=[],
    $mapping="rfc2307"
 ) inherits ldap::client {
    include pam::common
@ -31,6 +57,27 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
        $ssl = "off"
    }
    case $auth {
        "anonymous": {}
        "bind": {
            if !$credentials[0] and !$credentials[1] {
                fail("no \$credentials argument set")
            }
        }
        "gssapi": {
            require kerberos::kstart
            require sasl::client
            if $credentials[0] {
                $principal = $credentials[0]
            } else {
                $principal = "host/${::homename}"
            }
        }
        default: {
            fail("unsupported auth value \"${auth}\"")
        }
    }
    if $::kernel == "Linux" {
        include nscd
    }
@ -58,6 +105,9 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
                        group   => "root",
                        notify  => Service["nslcd"],
                    }
                    if $auth == "gssapi" {
                        fail("gssapi not supported on ${::operatingsystem}")
                    }
                    augeas { "pam-ldap-conf":
                        changes => [ "set ssl ${ssl}",
                                     "set pam_password exop",
@ -111,6 +161,13 @@ class ldap::auth($mapping="rfc2307") inherits ldap::client {
                require => Package["libnss-ldapd"],
                notify  => Service["nslcd"],
            }
            if $auth == "gssapi" { 
                augeas { "ldap-auth-set-principal":
                    context => "/files/etc/default/nslcd",
                    changes => "set K5START_PRINCIPAL '${principal}'",
                    notify  => Service["nslcd"],
                }
            }
            service { "nslcd":
                ensure => running,
                enable => true,
--- a/ldap/templates/nslcd.conf.erb
+++ b/ldap/templates/nslcd.conf.erb
@ -25,6 +25,15 @@ pagesize 500
 map group member uniqueMember
 <%   end -%>
 <% end -%>
 <% if @auth == 'bind' -%>
 binddn <%= @credentials[0] %>
 bindpw <%= @credentials[1] %>
 <% elsif @auth == 'gssapi' -%>
 sasl_mech GSSAPI
 krb5_ccname FILE:/var/run/nslcd/krb5cc_nslcd
 <% end -%>
 <% if @ldap_uri =~ /^ldaps:/ -%>
 ssl on