tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactored ldap::server class.

Browse source
This commit is contained in:
Timo Mkinen 2012-03-13 14:50:00 +02:00
parent 742008eee8
commit 756cbeb4f5
8 changed files with 4051 additions and 58 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

610
ldap/files/core.schema Normal file
View file

@ -0,0 +1,610 @@
# OpenLDAP Core schema
# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.schema,v 1.88.2.8 2010/04/13 20:23:48 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2010 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2006).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works. However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be
## followed, or as required to translate it into languages other than
## English.
##
## The limited permissions granted above are perpetual and will not be
## revoked by the Internet Society or its successors or assigns.
##
## This document and the information contained herein is provided on an
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
# Includes LDAPv3 schema items from:
# RFC 2252/2256 (LDAPv3)
#
# Select standard track schema items:
# RFC 1274 (uid/dc)
# RFC 2079 (URI)
# RFC 2247 (dc/dcObject)
# RFC 2587 (PKI)
# RFC 2589 (Dynamic Directory Services)
# RFC 4524 (associatedDomain)
#
# Select informational schema items:
# RFC 2377 (uidObject)
#
# Standard attribute types from RFC 2256
#
# system schema
#attributetype ( 2.5.4.0 NAME 'objectClass'
# DESC 'RFC2256: object classes of the entity'
# EQUALITY objectIdentifierMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
# system schema
#attributetype ( 2.5.4.1 NAME ( 'aliasedObjectName' 'aliasedEntryName' )
# DESC 'RFC2256: name of aliased object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE )
attributetype ( 2.5.4.2 NAME 'knowledgeInformation'
DESC 'RFC2256: knowledge information'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
# system schema
#attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
# DESC 'RFC2256: common name(s) for which the entity is known by'
# SUP name )
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
DESC 'RFC2256: last (family) name(s) for which the entity is known by'
SUP name )
attributetype ( 2.5.4.5 NAME 'serialNumber'
DESC 'RFC2256: serial number of the entity'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
# RFC 4519 definition ('countryName' in X.500 and RFC2256)
attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
DESC 'RFC4519: two-letter ISO-3166 country code'
SUP name
SYNTAX 1.3.6.1.4.1.1466.115.121.1.11
SINGLE-VALUE )
#attributetype ( 2.5.4.6 NAME ( 'c' 'countryName' )
# DESC 'RFC2256: ISO-3166 country 2-letter code'
# SUP name SINGLE-VALUE )
attributetype ( 2.5.4.7 NAME ( 'l' 'localityName' )
DESC 'RFC2256: locality which this object resides in'
SUP name )
attributetype ( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' )
DESC 'RFC2256: state or province which this object resides in'
SUP name )
attributetype ( 2.5.4.9 NAME ( 'street' 'streetAddress' )
DESC 'RFC2256: street address of this object'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 2.5.4.10 NAME ( 'o' 'organizationName' )
DESC 'RFC2256: organization this object belongs to'
SUP name )
attributetype ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' )
DESC 'RFC2256: organizational unit this object belongs to'
SUP name )
attributetype ( 2.5.4.12 NAME 'title'
DESC 'RFC2256: title associated with the entity'
SUP name )
# system schema
#attributetype ( 2.5.4.13 NAME 'description'
# DESC 'RFC2256: descriptive information'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1024} )
# Deprecated by enhancedSearchGuide
attributetype ( 2.5.4.14 NAME 'searchGuide'
DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
attributetype ( 2.5.4.15 NAME 'businessCategory'
DESC 'RFC2256: business category'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 2.5.4.16 NAME 'postalAddress'
DESC 'RFC2256: postal address'
EQUALITY caseIgnoreListMatch
SUBSTR caseIgnoreListSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
attributetype ( 2.5.4.17 NAME 'postalCode'
DESC 'RFC2256: postal code'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
attributetype ( 2.5.4.18 NAME 'postOfficeBox'
DESC 'RFC2256: Post Office Box'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
attributetype ( 2.5.4.19 NAME 'physicalDeliveryOfficeName'
DESC 'RFC2256: Physical Delivery Office Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype ( 2.5.4.20 NAME 'telephoneNumber'
DESC 'RFC2256: Telephone Number'
EQUALITY telephoneNumberMatch
SUBSTR telephoneNumberSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
attributetype ( 2.5.4.21 NAME 'telexNumber'
DESC 'RFC2256: Telex Number'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
attributetype ( 2.5.4.22 NAME 'teletexTerminalIdentifier'
DESC 'RFC2256: Teletex Terminal Identifier'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
attributetype ( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' )
DESC 'RFC2256: Facsimile (Fax) Telephone Number'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
attributetype ( 2.5.4.24 NAME 'x121Address'
DESC 'RFC2256: X.121 Address'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
attributetype ( 2.5.4.25 NAME 'internationaliSDNNumber'
DESC 'RFC2256: international ISDN number'
EQUALITY numericStringMatch
SUBSTR numericStringSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
attributetype ( 2.5.4.26 NAME 'registeredAddress'
DESC 'RFC2256: registered postal address'
SUP postalAddress
SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
attributetype ( 2.5.4.27 NAME 'destinationIndicator'
DESC 'RFC2256: destination indicator'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
attributetype ( 2.5.4.28 NAME 'preferredDeliveryMethod'
DESC 'RFC2256: preferred delivery method'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.14
SINGLE-VALUE )
attributetype ( 2.5.4.29 NAME 'presentationAddress'
DESC 'RFC2256: presentation address'
EQUALITY presentationAddressMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.43
SINGLE-VALUE )
attributetype ( 2.5.4.30 NAME 'supportedApplicationContext'
DESC 'RFC2256: supported application context'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributetype ( 2.5.4.31 NAME 'member'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
attributetype ( 2.5.4.32 NAME 'owner'
DESC 'RFC2256: owner (of the object)'
SUP distinguishedName )
attributetype ( 2.5.4.33 NAME 'roleOccupant'
DESC 'RFC2256: occupant of role'
SUP distinguishedName )
# system schema
#attributetype ( 2.5.4.34 NAME 'seeAlso'
# DESC 'RFC2256: DN of related object'
# SUP distinguishedName )
# system schema
#attributetype ( 2.5.4.35 NAME 'userPassword'
# DESC 'RFC2256/2307: password of user'
# EQUALITY octetStringMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
# Must be transferred using ;binary
# with certificateExactMatch rule (per X.509)
attributetype ( 2.5.4.36 NAME 'userCertificate'
DESC 'RFC2256: X.509 user certificate, use ;binary'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
# Must be transferred using ;binary
# with certificateExactMatch rule (per X.509)
attributetype ( 2.5.4.37 NAME 'cACertificate'
DESC 'RFC2256: X.509 CA certificate, use ;binary'
EQUALITY certificateExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
# Must be transferred using ;binary
attributetype ( 2.5.4.38 NAME 'authorityRevocationList'
DESC 'RFC2256: X.509 authority revocation list, use ;binary'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
# Must be transferred using ;binary
attributetype ( 2.5.4.39 NAME 'certificateRevocationList'
DESC 'RFC2256: X.509 certificate revocation list, use ;binary'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
# Must be stored and requested in the binary form
attributetype ( 2.5.4.40 NAME 'crossCertificatePair'
DESC 'RFC2256: X.509 cross certificate pair, use ;binary'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
# system schema
#attributetype ( 2.5.4.41 NAME 'name'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 2.5.4.42 NAME ( 'givenName' 'gn' )
DESC 'RFC2256: first name(s) for which the entity is known by'
SUP name )
attributetype ( 2.5.4.43 NAME 'initials'
DESC 'RFC2256: initials of some or all of names, but not the surname(s).'
SUP name )
attributetype ( 2.5.4.44 NAME 'generationQualifier'
DESC 'RFC2256: name qualifier indicating a generation'
SUP name )
attributetype ( 2.5.4.45 NAME 'x500UniqueIdentifier'
DESC 'RFC2256: X.500 unique identifier'
EQUALITY bitStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
attributetype ( 2.5.4.46 NAME 'dnQualifier'
DESC 'RFC2256: DN qualifier'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
attributetype ( 2.5.4.47 NAME 'enhancedSearchGuide'
DESC 'RFC2256: enhanced search guide'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
attributetype ( 2.5.4.48 NAME 'protocolInformation'
DESC 'RFC2256: protocol information'
EQUALITY protocolInformationMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
# system schema
#attributetype ( 2.5.4.49 NAME 'distinguishedName'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.5.4.50 NAME 'uniqueMember'
DESC 'RFC2256: unique member of a group'
EQUALITY uniqueMemberMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
attributetype ( 2.5.4.51 NAME 'houseIdentifier'
DESC 'RFC2256: house identifier'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
# Must be transferred using ;binary
attributetype ( 2.5.4.52 NAME 'supportedAlgorithms'
DESC 'RFC2256: supported algorithms'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
# Must be transferred using ;binary
attributetype ( 2.5.4.53 NAME 'deltaRevocationList'
DESC 'RFC2256: delta revocation list; use ;binary'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
attributetype ( 2.5.4.54 NAME 'dmdName'
DESC 'RFC2256: name of DMD'
SUP name )
attributetype ( 2.5.4.65 NAME 'pseudonym'
DESC 'X.520(4th): pseudonym for the object'
SUP name )
# Standard object classes from RFC2256
# system schema
#objectclass ( 2.5.6.0 NAME 'top'
# DESC 'RFC2256: top of the superclass chain'
# ABSTRACT
# MUST objectClass )
# system schema
#objectclass ( 2.5.6.1 NAME 'alias'
# DESC 'RFC2256: an alias'
# SUP top STRUCTURAL
# MUST aliasedObjectName )
objectclass ( 2.5.6.2 NAME 'country'
DESC 'RFC2256: a country'
SUP top STRUCTURAL
MUST c
MAY ( searchGuide $ description ) )
objectclass ( 2.5.6.3 NAME 'locality'
DESC 'RFC2256: a locality'
SUP top STRUCTURAL
MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
objectclass ( 2.5.6.4 NAME 'organization'
DESC 'RFC2256: an organization'
SUP top STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectclass ( 2.5.6.5 NAME 'organizationalUnit'
DESC 'RFC2256: an organizational unit'
SUP top STRUCTURAL
MUST ou
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
objectclass ( 2.5.6.6 NAME 'person'
DESC 'RFC2256: a person'
SUP top STRUCTURAL
MUST ( sn $ cn )
MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson'
DESC 'RFC2256: an organizational person'
SUP person STRUCTURAL
MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
objectclass ( 2.5.6.8 NAME 'organizationalRole'
DESC 'RFC2256: an organizational role'
SUP top STRUCTURAL
MUST cn
MAY ( x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.10 NAME 'residentialPerson'
DESC 'RFC2256: an residential person'
SUP person STRUCTURAL
MUST l
MAY ( businessCategory $ x121Address $ registeredAddress $
destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ preferredDeliveryMethod $ street $
postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l ) )
objectclass ( 2.5.6.11 NAME 'applicationProcess'
DESC 'RFC2256: an application process'
SUP top STRUCTURAL
MUST cn
MAY ( seeAlso $ ou $ l $ description ) )
objectclass ( 2.5.6.12 NAME 'applicationEntity'
DESC 'RFC2256: an application entity'
SUP top STRUCTURAL
MUST ( presentationAddress $ cn )
MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $
description ) )
objectclass ( 2.5.6.13 NAME 'dSA'
DESC 'RFC2256: a directory system agent (a server)'
SUP applicationEntity STRUCTURAL
MAY knowledgeInformation )
objectclass ( 2.5.6.14 NAME 'device'
DESC 'RFC2256: a device'
SUP top STRUCTURAL
MUST cn
MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
objectclass ( 2.5.6.15 NAME 'strongAuthenticationUser'
DESC 'RFC2256: a strong authentication user'
SUP top AUXILIARY
MUST userCertificate )
objectclass ( 2.5.6.16 NAME 'certificationAuthority'
DESC 'RFC2256: a certificate authority'
SUP top AUXILIARY
MUST ( authorityRevocationList $ certificateRevocationList $
cACertificate ) MAY crossCertificatePair )
objectclass ( 2.5.6.17 NAME 'groupOfUniqueNames'
DESC 'RFC2256: a group of unique names (DN and Unique Identifier)'
SUP top STRUCTURAL
MUST ( uniqueMember $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
objectclass ( 2.5.6.18 NAME 'userSecurityInformation'
DESC 'RFC2256: a user security information'
SUP top AUXILIARY
MAY ( supportedAlgorithms ) )
objectclass ( 2.5.6.16.2 NAME 'certificationAuthority-V2'
SUP certificationAuthority
AUXILIARY MAY ( deltaRevocationList ) )
objectclass ( 2.5.6.19 NAME 'cRLDistributionPoint'
SUP top STRUCTURAL
MUST ( cn )
MAY ( certificateRevocationList $ authorityRevocationList $
deltaRevocationList ) )
objectclass ( 2.5.6.20 NAME 'dmd'
SUP top STRUCTURAL
MUST ( dmdName )
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $
street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ st $ l $ description ) )
#
# Object Classes from RFC 2587
#
objectclass ( 2.5.6.21 NAME 'pkiUser'
DESC 'RFC2587: a PKI user'
SUP top AUXILIARY
MAY userCertificate )
objectclass ( 2.5.6.22 NAME 'pkiCA'
DESC 'RFC2587: PKI certificate authority'
SUP top AUXILIARY
MAY ( authorityRevocationList $ certificateRevocationList $
cACertificate $ crossCertificatePair ) )
objectclass ( 2.5.6.23 NAME 'deltaCRL'
DESC 'RFC2587: PKI user'
SUP top AUXILIARY
MAY deltaRevocationList )
#
# Standard Track URI label schema from RFC 2079
# system schema
#attributetype ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI'
# DESC 'RFC2079: Uniform Resource Identifier with optional label'
# EQUALITY caseExactMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject'
DESC 'RFC2079: object that contains the URI attribute type'
SUP top AUXILIARY
MAY ( labeledURI ) )
#
# Derived from RFC 1274, but with new "short names"
#
#attributetype ( 0.9.2342.19200300.100.1.1
# NAME ( 'uid' 'userid' )
# DESC 'RFC1274: user identifier'
# EQUALITY caseIgnoreMatch
# SUBSTR caseIgnoreSubstringsMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 0.9.2342.19200300.100.1.3
NAME ( 'mail' 'rfc822Mailbox' )
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
DESC 'RFC1274: simple security object'
SUP top AUXILIARY
MUST userPassword )
# RFC 1274 + RFC 2247
attributetype ( 0.9.2342.19200300.100.1.25
NAME ( 'dc' 'domainComponent' )
DESC 'RFC1274/2247: domain component'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
# RFC 2247
objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject'
DESC 'RFC2247: domain component object'
SUP top AUXILIARY MUST dc )
# RFC 2377
objectclass ( 1.3.6.1.1.3.1 NAME 'uidObject'
DESC 'RFC2377: uid object'
SUP top AUXILIARY MUST uid )
# RFC 4524
# The 'associatedDomain' attribute specifies DNS [RFC1034][RFC2181]
# host names [RFC1123] that are associated with an object. That is,
# values of this attribute should conform to the following ABNF:
#
# domain = root / label *( DOT label )
# root = SPACE
# label = LETDIG [ *61( LETDIG / HYPHEN ) LETDIG ]
# LETDIG = %x30-39 / %x41-5A / %x61-7A ; "0" - "9" / "A"-"Z" / "a"-"z"
# SPACE = %x20 ; space (" ")
# HYPHEN = %x2D ; hyphen ("-")
# DOT = %x2E ; period (".")
attributetype ( 0.9.2342.19200300.100.1.37
NAME 'associatedDomain'
DESC 'RFC1274: domain associated with object'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# RFC 2459 -- deprecated in favor of 'mail' (in cosine.schema)
attributetype ( 1.2.840.113549.1.9.1
NAME ( 'email' 'emailAddress' 'pkcs9email' )
DESC 'RFC3280: legacy attribute for email addresses in DNs'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

2571
ldap/files/cosine.schema Normal file
View file

File diff suppressed because it is too large Load diff

531
ldap/files/ppolicy.schema Normal file
View file

@ -0,0 +1,531 @@
# $OpenLDAP: pkg/ldap/servers/slapd/schema/ppolicy.schema,v 1.7.2.5 2010/04/13 20:23:49 kurt Exp $
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 2004-2010 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (2004).
## Please see full copyright statement below.
# Definitions from Draft behera-ldap-password-policy-07 (a work in progress)
# Password Policy for LDAP Directories
# With extensions from Hewlett-Packard:
# pwdCheckModule etc.
# Contents of this file are subject to change (including deletion)
# without notice.
#
# Not recommended for production use!
# Use with extreme caution!
#Network Working Group J. Sermersheim
#Internet-Draft Novell, Inc
#Expires: April 24, 2005 L. Poitou
# Sun Microsystems
# October 24, 2004
#
#
# Password Policy for LDAP Directories
# draft-behera-ldap-password-policy-08.txt
#
#Status of this Memo
#
# This document is an Internet-Draft and is subject to all provisions
# of section 3 of RFC 3667. By submitting this Internet-Draft, each
# author represents that any applicable patent or other IPR claims of
# which he or she is aware have been or will be disclosed, and any of
# which he or she become aware will be disclosed, in accordance with
# RFC 3668.
#
# Internet-Drafts are working documents of the Internet Engineering
# Task Force (IETF), its areas, and its working groups. Note that
# other groups may also distribute working documents as
# Internet-Drafts.
#
# Internet-Drafts are draft documents valid for a maximum of six months
# and may be updated, replaced, or obsoleted by other documents at any
# time. It is inappropriate to use Internet-Drafts as reference
# material or to cite them other than as "work in progress."
#
# The list of current Internet-Drafts can be accessed at
# http://www.ietf.org/ietf/1id-abstracts.txt.
#
# The list of Internet-Draft Shadow Directories can be accessed at
# http://www.ietf.org/shadow.html.
#
# This Internet-Draft will expire on April 24, 2005.
#
#Copyright Notice
#
# Copyright (C) The Internet Society (2004).
#
#Abstract
#
# Password policy as described in this document is a set of rules that
# controls how passwords are used and administered in Lightweight
# Directory Access Protocol (LDAP) based directories. In order to
# improve the security of LDAP directories and make it difficult for
# password cracking programs to break into directories, it is desirable
# to enforce a set of rules on password usage. These rules are made to
#
# [trimmed]
#
#5. Schema used for Password Policy
#
# The schema elements defined here fall into two general categories. A
# password policy object class is defined which contains a set of
# administrative password policy attributes, and a set of operational
# attributes are defined that hold general password policy state
# information for each user.
#
#5.2 Attribute Types used in the pwdPolicy ObjectClass
#
# Following are the attribute types used by the pwdPolicy object class.
#
#5.2.1 pwdAttribute
#
# This holds the name of the attribute to which the password policy is
# applied. For example, the password policy may be applied to the
# userPassword attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.1
NAME 'pwdAttribute'
EQUALITY objectIdentifierMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
#5.2.2 pwdMinAge
#
# This attribute holds the number of seconds that must elapse between
# modifications to the password. If this attribute is not present, 0
# seconds is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.2
NAME 'pwdMinAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.3 pwdMaxAge
#
# This attribute holds the number of seconds after which a modified
# password will expire.
#
# If this attribute is not present, or if the value is 0 the password
# does not expire. If not 0, the value must be greater than or equal
# to the value of the pwdMinAge.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.3
NAME 'pwdMaxAge'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.4 pwdInHistory
#
# This attribute specifies the maximum number of used passwords stored
# in the pwdHistory attribute.
#
# If this attribute is not present, or if the value is 0, used
# passwords are not stored in the pwdHistory attribute and thus may be
# reused.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.4
NAME 'pwdInHistory'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.5 pwdCheckQuality
#
# {TODO: Consider changing the syntax to OID. Each OID will list a
# quality rule (like min len, # of special characters, etc). These
# rules can be specified outsid ethis document.}
#
# {TODO: Note that even though this is meant to be a check that happens
# during password modification, it may also be allowed to happen during
# authN. This is useful for situations where the password is encrypted
# when modified, but decrypted when used to authN.}
#
# This attribute indicates how the password quality will be verified
# while being modified or added. If this attribute is not present, or
# if the value is '0', quality checking will not be enforced. A value
# of '1' indicates that the server will check the quality, and if the
# server is unable to check it (due to a hashed password or other
# reasons) it will be accepted. A value of '2' indicates that the
# server will check the quality, and if the server is unable to verify
# it, it will return an error refusing the password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.5
NAME 'pwdCheckQuality'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.6 pwdMinLength
#
# When quality checking is enabled, this attribute holds the minimum
# number of characters that must be used in a password. If this
# attribute is not present, no minimum password length will be
# enforced. If the server is unable to check the length (due to a
# hashed password or otherwise), the server will, depending on the
# value of the pwdCheckQuality attribute, either accept the password
# without checking it ('0' or '1') or refuse it ('2').
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.6
NAME 'pwdMinLength'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.7 pwdExpireWarning
#
# This attribute specifies the maximum number of seconds before a
# password is due to expire that expiration warning messages will be
# returned to an authenticating user.
#
# If this attribute is not present, or if the value is 0 no warnings
# will be returned. If not 0, the value must be smaller than the value
# of the pwdMaxAge attribute.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.7
NAME 'pwdExpireWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.8 pwdGraceAuthNLimit
#
# This attribute specifies the number of times an expired password can
# be used to authenticate. If this attribute is not present or if the
# value is 0, authentication will fail.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.8
NAME 'pwdGraceAuthNLimit'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.9 pwdLockout
#
# This attribute indicates, when its value is "TRUE", that the password
# may not be used to authenticate after a specified number of
# consecutive failed bind attempts. The maximum number of consecutive
# failed bind attempts is specified in pwdMaxFailure.
#
# If this attribute is not present, or if the value is "FALSE", the
# password may be used to authenticate when the number of failed bind
# attempts has been reached.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.9
NAME 'pwdLockout'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.10 pwdLockoutDuration
#
# This attribute holds the number of seconds that the password cannot
# be used to authenticate due to too many failed bind attempts. If
# this attribute is not present, or if the value is 0 the password
# cannot be used to authenticate until reset by a password
# administrator.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.10
NAME 'pwdLockoutDuration'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.11 pwdMaxFailure
#
# This attribute specifies the number of consecutive failed bind
# attempts after which the password may not be used to authenticate.
# If this attribute is not present, or if the value is 0, this policy
# is not checked, and the value of pwdLockout will be ignored.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.11
NAME 'pwdMaxFailure'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.12 pwdFailureCountInterval
#
# This attribute holds the number of seconds after which the password
# failures are purged from the failure counter, even though no
# successful authentication occurred.
#
# If this attribute is not present, or if its value is 0, the failure
# counter is only reset by a successful authentication.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.12
NAME 'pwdFailureCountInterval'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE )
#5.2.13 pwdMustChange
#
# This attribute specifies with a value of "TRUE" that users must
# change their passwords when they first bind to the directory after a
# password is set or reset by a password administrator. If this
# attribute is not present, or if the value is "FALSE", users are not
# required to change their password upon binding after the password
# administrator sets or resets the password. This attribute is not set
# due to any actions specified by this document, it is typically set by
# a password administrator after resetting a user's password.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.13
NAME 'pwdMustChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.14 pwdAllowUserChange
#
# This attribute indicates whether users can change their own
# passwords, although the change operation is still subject to access
# control. If this attribute is not present, a value of "TRUE" is
# assumed. This attribute is intended to be used in the absense of an
# access control mechanism.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
#5.2.15 pwdSafeModify
#
# This attribute specifies whether or not the existing password must be
# sent along with the new password when being changed. If this
# attribute is not present, a "FALSE" value is assumed.
attributetype ( 1.3.6.1.4.1.42.2.27.8.1.15
NAME 'pwdSafeModify'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
# HP extensions
#
# pwdCheckModule
#
# This attribute names a user-defined loadable module that provides
# a check_password() function. If pwdCheckQuality is set to '1' or '2'
# this function will be called after all of the internal password
# quality checks have been passed. The function has this prototype:
#
# int check_password( char *password, char **errormessage, void *arg )
#
# The function should return LDAP_SUCCESS for a valid password.
attributetype ( 1.3.6.1.4.1.4754.1.99.1
NAME 'pwdCheckModule'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
DESC 'Loadable module that instantiates "check_password() function'
SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.4754.2.99.1
NAME 'pwdPolicyChecker'
SUP top
AUXILIARY
MAY ( pwdCheckModule ) )
#5.1 The pwdPolicy Object Class
#
# This object class contains the attributes defining a password policy
# in effect for a set of users. Section 10 describes the
# administration of this object, and the relationship between it and
# particular objects.
#
objectclass ( 1.3.6.1.4.1.42.2.27.8.2.1
NAME 'pwdPolicy'
SUP top
AUXILIARY
MUST ( pwdAttribute )
MAY ( pwdMinAge $ pwdMaxAge $ pwdInHistory $ pwdCheckQuality $
pwdMinLength $ pwdExpireWarning $ pwdGraceAuthNLimit $ pwdLockout
$ pwdLockoutDuration $ pwdMaxFailure $ pwdFailureCountInterval $
pwdMustChange $ pwdAllowUserChange $ pwdSafeModify ) )
#5.3 Attribute Types for Password Policy State Information
#
# Password policy state information must be maintained for each user.
# The information is located in each user entry as a set of operational
# attributes. These operational attributes are: pwdChangedTime,
# pwdAccountLockedTime, pwdFailureTime, pwdHistory, pwdGraceUseTime,
# pwdReset, pwdPolicySubEntry.
#
#5.3.1 Password Policy State Attribute Option
#
# Since the password policy could apply to several attributes used to
# store passwords, each of the above operational attributes must have
# an option to specify which pwdAttribute it applies to. The password
# policy option is defined as the following:
#
# pwd-<passwordAttribute>
#
# where passwordAttribute a string following the OID syntax
# (1.3.6.1.4.1.1466.115.121.1.38). The attribute type descriptor
# (short name) MUST be used.
#
# For example, if the pwdPolicy object has for pwdAttribute
# "userPassword" then the pwdChangedTime operational attribute, in a
# user entry, will be:
#
# pwdChangedTime;pwd-userPassword: 20000103121520Z
#
# This attribute option follows sub-typing semantics. If a client
# requests a password policy state attribute to be returned in a search
# operation, and does not specify an option, all subtypes of that
# policy state attribute are returned.
#
#5.3.2 pwdChangedTime
#
# This attribute specifies the last time the entry's password was
# changed. This is used by the password expiration policy. If this
# attribute does not exist, the password will never expire.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.16
# NAME 'pwdChangedTime'
# DESC 'The time the password was last changed'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.3 pwdAccountLockedTime
#
# This attribute holds the time that the user's account was locked. A
# locked account means that the password may no longer be used to
# authenticate. A 000001010000Z value means that the account has been
# locked permanently, and that only a password administrator can unlock
# the account.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.17
# NAME 'pwdAccountLockedTime'
# DESC 'The time an user account was locked'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.4 pwdFailureTime
#
# This attribute holds the timestamps of the consecutive authentication
# failures.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.19
# NAME 'pwdFailureTime'
# DESC 'The timestamps of the last consecutive authentication
# failures'
# EQUALITY generalizedTimeMatch
# ORDERING generalizedTimeOrderingMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
# USAGE directoryOperation )
#
#5.3.5 pwdHistory
#
# This attribute holds a history of previously used passwords. Values
# of this attribute are transmitted in string format as given by the
# following ABNF:
#
# pwdHistory = time "#" syntaxOID "#" length "#" data
#
# time = <generalizedTimeString as specified in 6.14
# of [RFC2252]>
#
# syntaxOID = numericoid ; the string representation of the
# ; dotted-decimal OID that defines the
# ; syntax used to store the password.
# ; numericoid is described in 4.1
# ; of [RFC2252].
#
# length = numericstring ; the number of octets in data.
# ; numericstring is described in 4.1
# ; of [RFC2252].
#
# data = <octets representing the password in the format
# specified by syntaxOID>.
#
# This format allows the server to store, and transmit a history of
# passwords that have been used. In order for equality matching to
# function properly, the time field needs to adhere to a consistent
# format. For this purpose, the time field MUST be in GMT format.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.20
# NAME 'pwdHistory'
# DESC 'The history of user s passwords'
# EQUALITY octetStringMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
# USAGE directoryOperation )
#
#5.3.6 pwdGraceUseTime
#
# This attribute holds the timestamps of grace authentications after a
# password has expired.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.21
# NAME 'pwdGraceUseTime'
# DESC 'The timestamps of the grace authentication after the
# password has expired'
# EQUALITY generalizedTimeMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
#
#5.3.7 pwdReset
#
# This attribute holds a flag to indicate (when TRUE) that the password
# has been updated by the password administrator and must be changed by
# the user on first authentication.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.22
# NAME 'pwdReset'
# DESC 'The indication that the password has been reset'
# EQUALITY booleanMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
# SINGLE-VALUE
# USAGE directoryOperation )
#
#5.3.8 pwdPolicySubentry
#
# This attribute points to the pwdPolicy subentry in effect for this
# object.
#
# ( 1.3.6.1.4.1.42.2.27.8.1.23
# NAME 'pwdPolicySubentry'
# DESC 'The pwdPolicy subentry in effect for this object'
# EQUALITY distinguishedNameMatch
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
# SINGLE-VALUE
# USAGE directoryOperation )
#
#
#Disclaimer of Validity
#
# This document and the information contained herein are provided on an
# "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
# OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
# ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
# INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
# WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
#
#
#Copyright Statement
#
# Copyright (C) The Internet Society (2004). This document is subject
# to the rights, licenses and restrictions contained in BCP 78, and
# except as set forth therein, the authors retain all their rights.

5
ldap/files/slapd-index.conf Normal file
View file

@ -0,0 +1,5 @@
index objectClass eq,pres
index uid eq,pres
index cn eq,pres,sub

272
ldap/manifests/init.pp
View file

@ -279,25 +279,49 @@ class ldap::client::ruby {
}
# Install OpenLDAP server.
#
# === Global variables
#
# $ldap_datadir:
# Directory for LDAP databases. Defaults to /srv/ldap.
#
# $ldap_modules:
# List of dynamic modules to load, syncprov and ppolicy modules
# are always loaded.
#
# $ldap_server_key:
# Path to SSL private key. Defaults to puppet client key.
#
# $ldap_server_cert:
# Path to SSL certificate. Defaults to puppet client certificate.
#
class ldap::server {
include ssl
if !$ldap_server_key {
$ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem"
}
if !$ldap_server_cert {
$ldap_server_cert = "${puppet_ssldir}/certs/${homename}.pem"
}
case $operatingsystem {
"debian","ubuntu": {
$user = "openldap"
$group = "openldap"
$package_name = "slapd"
$service_name = "slapd"
$config = "/etc/ldap"
}
"fedora": {
$user = "ldap"
$group = "ldap"
$package_name = "openldap-servers"
$service_name = "slapd"
$config = "/etc/openldap"
}
"centos": {
$user = "ldap"
@ -310,35 +334,14 @@ class ldap::server {
/^5/ => "ldap",
/^6/ => "slapd",
}
$config = "/etc/openldap"
}
"openbsd": {
$user = "_openldap"
$group = "_openldap"
$package_name = "openldap-server"
$service_name = "slapd"
}
}
if $ldap_datadir {
file { "${ldap_datadir}":
ensure => directory,
mode => 0700,
owner => $user,
group => $group,
require => Package["openldap-server"],
}
file { "/srv/ldap":
ensure => link,
target => "${ldap_datadir}",
require => File["${ldap_datadir}"],
}
} else {
file { "/srv/ldap":
ensure => directory,
mode => 0700,
owner => $user,
group => $group,
require => Package["openldap-server"],
$config = "/etc/openldap"
}
}
@ -347,32 +350,49 @@ class ldap::server {
ensure => installed,
}
service { "slapd":
name => $service_name,
start => $operatingsystem ? {
"openbsd" => "/usr/local/libexec/slapd -u _openldap -h ldap:///\\ ldaps:///",
default => undef,
file { "${ssl::certs}/slapd.crt":
ensure => present,
source => $ldap_server_cert,
mode => 0644,
owner => "root",
group => $operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
ensure => running,
enable => true,
require => Package ["openldap-server"]
require => Package["openldap-server"],
notify => Service["slapd"],
}
file { "${ssl::private}/slapd.key":
ensure => present,
source => $ldap_server_key,
mode => 0640,
owner => "root",
group => $group,
require => Package["openldap-server"],
notify => Service["slapd"],
}
file { "slapd.conf":
path => $operatingsystem ? {
"ubuntu" => "/etc/ldap/slapd.conf",
"debian" => "/etc/ldap/slapd.conf",
default => "/etc/openldap/slapd.conf",
},
path => "${config}/slapd.conf",
ensure => present,
source => [ "puppet:///files/ldap/slapd.conf.${fqdn}",
"puppet:///files/ldap/slapd.conf", ],
content => template("ldap/slapd.conf.erb"),
mode => 0640,
owner => root,
owner => "root",
group => $group,
notify => Service["slapd"],
require => Package["openldap-server"],
}
file { "${config}/slapd.conf.d":
ensure => directory,
source => "puppet:///modules/custom/empty",
mode => 0750,
owner => "root",
group => $group,
purge => true,
recurse => true,
force => true,
require => Package["openldap-server"],
}
if $operatingsystem == "CentOS" and $operatinsystemrelease !~ /^5\./ {
file { "/etc/sysconfig/ldap":
@ -386,9 +406,153 @@ class ldap::server {
}
}
file { "/srv/ldap/DB_CONFIG":
service { "slapd":
name => $service_name,
start => $operatingsystem ? {
"openbsd" => "/usr/local/libexec/slapd -u _openldap -h ldap:///\\ ldaps:///\\ ldapi:///",
default => undef,
},
ensure => running,
enable => true,
require => Package ["openldap-server"]
}
if $ldap_datadir {
file { "${ldap_datadir}":
ensure => directory,
mode => 0700,
owner => $user,
group => $group,
require => Package["openldap-server"],
}
file { "/srv/ldap":
ensure => link,
target => "${ldap_datadir}",
require => File["${ldap_datadir}"],
}
} else {
file { "/srv/ldap":
ensure => directory,
mode => 0700,
owner => $user,
group => $group,
require => Package["openldap-server"],
}
}
file { "${config}/schema":
ensure => directory,
source => "puppet:///modules/custom/empty",
mode => 0755,
owner => "root",
group => $operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
purge => true,
recurse => true,
force => true,
require => Package["openldap-server"],
}
file { "${config}/slapd.conf.d/schema.conf":
ensure => present,
source => [ "puppet:///files/ldap/DB_CONFIG.${fqdn}",
mode => 0640,
owner => "root",
group => $group,
require => Exec["generate-slapd-schema-config"],
}
exec { "generate-slapd-schema-config":
command => "find ${config}/schema/*.schema -exec echo 'include {}' \; | sort -n > ${config}/slapd.conf.d/schema.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
notify => Service["slapd"],
}
ldap::server::schema { [ "core", "cosine", "ppolicy", ]:
idx => 10,
}
file { "${config}/slapd.conf.d/database.conf":
ensure => present,
mode => 0640,
owner => "root",
group => $group,
require => Exec["generate-slapd-database-config"],
}
exec { "generate-slapd-database-config":
command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \; > ${config}/slapd.conf.d/database.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
notify => Service["slapd"],
}
}
# Create new LDAP database.
#
# === Parameters
#
# $name:
# Database suffix (base DN).
#
# $aclsource:
# Source file for custom ACL's. Default is to use template.
#
# === Sample usage
#
# ldap::server::database { "dc=example,dc=com": }
#
define ldap::server::database($aclsource = "") {
include ldap::server
file { "${ldap::server::config}/slapd.conf.d/db.${name}.conf":
ensure => present,
content => template("ldap/slapd-database.conf.erb"),
mode => 0640,
owner => "root",
group => $ldap::server::group,
notify => Exec["generate-slapd-database-config"],
}
file { "${ldap::server::config}/slapd.conf.d/acl.${name}.conf":
ensure => present,
source => $aclsource ? {
"" => undef,
default => $aclsource,
},
content => $aclsource ? {
"" => template("ldap/slapd-acl.conf.erb"),
default => undef,
},
mode => 0640,
owner => "root",
group => $ldap::server::group,
notify => Service["slapd"],
}
file { "${ldap::server::config}/slapd.conf.d/index.${name}.conf":
ensure => present,
source => [ "puppet:///files/ldap/slapd-index.conf.${name}",
"puppet:///files/ldap/slapd-index.conf",
"puppet:///modules/ldap/slapd-index.conf", ],
mode => 0640,
owner => "root",
group => $ldap::server::group,
notify => Service["slapd"],
}
file { "/srv/ldap/${name}":
ensure => directory,
mode => 0700,
owner => $ldap::server::user,
group => $ldap::server::group,
require => File["/srv/ldap"],
}
file { "/srv/ldap/${name}/DB_CONFIG":
ensure => present,
source => [ "puppet:///files/ldap/DB_CONFIG.${name}",
"puppet:///files/ldap/DB_CONFIG",
"puppet:///modules/ldap/DB_CONFIG", ],
mode => 0644,
@ -397,18 +561,10 @@ class ldap::server {
"openbsd" => "wheel",
default => "root",
},
require => File["/srv/ldap"]
require => File["/srv/ldap/${name}"],
before => Service["slapd"],
}
ldap::server::schema { "apple-auth": }
ldap::server::schema { "apple": }
ldap::server::schema { "autofs": }
ldap::server::schema { "dnszone": }
ldap::server::schema { "hdb": }
ldap::server::schema { "openssh-lpk": }
ldap::server::schema { "rfc2307bis": }
ldap::server::schema { "samba": }
}
@ -419,30 +575,30 @@ class ldap::server {
# $name:
# Schema name.
#
# $idx:
# Schema load order. Defaults to 50.
#
# === Sample usage
#
# ldap::server::schema { "samba": }
#
define ldap::server::schema() {
define ldap::server::schema($idx = 50) {
include ldap::server
file { "${name}.schema":
path => $operatingsystem ? {
"ubuntu" => "/etc/ldap/schema/${name}.schema",
"debian" => "/etc/ldap/schema/${name}.schema",
default => "/etc/openldap/schema/${name}.schema",
},
path => "${ldap::server::config}/schema/${idx}-${name}.schema",
ensure => present,
source => [ "puppet:///files/ldap/${name}.schema",
"puppet:///modules/ldap/${name}.schema", ],
mode => 0644,
owner => root,
owner => "root",
group => $operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => Package["openldap-server"],
notify => Exec["generate-slapd-schema-config"],
}
}

32
ldap/templates/slapd-acl.conf.erb Normal file
View file

@ -0,0 +1,32 @@
# database replication
access to *
by dn="uid=replicator,cn=config,<%= name %>" read
by * break
# allow everyone to get naming context
access to dn.base=""
by * read
# allow everyone to get directory root object
access to dn.base="<%= name %>"
by * read
# schema browsing requires authentication
access to dn.base="cn=Subschema"
by users read
by anonymous auth
by * none
# restrict user password
access to attrs=userPassword
by self write
by anonymous auth
by * none
# allow logged in users to read rest of data
access to *
by self read
by users read
by anonymous auth
by * none

43
ldap/templates/slapd-database.conf.erb Normal file
View file

@ -0,0 +1,43 @@
#######################################################################
# Database <%= name %> config
#######################################################################
database hdb
suffix "<%= name %>"
checkpoint 1024 15
rootdn "cn=manager,<%= name %>"
overlay ppolicy
ppolicy_default cn=pwdPolicy,cn=config,<%= name %>
ppolicy_hash_cleartext
ppolicy_use_lockout
password-hash {CRYPT}
password-crypt-salt-format "$6$%.8s"
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /srv/ldap/<%= name %>
# include acl and index configs
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/acl.<%= name %>.conf
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf
# map local users connecting via ldapi:///
sasl-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth"
"cn=manager,<%= name %>"
sasl-regexp "gidNumber=([\d]+)+uidNumber=([\d]+),cn=peercred,cn=external,cn=auth"
ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount))
# map sasl authenticated users
sasl-regexp "uid=(.*),cn=plain,cn=auth"
ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
sasl-regexp "uid=(.*),cn=login,cn=auth"
ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
sasl-regexp "uid=(.*),cn=gssapi,cn=auth"
ldap:///<%= name %>??sub?(&(uid=$1)(|(objectClass=posixAccount)(objectClass=krb5Principal)))

45
ldap/templates/slapd.conf.erb Normal file
View file

@ -0,0 +1,45 @@
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Schema configs in different file
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/schema.conf
# disable logging
loglevel none
# require modern cipher (at least 128bits) for authentication
security simple_bind=128
# limit search result sizes (but don't set hard limit)
sizelimit size.soft=500
sizelimit size.hard=none
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# overlay modules to load
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload syncprov.la
<% if has_variable?('ldap_server_modules') -%>
<% ldap_server_modules.each do |name| -%>
moduleload <%= name %>
<% end -%>
<% end -%>
# certificates
TLSCertificateFile <%= scope.lookupvar('ssl::certs') %>/slapd.crt
TLSCertificateKeyFile <%= scope.lookupvar('ssl::private') %>/slapd.key
TLSCACertificatePath <%= scope.lookupvar('ldap::server::config') %>/cacerts
TLSVerifyClient never
# include database configs
include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf
# enable monitoring database
database monitor
access to *
by peername.ip=127.0.0.1 read
by * none