Refactored ldap::server class.

ldap/templates/slapd-acl.conf.erb

@@ -0,0 +1,32 @@
+
+# database replication
+access to *
+        by dn="uid=replicator,cn=config,<%= name %>" read
+        by * break
+
+# allow everyone to get naming context
+access to dn.base=""
+        by * read
+
+# allow everyone to get directory root object
+access to dn.base="<%= name %>"
+        by * read
+
+# schema browsing requires authentication
+access to dn.base="cn=Subschema"
+        by users read
+        by anonymous auth
+        by * none
+
+# restrict user password
+access to attrs=userPassword
+        by self write
+        by anonymous auth
+        by * none
+
+# allow logged in users to read rest of data
+access to *
+        by self read
+        by users read
+        by anonymous auth
+        by * none

ldap/templates/slapd-database.conf.erb

@@ -0,0 +1,43 @@
+
+#######################################################################
+# Database <%= name %> config
+#######################################################################
+
+database			hdb
+suffix				"<%= name %>"
+checkpoint			1024 15
+rootdn				"cn=manager,<%= name %>"
+
+overlay				ppolicy
+ppolicy_default			cn=pwdPolicy,cn=config,<%= name %>
+ppolicy_hash_cleartext
+ppolicy_use_lockout
+password-hash			{CRYPT}
+password-crypt-salt-format	"$6$%.8s"
+
+overlay				syncprov
+syncprov-checkpoint		100 10
+syncprov-sessionlog		100
+
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory	/srv/ldap/<%= name %>
+
+# include acl and index configs
+include		<%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/acl.<%= name %>.conf
+include		<%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/index.<%= name %>.conf
+
+# map local users connecting via ldapi:///
+sasl-regexp "gidNumber=.*+uidNumber=0,cn=peercred,cn=external,cn=auth"
+	"cn=manager,<%= name %>"
+sasl-regexp "gidNumber=([\d]+)+uidNumber=([\d]+),cn=peercred,cn=external,cn=auth"
+	ldap:///<%= name %>??sub?(&(uidNumber=$2)(objectClass=posixAccount))
+
+# map sasl authenticated users
+sasl-regexp "uid=(.*),cn=plain,cn=auth"
+	ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
+sasl-regexp "uid=(.*),cn=login,cn=auth"
+	ldap:///<%= name %>??sub?(&(uid=$1)(objectClass=posixAccount))
+sasl-regexp "uid=(.*),cn=gssapi,cn=auth"
+	ldap:///<%= name %>??sub?(&(uid=$1)(|(objectClass=posixAccount)(objectClass=krb5Principal)))

ldap/templates/slapd.conf.erb

@@ -0,0 +1,45 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+# Schema configs in different file
+include		<%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/schema.conf
+
+# disable logging
+loglevel	none
+
+# require modern cipher (at least 128bits) for authentication
+security simple_bind=128
+
+# limit search result sizes (but don't set hard limit)
+sizelimit size.soft=500
+sizelimit size.hard=none
+
+pidfile		/var/run/openldap/slapd.pid
+argsfile	/var/run/openldap/slapd.args
+
+# overlay modules to load
+modulepath /usr/lib/openldap
+moduleload ppolicy.la
+moduleload syncprov.la
+<% if has_variable?('ldap_server_modules') -%>
+<%   ldap_server_modules.each do |name| -%>
+moduleload <%= name %>
+<%   end -%>
+<% end -%>
+
+# certificates
+TLSCertificateFile	<%= scope.lookupvar('ssl::certs') %>/slapd.crt
+TLSCertificateKeyFile	<%= scope.lookupvar('ssl::private') %>/slapd.key
+TLSCACertificatePath	<%= scope.lookupvar('ldap::server::config') %>/cacerts
+TLSVerifyClient		never
+
+# include database configs
+include		<%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf
+
+# enable monitoring database
+database monitor
+access to *
+	by peername.ip=127.0.0.1 read
+        by * none