From 77ec635d150a2f1c0b83023fc0a4d18fc3912ae0 Mon Sep 17 00:00:00 2001
From: Jarkko Huttunen
Date: Mon, 1 Aug 2011 09:35:19 +0300
Subject: [PATCH] Improved multiOS support to ldap-module
---
 ldap/manifests/init.pp | 143 +++++++++++++++++++++++++++++++++--------
 1 file changed, 117 insertions(+), 26 deletions(-)
diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index ab1dc2d..4c1ba9a 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -59,14 +59,69 @@ class ldap::auth inherits ldap::client {
 "set base ${ldap_basedn}",
 "set nss_paged_results yes",
 "set pam_password exop",
+ "rm rootbinddn",
 "set ssl on", ],
 onlyif => [ "get uri != '${ldap_uri}'",
 "get base != ${ldap_basedn}",
 "get nss_paged_results != yes",
 "get pam_password != exop",
+ "get rootbinddn == 'cn=manager,dc=example,dc=net'",
 "get ssl != on", ],
 }
 }
+ Debian: {
+ package {[ "libnss-ldap",
+ "libpam-ldap" ]:
+ ensure => installed,
+ }
+## Debian lacks some lenses. nss-ldap-conf and pam_ldap-conf needs corresponding files
+## to /usr/share/augeas/lenses/dist/spacevars.aug. More info at:
+## https://github.com/jwm/augeas/commit/8f768f45779048cbd95b5b7d71682b808d41bfd3
+## There isn't lens for nsswitch.conf either. nss-ldap-conf and pam_ldap-conf are tested, nsswitch isn't.
+# augeas { "nss-ldap-conf":
+# context => "/files/etc/libnss-ldap.conf",
+# changes => [ "set uri '${ldap_uri}'",
+# "set base ${ldap_basedn}",
+# "set nss_paged_results yes",
+# "set pam_password exop",
+# "rm rootbinddn",
+# "set ssl on", ],
+# onlyif => [ "get uri != '${ldap_uri}'",
+# "get base != ${ldap_basedn}",
+# "get nss_paged_results != yes",
+# "get pam_password != exop",
+# "get rootbinddn == 'cn=manager,dc=example,dc=net'",
+# "get ssl != on", ],
+# require => Package["libnss-ldap"],
+# }
+# augeas { "pam_ldap-conf":
+# context => "/files/etc/pam_ldap.conf",
+# changes => [ "set uri '${ldap_uri}'",
+# "set base ${ldap_basedn}",
+# "set nss_paged_results yes",
+# "set pam_password exop",
+# "rm rootbinddn",
+# "set ssl on", ],
+# onlyif => [ "get uri != '${ldap_uri}'",
+# "get base != ${ldap_basedn}",
+# "get nss_paged_results != yes",
+# "get pam_password != exop",
+# "get rootbinddn == 'cn=manager,dc=example,dc=net'",
+# "get ssl != on", ],
+# require => Package["libpam-ldap"],
+# }
+# augeas { "nsswitch-conf":
+# context => "/files/etc/nsswitch.conf",
+# changes => [ "set passwd: 'files ldap'",
+# "set group: 'files ldap'",
+# "set shadow: 'files 
ldap'", ],
+# onlyif => [ "get passwd: != 'files ldap'",
+# "get group: != 'files ldap'",
+# "get shadow: != 'files ldap'", ],
+# require => [ Augeas["pam_ldap-conf"],
+# Augeas["nss-ldap-conf"], ],
+# }
+ }
 OpenBSD: {
 if ! $ldap_login_umask {
 $ldap_login_umask = "077"
@@ -105,9 +160,9 @@ class ldap::client {
 package { "openldap-client":
 name => $operatingsystem ? {
- debian => "ldap-utils",
- ubuntu => "ldap-utils",
- openbsd => "openldap-client",
+ "debian" => "ldap-utils",
+ "ubuntu" => "ldap-utils",
+ "openbsd" => "openldap-client",
 default => "openldap-clients",
 },
 ensure => $operatingsystem ? {
@@ -120,15 +175,15 @@ class ldap::client {
 ensure => present,
 content => template("ldap/ldap.conf.erb"),
 path => $operatingsystem ? {
- debian => "/etc/ldap/ldap.conf",
- ubuntu => "/etc/ldap/ldap.conf",
+ "debian" => "/etc/ldap/ldap.conf",
+ "ubuntu" => "/etc/ldap/ldap.conf",
 default => "/etc/openldap/ldap.conf",
 },
 mode => 0644,
 owner => root,
 group => $operatingsystem ? {
- darwin => wheel,
- openbsd => wheel,
+ "darwin" => wheel,
+ "openbsd" => wheel,
 default => root,
 },
 require => Package["openldap-client"],
@@ -157,7 +212,7 @@ class ldap::client::python {
 class ldap::client::ruby {
 case $operatingsystem {
- ubuntu,debian: {
+ "ubuntu","debian": {
 $pkgname = regsubst($rubyversion, '^([0-9]+\.[0-9]+)\..*', 'libldap-ruby\1')
 }
 default: {
@@ -172,7 +227,6 @@ class ldap::client::ruby {
 }
- # Install OpenLDAP server.
 #
 # $ldap_datadir:
@@ -180,13 +234,24 @@ class ldap::client::ruby {
 #
 class ldap::server {
+ case $operatingsystem {
+ "debian","ubuntu": {
+ $user = "openldap"
+ $group = "openldap"
+ }
+ "centos","fedora": {
+ $user = "ldap"
+ $group = "openldap"
+ }
+ }
+
 if $ldap_datadir {
 file { "${ldap_datadir}":
 ensure => directory,
 mode => 0700,
- owner => ldap,
- group => ldap,
- require => Package["openldap-servers"],
+ owner => $user,
+ group => $group,
+ require => Package["openldap-server"],
 }
 file { "/srv/ldap":
 ensure => link,
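Review bot: The new Debian branch installs libnss-ldap and libpam-ldap but manages none of their configuration, since every augeas resource for libnss-ldap.conf, pam_ldap.conf and nsswitch.conf is commented out; the `set ssl on` and the rootbinddn removal enforced on the other platforms are not applied there, and whatever the packaged defaults contain stays in effect. The comment block explains why, but the ldap::auth class header (outside this hunk) should say so too, e.g. `# Debian: packages only; libnss-ldap.conf/pam_ldap.conf/nsswitch.conf are not yet managed (augeas lenses missing).` Separately, the added onlyif entry `get rootbinddn == 'cn=manager,dc=example,dc=net'` only matches that literal DN, so a rootbinddn set to any other value is left in place; if the intent is to drop rootbinddn whenever it is present, a `match rootbinddn size > 0` test would express that. Also, the augeas type documents onlyif as a single command and, as far as I recall, the provider evaluates only the first element of an array, so this new entry may never be consulted at all — worth confirming against the Puppet version in use.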
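Review bot: In the new `case $operatingsystem` block of ldap::server the centos/fedora branch sets `$group = "openldap"`, while the lines this hunk removes used group `ldap` on those platforms; as far as I know the Red Hat openldap-servers package creates the `ldap` user and group and no `openldap` group, so this looks like a copy of the Debian value and the `file { "${ldap_datadir}" }` resource would fail on a missing group — confirm and change to `$group = "ldap"`. The case also has no `default:` branch, so on any other operatingsystem `$user`/`$group` stay unset and a mode 0700 data directory ends up with an unmanaged owner; add `default: { fail("ldap::server: unsupported operatingsystem ${operatingsystem}") }` so the catalog fails early instead. ldap::server continues past the end of this hunk.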
@@ -197,31 +262,51 @@ class ldap::server {
 file { "/srv/ldap":
 ensure => directory,
 mode => 0700,
- owner => ldap,
- group => ldap,
- require => Package["openldap-servers"],
+ owner => $user,
+ group => $group,
+ require => Package["openldap-server"],
 }
 }
- package { [ "openldap-servers", "openldap-servers-overlays", ]:
+ package { "openldap-server":
+ name => $operatingsystem ? {
+ "ubuntu" => "slapd",
+ "debian" => "slapd",
+ "centos" => [ "openldap-servers",
+ "openldap-servers-overlays" ],
+ "fedora" => [ "openldap-servers",
+ "openldap-servers-overlays" ],
+ },
 ensure => installed,
 }
- service { "ldap":
+ service { "slapd":
+ name => $operatingsystem ? {
+ "ubuntu" => "slapd",
+ "debian" => "slapd",
+ "centos" => "ldap",
+ "fedora" => "ldap",
+ },
 ensure => running,
 enable => true,
- require => Package["openldap-servers"],
+ require => Package ["openldap-server"]
 }
- file { "/etc/openldap/slapd.conf":
+ file { "slapd.conf":
+ path => $operatingsystem ? {
+ "ubuntu" => "/etc/ldap/slapd.conf",
+ "debian" => "/etc/ldap/slapd.conf",
+ "centos" => "/etc/openldap/slapd.conf",
+ "fedora" => "/etc/openldap/slapd.conf",
+ },
 ensure => present,
 source => [ "puppet:///files/ldap/slapd.conf.${fqdn}", "puppet:///files/ldap/slapd.conf", ],
 mode => 0640,
 owner => root,
- group => ldap,
- notify => Service["ldap"],
- require => Package["openldap-servers"],
+ group => $group,
+ notify => Service["slapd"],
+ require => Package["openldap-server"],
 }
 file { "/srv/ldap/DB_CONFIG":
@@ -232,7 +317,7 @@ class ldap::server {
 mode => 0644,
 owner => root,
 group => root,
- require => Package["openldap-servers"],
+ require => Package["openldap-server"],
 }
 ldap::server::schema { "apple-auth": }
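Review bot: On Debian and Ubuntu the `slapd.conf` resource now points at /etc/ldap/slapd.conf and notifies Service["slapd"], but the slapd packages on those platforms default to the cn=config database under /etc/ldap/slapd.d, so the managed file — including whatever access directives it carries — may be silently ignored by the running daemon; confirm that the packaged slapd is actually started from slapd.conf there, or manage slapd.d instead. The `name` selectors for the package and service and the `path` selector for the file (and the `path` selector in ldap::server::schema in the last hunk) have no `default` entry, so any other operatingsystem fails compilation with a bare selector error; a `default` entry, or a `fail()` branch in the `case $operatingsystem` of ldap::server, would name the unsupported platform explicitly. Passing an array as the package `name` for centos/fedora is also not a documented form of the package type — the removed line used two titles — so verify that the yum provider both installs and later queries both packages, or keep two resources. Minor: `require => Package ["openldap-server"]` has a stray space and lacks the trailing comma the other attributes use.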
@@ -262,14 +347,20 @@ define ldap::server::schema() {
 include ldap::server
- file { "/etc/openldap/schema/${name}.schema":
+ file { "${name}.schema":
+ path => $operatingsystem ? {
+ "ubuntu" => "/etc/ldap/schema/${name}.schema",
+ "debian" => "/etc/ldap/schema/${name}.schema",
+ "centos" => "/etc/openldap/schema/${name}.schema",
+ "fedora" => "/etc/openldap/schema/${name}.schema",
+ },
 ensure => present,
 source => [ "puppet:///files/ldap/${name}.schema", "puppet:///modules/ldap/${name}.schema", ],
 mode => 0644,
 owner => root,
 group => root,
- require => Package["openldap-servers"],
+ require => Package["openldap-server"],
 }
- }
+
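Review bot: As shown, the hunk ends by removing the closing `}` of `define ldap::server::schema()` (`- }`) and adding an empty line in its place, which would leave the define unterminated; SOURCE is cut off right here, so if the patch continues with `+}` this is a non-issue, otherwise the brace has to come back. The `path` selector has no `default` entry either, the same gap raised on the ldap::server hunk, so the define cannot be used on any operatingsystem other than the four listed without a selector error.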