ldap: Added GSSAPI authentication support for CentOS 6 nslcd.

2014-01-23 10:28:26 +02:00 · 2014-01-23 10:28:26 +02:00 · 9a07075a8c
commit 9a07075a8c
parent 0f41b36d1f
2 changed files with 128 additions and 3 deletions
--- a/ldap/files/nslcd.init.gssapi
+++ b/ldap/files/nslcd.init.gssapi
@ -0,0 +1,108 @@
 #!/bin/sh
 #
 # chkconfig: - 12 88 
 # description: Provides naming services using a directory server.
 # processname: /usr/sbin/nslcd
 # config: /etc/nslcd.conf
 # pidfile: /var/run/nslcd/nslcd.pid
 #
 ### BEGIN INIT INFO
 # Provides: nslcd
 # Required-Start: $network
 # Required-Stop:
 # Default-Start:
 # Default-Stop:
 # Short-Description: naming services LDAP client daemon
 # Description: Provides naming services using a directory server.
 ### END INIT INFO
 program=/usr/sbin/nslcd
 prog=${program##*/}
 pidfile=/var/run/nslcd/nslcd.pid
 rundir=/var/run/nslcd
 k5start=/usr/bin/k5start
 k5start_pidfile=${rundir}/k5start_nslcd.pid
 k5start_user=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' /etc/nslcd.conf)
 k5start_group=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' /etc/nslcd.conf)
 k5start_ccfile=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' /etc/nslcd.conf)
 if [ -f /etc/rc.d/init.d/functions ]; then
 	. /etc/rc.d/init.d/functions
 fi
 [ -f /etc/sysconfig/nslcd ] && . /etc/sysconfig/nslcd
 RETVAL=0
 start() {
    grep -q '^sasl_mech *GSSAPI$' /etc/nslcd.conf
    if [ $? -eq 0 ]; then
        echo -n $"Starting k5start for nslcd"
        daemon $k5start -b -p $k5start_pidfile -o $k5start_user \
            -g $k5start_group -m 600 -f /etc/krb5.keytab -K 60 \
            -u $K5START_PRINCIPAL -k $k5start_ccfile
        echo
    fi
    echo -n $"Starting $prog: "
    daemon $program
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
 }
 stop() {
    if [ $? -eq 0 ]; then
        echo -n $"Stopping k5start for nslcd"
        killproc -p $k5start_pidfile $k5start
        echo
    fi
    echo -n $"Stopping $prog: "
    killproc $program
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ]; then
 	rm -f /var/lock/subsys/$prog
    fi
 }
 restart() {
    stop
    start
 }
 # See how we were called.
 case "$1" in
    start)
        [ -f /var/lock/subsys/$prog ] && exit 0
        $1
        ;;
    stop)
        [ -f /var/lock/subsys/$prog ] || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    status)
        status -p $pidfile $program
        RETVAL=$?
        ;;
    condrestart|try-restart)
        [ -f /var/lock/subsys/$prog ] && restart || :
        ;;
    reload)
        echo "can't reload configuration, you have to restart it"
        RETVAL=3
        ;;
    force-reload)
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 1
        ;;
 esac
 exit $RETVAL
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -105,9 +105,6 @@ class ldap::auth(
                        group   => "root",
                        notify  => Service["nslcd"],
                    }
                    if $auth == "gssapi" {
                        fail("gssapi not supported on ${::operatingsystem}")
                    }
                    augeas { "pam-ldap-conf":
                        changes => [ "set ssl ${ssl}",
                                     "set pam_password exop",
@ -115,6 +112,26 @@ class ldap::auth(
                        incl    => "/etc/pam_ldap.conf",
                        lens    => "Spacevars.simple_lns",
                    }
                    if $auth == "gssapi" and $::operatingsystem != "Fedora" {
                        file { "/etc/init.d/nslcd":
                            ensure  => present,
                            source  => "puppet:///modules/ldap/nslcd.init.gssapi",
                            mode    => "0755",
                            owner   => "root",
                            group   => "root",
                            require => Package["nss-pam-ldapd"],
                            notify  => Service["nslcd"],
                        }
                        file { "/etc/sysconfig/nslcd":
                            ensure  => present,
                            content => "K5START_PRINCIPAL='${principal}'\n",
                            mode    => "0755",
                            owner   => "root",
                            group   => "root",
                            require => Package["nss-pam-ldapd"],
                            notify  => Service["nslcd"],
                        }
                    }
                    service { "nslcd":
                         ensure => running,
                         enable => true,