tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ldap: Added GSSAPI authentication support for CentOS 6 nslcd.

Browse source
This commit is contained in:
Timo Makinen 2014-01-23 10:28:26 +02:00
parent 0f41b36d1f
commit 9a07075a8c
2 changed files with 128 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

108
ldap/files/nslcd.init.gssapi Executable file
View file

@ -0,0 +1,108 @@
#!/bin/sh
#
# chkconfig: - 12 88
# description: Provides naming services using a directory server.
# processname: /usr/sbin/nslcd
# config: /etc/nslcd.conf
# pidfile: /var/run/nslcd/nslcd.pid
#
### BEGIN INIT INFO
# Provides: nslcd
# Required-Start: $network
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: naming services LDAP client daemon
# Description: Provides naming services using a directory server.
### END INIT INFO
program=/usr/sbin/nslcd
prog=${program##*/}
pidfile=/var/run/nslcd/nslcd.pid
rundir=/var/run/nslcd
k5start=/usr/bin/k5start
k5start_pidfile=${rundir}/k5start_nslcd.pid
k5start_user=$(sed -n 's/^uid *\([^ ]*\) *$/\1/ip' /etc/nslcd.conf)
k5start_group=$(sed -n 's/^gid *\([^ ]*\) *$/\1/ip' /etc/nslcd.conf)
k5start_ccfile=$(sed -n 's/^krb5_ccname *\(FILE:\)\?\([^: ]*\) *$/\2/ip' /etc/nslcd.conf)
if [ -f /etc/rc.d/init.d/functions ]; then
. /etc/rc.d/init.d/functions
fi
[ -f /etc/sysconfig/nslcd ] && . /etc/sysconfig/nslcd
RETVAL=0
start() {
grep -q '^sasl_mech *GSSAPI$' /etc/nslcd.conf
if [ $? -eq 0 ]; then
echo -n $"Starting k5start for nslcd"
daemon $k5start -b -p $k5start_pidfile -o $k5start_user \
-g $k5start_group -m 600 -f /etc/krb5.keytab -K 60 \
-u $K5START_PRINCIPAL -k $k5start_ccfile
echo
fi
echo -n $"Starting $prog: "
daemon $program
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
return $RETVAL
}
stop() {
if [ $? -eq 0 ]; then
echo -n $"Stopping k5start for nslcd"
killproc -p $k5start_pidfile $k5start
echo
fi
echo -n $"Stopping $prog: "
killproc $program
RETVAL=$?
echo
if [ $RETVAL -eq 0 ]; then
rm -f /var/lock/subsys/$prog
fi
}
restart() {
stop
start
}
# See how we were called.
case "$1" in
start)
[ -f /var/lock/subsys/$prog ] && exit 0
$1
;;
stop)
[ -f /var/lock/subsys/$prog ] || exit 0
$1
;;
restart)
$1
;;
status)
status -p $pidfile $program
RETVAL=$?
;;
condrestart|try-restart)
[ -f /var/lock/subsys/$prog ] && restart || :
;;
reload)
echo "can't reload configuration, you have to restart it"
RETVAL=3
;;
force-reload)
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 1
;;
esac
exit $RETVAL

23
ldap/manifests/init.pp
View file

@ -105,9 +105,6 @@ class ldap::auth(
group => "root",
notify => Service["nslcd"],
}
if $auth == "gssapi" {
fail("gssapi not supported on ${::operatingsystem}")
}
augeas { "pam-ldap-conf":
changes => [ "set ssl ${ssl}",
"set pam_password exop",
@ -115,6 +112,26 @@ class ldap::auth(
incl => "/etc/pam_ldap.conf",
lens => "Spacevars.simple_lns",
}
if $auth == "gssapi" and $::operatingsystem != "Fedora" {
file { "/etc/init.d/nslcd":
ensure => present,
source => "puppet:///modules/ldap/nslcd.init.gssapi",
mode => "0755",
owner => "root",
group => "root",
require => Package["nss-pam-ldapd"],
notify => Service["nslcd"],
}
file { "/etc/sysconfig/nslcd":
ensure => present,
content => "K5START_PRINCIPAL='${principal}'\n",
mode => "0755",
owner => "root",
group => "root",
require => Package["nss-pam-ldapd"],
notify => Service["nslcd"],
}
}
service { "nslcd":
ensure => running,
enable => true,