ldap: Converted nslcd.conf to template and added support for active directory attribute mappings.

2014-01-21 13:18:56 +02:00 · 2014-01-21 13:18:56 +02:00 · 9a1964c71a
commit 9a1964c71a
parent d0a5bca536
2 changed files with 55 additions and 32 deletions
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -12,7 +12,12 @@
 #   $ldap_login_umask:
 #       Default umask for LDAP users in OpenBSD, defaults to 077.
 #
-class ldap::auth inherits ldap::client {
+# === Parameters
+#
+#   $mapping:
+#       
+#
+class ldap::auth($mapping="rfc2307") inherits ldap::client {

    include pam::common

@ -22,7 +27,7 @@ class ldap::auth inherits ldap::client {
    if regsubst($ldap_uri, "^(ldaps)://.*", "\1") == "ldaps"{
        $ssl = "on"
    } else {
-        $ssl = "no"
+        $ssl = "off"
    }

    if $::kernel == "Linux" {
@ -39,29 +44,19 @@ class ldap::auth inherits ldap::client {
                    exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enableforcelegacy --update":
                        path    => "/bin:/usr/bin:/sbin:/usr/sbin",
                        unless  => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
-                        before  => [ Augeas["nslcd-conf"],
+                        before  => [ File["/etc/nslcd.conf"],
                                     Augeas["pam-ldap-conf"],
                                     File["/etc/openldap/ldap.conf"], ],
                        require => Package["authconfig", "nss-pam-ldapd"],
                    }
-                    augeas { "nslcd-conf":
-                        changes => [ "set pagesize 500",
-                                     "set ssl ${ssl}",
-                                     "set tls_reqcert never",
-                                     "rm tls_cacertdir", ],
-                        incl    => "/etc/nslcd.conf",
-                        lens    => "Spacevars.simple_lns",
+                    file { "/etc/nslcd.conf":
+                        ensure  => present,
+                        content => template("ldap/nslcd.conf.erb"),
+                        mode    => "0600",
+                        owner   => "root",
+                        group   => "root",
                        notify  => Service["nslcd"],
                    }
-                    if $::operatingsystem == "Fedora" {
-                        augeas { "nslcd-conf-groupmap":
-                            changes => "set map 'group member uniqueMember'",
-                            incl    => "/etc/nslcd.conf",
-                            lens    => "Spacevars.simple_lns",
-                            require => Package["nss-pam-ldapd"],
-                            notify  => Service["nslcd"],
-                        }
-                    }
                    augeas { "pam-ldap-conf":
                        changes => [ "set ssl ${ssl}",
                                     "set pam_password exop",
@ -104,21 +99,15 @@ class ldap::auth inherits ldap::client {
                path    => "/bin:/usr/bin:/sbin:/usr/sbin",
                unless  => "auth-client-config -t nss -p ldap_example -s",
                require => Package["auth-client-config"],
-                before  => Augeas["nslcd-conf"],
+                before  => File["/etc/nslcd.conf"],
            }
-            augeas { "nslcd-conf":
-                changes => [
-                  "set uri '${ldap_uri}'",
-                  "set base ${ldap_basedn}",
-                  "set pagesize 500",
-                  "set ssl ${ssl}",
-                  "set tls_reqcert never",
-                  "set map 'group member uniqueMember'",
-                ],
-                incl    => "/etc/nslcd.conf",
-                lens    => "Spacevars.simple_lns",
+            file { "/etc/nslcd.conf":
+                ensure  => present,
+                content => template("ldap/nslcd.conf.erb"),
+                mode    => "0640",
+                owner   => "root",
+                group   => "nslcd",
                notify  => Service["nslcd"],
-                before  => File["/etc/openldap/ldap.conf"],
            }
            service { "nslcd":
                ensure => running,
--- a/ldap/templates/nslcd.conf.erb
+++ b/ldap/templates/nslcd.conf.erb
@ -0,0 +1,34 @@
+uid nslcd
+<% if @operatingsystem == "Ubuntu" -%>
+gid nslcd
+<% else -%>
+gid ldap
+<% end -%>
+
+uri <%= @ldap_uri %>
+base <%= @ldap_basedn %>
+
+<% if ['ad','activedirectory'].index(@mapping) -%>
+pagesize 1000
+filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
+map    passwd uid              sAMAccountName
+map    passwd gecos            displayName
+map    passwd loginShell       "${loginShell:-/bin/bash}"
+map    passwd homeDirectory    "${unixHomeDirectory:-/home/$sAMAccountName}"
+filter group  (&(objectClass=group)(gidNumber=*))
+<%   if @operatingsystem == "CentOS" -%>
+map group uniqueMember member
+<%   end -%>
+<% else -%>
+pagesize 500
+<%   if @operatingsystem != "CentOS" -%>
+map group member uniqueMember
+<%   end -%>
+<% end -%>
+
+<% if @ldap_uri =~ /^ldaps:/ -%>
+ssl on
+tls_reqcert never
+<% else -%>
+ssl off
+<% end -%>