ldap: Disable SSL support when LDAP URI does not start with ldaps://

Timo Makinen 2014-01-20 11:59:22 +02:00
parent 60a8994103
commit dc5cd90bde


@ -19,6 +19,11 @@ class ldap::auth inherits ldap::client {
tag("bootstrap") tag("bootstrap")
$ldap_uri = inline_template('<%= @ldap_server.join(" ") -%>') $ldap_uri = inline_template('<%= @ldap_server.join(" ") -%>')
if regsubst($ldap_uri, "^(ldaps)://.*", "\1") == "ldaps"{
$ssl = "on"
} else {
$ssl = "no"
}
if $::kernel == "Linux" { if $::kernel == "Linux" {
include nscd include nscd
@ -41,7 +46,7 @@ class ldap::auth inherits ldap::client {
} }
augeas { "nslcd-conf": augeas { "nslcd-conf":
changes => [ "set pagesize 500", changes => [ "set pagesize 500",
"set ssl on", "set ssl ${ssl}",
"set tls_reqcert never", "set tls_reqcert never",
"rm tls_cacertdir", ], "rm tls_cacertdir", ],
incl => "/etc/nslcd.conf", incl => "/etc/nslcd.conf",
@ -58,7 +63,7 @@ class ldap::auth inherits ldap::client {
} }
} }
augeas { "pam-ldap-conf": augeas { "pam-ldap-conf":
changes => [ "set ssl on", changes => [ "set ssl ${ssl}",
"set pam_password exop", "set pam_password exop",
"rm tls_cacertdir", ], "rm tls_cacertdir", ],
incl => "/etc/pam_ldap.conf", incl => "/etc/pam_ldap.conf",
@ -85,16 +90,13 @@ class ldap::auth inherits ldap::client {
context => "/files/etc/ldap.conf", context => "/files/etc/ldap.conf",
changes => [ "set nss_paged_results yes", changes => [ "set nss_paged_results yes",
"set pam_password exop", "set pam_password exop",
"set ssl on", ], "set ssl ${ssl}", ],
onlyif => [ "get nss_paged_results != yes",
"get pam_password != exop",
"get ssl != on", ],
notify => Service["nscd"], notify => Service["nscd"],
} }
} }
} }
} }
Ubuntu: { "Ubuntu": {
package { "ldap-auth-client": package { "ldap-auth-client":
ensure => installed, ensure => installed,
} }
@ -111,21 +113,17 @@ class ldap::auth inherits ldap::client {
} }
augeas { "pam-ldap-conf": augeas { "pam-ldap-conf":
context => "/files/etc/ldap.conf", context => "/files/etc/ldap.conf",
changes => [ "set uri '${ldap_uri}'", changes => [
"set base ${ldap_basedn}", "set uri '${ldap_uri}'",
"set nss_paged_results yes", "set base ${ldap_basedn}",
"set pam_password exop", "set nss_paged_results yes",
"rm rootbinddn", "set pam_password exop",
"set ssl on", ], "rm rootbinddn",
onlyif => [ "get uri != '${ldap_uri}'", "set ssl ${ssl}",
"get base != ${ldap_basedn}", ],
"get nss_paged_results != yes",
"get pam_password != exop",
"get rootbinddn == 'cn=manager,dc=example,dc=net'",
"get ssl != on", ],
} }
} }
OpenBSD: { "OpenBSD": {
if ! $ldap_login_umask { if ! $ldap_login_umask {
$ldap_login_umask = "077" $ldap_login_umask = "077"
} }
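Review bot: The scheme test added in the first hunk only inspects the first entry of `$ldap_server`, because `$ldap_uri` is the space-joined list and the regex is anchored with `^`, so a list such as `ldaps://a ldap://b` yields `ssl on` and `ldap://a ldaps://b` yields `ssl no` while both lists contain a plaintext server; the value should be derived from every entry (for example, fail the catalog when the schemes are mixed) rather than from the first one. Choosing `ssl no` for plain `ldap://` also means `pam_password exop` sends passwords in the clear, and since `tls_reqcert never` is kept (pre-existing, not introduced here) the `ldaps` path does not authenticate the server either; if plaintext is not intended, a safer fallback would be `$ssl = "start_tls"`, and otherwise a comment above the `if` stating that cleartext LDAP is accepted on purpose would help the next maintainer. The literal `no` should also be checked against what the consumers accept: the nslcd.conf and pam_ldap.conf man pages, as far as I recall, list `ssl on|off|start_tls`, so `off` is the documented spelling even if some parsers tolerate `no`. The class `ldap::auth` starts before the first hunk and continues past the last one.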