ldap: Disable SSL support when LDAP URI does not start with ldaps://

2014-01-20 11:59:22 +02:00 · 2014-01-20 11:59:22 +02:00 · dc5cd90bde
commit dc5cd90bde
parent 60a8994103
1 changed files with 18 additions and 20 deletions
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@ -19,6 +19,11 @@ class ldap::auth inherits ldap::client {
    tag("bootstrap")

    $ldap_uri = inline_template('<%= @ldap_server.join(" ") -%>')
+    if regsubst($ldap_uri, "^(ldaps)://.*", "\1") == "ldaps"{
+        $ssl = "on"
+    } else {
+        $ssl = "no"
+    }

    if $::kernel == "Linux" {
        include nscd
@ -41,7 +46,7 @@ class ldap::auth inherits ldap::client {
                    }
                    augeas { "nslcd-conf":
                        changes => [ "set pagesize 500",
-                                     "set ssl on",
+                                     "set ssl ${ssl}",
                                     "set tls_reqcert never",
                                     "rm tls_cacertdir", ],
                        incl    => "/etc/nslcd.conf",
@ -58,7 +63,7 @@ class ldap::auth inherits ldap::client {
                        }
                    }
                    augeas { "pam-ldap-conf":
-                        changes => [ "set ssl on",
+                        changes => [ "set ssl ${ssl}",
                                     "set pam_password exop",
                                     "rm tls_cacertdir", ],
                        incl    => "/etc/pam_ldap.conf",
@ -85,16 +90,13 @@ class ldap::auth inherits ldap::client {
                        context  => "/files/etc/ldap.conf",
                        changes  => [ "set nss_paged_results yes",
                                      "set pam_password exop",
-                                      "set ssl on", ],
-                        onlyif   => [ "get nss_paged_results != yes",
-                                      "get pam_password != exop",
-                                      "get ssl != on", ],
+                                      "set ssl ${ssl}", ],
                        notify   => Service["nscd"],
                    }
                }
            }
        }
-        Ubuntu: {
+        "Ubuntu": {
            package { "ldap-auth-client":
                ensure => installed,
            }
@ -111,21 +113,17 @@ class ldap::auth inherits ldap::client {
            }
            augeas { "pam-ldap-conf":
                context => "/files/etc/ldap.conf",
-                changes => [ "set uri '${ldap_uri}'",
+                changes => [
+                  "set uri '${ldap_uri}'",
                  "set base ${ldap_basedn}",
                  "set nss_paged_results yes",
                  "set pam_password exop",
                  "rm rootbinddn",
-                             "set ssl on", ],
-                onlyif  => [ "get uri != '${ldap_uri}'",
-                             "get base != ${ldap_basedn}",
-                             "get nss_paged_results != yes",
-                             "get pam_password != exop",
-                             "get rootbinddn == 'cn=manager,dc=example,dc=net'",
-                             "get ssl != on", ],
+                  "set ssl ${ssl}",
+                ],
            }
        }
-        OpenBSD: {
+        "OpenBSD": {
            if ! $ldap_login_umask {
                $ldap_login_umask = "077"
            }