diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp index d61a95d..97fc52c 100644 --- a/ldap/manifests/init.pp +++ b/ldap/manifests/init.pp @@ -9,6 +9,9 @@ # $ldap_basedn: # LDAP base DN. # +# $ldap_login_umask: +# Default umask for LDAP users in OpenBSD, defaults to 077. +# class ldap::client { package { "openldap-client": @@ -31,6 +34,23 @@ class ldap::client { require => Package["openldap-client"], } + case $operatingsystem { + OpenBSD: { + if ! $ldap_login_umask { + $ldap_login_umask = "077" + } + + file { "/etc/login.conf": + ensure => present, + content => template("ldap/login.conf.erb"), + mode => 0644, + owner => root, + group => wheel, + require => File["/etc/openldap/ldap.conf"], + } + } + } + } diff --git a/ldap/templates/login.conf.erb b/ldap/templates/login.conf.erb new file mode 100644 index 0000000..d75bb5e --- /dev/null +++ b/ldap/templates/login.conf.erb 
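Review bot: `$ldap_login_umask` is taken from outer scope and interpolated into /etc/login.conf with no validation, so a typo such as `"77o"` or an empty string yields a malformed `umask=` capability that login(1) will reject, which on a host that authenticates only via this class can lock everyone out; the `if ! $ldap_login_umask` fallback only covers the unset case. If the Puppet version in use supports regex matching in conditionals, guard it after the default assignment with `if $ldap_login_umask !~ /^0?[0-7]{3}$/ { fail("ldap_login_umask must be a three-digit octal mask") }`. The `file { "/etc/login.conf": content => template(...) }` resource also replaces the whole system login.conf, not just the `ldap` class, so any release-specific defaults or local additions on the node are overwritten; that is worth stating in the class header comment (`# Note: on OpenBSD this class manages /etc/login.conf in full`). The enclosing `class ldap::client` starts above this hunk.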
@@ -0,0 +1,113 @@ +# $OpenBSD: login.conf.in,v 1.2 2007/01/09 10:20:12 millert Exp $ + +# +# Sample login.conf file. See login.conf(5) for details. +# + +# +# Standard authentication styles: +# +# krb5-or-pwd First try Kerberos V password, then local password file +# passwd Use only the local password file +# krb5 Use only the Kerberos V password +# chpass Do not authenticate, but change users password (change +# the YP password if the user has one, else change the +# local password) +# lchpass Do not login; change user's local password instead +# radius Use radius authentication +# skey Use S/Key authentication +# activ ActivCard X9.9 token authentication +# crypto CRYPTOCard X9.9 token authentication +# snk Digital Pathways SecureNet Key authentication +# token Generic X9.9 token authentication +# + +# Default allowed authentication styles +auth-defaults:auth=passwd,skey: + +# Default allowed authentication styles for authentication type ftp +auth-ftp-defaults:auth-ftp=passwd: + +# +# The default values +# To alter the default authentication types change the line: +# :tc=auth-defaults:\ +# to be read something like: (enables passwd, "myauth", and activ) +# :auth=passwd,myauth,activ:\ +# Any value changed in the daemon class should be reset in default +# class. +# +default:\ + :path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\ + :umask=022:\ + :datasize-max=512M:\ + :datasize-cur=512M:\ + :maxproc-max=256:\ + :maxproc-cur=128:\ + :openfiles-cur=128:\ + :stacksize-cur=4M:\ + :localcipher=blowfish,6:\ + :ypcipher=old:\ + :tc=auth-defaults:\ + :tc=auth-ftp-defaults: + +# +# Settings used by /etc/rc and root +# This must be set properly for daemons started as root by inetd as well. +# Be sure reset these values back to system defaults in the default class! 
+# +daemon:\ + :ignorenologin:\ + :datasize=infinity:\ + :maxproc=infinity:\ + :openfiles-cur=128:\ + :stacksize-cur=8M:\ + :localcipher=blowfish,8:\ + :tc=default: + +# +# Staff have fewer restrictions and can login even when nologins are set. +# +staff:\ + :datasize-cur=512M:\ + :datasize-max=infinity:\ + :maxproc-max=512:\ + :maxproc-cur=128:\ + :ignorenologin:\ + :requirehome@:\ + :tc=default: + +# +# Authpf accounts get a special motd and shell +# +authpf:\ + :welcome=/etc/motd.authpf:\ + :shell=/usr/sbin/authpf:\ + :tc=default: +<% +require 'uri' + +n = 0 +servers = "" +ldap_server.each do |uri| + uri = URI.parse(uri) + if uri.scheme == "ldaps": + mode = "ssl" + else + mode = "plain" + end + if n == 0: + servers += ":x-ldap-server=%s,,%s:\\\n" % [uri.host, mode] + else + servers += "\t:x-ldap-serveralt%d=%s,,%s:\\\n" % [n-1, uri.host, mode] + end + n += 1 +end +%> +ldap:\ + :auth=-ldap:\ + <%= servers -%> + :x-ldap-basedn=ou=People,<%= ldap_basedn %>:\ + :x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\ + :umask=<%= ldap_login_umask %>:\ + :tc=default:
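Review bot: Every server URI that is not `ldaps://` is mapped to `mode = "plain"` in the scheme branch of the ERB loop, so unless all configured servers use ldaps the simple bind login_ldap performs sends each user's password over the network in cleartext. login_ldap also supports a `tls` (StartTLS) mode, so the safer mapping is `mode = uri.scheme == "ldaps" ? "ssl" : "tls"` with `plain` only on explicit opt-in; even in ssl/tls mode the server certificate is presumably only verified when `x-ldap-cacert` is set, so the template likely also needs an `:x-ldap-cacert=...:` capability — confirm against login_ldap(8). The same format strings drop any port given in the URI (only `uri.host` is used and the middle field of `host,,mode` is left empty), so a server on a non-default port silently fails over to the default; `":x-ldap-server=%s,%s,%s:\\\n" % [uri.host, uri.port, mode]` keeps it. Finally, `if uri.scheme == "ldaps":` and `if n == 0:` use the Ruby 1.8-only colon-as-`then` syntax and are a syntax error on Ruby 1.9 and later; drop the colons.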