Added LDAP authentication support for OpenBSD.

ldap/manifests/init.pp

@@ -9,6 +9,9 @@
 #   $ldap_basedn:
 #       LDAP base DN.
 #
+#   $ldap_login_umask:
+#       Default umask for LDAP users in OpenBSD, defaults to 077.
+#
 class ldap::client {
 
     package { "openldap-client":
@@ -31,6 +34,23 @@ class ldap::client {
         require => Package["openldap-client"],
     }
 
+    case $operatingsystem {
+        OpenBSD: {
+            if ! $ldap_login_umask {
+                $ldap_login_umask = "077"
+            }
+
+            file { "/etc/login.conf":
+                ensure  => present,
+                content => template("ldap/login.conf.erb"),
+                mode    => 0644,
+                owner   => root,
+                group   => wheel,
+                require => File["/etc/openldap/ldap.conf"],
+            }
+        }
+    }
+
 }
 
 

ldap/templates/login.conf.erb

@@ -0,0 +1,113 @@
+# $OpenBSD: login.conf.in,v 1.2 2007/01/09 10:20:12 millert Exp $
+
+#
+# Sample login.conf file.  See login.conf(5) for details.
+#
+
+#
+# Standard authentication styles:
+#
+# krb5-or-pwd	First try Kerberos V password, then local password file
+# passwd	Use only the local password file
+# krb5		Use only the Kerberos V password
+# chpass	Do not authenticate, but change users password (change
+#		the YP password if the user has one, else change the
+#		local password)
+# lchpass	Do not login; change user's local password instead
+# radius	Use radius authentication
+# skey		Use S/Key authentication
+# activ		ActivCard X9.9 token authentication
+# crypto	CRYPTOCard X9.9 token authentication
+# snk		Digital Pathways SecureNet Key authentication
+# token		Generic X9.9 token authentication
+#
+
+# Default allowed authentication styles
+auth-defaults:auth=passwd,skey:
+
+# Default allowed authentication styles for authentication type ftp
+auth-ftp-defaults:auth-ftp=passwd:
+
+#
+# The default values
+# To alter the default authentication types change the line:
+#	:tc=auth-defaults:\
+# to be read something like: (enables passwd, "myauth", and activ)
+#	:auth=passwd,myauth,activ:\
+# Any value changed in the daemon class should be reset in default
+# class.
+#
+default:\
+	:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
+	:umask=022:\
+	:datasize-max=512M:\
+	:datasize-cur=512M:\
+	:maxproc-max=256:\
+	:maxproc-cur=128:\
+	:openfiles-cur=128:\
+	:stacksize-cur=4M:\
+	:localcipher=blowfish,6:\
+	:ypcipher=old:\
+	:tc=auth-defaults:\
+	:tc=auth-ftp-defaults:
+
+#
+# Settings used by /etc/rc and root
+# This must be set properly for daemons started as root by inetd as well.
+# Be sure reset these values back to system defaults in the default class!
+#
+daemon:\
+	:ignorenologin:\
+	:datasize=infinity:\
+	:maxproc=infinity:\
+	:openfiles-cur=128:\
+	:stacksize-cur=8M:\
+	:localcipher=blowfish,8:\
+	:tc=default:
+
+#
+# Staff have fewer restrictions and can login even when nologins are set.
+#
+staff:\
+	:datasize-cur=512M:\
+	:datasize-max=infinity:\
+	:maxproc-max=512:\
+	:maxproc-cur=128:\
+	:ignorenologin:\
+	:requirehome@:\
+	:tc=default:
+
+#
+# Authpf accounts get a special motd and shell
+#
+authpf:\
+	:welcome=/etc/motd.authpf:\
+	:shell=/usr/sbin/authpf:\
+	:tc=default:
+<%
+require 'uri'
+
+n = 0
+servers = ""
+ldap_server.each do |uri|
+    uri = URI.parse(uri)
+    if uri.scheme == "ldaps":
+        mode = "ssl"
+    else
+        mode = "plain"
+    end
+    if n == 0:
+        servers += ":x-ldap-server=%s,,%s:\\\n" % [uri.host, mode]
+    else
+        servers += "\t:x-ldap-serveralt%d=%s,,%s:\\\n" % [n-1, uri.host, mode]
+    end
+    n += 1
+end
+%>
+ldap:\
+	:auth=-ldap:\
+	<%= servers -%>
+	:x-ldap-basedn=ou=People,<%= ldap_basedn %>:\
+	:x-ldap-filter=(&(objectclass=posixAccount)(uid=%u)):\
+	:umask=<%= ldap_login_umask %>:\
+	:tc=default: