tmakinen/puppet
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
puppet/ldap/manifests/init.pp

701 lines
21 KiB
Puppet
Raw Blame History

# Install and configure ldap authentication
#
# === Global variables
#
# $ldap_server:
# Array containing LDAP server URI's.
#
# $ldap_basedn:
# LDAP base DN.
#
# $ldap_login_umask:
# Default umask for LDAP users in OpenBSD, defaults to 077.
#
# === Parameters
#
# $auth:
# Authentication method to use for LDAP queries. Valid values
# are anonymous, bind and gssapi. Default is anonymous.
#
# $credentials:
# Credentials for authentication. For simple bind use array
# containig user dn and password. For gssapi use array containing
# principal name.
#
# $mapping:
# Attribute mapping to use. Valid values are ad and rfc2307.
# Default is rfc2307.
#
# === Sample usage
#
# class { "ldap::auth":
# auth => "bind",
# credentials => [ "uid=user,dc=example,dc=com", "secret", ],
# }
#
# class { "ldap::auth":
# auth => "gssapi",
# credentials => [ "MYHOST\$@EXAMPLE.COM" ],
# mapping => "ad",
# }
#
class ldap::auth(
$auth="anonymous",
$credentials=[],
$mapping="rfc2307"
) inherits ldap::client {
include pam::common
tag("bootstrap")
$ldap_uri = inline_template('<%= @ldap_server.join(" ") -%>')
if regsubst($ldap_uri, "^(ldaps)://.*", "\1") == "ldaps"{
$ssl = "on"
} else {
$ssl = "off"
}
case $auth {
"anonymous": {}
"bind": {
if !$credentials[0] and !$credentials[1] {
fail("no \$credentials argument set")
}
}
"gssapi": {
require kerberos::kstart
require sasl::client
if $credentials[0] {
$principal = $credentials[0]
} else {
$principal = "host/${::homename}"
}
}
default: {
fail("unsupported auth value \"${auth}\"")
}
}
if $::kernel == "Linux" {
include nscd
}
case $::operatingsystem {
"centos","fedora","redhat": {
case $::operatingsystemrelease {
default: {
package { "nss-pam-ldapd":
ensure => installed,
}
exec { "authconfig --enableldap --enableldapauth --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --enableforcelegacy --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
before => [ File["/etc/nslcd.conf"],
Augeas["pam-ldap-conf"],
File["/etc/openldap/ldap.conf"], ],
require => Package["authconfig", "nss-pam-ldapd"],
}
file { "/etc/nslcd.conf":
ensure => present,
content => template("ldap/nslcd.conf.erb"),
mode => "0600",
owner => "root",
group => "root",
notify => Service["nslcd"],
}
if $auth == "gssapi" {
fail("gssapi not supported on ${::operatingsystem}")
}
augeas { "pam-ldap-conf":
changes => [ "set ssl ${ssl}",
"set pam_password exop",
"rm tls_cacertdir", ],
incl => "/etc/pam_ldap.conf",
lens => "Spacevars.simple_lns",
}
service { "nslcd":
ensure => running,
enable => true,
notify => Service["nscd"],
}
}
/^[1-5]\./: {
package { "nss_ldap":
ensure => installed,
}
exec { "authconfig --enableldap --enableldapauth --enableldapssl --ldapserver='${ldap_uri}' --ldapbasedn='${ldap_basedn}' --update":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => 'cat /etc/sysconfig/authconfig | egrep "^USELDAPAUTH=yes$|^USELDAP=yes$" | wc -l | egrep "^2$"',
before => [ Augeas["pam-ldap-conf"],
File["/etc/openldap/ldap.conf"], ],
require => Package["authconfig", "nss_ldap"],
}
augeas { "pam-ldap-conf":
context => "/files/etc/ldap.conf",
changes => [ "set nss_paged_results yes",
"set pam_password exop",
"set ssl ${ssl}", ],
notify => Service["nscd"],
}
}
}
}
"Ubuntu": {
package { [ "libpam-ldapd", "libnss-ldapd", "auth-client-config", ]:
ensure => installed,
}
exec { "auth-client-config -t nss -p ldap_example":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
unless => "auth-client-config -t nss -p ldap_example -s",
require => Package["auth-client-config"],
before => File["/etc/nslcd.conf"],
}
file { "/etc/nslcd.conf":
ensure => present,
content => template("ldap/nslcd.conf.erb"),
mode => "0640",
owner => "root",
group => "nslcd",
require => Package["libnss-ldapd"],
notify => Service["nslcd"],
}
if $auth == "gssapi" {
augeas { "ldap-auth-set-principal":
context => "/files/etc/default/nslcd",
changes => "set K5START_PRINCIPAL \"\'${principal}\'\"",
notify => Service["nslcd"],
}
}
service { "nslcd":
ensure => running,
enable => true,
before => Class["nscd"],
}
}
"OpenBSD": {
if ! $ldap_login_umask {
$ldap_login_umask = "077"
}
package { "login_ldap":
ensure => installed,
}
file { "/etc/login.conf":
ensure => present,
content => template("ldap/login.conf.erb"),
mode => "0644",
owner => root,
group => wheel,
require => [ File["/etc/openldap/ldap.conf"],
Package["login_ldap"], ]
}
}
default: {
fail("ldap::auth not supported on ${::operatingsystem}")
}
}
}
# Install and configure ldap client
#
# === Global variables
#
# $ldap_server:
# Array containing LDAP server URI's.
#
# $ldap_basedn:
# LDAP base DN.
#
class ldap::client {
package { "openldap-client":
name => $::operatingsystem ? {
"debian" => "ldap-utils",
"ubuntu" => "ldap-utils",
"openbsd" => "openldap-client",
default => "openldap-clients",
},
ensure => $::operatingsystem ? {
darwin => absent,
default => installed,
},
}
file { "/etc/openldap/ldap.conf":
ensure => present,
content => template("ldap/ldap.conf.erb"),
path => $::operatingsystem ? {
"debian" => "/etc/ldap/ldap.conf",
"ubuntu" => "/etc/ldap/ldap.conf",
default => "/etc/openldap/ldap.conf",
},
mode => "0644",
owner => root,
group => $::operatingsystem ? {
"darwin" => wheel,
"openbsd" => wheel,
default => root,
},
require => Package["openldap-client"],
}
}
# Install python ldap bindings.
#
class ldap::client::python {
package { "python-ldap":
name => $::operatingsystem ? {
openbsd => "py-ldap",
default => "python-ldap",
},
ensure => installed,
}
file { "${::pythonsitedir}/dynldap.py":
ensure => present,
source => "puppet:///modules/ldap/dynldap.py",
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => Package["python-ldap"],
}
python::compile { "${::pythonsitedir}/dynldap.py": }
}
# Install Ruby ldap bindings.
#
class ldap::client::ruby {
case $::operatingsystem {
"ubuntu","debian": {
$pkgname = regsubst($rubyversion, '^([0-9]+\.[0-9]+)\..*', 'libldap-ruby\1')
}
default: {
$pkgname = "ruby-ldap"
}
}
package { "ruby-ldap":
ensure => installed,
name => $pkgname,
}
}
# Install OpenLDAP server.
#
# === Global variables
#
# $ldap_datadir:
# Directory for LDAP databases. Defaults to /srv/ldap.
#
# $ldap_modules:
# List of dynamic modules to load, syncprov and ppolicy modules
# are always loaded.
#
# $ldap_server_key:
# Path to SSL private key. Defaults to puppet client key.
#
# $ldap_server_cert:
# Path to SSL certificate. Defaults to puppet client certificate.
#
class ldap::server {
require ssl
if !$ldap_server_key {
$ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem"
}
if !$ldap_server_cert {
$ldap_server_cert = "${puppet_ssldir}/certs/${homename}.pem"
}
case $::operatingsystem {
"debian","ubuntu": {
$user = "openldap"
$group = "openldap"
$package_name = "slapd"
$service_name = "slapd"
$config = "/etc/ldap"
$modulepath = "/usr/lib/ldap"
$rundir = "/var/run/slapd"
exec { "usermod-openldap":
path => "/bin:/usr/bin:/sbin:/usr/sbin",
command => "usermod -a -G ssl-cert openldap",
unless => "id -n -G openldap | grep '\\bssl-cert\\b'",
require => Package["openldap-server"],
before => Exec["slaptest"],
}
}
"fedora": {
$user = "ldap"
$group = "ldap"
$package_name = "openldap-servers"
$service_name = "slapd"
$config = "/etc/openldap"
$modulepath = $architecture ? {
"x86_64" => "/usr/lib64/openldap",
default => "/usr/lib/openldap",
}
$rundir = "/var/run/openldap"
}
"centos","redhat": {
$user = "ldap"
$group = "ldap"
$package_name = $::operatingsystemrelease ? {
/^5/ => [ "openldap-servers", "openldap-servers-overlays" ],
/^6/ => "openldap-servers",
}
$service_name = $::operatingsystemrelease ? {
/^5/ => "ldap",
/^6/ => "slapd",
}
$config = "/etc/openldap"
$modulepath = $architecture ? {
"x86_64" => "/usr/lib64/openldap",
default => "/usr/lib/openldap",
}
$rundir = "/var/run/openldap"
}
"openbsd": {
$user = "_openldap"
$group = "_openldap"
$package_name = "openldap-server"
$service_name = "slapd"
$config = "/etc/openldap"
$modulepath = ""
$rundir = "/var/run/openldap"
}
}
package { "openldap-server":
ensure => installed,
name => $package_name,
}
file { "${ssl::certs}/slapd.crt":
ensure => present,
source => $ldap_server_cert,
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => Package["openldap-server"],
notify => Exec["slaptest"],
}
file { "${ssl::private}/slapd.key":
ensure => present,
source => $ldap_server_key,
mode => "0640",
owner => "root",
group => $group,
require => Package["openldap-server"],
notify => Exec["slaptest"],
}
file { "slapd.conf":
ensure => present,
path => "${config}/slapd.conf",
content => template("ldap/slapd.conf.erb"),
mode => "0640",
owner => "root",
group => $group,
notify => Exec["slaptest"],
require => Package["openldap-server"],
}
file { "${config}/slapd.conf.d":
ensure => directory,
source => "puppet:///modules/custom/empty",
mode => "0640",
owner => "root",
group => $group,
purge => true,
recurse => true,
force => true,
require => Package["openldap-server"],
notify => Exec["generate-slapd-database-config"],
}
case $::operatingsystem {
"centos","redhat": {
if $::operatinsystemrelease !~ /^5\./ {
file { "/etc/sysconfig/ldap":
ensure => present,
content => template("ldap/ldap.sysconfig.erb"),
mode => "0644",
owner => "root",
group => "root",
notify => Exec["slaptest"],
require => Package["openldap-server"],
}
}
}
"debian","ubuntu": {
file { "/etc/default/slapd":
source => "puppet:///modules/ldap/slapd.default",
mode => "0644",
owner => "root",
group => "root",
notify => Exec["slaptest"],
require => Package["openldap-server"],
}
}
}
exec { "slaptest":
command => "slaptest -f ${config}/slapd.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/sbin",
refreshonly => true,
require => File["${config}/slapd.conf.d"],
notify => Service["slapd"],
}
service { "slapd":
name => $service_name,
start => $::operatingsystem ? {
"openbsd" => "/usr/local/libexec/slapd -u _openldap -h ldap:///\\ ldaps:///\\ ldapi:///",
default => undef,
},
ensure => running,
enable => true,
require => Package["openldap-server"]
}
if $ldap_datadir {
file { $ldap_datadir:
ensure => directory,
mode => "0700",
owner => $user,
group => $group,
seltype => "slapd_db_t",
require => Package["openldap-server"],
}
file { "/srv/ldap":
ensure => link,
target => $ldap_datadir,
seltype => "slapd_db_t",
require => File[$ldap_datadir],
}
} else {
file { "/srv/ldap":
ensure => directory,
mode => "0700",
owner => $user,
group => $group,
seltype => "slapd_db_t",
require => Package["openldap-server"],
}
}
selinux::manage_fcontext { "/srv/ldap(/.*)?":
type => "slapd_db_t",
before => File["/srv/ldap"],
}
if $ldap_datadir {
selinux::manage_fcontext { "${ldap_datadir}(/.*)?":
type => "slapd_db_t",
before => File[$ldap_datadir],
}
}
file { "${config}/schema":
ensure => directory,
source => "puppet:///modules/custom/empty",
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
purge => true,
recurse => true,
force => true,
require => Package["openldap-server"],
notify => Exec["generate-slapd-schema-config"],
}
file { "${config}/slapd.conf.d/schema.conf":
ensure => present,
mode => "0640",
owner => "root",
group => $group,
require => Exec["generate-slapd-schema-config"],
}
exec { "generate-slapd-schema-config":
command => "find ${config}/schema/ -name [0-9][0-9]-\\*.schema -exec echo 'include {}' \\; | sort -n > ${config}/slapd.conf.d/schema.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
require => File["${config}/slapd.conf.d"],
notify => Exec["slaptest"],
}
ldap::server::schema { [ "core", "cosine", "ppolicy", ]:
idx => 10,
}
file { "${config}/slapd.conf.d/database.conf":
ensure => present,
mode => "0640",
owner => "root",
group => $group,
require => Exec["generate-slapd-database-config"],
notify => Exec["slaptest"],
}
exec { "generate-slapd-database-config":
command => "find ${config}/slapd.conf.d/db.*.conf -exec echo 'include {}' \\; > ${config}/slapd.conf.d/database.conf",
path => "/bin:/usr/bin:/sbin:/usr/sbin",
refreshonly => true,
notify => Exec["slaptest"],
}
}
# Create new LDAP database.
#
# === Parameters
#
# $name:
# Database suffix (base DN).
#
# $aclsource:
# Source file for custom ACL's. Default is to use template.
#
# $master:
# Master LDAP server URI when creating slave database.
#
# $syncpw:
# Password for uid=replicator,cn=config,${name} user on master.
# Only needed for slave databases.
#
# $rid:
# Replica ID. Must be unique per replica per database.
#
# $moduleoptions:
# Options for overlay modules.
#
# === Sample usage
#
# ldap::server::database { "dc=example,dc=com":
# moduleoptions => [ "smbkrb5pwd-enable=samba", ]
# }
#
define ldap::server::database($aclsource = "", $master = "", $syncpw = "", $rid = "", $moduleoptions = []) {
include ldap::server
if $rid == "" {
$rid_real = fqdn_rand(999)
} else {
$rid_real = $rid
}
file { "${ldap::server::config}/slapd.conf.d/db.${name}.conf":
ensure => present,
content => template("ldap/slapd-database.conf.erb"),
mode => "0640",
owner => "root",
group => $ldap::server::group,
notify => Exec["generate-slapd-database-config"],
}
file { "${ldap::server::config}/slapd.conf.d/acl.${name}.conf":
ensure => present,
source => $aclsource ? {
"" => undef,
default => $aclsource,
},
content => $aclsource ? {
"" => template("ldap/slapd-acl.conf.erb"),
default => undef,
},
mode => "0640",
owner => "root",
group => $ldap::server::group,
notify => Exec["slaptest"],
}
file { "${ldap::server::config}/slapd.conf.d/index.${name}.conf":
ensure => present,
source => [ "puppet:///files/ldap/slapd-index.conf.${name}",
"puppet:///files/ldap/slapd-index.conf",
"puppet:///modules/ldap/slapd-index.conf", ],
mode => "0640",
owner => "root",
group => $ldap::server::group,
notify => Exec["slaptest"],
}
file { "/srv/ldap/${name}":
ensure => directory,
mode => "0700",
owner => $ldap::server::user,
group => $ldap::server::group,
seltype => "slapd_db_t",
require => File["/srv/ldap"],
}
file { "/srv/ldap/${name}/DB_CONFIG":
ensure => present,
source => [ "puppet:///files/ldap/DB_CONFIG.${name}",
"puppet:///files/ldap/DB_CONFIG",
"puppet:///modules/ldap/DB_CONFIG", ],
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
seltype => "slapd_db_t",
require => File["/srv/ldap/${name}"],
before => Exec["slaptest"],
}
}
# Install custom schema to OpenLDAP.
#
# === Parameters
#
# $name:
# Schema name.
#
# $idx:
# Schema load order. Defaults to 50.
#
# === Sample usage
#
# ldap::server::schema { "samba": }
#
define ldap::server::schema($idx = 50) {
include ldap::server
file { "${name}.schema":
ensure => present,
path => "${ldap::server::config}/schema/${idx}-${name}.schema",
source => [ "puppet:///files/ldap/${name}.schema",
"puppet:///modules/ldap/${name}.schema", ],
mode => "0644",
owner => "root",
group => $::operatingsystem ? {
"openbsd" => "wheel",
default => "root",
},
require => Package["openldap-server"],
notify => Exec["generate-slapd-schema-config"],
}
}
Reference in a new issue View git blame Copy permalink