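# Client-side LDAP configuration for a host managed by base_installation.
#
# Always installs openldap and manages /etc/openldap/ldap.conf. Only when the
# puppet password seed (base_installation::puppet_pass_seed) can be found as a
# file does it additionally install pam_ldap, render /etc/pam_ldap.conf and
# splice pam_ldap.so into the PAM auth/account/password stacks ahead of
# pam_unix.so, so that LDAP users can log in, use su and change their password.
#
# Hiera keys read: base_installation::puppet_pass_seed, ::ldap_server,
# ::ldap_base, ::ldap_dn. $ldap_password is derived deterministically from the
# seed via generate_password() and is only rendered into /etc/pam_ldap.conf
# (mode 0400).
class base_installation::ldap inherits base_installation {
  ensure_packages(["openldap"])

  # Resource defaults for every file{} declared in this class.
  # NOTE(review): Puppet resource defaults are dynamically scoped, so they also
  # apply to any class declared from within this one; keep that in mind before
  # declaring other classes here.
  File {
    mode  => "0644",
    owner => "root",
    group => "root",
  }

  # recurse+purge+force deletes anything under /etc/openldap that Puppet does
  # not manage (package-shipped schema/ and slapd.conf, hand-dropped CA
  # bundles, ...). Deliberate for a pure LDAP client, but it makes this class
  # unsuitable for a host that also runs slapd or that keeps its TLS CA
  # certificate in this directory.
  file { '/etc/openldap':
    ensure  => directory,
    require => Package["openldap"],
    recurse => true,
    purge   => true,
    force   => true,
  }

  # World-readable (0644 from the defaults above), so the template must not
  # embed bind credentials -- those belong in /etc/pam_ldap.conf below.
  file { '/etc/openldap/ldap.conf':
    ensure  => present,
    content => template("base_installation/ldap/ldap.conf.erb"),
    require => File['/etc/openldap'],
  }

  # find_file() yields undef when the seed file is absent and empty() treats
  # that as empty, so the whole PAM integration is skipped when the seed is
  # not available to the compiling master.
  $password_seed = lookup("base_installation::puppet_pass_seed")
  unless empty(find_file($password_seed)) {
    $ldap_server    = lookup("base_installation::ldap_server")
    $ldap_base      = lookup("base_installation::ldap_base")
    $ldap_dn        = lookup("base_installation::ldap_dn")
    # Deterministic 24-character bind password derived from the seed; the LDAP
    # entry $ldap_dn must have been provisioned with the same derivation.
    # Not wrapped in Sensitive() because the ERB template reads it as a plain
    # string -- TODO(review): consider Sensitive() plus unwrap in the template
    # so the value is redacted from reports and logs.
    $ldap_password  = generate_password(24, $password_seed, "ldap")
    $ldap_attribute = "uid"

    ensure_packages(["pam_ldap", "ruby-augeas"])

    # Holds the bind DN and password, hence 0400 root:root. Explicitly ordered
    # after the package so that installing pam_ldap can neither conflict with
    # nor overwrite a config file Puppet wrote first.
    file { "/etc/pam_ldap.conf":
      ensure  => present,
      mode    => "0400",
      owner   => "root",
      group   => "root",
      content => template("base_installation/ldap/pam_ldap.conf.erb"),
      require => Package["pam_ldap"],
    }

    # PAM line shared by every pam_ldap.so entry below. Control field:
    #   success=done            -- LDAP said yes: the stack stops here, so
    #                              pam_unix.so and every module after it do NOT
    #                              run for LDAP users (check the target
    #                              system-auth for modules placed after
    #                              pam_unix, e.g. pam_env or pam_faillock
    #                              authsucc, that this skips).
    #   new_authtok_reqd=ok     -- expired LDAP password still counts as a
    #                              success; the stack continues.
    #   authinfo_unavail=ignore -- LDAP server unreachable: fall through to
    #                              pam_unix.so so local accounts keep working.
    #   ignore=ignore           -- ignore_unknown_user makes non-LDAP users
    #                              fall through to pam_unix.so.
    #   default=bad             -- any other LDAP failure (wrong password, ...)
    #                              fails the stack; pam_unix.so still runs but
    #                              cannot rescue the overall result.
    $pam_ldap_control   = "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]"
    $pam_ldap_arguments = ["ignore_unknown_user", "ignore_authinfo_unavail"]
    # The pam type comes from augeasproviders and needs ruby-augeas. The module
    # binary and its config are required as well so the PAM stack never refers
    # to a pam_ldap.so that is not installed yet: with default=bad, a module
    # that cannot be loaded would fail every login until the package arrives.
    $pam_ldap_require   = [Package["ruby-augeas"], Package["pam_ldap"], File["/etc/pam_ldap.conf"]]

    # Let LDAP users change their password via passwd and the system-auth
    # password stack.
    ["system-auth", "passwd"].each |$service| {
      pam { "Allow to change ldap password via ${service}":
        ensure    => present,
        service   => $service,
        type      => "password",
        control   => $pam_ldap_control,
        module    => "pam_ldap.so",
        arguments => $pam_ldap_arguments,
        position  => 'before *[type="password" and module="pam_unix.so"]',
        require   => $pam_ldap_require,
      }
    }

    # Let LDAP users authenticate and pass account checks for logins
    # (system-auth) as well as su and su -l.
    ["system-auth", "su", "su-l"].each |$service| {
      ["auth", "account"].each |$type| {
        pam { "Allow ${service} to ${type} with ldap password":
          ensure    => present,
          service   => $service,
          type      => $type,
          control   => $pam_ldap_control,
          module    => "pam_ldap.so",
          arguments => $pam_ldap_arguments,
          position  => "before *[type=\"${type}\" and module=\"pam_unix.so\"]",
          require   => $pam_ldap_require,
        }
      }
    }
  }
}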