Merge branch 'dev'
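# Client-side LDAP integration for a host.
#
# Installs the OpenLDAP client tooling, takes ownership of /etc/openldap and,
# only when the puppet password seed file exists on the master, wires
# pam_ldap into the PAM stacks so LDAP users can authenticate (auth/account)
# and change their password (password) ahead of pam_unix.
#
# Hiera keys read: base_installation::puppet_pass_seed,
# base_installation::ldap_server, base_installation::ldap_base,
# base_installation::ldap_dn.
#
# NOTE(review): the rendered templates are not visible here, so whether the
# client and pam_ldap configuration enforce TLS (certificate checking, no
# cleartext binds) must be confirmed in ldap.conf.erb / pam_ldap.conf.erb --
# pam_ldap sends the bind password and user passwords to $ldap_server.
class base_installation::ldap inherits base_installation {
  ensure_packages(["openldap"])

  # Resource defaults for every file declared in this class. Puppet adds the
  # execute bit to a directory wherever the read bit is set, so "0644" yields
  # 0755 on /etc/openldap itself.
  File {
    mode  => "0644",
    owner => "root",
    group => "root",
  }

  # /etc/openldap is fully owned by Puppet: purge + force delete anything
  # under it that is not declared in the catalog. Hand-edited files, TLS
  # material or slapd configuration must not be kept under this path.
  file { '/etc/openldap':
    ensure  => directory,
    require => Package["openldap"],
    recurse => true,
    purge   => true,
    force   => true,
  }

  # Client defaults for the OpenLDAP tools. No credentials belong in this
  # file, so the world-readable default mode from above is kept.
  file { '/etc/openldap/ldap.conf':
    ensure  => present,
    content => template("base_installation/ldap/ldap.conf.erb"),
    require => File['/etc/openldap'],
  }

  $password_seed = lookup("base_installation::puppet_pass_seed")

  # The bind password is derived from the seed file on the master; without
  # it there is nothing to put into pam_ldap.conf, so the PAM wiring is
  # skipped entirely.
  # NOTE(review): nothing in this class sets the pam_ldap entries or
  # /etc/pam_ldap.conf to absent, so a host that was configured once keeps
  # them (with the old password) if the seed file later disappears.
  unless empty(find_file($password_seed)) {
    $ldap_server    = lookup("base_installation::ldap_server")
    $ldap_base      = lookup("base_installation::ldap_base")
    $ldap_dn        = lookup("base_installation::ldap_dn")
    $ldap_password  = generate_password(24, $password_seed, "ldap")
    $ldap_attribute = "uid"

    ensure_packages(["pam_ldap", "ruby-augeas"])

    # Carries the bind DN and the derived bind password into pam_ldap (see
    # the template), hence readable by root only. Ordered after the package
    # so the package install never races with our managed content.
    file { "/etc/pam_ldap.conf":
      ensure  => "present",
      mode    => "0400",
      owner   => "root",
      group   => "root",
      content => template("base_installation/ldap/pam_ldap.conf.erb"),
      require => Package["pam_ldap"],
    }

    # Shared PAM control/arguments for every pam_ldap line below, so the
    # auth, account and password stacks cannot drift apart:
    #   success=done             LDAP said yes: stop here, pam_unix is skipped
    #   authinfo_unavail=ignore  LDAP unreachable: fall through to pam_unix
    #   ignore=ignore            user unknown to LDAP (ignore_unknown_user):
    #                            fall through to pam_unix
    #   default=bad              any other answer (e.g. a wrong LDAP password)
    #                            fails the whole stack even if pam_unix passes
    $pam_ldap_control   = "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]"
    $pam_ldap_arguments = ["ignore_unknown_user", "ignore_authinfo_unavail"]

    # A pam_ldap.so line must only appear once the module is installed and
    # its configuration exists: Linux-PAM treats a line whose module cannot
    # be loaded as a failing entry, which combined with default=bad could
    # lock local users out for the rest of the run. ruby-augeas backs the
    # pam provider itself.
    $pam_ldap_require = [
      Package["pam_ldap"],
      Package["ruby-augeas"],
      File["/etc/pam_ldap.conf"],
    ]

    # Password changes go to LDAP first; pam_unix is not reached on success.
    ["system-auth", "passwd"].each |$service| {
      pam { "Allow to change ldap password via $service":
        ensure    => present,
        service   => $service,
        type      => "password",
        control   => $pam_ldap_control,
        module    => "pam_ldap.so",
        arguments => $pam_ldap_arguments,
        position  => 'before *[type="password" and module="pam_unix.so"]',
        require   => $pam_ldap_require,
      }
    }

    # Authentication and account checks for logins and su/su-l.
    ["system-auth", "su", "su-l"].each |$service| {
      ["auth", "account"].each |$type| {
        pam { "Allow $service to $type with ldap password":
          ensure    => present,
          service   => $service,
          type      => $type,
          control   => $pam_ldap_control,
          module    => "pam_ldap.so",
          arguments => $pam_ldap_arguments,
          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
          require   => $pam_ldap_require,
        }
      }
    }
  }
}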