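# Joins the host to LDAP: installs openldap, manages /etc/openldap (purging
# anything under it that is not declared here) and, only when the puppet
# password seed file can be found, configures pam_ldap and inserts it into the
# PAM password/auth/account stacks ahead of pam_unix.
class base_installation::ldap inherits base_installation {
  ensure_packages(['openldap'])

  # Defaults for every file resource declared in this class.
  File {
    mode  => '0644',
    owner => 'root',
    group => 'root',
  }

  # NOTE: recurse + purge + force delete anything below /etc/openldap that no
  # file resource manages, so every file expected to survive must be declared.
  file { '/etc/openldap':
    ensure  => directory,
    require => Package['openldap'],
    recurse => true,
    purge   => true,
    force   => true,
  }

  file { '/etc/openldap/ldap.conf':
    ensure  => present,
    content => template('base_installation/ldap/ldap.conf.erb'),
    require => File['/etc/openldap'],
  }

  # The PAM integration is gated on find_file() locating the seed file: without
  # it no LDAP password can be derived, so the PAM stacks are left untouched
  # rather than being wired to a module with an unusable credential.
  $password_seed = lookup('base_installation::puppet_pass_seed')
  unless empty(find_file($password_seed)) {
    $ldap_server    = lookup('base_installation::ldap_server')
    $ldap_base      = lookup('base_installation::ldap_base')
    $ldap_dn        = lookup('base_installation::ldap_dn')
    # Derived from the seed; consumed by the templates rendered below.
    $ldap_password  = generate_password(24, $password_seed, 'ldap')
    $ldap_attribute = 'uid'

    ensure_packages(['pam_ldap', 'ruby-augeas'])

    # Root-only (0400): the rendered config presumably carries the bind
    # credential — confirm against pam_ldap.conf.erb. Ordered after the
    # package, as ldap.conf is after openldap, so the packaged default file
    # is never laid down on top of the managed content.
    file { '/etc/pam_ldap.conf':
      ensure  => present,
      mode    => '0400',
      owner   => 'root',
      group   => 'root',
      content => template('base_installation/ldap/pam_ldap.conf.erb'),
      require => Package['pam_ldap'],
    }

    # Every PAM entry below references pam_ldap.so with `default=bad`, so it
    # must not appear in a stack before the module and its config exist or a
    # login attempted mid-run can fail. ruby-augeas is what the pam provider
    # itself needs to edit the stacks.
    $pam_requires = [
      Package['pam_ldap'],
      Package['ruby-augeas'],
      File['/etc/pam_ldap.conf'],
    ]
    # Shared control/argument strings keep the password and auth/account
    # entries identical; `ignore_unknown_user` lets local accounts fall
    # through to pam_unix.
    $pam_control   = '[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]'
    $pam_arguments = ['ignore_unknown_user', 'ignore_authinfo_unavail']

    ['system-auth', 'passwd'].each |$service| {
      pam { "Allow to change ldap password via ${service}":
        ensure    => present,
        service   => $service,
        type      => 'password',
        control   => $pam_control,
        module    => 'pam_ldap.so',
        arguments => $pam_arguments,
        position  => 'before *[type="password" and module="pam_unix.so"]',
        require   => $pam_requires,
      }
    }

    ['system-auth', 'su', 'su-l'].each |$service| {
      ['auth', 'account'].each |$type| {
        pam { "Allow ${service} to ${type} with ldap password":
          ensure    => present,
          service   => $service,
          type      => $type,
          control   => $pam_control,
          module    => 'pam_ldap.so',
          arguments => $pam_arguments,
          position  => "before *[type=\"${type}\" and module=\"pam_unix.so\"]",
          require   => $pam_requires,
        }
      }
    }
  }
}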