From: Ismaël Bouya <ismael.bouya@normalesup.org>
Date: Sat, 30 Jun 2018 16:17:34 +0000 (+0200)
Subject: Don’t add ldap authentication on first pass
X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;ds=sidebyside;h=f84d9190aa7e14ae13256e1d6a47a1be09506674;p=perso%2FImmae%2FProjets%2FPuppet.git

Don’t add ldap authentication on first pass
---

diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index d5d871c..5a35327 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -22,46 +22,48 @@ class base_installation::ldap inherits base_installation {
   }
 
   $password_seed  = lookup("base_installation::puppet_pass_seed")
-  $ldap_server    = lookup("base_installation::ldap_server")
-  $ldap_base      = lookup("base_installation::ldap_base")
-  $ldap_dn        = lookup("base_installation::ldap_dn")
-  $ldap_password  = generate_password(24, $password_seed, "ldap")
-  $ldap_attribute = "uid"
+  unless empty(find_file($password_seed)) {
+    $ldap_server    = lookup("base_installation::ldap_server")
+    $ldap_base      = lookup("base_installation::ldap_base")
+    $ldap_dn        = lookup("base_installation::ldap_dn")
+    $ldap_password  = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "uid"
 
-  ensure_packages(["pam_ldap", "ruby-augeas"])
-  file { "/etc/pam_ldap.conf":
-    ensure  => "present",
-    mode    => "0400",
-    owner   => "root",
-    group   => "root",
-    content => template("base_installation/ldap/pam_ldap.conf.erb"),
-  }
-
-  ["system-auth", "passwd"].each |$service| {
-    pam { "Allow to change ldap password via $service":
-      ensure    => present,
-      service   => $service,
-      type      => "password",
-      control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
-      module    => "pam_ldap.so",
-      arguments => "ignore_unknown_user",
-      position  => 'before *[type="password" and module="pam_unix.so"]',
-      require   => Package["ruby-augeas"],
+    ensure_packages(["pam_ldap", "ruby-augeas"])
+    file { "/etc/pam_ldap.conf":
+      ensure  => "present",
+      mode    => "0400",
+      owner   => "root",
+      group   => "root",
+      content => template("base_installation/ldap/pam_ldap.conf.erb"),
     }
-  }
 
-  ["system-auth", "su", "su-l"].each |$service| {
-    ["auth", "account"].each |$type| {
-      pam { "Allow $service to $type with ldap password":
+    ["system-auth", "passwd"].each |$service| {
+      pam { "Allow to change ldap password via $service":
         ensure    => present,
         service   => $service,
-        type      => $type,
+        type      => "password",
         control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
         module    => "pam_ldap.so",
         arguments => "ignore_unknown_user",
-        position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+        position  => 'before *[type="password" and module="pam_unix.so"]',
         require   => Package["ruby-augeas"],
       }
     }
+
+    ["system-auth", "su", "su-l"].each |$service| {
+      ["auth", "account"].each |$type| {
+        pam { "Allow $service to $type with ldap password":
+          ensure    => present,
+          service   => $service,
+          type      => $type,
+          control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+          module    => "pam_ldap.so",
+          arguments => "ignore_unknown_user",
+          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+          require   => Package["ruby-augeas"],
+        }
+      }
+    }
   }
 }