Add ldap authentication
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 30 Jun 2018 13:53:16 +0000 (15:53 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 30 Jun 2018 15:29:42 +0000 (17:29 +0200)
.gitmodules
external_modules/augeasproviders_core [new submodule]
external_modules/augeasproviders_pam [new submodule]
modules/base_installation/manifests/ldap.pp
modules/base_installation/templates/ldap/pam_ldap.conf.erb [new file with mode: 0644]

index d68cf4e6b0533f72af19a5ffa8ef25a8d0c34c8b..f8ff2b7d2408139af6eb886f46869c94323e2b14 100644 (file)
@@ -67,3 +67,9 @@
 [submodule "external_modules/patch"]
        path = external_modules/patch
        url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git
+[submodule "external_modules/augeasproviders_pam"]
+       path = external_modules/augeasproviders_pam
+       url = git://git.immae.eu/github/hercules-team/augeasproviders_pam.git
+[submodule "external_modules/augeasproviders_core"]
+       path = external_modules/augeasproviders_core
+       url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
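Review bot: The two new submodules are fetched over `git://` (lines 20 and 23), a transport with no encryption or server authentication. The superproject pins each one by commit id (the `Subproject commit` lines further down), which covers the integrity of what is checked out, but a redirected or stale mirror cannot be detected at fetch time and the pin only helps if nobody later bumps it without reviewing the new content. The existing entry above uses the same scheme, so this is consistent with the file; if the mirror also serves `https://`, switching the `url` values to it with the same path would close the gap without changing the layout.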
diff --git a/external_modules/augeasproviders_core b/external_modules/augeasproviders_core
new file mode 160000 (submodule)
index 0000000..604680c
--- /dev/null
@@ -0,0 +1 @@
+Subproject commit 604680cb5fe7e32fd1ad1051fc34ef100a4d6923
diff --git a/external_modules/augeasproviders_pam b/external_modules/augeasproviders_pam
new file mode 160000 (submodule)
index 0000000..e207968
--- /dev/null
@@ -0,0 +1 @@
+Subproject commit e20796872f094c56a201519bab7716f099c78819
index 1825700ede6d3fb588cc42ba26375bcc3e57816e..acc0014a9153f6a8914d29a80ab9396c2086947c 100644 (file)
@@ -21,4 +21,45 @@ class base_installation::ldap inherits base_installation {
     require => File['/etc/openldap'],
   }
 
+  $password_seed  = lookup("base_installation::puppet_pass_seed")
+  $ldap_server    = lookup("base_installation::ldap_server")
+  $ldap_base      = lookup("base_installation::ldap_base")
+  $ldap_dn        = lookup("base_installation::ldap_dn")
+  $ldap_password  = generate_password(24, $password_seed, "ldap")
+  $ldap_attribute = "uid"
+
+  ensure_packages(["pam_ldap"])
+  file { "/etc/pam_ldap.conf":
+    ensure  => "present",
+    mode    => "0400",
+    owner   => "root",
+    group   => "root",
+    content => template("base_installation/ldap/pam_ldap.conf.erb"),
+  }
+
+  ["system-auth", "passwd"].each |$service| {
+    pam { "Allow to change ldap password via $service":
+      ensure    => present,
+      service   => $service,
+      type      => "password",
+      control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+      module    => "pam_ldap.so",
+      arguments => "ignore_unknown_user",
+      position  => 'before *[type="password" and module="pam_unix.so"]',
+    }
+  }
+
+  ["system-auth", "su", "su-l"].each |$service| {
+    ["auth", "account"].each |$type| {
+      pam { "Allow $service to $type with ldap password":
+        ensure    => present,
+        service   => $service,
+        type      => $type,
+        control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+        module    => "pam_ldap.so",
+        arguments => "ignore_unknown_user",
+        position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+      }
+    }
+  }
 }
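Review bot: Nothing in the hunk orders the pam resources after `Package['pam_ldap']` and `File['/etc/pam_ldap.conf']` (lines 48-55), so on a run where the package fails to install the system-auth, su and passwd stacks would still reference pam_ldap.so, and with `default=bad` a module that cannot be loaded is likely to fail those stacks for local users as well; adding `require => [Package['pam_ldap'], File['/etc/pam_ldap.conf']]` to both pam resources makes the dependency explicit. `success=done` in the control string at lines 62 and 75 also ends the stack on an LDAP success, so any module placed after pam_unix.so in these services runs for local users but not for LDAP users — whether that is acceptable depends on the existing stacks, which are not visible here. The same control literal is repeated in both loops and the `position` expression is quoted two different ways (lines 65 and 78); hoisting `$ldap_control = "[success=done new_authtok_reqd=ok ignore=ignore default=bad]"` above the loops and using one quoting style would make the two blocks easier to audit. The body of class base_installation::ldap starts outside the hunk.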
diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb
new file mode 100644 (file)
index 0000000..f07490a
--- /dev/null
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
+
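Review bot: The template sets `host`, `binddn` and `bindpw` (lines 88-92) but no transport security, so the bind password and every user password sent for authentication or a password change would travel to the server in plaintext unless the server itself refuses unencrypted binds. Adding `ssl start_tls` (or `uri ldaps://<ldap server>` in place of `host`) together with `tls_checkpeer yes` and `tls_cacertfile <CA bundle path>` pins the server identity; those values fit the same hiera lookups the manifest already uses for the server and base. Since the commit also places pam_ldap in the `password` stack, `pam_password exop` is worth setting explicitly if the server supports the password-modify extended operation, as the documented default for that option is `clear`.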