Don’t add ldap authentication on first pass
authorIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 30 Jun 2018 16:17:34 +0000 (18:17 +0200)
committerIsmaël Bouya <ismael.bouya@normalesup.org>
Sat, 30 Jun 2018 16:17:34 +0000 (18:17 +0200)
modules/base_installation/manifests/ldap.pp

index d5d871c2eb5d22226e415e6976cf916303d47d57..5a3532716793a7ac84b2700cc685d735071d2aac 100644 (file)
@@ -22,46 +22,48 @@ class base_installation::ldap inherits base_installation {
   }
 
   $password_seed  = lookup("base_installation::puppet_pass_seed")
-  $ldap_server    = lookup("base_installation::ldap_server")
-  $ldap_base      = lookup("base_installation::ldap_base")
-  $ldap_dn        = lookup("base_installation::ldap_dn")
-  $ldap_password  = generate_password(24, $password_seed, "ldap")
-  $ldap_attribute = "uid"
+  unless empty(find_file($password_seed)) {
+    $ldap_server    = lookup("base_installation::ldap_server")
+    $ldap_base      = lookup("base_installation::ldap_base")
+    $ldap_dn        = lookup("base_installation::ldap_dn")
+    $ldap_password  = generate_password(24, $password_seed, "ldap")
+    $ldap_attribute = "uid"
 
-  ensure_packages(["pam_ldap", "ruby-augeas"])
-  file { "/etc/pam_ldap.conf":
-    ensure  => "present",
-    mode    => "0400",
-    owner   => "root",
-    group   => "root",
-    content => template("base_installation/ldap/pam_ldap.conf.erb"),
-  }
-
-  ["system-auth", "passwd"].each |$service| {
-    pam { "Allow to change ldap password via $service":
-      ensure    => present,
-      service   => $service,
-      type      => "password",
-      control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
-      module    => "pam_ldap.so",
-      arguments => "ignore_unknown_user",
-      position  => 'before *[type="password" and module="pam_unix.so"]',
-      require   => Package["ruby-augeas"],
+    ensure_packages(["pam_ldap", "ruby-augeas"])
+    file { "/etc/pam_ldap.conf":
+      ensure  => "present",
+      mode    => "0400",
+      owner   => "root",
+      group   => "root",
+      content => template("base_installation/ldap/pam_ldap.conf.erb"),
     }
-  }
 
-  ["system-auth", "su", "su-l"].each |$service| {
-    ["auth", "account"].each |$type| {
-      pam { "Allow $service to $type with ldap password":
+    ["system-auth", "passwd"].each |$service| {
+      pam { "Allow to change ldap password via $service":
         ensure    => present,
         service   => $service,
-        type      => $type,
+        type      => "password",
         control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
         module    => "pam_ldap.so",
         arguments => "ignore_unknown_user",
-        position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+        position  => 'before *[type="password" and module="pam_unix.so"]',
         require   => Package["ruby-augeas"],
       }
     }
+
+    ["system-auth", "su", "su-l"].each |$service| {
+      ["auth", "account"].each |$type| {
+        pam { "Allow $service to $type with ldap password":
+          ensure    => present,
+          service   => $service,
+          type      => $type,
+          control   => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+          module    => "pam_ldap.so",
+          arguments => "ignore_unknown_user",
+          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+          require   => Package["ruby-augeas"],
+        }
+      }
+    }
   }
 }
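Review bot: The new `unless empty(find_file($password_seed))` guard at the top of the hunk makes the entire LDAP/PAM configuration disappear silently when the seed file is not found, with nothing in the agent report to show that LDAP authentication was skipped. An explicit else branch such as `else { warning("ldap: seed file ${password_seed} not found, skipping LDAP authentication for this run") }` would make the first-pass state visible rather than leaving an operator to discover the missing `pam_ldap.so` entries by hand. Note also that when the branch is skipped, `/etc/pam_ldap.conf` and the `pam` resources become unmanaged rather than ensured absent, so a host that once had the seed file would keep its old `pam_ldap.so` lines and the 0400 config containing the generated password if the file later vanishes; if that is the intended bootstrap behaviour, a comment above the `unless` saying so would help the next maintainer. `find_file` appears to resolve the path on the master side, so the check presumably reflects the master's filesystem rather than the agent's — worth confirming that this matches where `generate_password` reads the seed.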