diff options
author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-30 15:53:16 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-30 17:29:42 +0200 |
commit | 7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e (patch) | |
tree | 3f777d7c00e38d1d4d7c442f53acabfbd8ccdd8b | |
parent | 41790868cb155d490975e8e4480ddd2c889a3e75 (diff) | |
download | Puppet-7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e.tar.gz Puppet-7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e.tar.zst Puppet-7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e.zip |
Add ldap authentication
-rw-r--r-- | .gitmodules | 6 | ||||
m--------- | external_modules/augeasproviders_core | 0 | ||||
m--------- | external_modules/augeasproviders_pam | 0 | ||||
-rw-r--r-- | modules/base_installation/manifests/ldap.pp | 41 | ||||
-rw-r--r-- | modules/base_installation/templates/ldap/pam_ldap.conf.erb | 7 |
5 files changed, 54 insertions, 0 deletions
diff --git a/.gitmodules b/.gitmodules index d68cf4e..f8ff2b7 100644 --- a/.gitmodules +++ b/.gitmodules | |||
@@ -67,3 +67,9 @@ | |||
67 | [submodule "external_modules/patch"] | 67 | [submodule "external_modules/patch"] |
68 | path = external_modules/patch | 68 | path = external_modules/patch |
69 | url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git | 69 | url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git |
70 | [submodule "external_modules/augeasproviders_pam"] | ||
71 | path = external_modules/augeasproviders_pam | ||
72 | url = git://git.immae.eu/github/hercules-team/augeasproviders_pam.git | ||
73 | [submodule "external_modules/augeasproviders_core"] | ||
74 | path = external_modules/augeasproviders_core | ||
75 | url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git | ||
diff --git a/external_modules/augeasproviders_core b/external_modules/augeasproviders_core new file mode 160000 | |||
Subproject 604680cb5fe7e32fd1ad1051fc34ef100a4d692 | |||
diff --git a/external_modules/augeasproviders_pam b/external_modules/augeasproviders_pam new file mode 160000 | |||
Subproject e20796872f094c56a201519bab7716f099c7881 | |||
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 1825700..acc0014 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp | |||
@@ -21,4 +21,45 @@ class base_installation::ldap inherits base_installation { | |||
21 | require => File['/etc/openldap'], | 21 | require => File['/etc/openldap'], |
22 | } | 22 | } |
23 | 23 | ||
24 | $password_seed = lookup("base_installation::puppet_pass_seed") | ||
25 | $ldap_server = lookup("base_installation::ldap_server") | ||
26 | $ldap_base = lookup("base_installation::ldap_base") | ||
27 | $ldap_dn = lookup("base_installation::ldap_dn") | ||
28 | $ldap_password = generate_password(24, $password_seed, "ldap") | ||
29 | $ldap_attribute = "uid" | ||
30 | |||
31 | ensure_packages(["pam_ldap"]) | ||
32 | file { "/etc/pam_ldap.conf": | ||
33 | ensure => "present", | ||
34 | mode => "0400", | ||
35 | owner => "root", | ||
36 | group => "root", | ||
37 | content => template("base_installation/ldap/pam_ldap.conf.erb"), | ||
38 | } | ||
39 | |||
40 | ["system-auth", "passwd"].each |$service| { | ||
41 | pam { "Allow to change ldap password via $service": | ||
42 | ensure => present, | ||
43 | service => $service, | ||
44 | type => "password", | ||
45 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", | ||
46 | module => "pam_ldap.so", | ||
47 | arguments => "ignore_unknown_user", | ||
48 | position => 'before *[type="password" and module="pam_unix.so"]', | ||
49 | } | ||
50 | } | ||
51 | |||
52 | ["system-auth", "su", "su-l"].each |$service| { | ||
53 | ["auth", "account"].each |$type| { | ||
54 | pam { "Allow $service to $type with ldap password": | ||
55 | ensure => present, | ||
56 | service => $service, | ||
57 | type => $type, | ||
58 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", | ||
59 | module => "pam_ldap.so", | ||
60 | arguments => "ignore_unknown_user", | ||
61 | position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", | ||
62 | } | ||
63 | } | ||
64 | } | ||
24 | } | 65 | } |
diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb new file mode 100644 index 0000000..f07490a --- /dev/null +++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb | |||
@@ -0,0 +1,7 @@ | |||
1 | host <%= @ldap_server %> | ||
2 | |||
3 | base <%= @ldap_base %> | ||
4 | binddn <%= @ldap_dn %> | ||
5 | bindpw <%= @ldap_password %> | ||
6 | pam_login_attribute <%= @ldap_attribute %> | ||
7 | |||