authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-30 15:53:16 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-30 17:29:42 +0200
commit7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e (patch)
tree3f777d7c00e38d1d4d7c442f53acabfbd8ccdd8b /modules
parent41790868cb155d490975e8e4480ddd2c889a3e75 (diff)
Add ldap authentication
Diffstat (limited to 'modules')
-rw-r--r--modules/base_installation/manifests/ldap.pp41
-rw-r--r--modules/base_installation/templates/ldap/pam_ldap.conf.erb7
2 files changed, 48 insertions, 0 deletions
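--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -21,4 +21,45 @@ class base_installation::ldap inherits base_installation {
 require => File['/etc/openldap'],
 }
 
+$password_seed = lookup("base_installation::puppet_pass_seed")
+$ldap_server = lookup("base_installation::ldap_server")
+$ldap_base = lookup("base_installation::ldap_base")
+$ldap_dn = lookup("base_installation::ldap_dn")
+$ldap_password = generate_password(24, $password_seed, "ldap")
+$ldap_attribute = "uid"
+
+ensure_packages(["pam_ldap"])
+file { "/etc/pam_ldap.conf":
+ensure => "present",
+mode => "0400",
+owner => "root",
+group => "root",
+content => template("base_installation/ldap/pam_ldap.conf.erb"),
+}
+
+["system-auth", "passwd"].each |$service| {
+pam { "Allow to change ldap password via $service":
+ensure => present,
+service => $service,
+type => "password",
+control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+module => "pam_ldap.so",
+arguments => "ignore_unknown_user",
+position => 'before *[type="password" and module="pam_unix.so"]',
+}
+}
+
+["system-auth", "su", "su-l"].each |$service| {
+["auth", "account"].each |$type| {
+pam { "Allow $service to $type with ldap password":
+ensure => present,
+service => $service,
+type => $type,
+control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
+module => "pam_ldap.so",
+arguments => "ignore_unknown_user",
+position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+}
+}
+}
 }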
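Review bot: The new `file { "/etc/pam_ldap.conf": ... }` resource renders `bindpw` into its content but does not set `show_diff => false`, so any later change to that content would be printed by the agent and kept in reports as a diff of a file holding the LDAP bind password; add `show_diff => false,` next to `content`. Neither the file nor the `pam` resources declare `require => Package['pam_ldap']`; with default manifest ordering this probably applies in the right order, but stating the dependency keeps the PAM stacks from ever referencing `pam_ldap.so` before the module is installed. As a matter of style, the control string `[success=done new_authtok_reqd=ok ignore=ignore default=bad]` is repeated in both loops and the `position` argument mixes single and double quoting between them; hoisting the control into one `$ldap_control` variable would keep the two stacks in sync. The enclosing class `base_installation::ldap` starts before this hunk.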
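--- /dev/null
+++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb
@@ -0,0 +1,7 @@
+host <%= @ldap_server %>
+
+base <%= @ldap_base %>
+binddn <%= @ldap_dn %>
+bindpw <%= @ldap_password %>
+pam_login_attribute <%= @ldap_attribute %>
+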
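Review bot: The template sets `host` with no `ssl` or `tls_*` directive, so unless `base_installation::ldap_server` resolves to a server pam_ldap already reaches over TLS, the `bindpw` written on line 5 and every user password checked through the PAM stacks travel to the directory in cleartext on the default port. Consider adding `ssl start_tls` and `tls_checkpeer yes` (with a `tls_cacertfile` naming the CA that signed the server certificate) below the `host` line, or switching to a `uri ldaps://...` entry. The `pam_password` method is also left at its default; it is worth setting it explicitly so password changes made through the `passwd`/`system-auth` stacks use the hashing scheme the server expects.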