diff options
| author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-30 18:17:34 +0200 |
|---|---|---|
| committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2018-06-30 18:17:34 +0200 |
| commit | f84d9190aa7e14ae13256e1d6a47a1be09506674 (patch) | |
| tree | 5b45071769a8beef6802724a1089ff97112cff92 /modules | |
| parent | 77d4b0b7672ee0a840fb721463964c7edf0eb044 (diff) | |
| download | Puppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.tar.gz Puppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.tar.zst Puppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.zip | |
Don’t add ldap authentication on first pass
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/base_installation/manifests/ldap.pp | 62 |
1 files changed, 32 insertions, 30 deletions
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index d5d871c..5a35327 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp | |||
| @@ -22,46 +22,48 @@ class base_installation::ldap inherits base_installation { | |||
| 22 | } | 22 | } |
| 23 | 23 | ||
| 24 | $password_seed = lookup("base_installation::puppet_pass_seed") | 24 | $password_seed = lookup("base_installation::puppet_pass_seed") |
| 25 | $ldap_server = lookup("base_installation::ldap_server") | 25 | unless empty(find_file($password_seed)) { |
| 26 | $ldap_base = lookup("base_installation::ldap_base") | 26 | $ldap_server = lookup("base_installation::ldap_server") |
| 27 | $ldap_dn = lookup("base_installation::ldap_dn") | 27 | $ldap_base = lookup("base_installation::ldap_base") |
| 28 | $ldap_password = generate_password(24, $password_seed, "ldap") | 28 | $ldap_dn = lookup("base_installation::ldap_dn") |
| 29 | $ldap_attribute = "uid" | 29 | $ldap_password = generate_password(24, $password_seed, "ldap") |
| 30 | $ldap_attribute = "uid" | ||
| 30 | 31 | ||
| 31 | ensure_packages(["pam_ldap", "ruby-augeas"]) | 32 | ensure_packages(["pam_ldap", "ruby-augeas"]) |
| 32 | file { "/etc/pam_ldap.conf": | 33 | file { "/etc/pam_ldap.conf": |
| 33 | ensure => "present", | 34 | ensure => "present", |
| 34 | mode => "0400", | 35 | mode => "0400", |
| 35 | owner => "root", | 36 | owner => "root", |
| 36 | group => "root", | 37 | group => "root", |
| 37 | content => template("base_installation/ldap/pam_ldap.conf.erb"), | 38 | content => template("base_installation/ldap/pam_ldap.conf.erb"), |
| 38 | } | ||
| 39 | |||
| 40 | ["system-auth", "passwd"].each |$service| { | ||
| 41 | pam { "Allow to change ldap password via $service": | ||
| 42 | ensure => present, | ||
| 43 | service => $service, | ||
| 44 | type => "password", | ||
| 45 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", | ||
| 46 | module => "pam_ldap.so", | ||
| 47 | arguments => "ignore_unknown_user", | ||
| 48 | position => 'before *[type="password" and module="pam_unix.so"]', | ||
| 49 | require => Package["ruby-augeas"], | ||
| 50 | } | 39 | } |
| 51 | } | ||
| 52 | 40 | ||
| 53 | ["system-auth", "su", "su-l"].each |$service| { | 41 | ["system-auth", "passwd"].each |$service| { |
| 54 | ["auth", "account"].each |$type| { | 42 | pam { "Allow to change ldap password via $service": |
| 55 | pam { "Allow $service to $type with ldap password": | ||
| 56 | ensure => present, | 43 | ensure => present, |
| 57 | service => $service, | 44 | service => $service, |
| 58 | type => $type, | 45 | type => "password", |
| 59 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", | 46 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", |
| 60 | module => "pam_ldap.so", | 47 | module => "pam_ldap.so", |
| 61 | arguments => "ignore_unknown_user", | 48 | arguments => "ignore_unknown_user", |
| 62 | position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", | 49 | position => 'before *[type="password" and module="pam_unix.so"]', |
| 63 | require => Package["ruby-augeas"], | 50 | require => Package["ruby-augeas"], |
| 64 | } | 51 | } |
| 65 | } | 52 | } |
| 53 | |||
| 54 | ["system-auth", "su", "su-l"].each |$service| { | ||
| 55 | ["auth", "account"].each |$type| { | ||
| 56 | pam { "Allow $service to $type with ldap password": | ||
| 57 | ensure => present, | ||
| 58 | service => $service, | ||
| 59 | type => $type, | ||
| 60 | control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", | ||
| 61 | module => "pam_ldap.so", | ||
| 62 | arguments => "ignore_unknown_user", | ||
| 63 | position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", | ||
| 64 | require => Package["ruby-augeas"], | ||
| 65 | } | ||
| 66 | } | ||
| 67 | } | ||
| 66 | } | 68 | } |
| 67 | } | 69 | } |