aboutsummaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-30 18:17:34 +0200
committerIsmaël Bouya <ismael.bouya@normalesup.org>2018-06-30 18:17:34 +0200
commitf84d9190aa7e14ae13256e1d6a47a1be09506674 (patch)
tree5b45071769a8beef6802724a1089ff97112cff92 /modules
parent77d4b0b7672ee0a840fb721463964c7edf0eb044 (diff)
downloadPuppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.tar.gz
Puppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.tar.zst
Puppet-f84d9190aa7e14ae13256e1d6a47a1be09506674.zip
Don’t add ldap authentication on first pass
Diffstat (limited to 'modules')
-rw-r--r--modules/base_installation/manifests/ldap.pp62
1 files changed, 32 insertions, 30 deletions
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index d5d871c..5a35327 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -22,46 +22,48 @@ class base_installation::ldap inherits base_installation {
22 } 22 }
23 23
24 $password_seed = lookup("base_installation::puppet_pass_seed") 24 $password_seed = lookup("base_installation::puppet_pass_seed")
25 $ldap_server = lookup("base_installation::ldap_server") 25 unless empty(find_file($password_seed)) {
26 $ldap_base = lookup("base_installation::ldap_base") 26 $ldap_server = lookup("base_installation::ldap_server")
27 $ldap_dn = lookup("base_installation::ldap_dn") 27 $ldap_base = lookup("base_installation::ldap_base")
28 $ldap_password = generate_password(24, $password_seed, "ldap") 28 $ldap_dn = lookup("base_installation::ldap_dn")
29 $ldap_attribute = "uid" 29 $ldap_password = generate_password(24, $password_seed, "ldap")
30 $ldap_attribute = "uid"
30 31
31 ensure_packages(["pam_ldap", "ruby-augeas"]) 32 ensure_packages(["pam_ldap", "ruby-augeas"])
32 file { "/etc/pam_ldap.conf": 33 file { "/etc/pam_ldap.conf":
33 ensure => "present", 34 ensure => "present",
34 mode => "0400", 35 mode => "0400",
35 owner => "root", 36 owner => "root",
36 group => "root", 37 group => "root",
37 content => template("base_installation/ldap/pam_ldap.conf.erb"), 38 content => template("base_installation/ldap/pam_ldap.conf.erb"),
38 }
39
40 ["system-auth", "passwd"].each |$service| {
41 pam { "Allow to change ldap password via $service":
42 ensure => present,
43 service => $service,
44 type => "password",
45 control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
46 module => "pam_ldap.so",
47 arguments => "ignore_unknown_user",
48 position => 'before *[type="password" and module="pam_unix.so"]',
49 require => Package["ruby-augeas"],
50 } 39 }
51 }
52 40
53 ["system-auth", "su", "su-l"].each |$service| { 41 ["system-auth", "passwd"].each |$service| {
54 ["auth", "account"].each |$type| { 42 pam { "Allow to change ldap password via $service":
55 pam { "Allow $service to $type with ldap password":
56 ensure => present, 43 ensure => present,
57 service => $service, 44 service => $service,
58 type => $type, 45 type => "password",
59 control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", 46 control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
60 module => "pam_ldap.so", 47 module => "pam_ldap.so",
61 arguments => "ignore_unknown_user", 48 arguments => "ignore_unknown_user",
62 position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", 49 position => 'before *[type="password" and module="pam_unix.so"]',
63 require => Package["ruby-augeas"], 50 require => Package["ruby-augeas"],
64 } 51 }
65 } 52 }
53
54 ["system-auth", "su", "su-l"].each |$service| {
55 ["auth", "account"].each |$type| {
56 pam { "Allow $service to $type with ldap password":
57 ensure => present,
58 service => $service,
59 type => $type,
60 control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
61 module => "pam_ldap.so",
62 arguments => "ignore_unknown_user",
63 position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
64 require => Package["ruby-augeas"],
65 }
66 }
67 }
66 } 68 }
67} 69}