12 files changed, 217 insertions, 1 deletions
diff --git a/environments/production/data/common.yaml b/environments/production/data/common.yaml
index 01bbcac..32e0aa3 100644
--- a/environments/production/data/common.yaml
+++ b/environments/production/data/common.yaml
@@ -2,7 +2,15 @@
 classes:
  stdlib: ~
+base_installation::ldap_base: "dc=immae,dc=eu"
+base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae,dc=eu"
+base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
+base_installation::ldap_server: "ldap.immae.eu"
+base_installation::ldap_uri: "ldaps://ldap.immae.eu"
+base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
 base_installation::puppet_code_path: "/etc/puppetlabs/code"
+base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
+base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
 base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
 base_installation::system_timezone: "Europe/Paris"
 base_installation::system_users:
diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml
index eb4934b..217dd82 100644
--- a/environments/production/data/types/vps-ovhssd-1.yaml
+++ b/environments/production/data/types/vps-ovhssd-1.yaml
@@ -3,5 +3,6 @@ classes:
  base_installation:
    stage: "setup"
-base_installation::system_hostname: "new.immae.eu"
 base_installation::grub_device: "/dev/sdb"
+base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
+base_installation::system_hostname: "new.immae.eu"
diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
new file mode 100644
index 0000000..384d81b
--- /dev/null
+++ b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
@@ -0,0 +1,31 @@
+module Puppet::Parser::Functions
+  newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
+Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
+Prototype:
+  generate_password(length, seed_file, password_key)
+EOS
+) do |*arguments|
+  arguments = arguments.shift if arguments.first.is_a?(Array)
+  raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
+    "given (#{arguments.size} for 3)" if arguments.size != 3
+  size = arguments.shift
+  seed_file = arguments.shift
+  password_key = arguments.shift
+  unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
+    raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
+  end
+  size = size.to_i
+  set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
+  key = "#{File.open(seed_file).read}:#{password_key}"
+  size.times.collect do |i|
+    set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
+  end.join
+end
+end
diff --git a/modules/base_installation/lib/puppet/type/notify_refresh.rb b/modules/base_installation/lib/puppet/type/notify_refresh.rb
new file mode 100644
index 0000000..35f0cda
--- /dev/null
+++ b/modules/base_installation/lib/puppet/type/notify_refresh.rb
@@ -0,0 +1,45 @@
+#
+# Simple module for logging messages on the client-side
+module Puppet
+  Type.newtype(:notify_refresh) do
+    @doc = "Sends an arbitrary message to the agent run-time log."
+    apply_to_all
+    newproperty(:message, :idempotent => false) do
+      desc "The message to be sent to the log."
+      def sync(refreshing = false)
+        if refreshing || !@resource.refreshonly?
+          Puppet.send(@resource[:loglevel], self.should)
+        end
+        return
+      end
+      def retrieve
+        :absent
+      end
+      def insync?(is)
+        true
+      end
+      defaultto { @resource[:name] }
+    end
+    def refresh
+      self.property(:message).sync(true)
+    end
+    newparam(:name) do
+      desc "An arbitrary tag for your own reference; the name of the message."
+      isnamevar
+    end
+    newparam(:refreshonly, :boolean => true, :parent => Puppet::Parameter::Boolean) do
+      defaultto false
+    end
+  end
+end
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
index 65c5178..f9fdcd4 100644
--- a/modules/base_installation/manifests/init.pp
+++ b/modules/base_installation/manifests/init.pp
@@ -1,6 +1,15 @@
 class base_installation (
  Optional[String]        $grub_device      = $base_installation::params::grub_device,
+  Optional[String]        $ldap_base        = $base_installation::params::ldap_base,
+  Optional[String]        $ldap_cert_path   = $base_installation::params::ldap_cert_path,
+  Optional[String]        $ldap_cn          = $base_installation::params::ldap_cn,
+  Optional[String]        $ldap_dn          = $base_installation::params::ldap_dn,
+  Optional[String]        $ldap_server      = $base_installation::params::ldap_server,
+  Optional[String]        $ldap_uri         = $base_installation::params::ldap_uri,
  Optional[String]        $puppet_code_path = $base_installation::params::puppet_code_path,
+  Optional[String]        $puppet_conf_path = $base_installation::params::puppet_conf_path,
+  Optional[String]        $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
+  Optional[String]        $puppet_ssl_path  = $base_installation::params::puppet_ssl_path,
  Optional[String]        $system_hostname  = $base_installation::params::system_hostname,
  Optional[Array[String]] $system_locales   = $base_installation::params::system_locales,
  Optional[String]        $system_timezone  = $base_installation::params::system_timezone,
@@ -15,7 +24,9 @@ class base_installation (
  contain ::base_installation::logs
  contain ::base_installation::cronie
  contain ::base_installation::ssh
+  contain ::base_installation::ldap
  contain ::base_installation::services
  contain ::base_installation::users
  contain ::base_installation::package_managers
+  contain ::base_installation::puppet
 }
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
new file mode 100644
index 0000000..1825700
--- /dev/null
+++ b/modules/base_installation/manifests/ldap.pp
@@ -0,0 +1,24 @@
+class base_installation::ldap inherits base_installation {
+  ensure_packages(["openldap"])
+  File {
+    mode  => "0644",
+    owner => "root",
+    group => "root",
+  }
+  file { '/etc/openldap':
+    ensure  => directory,
+    require => Package["openldap"],
+    recurse => true,
+    purge   => true,
+    force   => true,
+  }
+  file { '/etc/openldap/ldap.conf':
+    ensure  => present,
+    content => template("base_installation/ldap/ldap.conf.erb"),
+    require => File['/etc/openldap'],
+  }
+}
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
index f09f01a..c03eb1e 100644
--- a/modules/base_installation/manifests/params.pp
+++ b/modules/base_installation/manifests/params.pp
@@ -1,6 +1,15 @@
 class base_installation::params {
  $puppet_code_path = "/etc/puppetlabs/code"
+  $puppet_conf_path = "/etc/puppetlabs/puppet"
+  $puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
+  $puppet_ssl_path  = "/etc/puppetlabs/ssl"
  $grub_device      = "/dev/sda"
+  $ldap_base        = "dc=example,dc=com"
+  $ldap_cn          = "node"
+  $ldap_dn          = "cn=node,ou=hosts,dc=example,dc=com"
+  $ldap_cert_path   = "/etc/ssl/certs/ca-certificates.crt"
+  $ldap_uri         = "ldaps://ldap.example.com"
+  $ldap_server      = "ldap.example.com"
  $system_hostname  = "example.com"
  $system_locales   = ["en_US.UTF-8"]
  $system_timezone  = "UTC"
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
new file mode 100644
index 0000000..cd5697a
--- /dev/null
+++ b/modules/base_installation/manifests/puppet.pp
@@ -0,0 +1,55 @@
+class base_installation::puppet (
+  $password_seed = $base_installation::puppet_pass_seed
+) inherits base_installation {
+  File {
+    mode  => "0600",
+    owner => "root",
+    group => "root",
+  }
+  exec { 'generate_password_seed':
+    command     => "/usr/bin/openssl rand -base64 -out $password_seed 256",
+    creates     => $password_seed,
+    environment => "RANDFILE=/dev/null",
+  }
+  unless empty(find_file($password_seed)) {
+    $ldap_password = generate_password(24, $password_seed, "ldap")
+    $ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")
+    package { 'gem:ruby-ldap':
+      name            => "ruby-ldap",
+      ensure          => present,
+      provider        => "gem",
+      install_options => "--no-user-install"
+    }
+    file { $password_seed:
+      mode => "0600",
+    }
+    file { $base_installation::puppet_conf_path:
+      ensure  => directory,
+      require => [Package["puppet"], Package["gem:ruby-ldap"]],
+      recurse => true,
+      purge   => true,
+      force   => true,
+    }
+    file { "$base_installation::puppet_conf_path/puppet.conf":
+      content => template("base_installation/puppet/puppet.conf.erb"),
+      require => File[$base_installation::puppet_conf_path],
+    }
+    file { "$base_installation::puppet_conf_path/host_ldap.info":
+      content => template("base_installation/puppet/host_ldap.info.erb"),
+      require => File[$base_installation::puppet_conf_path],
+      notify  => Notify_refresh["notify-ldap-password"],
+    }
+    notify_refresh { "notify-ldap-password":
+      message     => template("base_installation/puppet/host_ldap.info.erb"),
+      refreshonly => true
+    }
+  }
+}
diff --git a/modules/base_installation/templates/ldap/ldap.conf.erb b/modules/base_installation/templates/ldap/ldap.conf.erb
new file mode 100644
index 0000000..626a986
--- /dev/null
+++ b/modules/base_installation/templates/ldap/ldap.conf.erb
@@ -0,0 +1,3 @@
+uri        <%= @ldap_uri %>
+base       <%= @ldap_base %>
+tls_cacert <%= @ldap_cert_path %>
diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap.info.erb
new file mode 100644
index 0000000..a350c37
--- /dev/null
+++ b/modules/base_installation/templates/puppet/host_ldap.info.erb
@@ -0,0 +1,17 @@
+#### Please add this node to LDAP:
+ldapadd -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+cn: <%= @ldap_cn %>
+objectclass: device
+objectclass: top
+objectclass: simpleSecurityObject
+objectclass: puppetClient
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
+EOF
+#### Or modify an existing entry:
+ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
+dn: <%= @ldap_dn %>
+changetype: modify
+replace: userPassword
+userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
+EOF
diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb
new file mode 100644
index 0000000..99d9fc3
--- /dev/null
+++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -0,0 +1,12 @@
+[main]
+ssldir = <%= @puppet_ssl_path %>
+node_terminus = ldap
+ldapserver = <%= @ldap_server %>
+ldaptls = true
+ldapbase = <%= @ldap_base %>
+ldapuser = <%= @ldap_dn %>
+ldappassword = <%= @ldap_password %>
+ldapclassattrs = puppetClass
+ldapparentattr = parentNode
+ldapstackedattrs = puppetVar
diff --git a/modules/inifile b/modules/inifile
-Subproject 16fd47d7c74e9bf44ec6f6a9197f16e9a3f5709
+Subproject e5d624da43c3571e476ddfa4bbfde4acc5800f9

diff --git a/environments/production/data/common.yaml b/environments/production/data/common.yaml index 01bbcac..32e0aa3 100644 --- a/environments/production/data/common.yaml +++ b/environments/production/data/common.yaml
@@ -2,7 +2,15 @@
2	classes:	2	classes:
3	stdlib: ~	3	stdlib: ~
4		4
		5	base_installation::ldap_base: "dc=immae,dc=eu"
		6	base_installation::ldap_dn: "cn=%{facts.ec2_metadata.hostname},ou=hosts,dc=immae,dc=eu"
		7	base_installation::ldap_cn: "%{facts.ec2_metadata.hostname}"
		8	base_installation::ldap_server: "ldap.immae.eu"
		9	base_installation::ldap_uri: "ldaps://ldap.immae.eu"
		10	base_installation::puppet_conf_path: "/etc/puppetlabs/puppet"
5	base_installation::puppet_code_path: "/etc/puppetlabs/code"	11	base_installation::puppet_code_path: "/etc/puppetlabs/code"
		12	base_installation::puppet_pass_seed: "/etc/puppetlabs/puppet/password_seed"
		13	base_installation::puppet_ssl_path: "/etc/puppetlabs/ssl"
6	base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]	14	base_installation::system_locales: ["fr_FR.UTF-8", "en_US.UTF-8"]
7	base_installation::system_timezone: "Europe/Paris"	15	base_installation::system_timezone: "Europe/Paris"
8	base_installation::system_users:	16	base_installation::system_users:


diff --git a/environments/production/data/types/vps-ovhssd-1.yaml b/environments/production/data/types/vps-ovhssd-1.yaml index eb4934b..217dd82 100644 --- a/environments/production/data/types/vps-ovhssd-1.yaml +++ b/environments/production/data/types/vps-ovhssd-1.yaml
@@ -3,5 +3,6 @@ classes:
3	base_installation:	3	base_installation:
4	stage: "setup"	4	stage: "setup"
5		5
6	base_installation::system_hostname: "new.immae.eu"
7	base_installation::grub_device: "/dev/sdb"	6	base_installation::grub_device: "/dev/sdb"
		7	base_installation::ldap_cert_path: "/etc/ssl/certs/ca-certificates.crt"
		8	base_installation::system_hostname: "new.immae.eu"


diff --git a/modules/base_installation/lib/puppet/parser/functions/generate_password.rb b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb new file mode 100644 index 0000000..384d81b --- /dev/null +++ b/modules/base_installation/lib/puppet/parser/functions/generate_password.rb
@@ -0,0 +1,31 @@
		1	module Puppet::Parser::Functions
		2	newfunction(:generate_password, :type => :rvalue, :doc => <<-EOS
		3	Returns a semi-random string based on a seed and a value. Will always generate the same value with the same entry.
		4	Prototype:
		5	generate_password(length, seed_file, password_key)
		6	EOS
		7	) do \|*arguments\|
		8	arguments = arguments.shift if arguments.first.is_a?(Array)
		9
		10	raise Puppet::ParseError, "generate_password(): Wrong number of arguments " +
		11	"given (#{arguments.size} for 3)" if arguments.size != 3
		12
		13	size = arguments.shift
		14	seed_file = arguments.shift
		15	password_key = arguments.shift
		16
		17	unless size.class.ancestors.include?(Numeric) or size.is_a?(String)
		18	raise Puppet::ParseError, 'generate_password(): Requires a numeric first argument'
		19	end
		20
		21	size = size.to_i
		22
		23	set = ('a' .. 'z').to_a + ('A' .. 'Z').to_a + ('0' .. '9').to_a
		24
		25	key = "#{File.open(seed_file).read}:#{password_key}"
		26
		27	size.times.collect do \|i\|
		28	set[OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, i.to_s).to_i(16) % set.size]
		29	end.join
		30	end
		31	end


diff --git a/modules/base_installation/lib/puppet/type/notify_refresh.rb b/modules/base_installation/lib/puppet/type/notify_refresh.rb new file mode 100644 index 0000000..35f0cda --- /dev/null +++ b/modules/base_installation/lib/puppet/type/notify_refresh.rb
@@ -0,0 +1,45 @@
		1	#
		2	# Simple module for logging messages on the client-side
		3
		4
		5	module Puppet
		6	Type.newtype(:notify_refresh) do
		7	@doc = "Sends an arbitrary message to the agent run-time log."
		8
		9	apply_to_all
		10
		11	newproperty(:message, :idempotent => false) do
		12	desc "The message to be sent to the log."
		13	def sync(refreshing = false)
		14	if refreshing \|\| !@resource.refreshonly?
		15	Puppet.send(@resource[:loglevel], self.should)
		16	end
		17	return
		18	end
		19
		20	def retrieve
		21	:absent
		22	end
		23
		24	def insync?(is)
		25	true
		26	end
		27
		28	defaultto { @resource[:name] }
		29	end
		30
		31	def refresh
		32	self.property(:message).sync(true)
		33	end
		34
		35	newparam(:name) do
		36	desc "An arbitrary tag for your own reference; the name of the message."
		37	isnamevar
		38	end
		39
		40	newparam(:refreshonly, :boolean => true, :parent => Puppet::Parameter::Boolean) do
		41	defaultto false
		42	end
		43
		44	end
		45	end


diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp index 65c5178..f9fdcd4 100644 --- a/modules/base_installation/manifests/init.pp +++ b/modules/base_installation/manifests/init.pp
@@ -1,6 +1,15 @@
1	class base_installation (	1	class base_installation (
2	Optional[String] $grub_device = $base_installation::params::grub_device,	2	Optional[String] $grub_device = $base_installation::params::grub_device,
		3	Optional[String] $ldap_base = $base_installation::params::ldap_base,
		4	Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,
		5	Optional[String] $ldap_cn = $base_installation::params::ldap_cn,
		6	Optional[String] $ldap_dn = $base_installation::params::ldap_dn,
		7	Optional[String] $ldap_server = $base_installation::params::ldap_server,
		8	Optional[String] $ldap_uri = $base_installation::params::ldap_uri,
3	Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,	9	Optional[String] $puppet_code_path = $base_installation::params::puppet_code_path,
		10	Optional[String] $puppet_conf_path = $base_installation::params::puppet_conf_path,
		11	Optional[String] $puppet_pass_seed = $base_installation::params::puppet_pass_seed,
		12	Optional[String] $puppet_ssl_path = $base_installation::params::puppet_ssl_path,
4	Optional[String] $system_hostname = $base_installation::params::system_hostname,	13	Optional[String] $system_hostname = $base_installation::params::system_hostname,
5	Optional[Array[String]] $system_locales = $base_installation::params::system_locales,	14	Optional[Array[String]] $system_locales = $base_installation::params::system_locales,
6	Optional[String] $system_timezone = $base_installation::params::system_timezone,	15	Optional[String] $system_timezone = $base_installation::params::system_timezone,
@@ -15,7 +24,9 @@ class base_installation (
15	contain ::base_installation::logs	24	contain ::base_installation::logs
16	contain ::base_installation::cronie	25	contain ::base_installation::cronie
17	contain ::base_installation::ssh	26	contain ::base_installation::ssh
		27	contain ::base_installation::ldap
18	contain ::base_installation::services	28	contain ::base_installation::services
19	contain ::base_installation::users	29	contain ::base_installation::users
20	contain ::base_installation::package_managers	30	contain ::base_installation::package_managers
		31	contain ::base_installation::puppet
21	}	32	}


diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp new file mode 100644 index 0000000..1825700 --- /dev/null +++ b/modules/base_installation/manifests/ldap.pp
@@ -0,0 +1,24 @@
		1	class base_installation::ldap inherits base_installation {
		2	ensure_packages(["openldap"])
		3
		4	File {
		5	mode => "0644",
		6	owner => "root",
		7	group => "root",
		8	}
		9
		10	file { '/etc/openldap':
		11	ensure => directory,
		12	require => Package["openldap"],
		13	recurse => true,
		14	purge => true,
		15	force => true,
		16	}
		17
		18	file { '/etc/openldap/ldap.conf':
		19	ensure => present,
		20	content => template("base_installation/ldap/ldap.conf.erb"),
		21	require => File['/etc/openldap'],
		22	}
		23
		24	}


diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp index f09f01a..c03eb1e 100644 --- a/modules/base_installation/manifests/params.pp +++ b/modules/base_installation/manifests/params.pp
@@ -1,6 +1,15 @@
1	class base_installation::params {	1	class base_installation::params {
2	$puppet_code_path = "/etc/puppetlabs/code"	2	$puppet_code_path = "/etc/puppetlabs/code"
		3	$puppet_conf_path = "/etc/puppetlabs/puppet"
		4	$puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
		5	$puppet_ssl_path = "/etc/puppetlabs/ssl"
3	$grub_device = "/dev/sda"	6	$grub_device = "/dev/sda"
		7	$ldap_base = "dc=example,dc=com"
		8	$ldap_cn = "node"
		9	$ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"
		10	$ldap_cert_path = "/etc/ssl/certs/ca-certificates.crt"
		11	$ldap_uri = "ldaps://ldap.example.com"
		12	$ldap_server = "ldap.example.com"
4	$system_hostname = "example.com"	13	$system_hostname = "example.com"
5	$system_locales = ["en_US.UTF-8"]	14	$system_locales = ["en_US.UTF-8"]
6	$system_timezone = "UTC"	15	$system_timezone = "UTC"


diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp new file mode 100644 index 0000000..cd5697a --- /dev/null +++ b/modules/base_installation/manifests/puppet.pp
@@ -0,0 +1,55 @@
		1	class base_installation::puppet (
		2	$password_seed = $base_installation::puppet_pass_seed
		3	) inherits base_installation {
		4	File {
		5	mode => "0600",
		6	owner => "root",
		7	group => "root",
		8	}
		9
		10	exec { 'generate_password_seed':
		11	command => "/usr/bin/openssl rand -base64 -out $password_seed 256",
		12	creates => $password_seed,
		13	environment => "RANDFILE=/dev/null",
		14	}
		15
		16	unless empty(find_file($password_seed)) {
		17	$ldap_password = generate_password(24, $password_seed, "ldap")
		18	$ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")
		19
		20	package { 'gem:ruby-ldap':
		21	name => "ruby-ldap",
		22	ensure => present,
		23	provider => "gem",
		24	install_options => "--no-user-install"
		25	}
		26
		27	file { $password_seed:
		28	mode => "0600",
		29	}
		30
		31	file { $base_installation::puppet_conf_path:
		32	ensure => directory,
		33	require => [Package["puppet"], Package["gem:ruby-ldap"]],
		34	recurse => true,
		35	purge => true,
		36	force => true,
		37	}
		38
		39	file { "$base_installation::puppet_conf_path/puppet.conf":
		40	content => template("base_installation/puppet/puppet.conf.erb"),
		41	require => File[$base_installation::puppet_conf_path],
		42	}
		43
		44	file { "$base_installation::puppet_conf_path/host_ldap.info":
		45	content => template("base_installation/puppet/host_ldap.info.erb"),
		46	require => File[$base_installation::puppet_conf_path],
		47	notify => Notify_refresh["notify-ldap-password"],
		48	}
		49
		50	notify_refresh { "notify-ldap-password":
		51	message => template("base_installation/puppet/host_ldap.info.erb"),
		52	refreshonly => true
		53	}
		54	}
		55	}


diff --git a/modules/base_installation/templates/ldap/ldap.conf.erb b/modules/base_installation/templates/ldap/ldap.conf.erb new file mode 100644 index 0000000..626a986 --- /dev/null +++ b/modules/base_installation/templates/ldap/ldap.conf.erb
@@ -0,0 +1,3 @@
		1	uri <%= @ldap_uri %>
		2	base <%= @ldap_base %>
		3	tls_cacert <%= @ldap_cert_path %>


diff --git a/modules/base_installation/templates/puppet/host_ldap.info.erb b/modules/base_installation/templates/puppet/host_ldap.info.erb new file mode 100644 index 0000000..a350c37 --- /dev/null +++ b/modules/base_installation/templates/puppet/host_ldap.info.erb
@@ -0,0 +1,17 @@
		1	#### Please add this node to LDAP:
		2	ldapadd -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
		3	dn: <%= @ldap_dn %>
		4	cn: <%= @ldap_cn %>
		5	objectclass: device
		6	objectclass: top
		7	objectclass: simpleSecurityObject
		8	objectclass: puppetClient
		9	userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
		10	EOF
		11	#### Or modify an existing entry:
		12	ldapmodify -D "cn=root,<%= @ldap_base %>" -W << 'EOF'
		13	dn: <%= @ldap_dn %>
		14	changetype: modify
		15	replace: userPassword
		16	userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha_ldap_seed)+@ssha_ldap_seed).chomp! %>
		17	EOF


diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb new file mode 100644 index 0000000..99d9fc3 --- /dev/null +++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -0,0 +1,12 @@
		1	[main]
		2	ssldir = <%= @puppet_ssl_path %>
		3
		4	node_terminus = ldap
		5	ldapserver = <%= @ldap_server %>
		6	ldaptls = true
		7	ldapbase = <%= @ldap_base %>
		8	ldapuser = <%= @ldap_dn %>
		9	ldappassword = <%= @ldap_password %>
		10	ldapclassattrs = puppetClass
		11	ldapparentattr = parentNode
		12	ldapstackedattrs = puppetVar


diff --git a/modules/inifile b/modules/inifile
	Subproject 16fd47d7c74e9bf44ec6f6a9197f16e9a3f5709		Subproject e5d624da43c3571e476ddfa4bbfde4acc5800f9