1 files changed, 52 insertions, 50 deletions
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index 9291402..7c48be3 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -1,69 +1,71 @@
 class base_installation::ldap inherits base_installation {
-  ensure_packages(["openldap"])
+  if ($base_installation::ldap_enabled) {
+    ensure_packages(["openldap"])
-  File {
+    File {
-    mode  => "0644",
+      mode  => "0644",
-    owner => "root",
+      owner => "root",
-    group => "root",
+      group => "root",
-  }
+    }
-  file { '/etc/openldap':
-    ensure  => directory,
-    require => Package["openldap"],
-    recurse => true,
-    purge   => true,
-    force   => true,
-  }
-  file { '/etc/openldap/ldap.conf':
-    ensure  => present,
-    content => template("base_installation/ldap/ldap.conf.erb"),
-    require => File['/etc/openldap'],
-  }
-  $password_seed  = lookup("base_installation::puppet_pass_seed")
+    file { '/etc/openldap':
-  unless empty(find_file($password_seed)) {
+      ensure  => directory,
-    $ldap_server    = lookup("base_installation::ldap_server")
+      require => Package["openldap"],
-    $ldap_base      = lookup("base_installation::ldap_base")
+      recurse => true,
-    $ldap_dn        = lookup("base_installation::ldap_dn")
+      purge   => true,
-    $ldap_password  = generate_password(24, $password_seed, "ldap")
+      force   => true,
-    $ldap_attribute = "uid"
+    }
-    ensure_packages(["pam_ldap", "ruby-augeas"])
+    file { '/etc/openldap/ldap.conf':
-    file { "/etc/pam_ldap.conf":
+      ensure  => present,
-      ensure  => "present",
+      content => template("base_installation/ldap/ldap.conf.erb"),
-      mode    => "0400",
+      require => File['/etc/openldap'],
-      owner   => "root",
-      group   => "root",
-      content => template("base_installation/ldap/pam_ldap.conf.erb"),
    }
-    ["system-auth", "passwd"].each |$service| {
+    $password_seed  = lookup("base_installation::puppet_pass_seed")
-      pam { "Allow to change ldap password via $service":
+    unless empty(find_file($password_seed)) {
-        ensure    => present,
+      $ldap_server    = lookup("base_installation::ldap_server")
-        service   => $service,
+      $ldap_base      = lookup("base_installation::ldap_base")
-        type      => "password",
+      $ldap_dn        = lookup("base_installation::ldap_dn")
-        control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
+      $ldap_password  = generate_password(24, $password_seed, "ldap")
-        module    => "pam_ldap.so",
+      $ldap_attribute = "uid"
-        arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
-        position  => 'before *[type="password" and module="pam_unix.so"]',
+      ensure_packages(["pam_ldap", "ruby-augeas"])
-        require   => Package["ruby-augeas"],
+      file { "/etc/pam_ldap.conf":
+        ensure  => "present",
+        mode    => "0400",
+        owner   => "root",
+        group   => "root",
+        content => template("base_installation/ldap/pam_ldap.conf.erb"),
      }
-    }
-    ["system-auth", "su", "su-l"].each |$service| {
+      ["system-auth", "passwd"].each |$service| {
-      ["auth", "account"].each |$type| {
+        pam { "Allow to change ldap password via $service":
-        pam { "Allow $service to $type with ldap password":
          ensure    => present,
          service   => $service,
-          type      => $type,
+          type      => "password",
          control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
          module    => "pam_ldap.so",
          arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
-          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+          position  => 'before *[type="password" and module="pam_unix.so"]',
          require   => Package["ruby-augeas"],
        }
      }
+      ["system-auth", "su", "su-l"].each |$service| {
+        ["auth", "account"].each |$type| {
+          pam { "Allow $service to $type with ldap password":
+            ensure    => present,
+            service   => $service,
+            type      => $type,
+            control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
+            module    => "pam_ldap.so",
+            arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
+            position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+            require   => Package["ruby-augeas"],
+          }
+        }
+      }
    }
  }
 }

diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 9291402..7c48be3 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp
@@ -1,69 +1,71 @@
1	class base_installation::ldap inherits base_installation {	1	class base_installation::ldap inherits base_installation {
2	ensure_packages(["openldap"])	2	if ($base_installation::ldap_enabled) {
		3	ensure_packages(["openldap"])
3		4
4	File {	5	File {
5	mode => "0644",	6	mode => "0644",
6	owner => "root",	7	owner => "root",
7	group => "root",	8	group => "root",
8	}	9	}
9
10	file { '/etc/openldap':
11	ensure => directory,
12	require => Package["openldap"],
13	recurse => true,
14	purge => true,
15	force => true,
16	}
17
18	file { '/etc/openldap/ldap.conf':
19	ensure => present,
20	content => template("base_installation/ldap/ldap.conf.erb"),
21	require => File['/etc/openldap'],
22	}
23		10
24	$password_seed = lookup("base_installation::puppet_pass_seed")	11	file { '/etc/openldap':
25	unless empty(find_file($password_seed)) {	12	ensure => directory,
26	$ldap_server = lookup("base_installation::ldap_server")	13	require => Package["openldap"],
27	$ldap_base = lookup("base_installation::ldap_base")	14	recurse => true,
28	$ldap_dn = lookup("base_installation::ldap_dn")	15	purge => true,
29	$ldap_password = generate_password(24, $password_seed, "ldap")	16	force => true,
30	$ldap_attribute = "uid"	17	}
31		18
32	ensure_packages(["pam_ldap", "ruby-augeas"])	19	file { '/etc/openldap/ldap.conf':
33	file { "/etc/pam_ldap.conf":	20	ensure => present,
34	ensure => "present",	21	content => template("base_installation/ldap/ldap.conf.erb"),
35	mode => "0400",	22	require => File['/etc/openldap'],
36	owner => "root",
37	group => "root",
38	content => template("base_installation/ldap/pam_ldap.conf.erb"),
39	}	23	}
40		24
41	["system-auth", "passwd"].each \|$service\| {	25	$password_seed = lookup("base_installation::puppet_pass_seed")
42	pam { "Allow to change ldap password via $service":	26	unless empty(find_file($password_seed)) {
43	ensure => present,	27	$ldap_server = lookup("base_installation::ldap_server")
44	service => $service,	28	$ldap_base = lookup("base_installation::ldap_base")
45	type => "password",	29	$ldap_dn = lookup("base_installation::ldap_dn")
46	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",	30	$ldap_password = generate_password(24, $password_seed, "ldap")
47	module => "pam_ldap.so",	31	$ldap_attribute = "uid"
48	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],	32
49	position => 'before *[type="password" and module="pam_unix.so"]',	33	ensure_packages(["pam_ldap", "ruby-augeas"])
50	require => Package["ruby-augeas"],	34	file { "/etc/pam_ldap.conf":
		35	ensure => "present",
		36	mode => "0400",
		37	owner => "root",
		38	group => "root",
		39	content => template("base_installation/ldap/pam_ldap.conf.erb"),
51	}	40	}
52	}
53		41
54	["system-auth", "su", "su-l"].each \|$service\| {	42	["system-auth", "passwd"].each \|$service\| {
55	["auth", "account"].each \|$type\| {	43	pam { "Allow to change ldap password via $service":
56	pam { "Allow $service to $type with ldap password":
57	ensure => present,	44	ensure => present,
58	service => $service,	45	service => $service,
59	type => $type,	46	type => "password",
60	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",	47	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
61	module => "pam_ldap.so",	48	module => "pam_ldap.so",
62	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],	49	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
63	position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",	50	position => 'before *[type="password" and module="pam_unix.so"]',
64	require => Package["ruby-augeas"],	51	require => Package["ruby-augeas"],
65	}	52	}
66	}	53	}
		54
		55	["system-auth", "su", "su-l"].each \|$service\| {
		56	["auth", "account"].each \|$type\| {
		57	pam { "Allow $service to $type with ldap password":
		58	ensure => present,
		59	service => $service,
		60	type => $type,
		61	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
		62	module => "pam_ldap.so",
		63	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
		64	position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
		65	require => Package["ruby-augeas"],
		66	}
		67	}
		68	}
67	}	69	}
68	}	70	}
69	}	71	}