Diffstat (limited to 'modules/base_installation/manifests/ldap.pp')
-rw-r--r-- | modules/base_installation/manifests/ldap.pp | 102 |
1 files changed, 52 insertions, 50 deletions
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 9291402..7c48be3 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp | |||
@@ -1,69 +1,71 @@ | |||
1 | class base_installation::ldap inherits base_installation { | 1 | class base_installation::ldap inherits base_installation { |
2 | ensure_packages(["openldap"]) | 2 | if ($base_installation::ldap_enabled) { |
3 | ensure_packages(["openldap"]) | ||
3 | 4 | ||
4 | File { | 5 | File { |
5 | mode => "0644", | 6 | mode => "0644", |
6 | owner => "root", | 7 | owner => "root", |
7 | group => "root", | 8 | group => "root", |
8 | } | 9 | } |
9 | |||
10 | file { '/etc/openldap': | ||
11 | ensure => directory, | ||
12 | require => Package["openldap"], | ||
13 | recurse => true, | ||
14 | purge => true, | ||
15 | force => true, | ||
16 | } | ||
17 | |||
18 | file { '/etc/openldap/ldap.conf': | ||
19 | ensure => present, | ||
20 | content => template("base_installation/ldap/ldap.conf.erb"), | ||
21 | require => File['/etc/openldap'], | ||
22 | } | ||
23 | 10 | ||
24 | $password_seed = lookup("base_installation::puppet_pass_seed") | 11 | file { '/etc/openldap': |
25 | unless empty(find_file($password_seed)) { | 12 | ensure => directory, |
26 | $ldap_server = lookup("base_installation::ldap_server") | 13 | require => Package["openldap"], |
27 | $ldap_base = lookup("base_installation::ldap_base") | 14 | recurse => true, |
28 | $ldap_dn = lookup("base_installation::ldap_dn") | 15 | purge => true, |
29 | $ldap_password = generate_password(24, $password_seed, "ldap") | 16 | force => true, |
30 | $ldap_attribute = "uid" | 17 | } |
31 | 18 | ||
32 | ensure_packages(["pam_ldap", "ruby-augeas"]) | 19 | file { '/etc/openldap/ldap.conf': |
33 | file { "/etc/pam_ldap.conf": | 20 | ensure => present, |
34 | ensure => "present", | 21 | content => template("base_installation/ldap/ldap.conf.erb"), |
35 | mode => "0400", | 22 | require => File['/etc/openldap'], |
36 | owner => "root", | ||
37 | group => "root", | ||
38 | content => template("base_installation/ldap/pam_ldap.conf.erb"), | ||
39 | } | 23 | } |
40 | 24 | ||
41 | ["system-auth", "passwd"].each |$service| { | 25 | $password_seed = lookup("base_installation::puppet_pass_seed") |
42 | pam { "Allow to change ldap password via $service": | 26 | unless empty(find_file($password_seed)) { |
43 | ensure => present, | 27 | $ldap_server = lookup("base_installation::ldap_server") |
44 | service => $service, | 28 | $ldap_base = lookup("base_installation::ldap_base") |
45 | type => "password", | 29 | $ldap_dn = lookup("base_installation::ldap_dn") |
46 | control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]", | 30 | $ldap_password = generate_password(24, $password_seed, "ldap") |
47 | module => "pam_ldap.so", | 31 | $ldap_attribute = "uid" |
48 | arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"], | 32 | |
49 | position => 'before *[type="password" and module="pam_unix.so"]', | 33 | ensure_packages(["pam_ldap", "ruby-augeas"]) |
50 | require => Package["ruby-augeas"], | 34 | file { "/etc/pam_ldap.conf": |
35 | ensure => "present", | ||
36 | mode => "0400", | ||
37 | owner => "root", | ||
38 | group => "root", | ||
39 | content => template("base_installation/ldap/pam_ldap.conf.erb"), | ||
51 | } | 40 | } |
52 | } | ||
53 | 41 | ||
54 | ["system-auth", "su", "su-l"].each |$service| { | 42 | ["system-auth", "passwd"].each |$service| { |
55 | ["auth", "account"].each |$type| { | 43 | pam { "Allow to change ldap password via $service": |
56 | pam { "Allow $service to $type with ldap password": | ||
57 | ensure => present, | 44 | ensure => present, |
58 | service => $service, | 45 | service => $service, |
59 | type => $type, | 46 | type => "password", |
60 | control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]", | 47 | control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]", |
61 | module => "pam_ldap.so", | 48 | module => "pam_ldap.so", |
62 | arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"], | 49 | arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"], |
63 | position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", | 50 | position => 'before *[type="password" and module="pam_unix.so"]', |
64 | require => Package["ruby-augeas"], | 51 | require => Package["ruby-augeas"], |
65 | } | 52 | } |
66 | } | 53 | } |
54 | |||
55 | ["system-auth", "su", "su-l"].each |$service| { | ||
56 | ["auth", "account"].each |$type| { | ||
57 | pam { "Allow $service to $type with ldap password": | ||
58 | ensure => present, | ||
59 | service => $service, | ||
60 | type => $type, | ||
61 | control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]", | ||
62 | module => "pam_ldap.so", | ||
63 | arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"], | ||
64 | position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", | ||
65 | require => Package["ruby-augeas"], | ||
66 | } | ||
67 | } | ||
68 | } | ||
67 | } | 69 | } |
68 | } | 70 | } |
69 | } | 71 | } |
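Review bot: Setting `$base_installation::ldap_enabled` to false on a host that was previously enabled leaves everything from the `if` branch in place — the `pam_ldap.so` entries in system-auth, passwd, su and su-l and the 0400 `/etc/pam_ldap.conf` holding the generated password — because Puppet only manages resources the catalog declares and the new side (lines 2–70) declares nothing for the false case. An `else` branch should declare the same `pam` resources and the conf file with `ensure => absent` so the flag actually removes LDAP from the PAM stack rather than just stopping further updates. The `pam` type's provider presumably still needs `ruby-augeas` on the disable path, so that package (or a `require`) likely belongs outside the conditional; confirm against the pam module in use.
```puppet
class base_installation::ldap inherits base_installation {
  if ($base_installation::ldap_enabled) {
    # … unchanged: openldap packages, /etc/openldap files, pam_ldap setup …
  } else {
    file { "/etc/pam_ldap.conf":
      ensure => absent,
    }

    ["system-auth", "passwd"].each |$service| {
      pam { "Allow to change ldap password via $service":
        ensure  => absent,
        service => $service,
        type    => "password",
        module  => "pam_ldap.so",
      }
    }

    ["system-auth", "su", "su-l"].each |$service| {
      ["auth", "account"].each |$type| {
        pam { "Allow $service to $type with ldap password":
          ensure  => absent,
          service => $service,
          type    => $type,
          module  => "pam_ldap.so",
        }
      }
    }
  }
}
```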