11 files changed, 167 insertions, 125 deletions
diff --git a/modules/base_installation/lib/facter/ldapvar.rb b/modules/base_installation/lib/facter/ldapvar.rb
index 08d58e4..c3379e8 100644
--- a/modules/base_installation/lib/facter/ldapvar.rb
+++ b/modules/base_installation/lib/facter/ldapvar.rb
@@ -5,7 +5,7 @@ begin
  Facter.add("ldapvar") do
    setcode do
      if Puppet[:node_terminus].to_sym != :ldap
-        data = []
+        data = {}
      else
        begin
          conn = Puppet::Util::Ldap::Connection.instance
diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp
index 208b745..9ced43f 100644
--- a/modules/base_installation/manifests/grub.pp
+++ b/modules/base_installation/manifests/grub.pp
@@ -1,22 +1,41 @@
 class base_installation::grub inherits base_installation {
  ensure_packages(['grub'])
-  # unless empty($base_installation::grub_device) {
+  if !empty($base_installation::grub_efi_device) {
-  #   exec { 'install GRUB':
+    ensure_packages(['efibootmgr'])
-  #     command   => "/usr/bin/grub-install --target=i386-pc $base_installation::device",
+    exec { 'install GRUB UEFI':
-  #     subscribe => Package["grub"],
+      command   => "/usr/bin/mkdir /boot/efi && /usr/bin/mount ${base_installation::grub_efi_device} /boot/efi && /usr/bin/grub-install --efi-directory=/boot/efi --target=x86_64-efi && /usr/bin/umount /boot/efi && /usr/bin/rmdir /boot/efi",
-  #   }
+      creates   => "/boot/grub/x86_64-efi",
-  # }
+      subscribe => Package["grub"],
+    }
+  } elsif !empty($base_installation::grub_device) {
+    exec { 'install GRUB MBR':
+      command   => "/usr/bin/grub-install --target=i386-pc $base_installation::grub_device",
+      creates   => "/boot/grub/i386-pc",
+      subscribe => Package["grub"],
+    }
+  }
-  file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+  if ($environment == "workstation" and !empty($base_installation::cryptroot_device)) {
-    path    => "/etc/default/grub",
+    file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
-    line    => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+      path    => "/etc/default/grub",
-    match   => '^GRUB_CMDLINE_LINUX=',
+      line    => "GRUB_CMDLINE_LINUX=\" cryptdevice=UUID=${base_installation::cryptroot_device}:cryptroot\"",
-    require => Package["grub"],
+      match   => '^GRUB_CMDLINE_LINUX=',
+      require => Package["grub"],
+      notify  => Exec["update GRUB config"],
+    }
+  } elsif ($environment != "workstation") {
+    file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
+      path    => "/etc/default/grub",
+      line    => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
+      match   => '^GRUB_CMDLINE_LINUX=',
+      require => Package["grub"],
+      notify  => Exec["update GRUB config"],
+    }
  }
-  # exec { 'update GRUB config':
+  exec { 'update GRUB config':
-  #   command     => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
+    command     => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
-  #   refreshonly => true
+    refreshonly => true
-  # }
+  }
 }
diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp
index a1b5ca8..5726494 100644
--- a/modules/base_installation/manifests/init.pp
+++ b/modules/base_installation/manifests/init.pp
@@ -1,5 +1,8 @@
 class base_installation (
+  Optional[String]        $cryptroot_device     = $base_installation::params::cryptroot_device,
+  Optional[String]        $grub_efi_device      = $base_installation::params::grub_efi_device,
  Optional[String]        $grub_device          = $base_installation::params::grub_device,
+  Optional[Boolean]       $ldap_enabled         = $base_installation::params::ldap_enabled,
  Optional[String]        $ldap_base            = $base_installation::params::ldap_base,
  Optional[String]        $ldap_cert_path       = $base_installation::params::ldap_cert_path,
  Optional[String]        $ldap_cn              = $base_installation::params::ldap_cn,
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index 9291402..7c48be3 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -1,69 +1,71 @@
 class base_installation::ldap inherits base_installation {
-  ensure_packages(["openldap"])
+  if ($base_installation::ldap_enabled) {
+    ensure_packages(["openldap"])
-  File {
+    File {
-    mode  => "0644",
+      mode  => "0644",
-    owner => "root",
+      owner => "root",
-    group => "root",
+      group => "root",
-  }
+    }
-  file { '/etc/openldap':
-    ensure  => directory,
-    require => Package["openldap"],
-    recurse => true,
-    purge   => true,
-    force   => true,
-  }
-  file { '/etc/openldap/ldap.conf':
-    ensure  => present,
-    content => template("base_installation/ldap/ldap.conf.erb"),
-    require => File['/etc/openldap'],
-  }
-  $password_seed  = lookup("base_installation::puppet_pass_seed")
+    file { '/etc/openldap':
-  unless empty(find_file($password_seed)) {
+      ensure  => directory,
-    $ldap_server    = lookup("base_installation::ldap_server")
+      require => Package["openldap"],
-    $ldap_base      = lookup("base_installation::ldap_base")
+      recurse => true,
-    $ldap_dn        = lookup("base_installation::ldap_dn")
+      purge   => true,
-    $ldap_password  = generate_password(24, $password_seed, "ldap")
+      force   => true,
-    $ldap_attribute = "uid"
+    }
-    ensure_packages(["pam_ldap", "ruby-augeas"])
+    file { '/etc/openldap/ldap.conf':
-    file { "/etc/pam_ldap.conf":
+      ensure  => present,
-      ensure  => "present",
+      content => template("base_installation/ldap/ldap.conf.erb"),
-      mode    => "0400",
+      require => File['/etc/openldap'],
-      owner   => "root",
-      group   => "root",
-      content => template("base_installation/ldap/pam_ldap.conf.erb"),
    }
-    ["system-auth", "passwd"].each |$service| {
+    $password_seed  = lookup("base_installation::puppet_pass_seed")
-      pam { "Allow to change ldap password via $service":
+    unless empty(find_file($password_seed)) {
-        ensure    => present,
+      $ldap_server    = lookup("base_installation::ldap_server")
-        service   => $service,
+      $ldap_base      = lookup("base_installation::ldap_base")
-        type      => "password",
+      $ldap_dn        = lookup("base_installation::ldap_dn")
-        control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
+      $ldap_password  = generate_password(24, $password_seed, "ldap")
-        module    => "pam_ldap.so",
+      $ldap_attribute = "uid"
-        arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
-        position  => 'before *[type="password" and module="pam_unix.so"]',
+      ensure_packages(["pam_ldap", "ruby-augeas"])
-        require   => Package["ruby-augeas"],
+      file { "/etc/pam_ldap.conf":
+        ensure  => "present",
+        mode    => "0400",
+        owner   => "root",
+        group   => "root",
+        content => template("base_installation/ldap/pam_ldap.conf.erb"),
      }
-    }
-    ["system-auth", "su", "su-l"].each |$service| {
+      ["system-auth", "passwd"].each |$service| {
-      ["auth", "account"].each |$type| {
+        pam { "Allow to change ldap password via $service":
-        pam { "Allow $service to $type with ldap password":
          ensure    => present,
          service   => $service,
-          type      => $type,
+          type      => "password",
          control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
          module    => "pam_ldap.so",
          arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
-          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+          position  => 'before *[type="password" and module="pam_unix.so"]',
          require   => Package["ruby-augeas"],
        }
      }
+      ["system-auth", "su", "su-l"].each |$service| {
+        ["auth", "account"].each |$type| {
+          pam { "Allow $service to $type with ldap password":
+            ensure    => present,
+            service   => $service,
+            type      => $type,
+            control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
+            module    => "pam_ldap.so",
+            arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
+            position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+            require   => Package["ruby-augeas"],
+          }
+        }
+      }
    }
  }
 }
diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp
index 0f31e0b..90dabee 100644
--- a/modules/base_installation/manifests/locales.pp
+++ b/modules/base_installation/manifests/locales.pp
@@ -29,9 +29,16 @@ class base_installation::locales inherits base_installation {
  }
-  file { "/etc/vconsole.conf":
+  if ($environment == "workstation") {
-    ensure => "link",
+    file { "/etc/vconsole.conf":
-    target => "/dev/null",
+      ensure  => "file",
+      content => "KEYMAP=fr",
+    }
+  } else {
+    file { "/etc/vconsole.conf":
+      ensure => "link",
+      target => "/dev/null",
+    }
  }
 }
diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp
index f336b65..0ceb99c 100644
--- a/modules/base_installation/manifests/params.pp
+++ b/modules/base_installation/manifests/params.pp
@@ -4,7 +4,10 @@ class base_installation::params {
  $puppet_notifies_path = "/etc/puppetlabs/notifies"
  $puppet_pass_seed     = "/etc/puppetlabs/puppet/password_seed"
  $puppet_ssl_path      = "/etc/puppetlabs/ssl"
-  $grub_device          = "/dev/sda"
+  $cryptroot_device     = ""
+  $grub_device          = ""
+  $grub_efi_device      = ""
+  $ldap_enabled         = true
  $ldap_base            = "dc=example,dc=com"
  $ldap_cn              = "node"
  $ldap_dn              = "cn=node,ou=hosts,dc=example,dc=com"
diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp
index 603a961..8040017 100644
--- a/modules/base_installation/manifests/puppet.pp
+++ b/modules/base_installation/manifests/puppet.pp
@@ -52,21 +52,25 @@ class base_installation::puppet (
  }
  unless empty(find_file($password_seed)) {
-    $ldap_password = generate_password(24, $password_seed, "ldap")
+    if ($base_installation::ldap_enabled) {
-    $ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")
+      $ldap_password = generate_password(24, $password_seed, "ldap")
+      $ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")
-    package { 'gem:ruby-ldap':
-      name            => "ruby-ldap",
+      package { 'gem:ruby-ldap':
-      ensure          => present,
+        name            => "ruby-ldap",
-      provider        => "gem",
+        ensure          => present,
-      install_options => "--no-user-install"
+        provider        => "gem",
-    }
+        install_options => "--no-user-install",
+        before          => File["$base_installation::puppet_conf_path"]
+      }
-    package { 'gem:xmpp4r':
+      package { 'gem:xmpp4r':
-      name            => "xmpp4r",
+        name            => "xmpp4r",
-      ensure          => present,
+        ensure          => present,
-      provider        => "gem",
+        provider        => "gem",
-      install_options => "--no-user-install"
+        install_options => "--no-user-install",
+        before          => File["$base_installation::puppet_conf_path"]
+      }
    }
    file { $password_seed:
@@ -75,7 +79,7 @@ class base_installation::puppet (
    file { $base_installation::puppet_conf_path:
      ensure  => directory,
-      require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
+      require => [Package["puppet"]],
      recurse => true,
      purge   => true,
      force   => true,
@@ -103,47 +107,49 @@ class base_installation::puppet (
      }
    }
-    if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
+    if ($base_installation::ldap_enabled) {
-      empty($facts["ldapvar"]) {
+      if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
-        fail("LDAP was activated but facts are not available")
+        empty($facts["ldapvar"]) {
-    }
+          fail("LDAP was activated but facts are not available")
+      }
-    file { $base_installation::puppet_notifies_path:
+      file { $base_installation::puppet_notifies_path:
-      ensure  => directory,
+        ensure  => directory,
-      require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
+        require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
-      recurse => true,
+        recurse => true,
-      purge   => true,
+        purge   => true,
-      force   => true,
+        force   => true,
-    }
+      }
-    $ips = lookup("ips", { 'default_value' => undef })
+      $ips = lookup("ips", { 'default_value' => undef })
-    concat { "$base_installation::puppet_notifies_path/host_ldap.info":
+      concat { "$base_installation::puppet_notifies_path/host_ldap.info":
-      ensure         => "present",
+        ensure         => "present",
-      mode           => "0600",
+        mode           => "0600",
-      require        => File[$base_installation::puppet_notifies_path],
+        require        => File[$base_installation::puppet_notifies_path],
-      ensure_newline => true,
+        ensure_newline => true,
-    }
+      }
-    concat::fragment { "host_ldap add top":
+      concat::fragment { "host_ldap add top":
-      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+        target  => "$base_installation::puppet_notifies_path/host_ldap.info",
-      content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
+        content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
-      order   => "00-01",
+        order   => "00-01",
-    }
+      }
-    concat::fragment { "host_ldap add bottom":
+      concat::fragment { "host_ldap add bottom":
-      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+        target  => "$base_installation::puppet_notifies_path/host_ldap.info",
-      content => "EOF",
+        content => "EOF",
-      order   => "00-99",
+        order   => "00-99",
-    }
+      }
-    concat::fragment { "host_ldap mod top":
+      concat::fragment { "host_ldap mod top":
-      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+        target  => "$base_installation::puppet_notifies_path/host_ldap.info",
-      content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
+        content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
-      order   => "01-01",
+        order   => "01-01",
-    }
+      }
-    concat::fragment { "host_ldap mod bottom":
+      concat::fragment { "host_ldap mod bottom":
-      target  => "$base_installation::puppet_notifies_path/host_ldap.info",
+        target  => "$base_installation::puppet_notifies_path/host_ldap.info",
-      content => "EOF",
+        content => "EOF",
-      order   => "01-99",
+        order   => "01-99",
+      }
    }
  }
 }
diff --git a/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
index 3aafc19..544f445 100644
--- a/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
+++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
@@ -6,7 +6,7 @@ objectclass: device
 objectclass: top
 objectclass: simpleSecurityObject
 objectclass: puppetClient
-<%- unless @ips.empty? -%>
+<%- unless @ips.nil? || @ips.empty? -%>
 objectclass: ipHost
 <% unless @ips["v4"].nil? -%>ipHostNumber: <%= @ips["v4"]["ipAddress"] %><%- end %>
 <% unless @ips["v6"].nil? -%>ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %><%- end %>
diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
index d7a1294..b1a4906 100644
--- a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
+++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
@@ -7,7 +7,7 @@ userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha
 -
 replace: environment
 environment: <%= @environment %>
-<%- unless @ips.empty? -%>
+<%- unless @ips.nil? || @ips.empty? -%>
 -
 delete: ipHostNumber
 <%- unless @ips["v4"].nil? -%>
diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb
index 38a0c1b..4233b86 100644
--- a/modules/base_installation/templates/puppet/puppet.conf.erb
+++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -16,6 +16,7 @@ ssldir = <%= @puppet_ssl_path %>
 environment = <%= @environment %>
+<% if @ldap_enabled %>
 node_terminus = ldap
 certname = <%= @real_hostname %>
 ldapserver = <%= @ldap_server %>
@@ -26,3 +27,4 @@ ldappassword = <%= @ldap_password %>
 ldapclassattrs = puppetClass
 ldapparentattr = parentNode
 ldapstackedattrs = puppetVar
+<% end %>
diff --git a/modules/base_installation/templates/services/en-dhcp.network.erb b/modules/base_installation/templates/services/en-dhcp.network.erb
index 0255595..98cb446 100644
--- a/modules/base_installation/templates/services/en-dhcp.network.erb
+++ b/modules/base_installation/templates/services/en-dhcp.network.erb
@@ -4,7 +4,7 @@ Name=en*
 [Network]
 DHCP=ipv4
-<%- unless @ip6.empty? -%>
+<%- unless @ip6.nil? || @ip6.empty? -%>
 Gateway=<%= @ip6["gateway"] %>
 [Address]

diff --git a/modules/base_installation/lib/facter/ldapvar.rb b/modules/base_installation/lib/facter/ldapvar.rb index 08d58e4..c3379e8 100644 --- a/modules/base_installation/lib/facter/ldapvar.rb +++ b/modules/base_installation/lib/facter/ldapvar.rb
@@ -5,7 +5,7 @@ begin
5	Facter.add("ldapvar") do	5	Facter.add("ldapvar") do
6	setcode do	6	setcode do
7	if Puppet[:node_terminus].to_sym != :ldap	7	if Puppet[:node_terminus].to_sym != :ldap
8	data = []	8	data = {}
9	else	9	else
10	begin	10	begin
11	conn = Puppet::Util::Ldap::Connection.instance	11	conn = Puppet::Util::Ldap::Connection.instance


diff --git a/modules/base_installation/manifests/grub.pp b/modules/base_installation/manifests/grub.pp index 208b745..9ced43f 100644 --- a/modules/base_installation/manifests/grub.pp +++ b/modules/base_installation/manifests/grub.pp
@@ -1,22 +1,41 @@
1	class base_installation::grub inherits base_installation {	1	class base_installation::grub inherits base_installation {
2	ensure_packages(['grub'])	2	ensure_packages(['grub'])
3		3
4	# unless empty($base_installation::grub_device) {	4	if !empty($base_installation::grub_efi_device) {
5	# exec { 'install GRUB':	5	ensure_packages(['efibootmgr'])
6	# command => "/usr/bin/grub-install --target=i386-pc $base_installation::device",	6	exec { 'install GRUB UEFI':
7	# subscribe => Package["grub"],	7	command => "/usr/bin/mkdir /boot/efi && /usr/bin/mount ${base_installation::grub_efi_device} /boot/efi && /usr/bin/grub-install --efi-directory=/boot/efi --target=x86_64-efi && /usr/bin/umount /boot/efi && /usr/bin/rmdir /boot/efi",
8	# }	8	creates => "/boot/grub/x86_64-efi",
9	# }	9	subscribe => Package["grub"],
		10	}
		11	} elsif !empty($base_installation::grub_device) {
		12	exec { 'install GRUB MBR':
		13	command => "/usr/bin/grub-install --target=i386-pc $base_installation::grub_device",
		14	creates => "/boot/grub/i386-pc",
		15	subscribe => Package["grub"],
		16	}
		17	}
10		18
11	file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":	19	if ($environment == "workstation" and !empty($base_installation::cryptroot_device)) {
12	path => "/etc/default/grub",	20	file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
13	line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',	21	path => "/etc/default/grub",
14	match => '^GRUB_CMDLINE_LINUX=',	22	line => "GRUB_CMDLINE_LINUX=\" cryptdevice=UUID=${base_installation::cryptroot_device}:cryptroot\"",
15	require => Package["grub"],	23	match => '^GRUB_CMDLINE_LINUX=',
		24	require => Package["grub"],
		25	notify => Exec["update GRUB config"],
		26	}
		27	} elsif ($environment != "workstation") {
		28	file_line { "/etc/default/grub#GRUB_CMDLINE_LINUX":
		29	path => "/etc/default/grub",
		30	line => 'GRUB_CMDLINE_LINUX=" console=tty0 console=ttyS0,115200"',
		31	match => '^GRUB_CMDLINE_LINUX=',
		32	require => Package["grub"],
		33	notify => Exec["update GRUB config"],
		34	}
16	}	35	}
17		36
18	# exec { 'update GRUB config':	37	exec { 'update GRUB config':
19	# command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",	38	command => "/usr/bin/grub-mkconfig -o /boot/grub/grub.cfg",
20	# refreshonly => true	39	refreshonly => true
21	# }	40	}
22	}	41	}


diff --git a/modules/base_installation/manifests/init.pp b/modules/base_installation/manifests/init.pp index a1b5ca8..5726494 100644 --- a/modules/base_installation/manifests/init.pp +++ b/modules/base_installation/manifests/init.pp
@@ -1,5 +1,8 @@
1	class base_installation (	1	class base_installation (
		2	Optional[String] $cryptroot_device = $base_installation::params::cryptroot_device,
		3	Optional[String] $grub_efi_device = $base_installation::params::grub_efi_device,
2	Optional[String] $grub_device = $base_installation::params::grub_device,	4	Optional[String] $grub_device = $base_installation::params::grub_device,
		5	Optional[Boolean] $ldap_enabled = $base_installation::params::ldap_enabled,
3	Optional[String] $ldap_base = $base_installation::params::ldap_base,	6	Optional[String] $ldap_base = $base_installation::params::ldap_base,
4	Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,	7	Optional[String] $ldap_cert_path = $base_installation::params::ldap_cert_path,
5	Optional[String] $ldap_cn = $base_installation::params::ldap_cn,	8	Optional[String] $ldap_cn = $base_installation::params::ldap_cn,


diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 9291402..7c48be3 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp
@@ -1,69 +1,71 @@
1	class base_installation::ldap inherits base_installation {	1	class base_installation::ldap inherits base_installation {
2	ensure_packages(["openldap"])	2	if ($base_installation::ldap_enabled) {
		3	ensure_packages(["openldap"])
3		4
4	File {	5	File {
5	mode => "0644",	6	mode => "0644",
6	owner => "root",	7	owner => "root",
7	group => "root",	8	group => "root",
8	}	9	}
9
10	file { '/etc/openldap':
11	ensure => directory,
12	require => Package["openldap"],
13	recurse => true,
14	purge => true,
15	force => true,
16	}
17
18	file { '/etc/openldap/ldap.conf':
19	ensure => present,
20	content => template("base_installation/ldap/ldap.conf.erb"),
21	require => File['/etc/openldap'],
22	}
23		10
24	$password_seed = lookup("base_installation::puppet_pass_seed")	11	file { '/etc/openldap':
25	unless empty(find_file($password_seed)) {	12	ensure => directory,
26	$ldap_server = lookup("base_installation::ldap_server")	13	require => Package["openldap"],
27	$ldap_base = lookup("base_installation::ldap_base")	14	recurse => true,
28	$ldap_dn = lookup("base_installation::ldap_dn")	15	purge => true,
29	$ldap_password = generate_password(24, $password_seed, "ldap")	16	force => true,
30	$ldap_attribute = "uid"	17	}
31		18
32	ensure_packages(["pam_ldap", "ruby-augeas"])	19	file { '/etc/openldap/ldap.conf':
33	file { "/etc/pam_ldap.conf":	20	ensure => present,
34	ensure => "present",	21	content => template("base_installation/ldap/ldap.conf.erb"),
35	mode => "0400",	22	require => File['/etc/openldap'],
36	owner => "root",
37	group => "root",
38	content => template("base_installation/ldap/pam_ldap.conf.erb"),
39	}	23	}
40		24
41	["system-auth", "passwd"].each \|$service\| {	25	$password_seed = lookup("base_installation::puppet_pass_seed")
42	pam { "Allow to change ldap password via $service":	26	unless empty(find_file($password_seed)) {
43	ensure => present,	27	$ldap_server = lookup("base_installation::ldap_server")
44	service => $service,	28	$ldap_base = lookup("base_installation::ldap_base")
45	type => "password",	29	$ldap_dn = lookup("base_installation::ldap_dn")
46	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",	30	$ldap_password = generate_password(24, $password_seed, "ldap")
47	module => "pam_ldap.so",	31	$ldap_attribute = "uid"
48	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],	32
49	position => 'before *[type="password" and module="pam_unix.so"]',	33	ensure_packages(["pam_ldap", "ruby-augeas"])
50	require => Package["ruby-augeas"],	34	file { "/etc/pam_ldap.conf":
		35	ensure => "present",
		36	mode => "0400",
		37	owner => "root",
		38	group => "root",
		39	content => template("base_installation/ldap/pam_ldap.conf.erb"),
51	}	40	}
52	}
53		41
54	["system-auth", "su", "su-l"].each \|$service\| {	42	["system-auth", "passwd"].each \|$service\| {
55	["auth", "account"].each \|$type\| {	43	pam { "Allow to change ldap password via $service":
56	pam { "Allow $service to $type with ldap password":
57	ensure => present,	44	ensure => present,
58	service => $service,	45	service => $service,
59	type => $type,	46	type => "password",
60	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",	47	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
61	module => "pam_ldap.so",	48	module => "pam_ldap.so",
62	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],	49	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
63	position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",	50	position => 'before *[type="password" and module="pam_unix.so"]',
64	require => Package["ruby-augeas"],	51	require => Package["ruby-augeas"],
65	}	52	}
66	}	53	}
		54
		55	["system-auth", "su", "su-l"].each \|$service\| {
		56	["auth", "account"].each \|$type\| {
		57	pam { "Allow $service to $type with ldap password":
		58	ensure => present,
		59	service => $service,
		60	type => $type,
		61	control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
		62	module => "pam_ldap.so",
		63	arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
		64	position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
		65	require => Package["ruby-augeas"],
		66	}
		67	}
		68	}
67	}	69	}
68	}	70	}
69	}	71	}


diff --git a/modules/base_installation/manifests/locales.pp b/modules/base_installation/manifests/locales.pp index 0f31e0b..90dabee 100644 --- a/modules/base_installation/manifests/locales.pp +++ b/modules/base_installation/manifests/locales.pp
@@ -29,9 +29,16 @@ class base_installation::locales inherits base_installation {
29	}	29	}
30		30
31		31
32	file { "/etc/vconsole.conf":	32	if ($environment == "workstation") {
33	ensure => "link",	33	file { "/etc/vconsole.conf":
34	target => "/dev/null",	34	ensure => "file",
		35	content => "KEYMAP=fr",
		36	}
		37	} else {
		38	file { "/etc/vconsole.conf":
		39	ensure => "link",
		40	target => "/dev/null",
		41	}
35	}	42	}
36		43
37	}	44	}


diff --git a/modules/base_installation/manifests/params.pp b/modules/base_installation/manifests/params.pp index f336b65..0ceb99c 100644 --- a/modules/base_installation/manifests/params.pp +++ b/modules/base_installation/manifests/params.pp
@@ -4,7 +4,10 @@ class base_installation::params {
4	$puppet_notifies_path = "/etc/puppetlabs/notifies"	4	$puppet_notifies_path = "/etc/puppetlabs/notifies"
5	$puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"	5	$puppet_pass_seed = "/etc/puppetlabs/puppet/password_seed"
6	$puppet_ssl_path = "/etc/puppetlabs/ssl"	6	$puppet_ssl_path = "/etc/puppetlabs/ssl"
7	$grub_device = "/dev/sda"	7	$cryptroot_device = ""
		8	$grub_device = ""
		9	$grub_efi_device = ""
		10	$ldap_enabled = true
8	$ldap_base = "dc=example,dc=com"	11	$ldap_base = "dc=example,dc=com"
9	$ldap_cn = "node"	12	$ldap_cn = "node"
10	$ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"	13	$ldap_dn = "cn=node,ou=hosts,dc=example,dc=com"


diff --git a/modules/base_installation/manifests/puppet.pp b/modules/base_installation/manifests/puppet.pp index 603a961..8040017 100644 --- a/modules/base_installation/manifests/puppet.pp +++ b/modules/base_installation/manifests/puppet.pp
@@ -52,21 +52,25 @@ class base_installation::puppet (
52	}	52	}
53		53
54	unless empty(find_file($password_seed)) {	54	unless empty(find_file($password_seed)) {
55	$ldap_password = generate_password(24, $password_seed, "ldap")	55	if ($base_installation::ldap_enabled) {
56	$ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")	56	$ldap_password = generate_password(24, $password_seed, "ldap")
57		57	$ssha_ldap_seed = generate_password(5, $password_seed, "ldap_seed")
58	package { 'gem:ruby-ldap':	58
59	name => "ruby-ldap",	59	package { 'gem:ruby-ldap':
60	ensure => present,	60	name => "ruby-ldap",
61	provider => "gem",	61	ensure => present,
62	install_options => "--no-user-install"	62	provider => "gem",
63	}	63	install_options => "--no-user-install",
		64	before => File["$base_installation::puppet_conf_path"]
		65	}
64		66
65	package { 'gem:xmpp4r':	67	package { 'gem:xmpp4r':
66	name => "xmpp4r",	68	name => "xmpp4r",
67	ensure => present,	69	ensure => present,
68	provider => "gem",	70	provider => "gem",
69	install_options => "--no-user-install"	71	install_options => "--no-user-install",
		72	before => File["$base_installation::puppet_conf_path"]
		73	}
70	}	74	}
71		75
72	file { $password_seed:	76	file { $password_seed:
@@ -75,7 +79,7 @@ class base_installation::puppet (
75		79
76	file { $base_installation::puppet_conf_path:	80	file { $base_installation::puppet_conf_path:
77	ensure => directory,	81	ensure => directory,
78	require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],	82	require => [Package["puppet"]],
79	recurse => true,	83	recurse => true,
80	purge => true,	84	purge => true,
81	force => true,	85	force => true,
@@ -103,47 +107,49 @@ class base_installation::puppet (
103	}	107	}
104	}	108	}
105		109
106	if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and	110	if ($base_installation::ldap_enabled) {
107	empty($facts["ldapvar"]) {	111	if file("$base_installation::puppet_notifies_path/host_ldap.info", "/dev/null") != "" and
108	fail("LDAP was activated but facts are not available")	112	empty($facts["ldapvar"]) {
109	}	113	fail("LDAP was activated but facts are not available")
		114	}
110		115
111	file { $base_installation::puppet_notifies_path:	116	file { $base_installation::puppet_notifies_path:
112	ensure => directory,	117	ensure => directory,
113	require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],	118	require => [Package["puppet"], Package["gem:xmpp4r"], Package["gem:ruby-ldap"]],
114	recurse => true,	119	recurse => true,
115	purge => true,	120	purge => true,
116	force => true,	121	force => true,
117	}	122	}
118		123
119	$ips = lookup("ips", { 'default_value' => undef })	124	$ips = lookup("ips", { 'default_value' => undef })
120	concat { "$base_installation::puppet_notifies_path/host_ldap.info":	125	concat { "$base_installation::puppet_notifies_path/host_ldap.info":
121	ensure => "present",	126	ensure => "present",
122	mode => "0600",	127	mode => "0600",
123	require => File[$base_installation::puppet_notifies_path],	128	require => File[$base_installation::puppet_notifies_path],
124	ensure_newline => true,	129	ensure_newline => true,
125	}	130	}
126		131
127	concat::fragment { "host_ldap add top":	132	concat::fragment { "host_ldap add top":
128	target => "$base_installation::puppet_notifies_path/host_ldap.info",	133	target => "$base_installation::puppet_notifies_path/host_ldap.info",
129	content => template("base_installation/puppet/host_ldap_add_top.info.erb"),	134	content => template("base_installation/puppet/host_ldap_add_top.info.erb"),
130	order => "00-01",	135	order => "00-01",
131	}	136	}
132	concat::fragment { "host_ldap add bottom":	137	concat::fragment { "host_ldap add bottom":
133	target => "$base_installation::puppet_notifies_path/host_ldap.info",	138	target => "$base_installation::puppet_notifies_path/host_ldap.info",
134	content => "EOF",	139	content => "EOF",
135	order => "00-99",	140	order => "00-99",
136	}	141	}
137		142
138	concat::fragment { "host_ldap mod top":	143	concat::fragment { "host_ldap mod top":
139	target => "$base_installation::puppet_notifies_path/host_ldap.info",	144	target => "$base_installation::puppet_notifies_path/host_ldap.info",
140	content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),	145	content => template("base_installation/puppet/host_ldap_mod_top.info.erb"),
141	order => "01-01",	146	order => "01-01",
142	}	147	}
143	concat::fragment { "host_ldap mod bottom":	148	concat::fragment { "host_ldap mod bottom":
144	target => "$base_installation::puppet_notifies_path/host_ldap.info",	149	target => "$base_installation::puppet_notifies_path/host_ldap.info",
145	content => "EOF",	150	content => "EOF",
146	order => "01-99",	151	order => "01-99",
		152	}
147	}	153	}
148	}	154	}
149	}	155	}


diff --git a/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb index 3aafc19..544f445 100644 --- a/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb +++ b/modules/base_installation/templates/puppet/host_ldap_add_top.info.erb
@@ -6,7 +6,7 @@ objectclass: device
6	objectclass: top	6	objectclass: top
7	objectclass: simpleSecurityObject	7	objectclass: simpleSecurityObject
8	objectclass: puppetClient	8	objectclass: puppetClient
9	<%- unless @ips.empty? -%>	9	<%- unless @ips.nil? \|\| @ips.empty? -%>
10	objectclass: ipHost	10	objectclass: ipHost
11	<% unless @ips["v4"].nil? -%>ipHostNumber: <%= @ips["v4"]["ipAddress"] %><%- end %>	11	<% unless @ips["v4"].nil? -%>ipHostNumber: <%= @ips["v4"]["ipAddress"] %><%- end %>
12	<% unless @ips["v6"].nil? -%>ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %><%- end %>	12	<% unless @ips["v6"].nil? -%>ipHostNumber: <%= @ips["v6"]["ipAddress"] %>/<%= @ips["v6"]["mask"] %><%- end %>


diff --git a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb index d7a1294..b1a4906 100644 --- a/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb +++ b/modules/base_installation/templates/puppet/host_ldap_mod_top.info.erb
@@ -7,7 +7,7 @@ userpassword: {SSHA}<%= Base64.encode64(Digest::SHA1.digest(@ldap_password+@ssha
7	-	7	-
8	replace: environment	8	replace: environment
9	environment: <%= @environment %>	9	environment: <%= @environment %>
10	<%- unless @ips.empty? -%>	10	<%- unless @ips.nil? \|\| @ips.empty? -%>
11	-	11	-
12	delete: ipHostNumber	12	delete: ipHostNumber
13	<%- unless @ips["v4"].nil? -%>	13	<%- unless @ips["v4"].nil? -%>


diff --git a/modules/base_installation/templates/puppet/puppet.conf.erb b/modules/base_installation/templates/puppet/puppet.conf.erb index 38a0c1b..4233b86 100644 --- a/modules/base_installation/templates/puppet/puppet.conf.erb +++ b/modules/base_installation/templates/puppet/puppet.conf.erb
@@ -16,6 +16,7 @@ ssldir = <%= @puppet_ssl_path %>
16		16
17	environment = <%= @environment %>	17	environment = <%= @environment %>
18		18
		19	<% if @ldap_enabled %>
19	node_terminus = ldap	20	node_terminus = ldap
20	certname = <%= @real_hostname %>	21	certname = <%= @real_hostname %>
21	ldapserver = <%= @ldap_server %>	22	ldapserver = <%= @ldap_server %>
@@ -26,3 +27,4 @@ ldappassword = <%= @ldap_password %>
26	ldapclassattrs = puppetClass	27	ldapclassattrs = puppetClass
27	ldapparentattr = parentNode	28	ldapparentattr = parentNode
28	ldapstackedattrs = puppetVar	29	ldapstackedattrs = puppetVar
		30	<% end %>


diff --git a/modules/base_installation/templates/services/en-dhcp.network.erb b/modules/base_installation/templates/services/en-dhcp.network.erb index 0255595..98cb446 100644 --- a/modules/base_installation/templates/services/en-dhcp.network.erb +++ b/modules/base_installation/templates/services/en-dhcp.network.erb
@@ -4,7 +4,7 @@ Name=en*
4	[Network]	4	[Network]
5	DHCP=ipv4	5	DHCP=ipv4
6		6
7	<%- unless @ip6.empty? -%>	7	<%- unless @ip6.nil? \|\| @ip6.empty? -%>
8	Gateway=<%= @ip6["gateway"] %>	8	Gateway=<%= @ip6["gateway"] %>
9		9
10	[Address]	10	[Address]