From 7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Sat, 30 Jun 2018 15:53:16 +0200
Subject: Add ldap authentication
---
 .gitmodules | 6 ++++
 external_modules/augeasproviders_core | 1 +
 external_modules/augeasproviders_pam | 1 +
 modules/base_installation/manifests/ldap.pp | 41 ++++++++++++++++++++++
 .../templates/ldap/pam_ldap.conf.erb | 7 ++++
 5 files changed, 56 insertions(+)
 create mode 160000 external_modules/augeasproviders_core
 create mode 160000 external_modules/augeasproviders_pam
 create mode 100644 modules/base_installation/templates/ldap/pam_ldap.conf.erb
diff --git a/.gitmodules b/.gitmodules
index d68cf4e..f8ff2b7 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -67,3 +67,9 @@
 [submodule "external_modules/patch"]
 path = external_modules/patch
 url = git://git.immae.eu/github/tohuwabohu/puppet-patch.git
+[submodule "external_modules/augeasproviders_pam"]
+ path = external_modules/augeasproviders_pam
+ url = git://git.immae.eu/github/hercules-team/augeasproviders_pam.git
+[submodule "external_modules/augeasproviders_core"]
+ path = external_modules/augeasproviders_core
+ url = git://git.immae.eu/github/hercules-team/augeasproviders_core.git
diff --git a/external_modules/augeasproviders_core b/external_modules/augeasproviders_core
new file mode 160000
index 0000000..604680c
--- /dev/null
+++ b/external_modules/augeasproviders_core
@@ -0,0 +1 @@
+Subproject commit 604680cb5fe7e32fd1ad1051fc34ef100a4d6923
diff --git a/external_modules/augeasproviders_pam b/external_modules/augeasproviders_pam
new file mode 160000
index 0000000..e207968
--- /dev/null
+++ b/external_modules/augeasproviders_pam
@@ -0,0 +1 @@
+Subproject commit e20796872f094c56a201519bab7716f099c78819
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index 1825700..acc0014 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
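Review bot: The two new submodule entries fetch over the unauthenticated `git://` transport, which matches the existing `external_modules/patch` entry but gives no transport integrity or server authentication; the pinned gitlinks in this commit (`604680c…`, `e207968…`) are what actually guarantee the checked-out content, so the exposure is confined to the moment a maintainer fetches and updates those pins. When the `git.immae.eu` mirror offers an `https://` endpoint, switching all three URLs to it removes that window; until then a new pin should be checked against the upstream hercules-team repository before it is committed.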
@@ -21,4 +21,45 @@ class base_installation::ldap inherits base_installation { require => File['/etc/openldap'], } + $password_seed = lookup("base_installation::puppet_pass_seed") + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "uid" + + ensure_packages(["pam_ldap"]) + file { "/etc/pam_ldap.conf": + ensure => "present", + mode => "0400", + owner => "root", + group => "root", + content => template("base_installation/ldap/pam_ldap.conf.erb"), + } + + ["system-auth", "passwd"].each |$service| { + pam { "Allow to change ldap password via $service": + ensure => present, + service => $service, + type => "password", + control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", + module => "pam_ldap.so", + arguments => "ignore_unknown_user", + position => 'before *[type="password" and module="pam_unix.so"]', + } + } + + ["system-auth", "su", "su-l"].each |$service| { + ["auth", "account"].each |$type| { + pam { "Allow $service to $type with ldap password": + ensure => present, + service => $service, + type => $type, + control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", + module => "pam_ldap.so", + arguments => "ignore_unknown_user", + position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", + } + } + } } diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb new file mode 100644 index 0000000..f07490a --- /dev/null +++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb @@ -0,0 +1,7 @@ +host <%= @ldap_server %> + +base <%= @ldap_base %> +binddn <%= @ldap_dn %> +bindpw <%= @ldap_password %> +pam_login_attribute <%= @ldap_attribute %> + -- cgit v1.2.3 From 3f379c2a19006fe21da9775c2fa9649d8e1bd8c0 Mon Sep 17 00:00:00 2001 
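Review bot: The `file { "/etc/pam_ldap.conf": … }` resource renders `bindpw` from `$ldap_password` into managed content, and Puppet's default reporting prints a content diff whenever a managed file changes, so the bind password would end up in agent logs and reports; add `show_diff => false,` to that resource. The 0400/root mode is the right choice for a file holding credentials, but `pam_ldap.so` runs inside whichever process drives the PAM stack, so a PAM client that is not root cannot read the file at all — presumably every consumer of `system-auth`, `su`, `su-l` and `passwd` here is privileged, which is worth confirming before the shared `system-auth` stack is touched. The control string `[success=done new_authtok_reqd=ok ignore=ignore default=bad]` also ends the stack on LDAP success, so any module placed after `pam_unix.so` in the distribution's stacks will be skipped for LDAP users; a comment on the first `pam` resource, e.g. `# success=done: an LDAP user never falls through to pam_unix; default=bad: a known LDAP user with a bad password is rejected outright`, would record that intent. The class `base_installation::ldap` starts before this hunk.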
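Review bot: The template writes `binddn`/`bindpw` and a bare `host` line but no TLS directive, so unless the LDAP server itself refuses plain connections both the bind password and every user password checked through pam_ldap cross the network in cleartext; add `ssl start_tls` and `tls_checkpeer yes` (with a `tls_cacertfile` pointing at the CA the server uses) so the session is encrypted and the server is verified. The empty line after `host` and the trailing one look accidental and can be dropped. A header comment such as `# Managed by Puppet (base_installation/ldap/pam_ldap.conf.erb); holds bind credentials, keep root-only` would tell an operator why the rendered file is mode 0400.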
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 30 Jun 2018 17:50:07 +0200 Subject: Fix apache owner --- modules/profile/manifests/apache.pp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/profile/manifests/apache.pp b/modules/profile/manifests/apache.pp index 382633b..7187350 100644 --- a/modules/profile/manifests/apache.pp +++ b/modules/profile/manifests/apache.pp @@ -4,6 +4,8 @@ class profile::apache { root_directory_options => ["All"], default_mods => false, default_vhost => false, + user => "http", + group => "http", log_formats => { combined => '%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %p', common => '%h %l %u %t \"%r\" %>s %b', -- cgit v1.2.3 From 35a719cb7c2c6c5c1807b75f747782678c359406 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 30 Jun 2018 18:02:49 +0200 Subject: Fix missing package --- modules/base_installation/manifests/ldap.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index acc0014..d5d871c 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp @@ -28,7 +28,7 @@ class base_installation::ldap inherits base_installation { $ldap_password = generate_password(24, $password_seed, "ldap") $ldap_attribute = "uid" - ensure_packages(["pam_ldap"]) + ensure_packages(["pam_ldap", "ruby-augeas"]) file { "/etc/pam_ldap.conf": ensure => "present", mode => "0400", @@ -46,6 +46,7 @@ class base_installation::ldap inherits base_installation { module => "pam_ldap.so", arguments => "ignore_unknown_user", position => 'before *[type="password" and module="pam_unix.so"]', + require => Package["ruby-augeas"], } } 
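Review bot: `require => Package["ruby-augeas"]` on the `pam` resources (added in the `@@ -46,6 +46,7 @@` hunk here and again in `@@ -59,6 +60,7 @@` below) only orders the resources; Puppet decides whether the augeas-backed `pam` provider is usable when it loads the catalog, so on a host that lacks `ruby-augeas` the first run will most likely still report no suitable provider and only the following run applies the PAM changes. That is acceptable if two runs are expected, but it deserves a comment on the `ensure_packages(["pam_ldap", "ruby-augeas"])` line, e.g. `# ruby-augeas backs the pam provider; a fresh host needs a second run after it is installed`. Since every `pam` resource in the class needs the same ordering, a single `Package["ruby-augeas"] -> Pam <| |>` after `ensure_packages` would replace the two per-resource `require` lines. The class body continues outside these hunks.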
@@ -59,6 +60,7 @@ class base_installation::ldap inherits base_installation { module => "pam_ldap.so", arguments => "ignore_unknown_user", position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", + require => Package["ruby-augeas"], } } } -- cgit v1.2.3 From 77d4b0b7672ee0a840fb721463964c7edf0eb044 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 30 Jun 2018 18:06:26 +0200 Subject: Fix duplicate package ruby-augeas --- modules/profile/manifests/redis.pp | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/profile/manifests/redis.pp b/modules/profile/manifests/redis.pp index 79871b1..d912c59 100644 --- a/modules/profile/manifests/redis.pp +++ b/modules/profile/manifests/redis.pp @@ -17,9 +17,8 @@ class profile::redis { notify => Service["redis"], } - package { "ruby-augeas": - ensure => installed, - } -> + ensure_packages(["ruby-augeas"]) + class { '::redis': unixsocket => "/run/redis/redis.sock", unixsocketperm => "777", @@ -28,7 +27,10 @@ class profile::redis { config_file => "/etc/redis.conf", config_file_orig => "/etc/redis.conf.puppet", port => 0, - require => File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"], + require => [ + File["/etc/systemd/system/redis.service.d/socket_shutdown.conf"], + Package["ruby-augeas"] + ] } } -- cgit v1.2.3
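Review bot: In the `@@ -28,7 +27,10 @@` hunk the new `require` array ends with `Package["ruby-augeas"]` and `]` without trailing commas, while every other attribute of the `class { '::redis': … }` declaration keeps one (`port => 0,`); for consistency with the file and puppet-lint's trailing-comma check write `Package["ruby-augeas"],` and `],`. The first hunk's swap of the explicit `->` chain for `ensure_packages` plus this `require` preserves the ordering, but if the `::redis` module itself relies on an augeas provider the same first-run caveat applies — `require` does not make a provider loadable mid-run — so that is worth confirming against the module. The class `profile::redis` starts before these hunks.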