From 98a071604ea9f7569aa0fa0688bc9d35081770c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Isma=C3=ABl=20Bouya?=
Date: Tue, 2 Oct 2018 22:53:29 +0200
Subject: Add Flony workstation
---
 modules/base_installation/manifests/ldap.pp | 102 ++++++++++++++--------------
 1 file changed, 52 insertions(+), 50 deletions(-)
(limited to 'modules/base_installation/manifests/ldap.pp')
diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp
index 9291402..7c48be3 100644
--- a/modules/base_installation/manifests/ldap.pp
+++ b/modules/base_installation/manifests/ldap.pp
@@ -1,69 +1,71 @@
 class base_installation::ldap inherits base_installation {
- ensure_packages(["openldap"])
+ if ($base_installation::ldap_enabled) {
+ ensure_packages(["openldap"])
- File {
- mode => "0644",
- owner => "root",
- group => "root",
- }
-
- file { '/etc/openldap':
- ensure => directory,
- require => Package["openldap"],
- recurse => true,
- purge => true,
- force => true,
- }
-
- file { '/etc/openldap/ldap.conf':
- ensure => present,
- content => template("base_installation/ldap/ldap.conf.erb"),
- require => File['/etc/openldap'],
- }
+ File {
+ mode => "0644",
+ owner => "root",
+ group => "root",
+ }
- $password_seed = lookup("base_installation::puppet_pass_seed")
- unless empty(find_file($password_seed)) {
- $ldap_server = lookup("base_installation::ldap_server")
- $ldap_base = lookup("base_installation::ldap_base")
- $ldap_dn = lookup("base_installation::ldap_dn")
- $ldap_password = generate_password(24, $password_seed, "ldap")
- $ldap_attribute = "uid"
+ file { '/etc/openldap':
+ ensure => directory,
+ require => Package["openldap"],
+ recurse => true,
+ purge => true,
+ force => true,
+ }
- ensure_packages(["pam_ldap", "ruby-augeas"])
- file { "/etc/pam_ldap.conf":
- ensure => "present",
- mode => "0400",
- owner => "root",
- group => "root",
- content => template("base_installation/ldap/pam_ldap.conf.erb"),
+ file { '/etc/openldap/ldap.conf':
+ ensure => present,
+ content => template("base_installation/ldap/ldap.conf.erb"),
+ require => File['/etc/openldap'],
 }
- ["system-auth", "passwd"].each |$service| {
- pam { "Allow to change ldap password via $service":
- ensure => present,
- service => $service,
- type => "password",
- control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
- module => "pam_ldap.so",
- arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
- position => 'before *[type="password" and module="pam_unix.so"]',
- require => Package["ruby-augeas"],
+ $password_seed = lookup("base_installation::puppet_pass_seed")
+ unless empty(find_file($password_seed)) {
+ $ldap_server = lookup("base_installation::ldap_server")
+ $ldap_base = lookup("base_installation::ldap_base")
+ $ldap_dn = lookup("base_installation::ldap_dn")
+ $ldap_password = generate_password(24, $password_seed, "ldap")
+ $ldap_attribute = "uid"
+
+ ensure_packages(["pam_ldap", "ruby-augeas"])
+ file { "/etc/pam_ldap.conf":
+ ensure => "present",
+ mode => "0400",
+ owner => "root",
+ group => "root",
+ content => template("base_installation/ldap/pam_ldap.conf.erb"),
 }
- }
- ["system-auth", "su", "su-l"].each |$service| {
- ["auth", "account"].each |$type| {
- pam { "Allow $service to $type with ldap password":
+ ["system-auth", "passwd"].each |$service| {
+ pam { "Allow to change ldap password via $service":
 ensure => present,
 service => $service,
- type => $type,
+ type => "password",
 control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
 module => "pam_ldap.so",
 arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
- position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+ position => 'before *[type="password" and module="pam_unix.so"]',
 require => Package["ruby-augeas"],
 }
 }
+
+ ["system-auth", "su", "su-l"].each |$service| {
+ ["auth", "account"].each |$type| {
+ pam { "Allow $service to $type with ldap password":
+ ensure => present,
+ service => $service,
+ type => $type,
+ control => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
+ module => "pam_ldap.so",
+ arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
+ position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
+ require => Package["ruby-augeas"],
+ }
+ }
+ }
 }
 }
 }
--
cgit v1.2.3
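Review bot: The new `if ($base_installation::ldap_enabled)` guard at the top of the class has no `else` branch, so on a node where the flag is later switched off nothing removes the `pam` entries added to system-auth, su, su-l and passwd, nor `/etc/pam_ldap.conf`; Puppet merely stops managing them and the pam_ldap lines stay active in the PAM stack. I would add an `else` branch that declares the same `pam` resources and `/etc/pam_ldap.conf` with `ensure => absent`, or at least a comment above the `if` saying that disabling the flag does not roll the LDAP/PAM configuration back. I cannot see where `$base_installation::ldap_enabled` is declared; if it defaults to undef the whole class becomes a no-op, which looks intended but deserves a comment on that parameter. Minor style point: the parentheses around the condition are not needed in Puppet, `if $base_installation::ldap_enabled {` is the usual form.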