From 7b26c44a88d4ba17b147ff53c3bdf4e6da51bb1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 30 Jun 2018 15:53:16 +0200 Subject: Add ldap authentication --- modules/base_installation/manifests/ldap.pp | 41 ++++++++++++++++++++++ .../templates/ldap/pam_ldap.conf.erb | 7 ++++ 2 files changed, 48 insertions(+) create mode 100644 modules/base_installation/templates/ldap/pam_ldap.conf.erb (limited to 'modules') diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index 1825700..acc0014 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp @@ -21,4 +21,45 @@ class base_installation::ldap inherits base_installation { require => File['/etc/openldap'], } + $password_seed = lookup("base_installation::puppet_pass_seed") + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "uid" + + ensure_packages(["pam_ldap"]) + file { "/etc/pam_ldap.conf": + ensure => "present", + mode => "0400", + owner => "root", + group => "root", + content => template("base_installation/ldap/pam_ldap.conf.erb"), + } + + ["system-auth", "passwd"].each |$service| { + pam { "Allow to change ldap password via $service": + ensure => present, + service => $service, + type => "password", + control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", + module => "pam_ldap.so", + arguments => "ignore_unknown_user", + position => 'before *[type="password" and module="pam_unix.so"]', + } + } + + ["system-auth", "su", "su-l"].each |$service| { + ["auth", "account"].each |$type| { + pam { "Allow $service to $type with ldap password": + ensure => present, + service => $service, + type => $type, + control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", + module => "pam_ldap.so", + arguments => "ignore_unknown_user", + position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", + } + } + } } diff --git a/modules/base_installation/templates/ldap/pam_ldap.conf.erb b/modules/base_installation/templates/ldap/pam_ldap.conf.erb new file mode 100644 index 0000000..f07490a --- /dev/null +++ b/modules/base_installation/templates/ldap/pam_ldap.conf.erb @@ -0,0 +1,7 @@ +host <%= @ldap_server %> + +base <%= @ldap_base %> +binddn <%= @ldap_dn %> +bindpw <%= @ldap_password %> +pam_login_attribute <%= @ldap_attribute %> + -- cgit v1.2.3