From f84d9190aa7e14ae13256e1d6a47a1be09506674 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Isma=C3=ABl=20Bouya?= Date: Sat, 30 Jun 2018 18:17:34 +0200 Subject: =?UTF-8?q?Don=E2=80=99t=20add=20ldap=20authentication=20on=20firs?= =?UTF-8?q?t=20pass?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- modules/base_installation/manifests/ldap.pp | 62 +++++++++++++++-------------- 1 file changed, 32 insertions(+), 30 deletions(-) (limited to 'modules') diff --git a/modules/base_installation/manifests/ldap.pp b/modules/base_installation/manifests/ldap.pp index d5d871c..5a35327 100644 --- a/modules/base_installation/manifests/ldap.pp +++ b/modules/base_installation/manifests/ldap.pp @@ -22,46 +22,48 @@ class base_installation::ldap inherits base_installation { } $password_seed = lookup("base_installation::puppet_pass_seed") - $ldap_server = lookup("base_installation::ldap_server") - $ldap_base = lookup("base_installation::ldap_base") - $ldap_dn = lookup("base_installation::ldap_dn") - $ldap_password = generate_password(24, $password_seed, "ldap") - $ldap_attribute = "uid" + unless empty(find_file($password_seed)) { + $ldap_server = lookup("base_installation::ldap_server") + $ldap_base = lookup("base_installation::ldap_base") + $ldap_dn = lookup("base_installation::ldap_dn") + $ldap_password = generate_password(24, $password_seed, "ldap") + $ldap_attribute = "uid" - ensure_packages(["pam_ldap", "ruby-augeas"]) - file { "/etc/pam_ldap.conf": - ensure => "present", - mode => "0400", - owner => "root", - group => "root", - content => template("base_installation/ldap/pam_ldap.conf.erb"), - } - - ["system-auth", "passwd"].each |$service| { - pam { "Allow to change ldap password via $service": - ensure => present, - service => $service, - type => "password", - control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", - module => "pam_ldap.so", - arguments => "ignore_unknown_user", - position => 'before *[type="password" and module="pam_unix.so"]', - require => Package["ruby-augeas"], + ensure_packages(["pam_ldap", "ruby-augeas"]) + file { "/etc/pam_ldap.conf": + ensure => "present", + mode => "0400", + owner => "root", + group => "root", + content => template("base_installation/ldap/pam_ldap.conf.erb"), } - } - ["system-auth", "su", "su-l"].each |$service| { - ["auth", "account"].each |$type| { - pam { "Allow $service to $type with ldap password": + ["system-auth", "passwd"].each |$service| { + pam { "Allow to change ldap password via $service": ensure => present, service => $service, - type => $type, + type => "password", control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", module => "pam_ldap.so", arguments => "ignore_unknown_user", - position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", + position => 'before *[type="password" and module="pam_unix.so"]', require => Package["ruby-augeas"], } } + + ["system-auth", "su", "su-l"].each |$service| { + ["auth", "account"].each |$type| { + pam { "Allow $service to $type with ldap password": + ensure => present, + service => $service, + type => $type, + control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]", + module => "pam_ldap.so", + arguments => "ignore_unknown_user", + position => "before *[type=\"$type\" and module=\"pam_unix.so\"]", + require => Package["ruby-augeas"], + } + } + } } } -- cgit v1.2.3