1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
class base_installation::ldap inherits base_installation {
ensure_packages(["openldap"])
File {
mode => "0644",
owner => "root",
group => "root",
}
file { '/etc/openldap':
ensure => directory,
require => Package["openldap"],
recurse => true,
purge => true,
force => true,
}
file { '/etc/openldap/ldap.conf':
ensure => present,
content => template("base_installation/ldap/ldap.conf.erb"),
require => File['/etc/openldap'],
}
$password_seed = lookup("base_installation::puppet_pass_seed")
unless empty(find_file($password_seed)) {
$ldap_server = lookup("base_installation::ldap_server")
$ldap_base = lookup("base_installation::ldap_base")
$ldap_dn = lookup("base_installation::ldap_dn")
$ldap_password = generate_password(24, $password_seed, "ldap")
$ldap_attribute = "uid"
ensure_packages(["pam_ldap", "ruby-augeas"])
file { "/etc/pam_ldap.conf":
ensure => "present",
mode => "0400",
owner => "root",
group => "root",
content => template("base_installation/ldap/pam_ldap.conf.erb"),
}
["system-auth", "passwd"].each |$service| {
pam { "Allow to change ldap password via $service":
ensure => present,
service => $service,
type => "password",
control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
module => "pam_ldap.so",
arguments => "ignore_unknown_user",
position => 'before *[type="password" and module="pam_unix.so"]',
require => Package["ruby-augeas"],
}
}
["system-auth", "su", "su-l"].each |$service| {
["auth", "account"].each |$type| {
pam { "Allow $service to $type with ldap password":
ensure => present,
service => $service,
type => $type,
control => "[success=done new_authtok_reqd=ok ignore=ignore default=bad]",
module => "pam_ldap.so",
arguments => "ignore_unknown_user",
position => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
require => Package["ruby-augeas"],
}
}
}
}
}
|