modules/base_installation/manifests/ldap.pp


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

class base_installation::ldap inherits base_installation {
  ensure_packages(["openldap"])

  File {
    mode  => "0644",
    owner => "root",
    group => "root",
  }

  file { '/etc/openldap':
    ensure  => directory,
    require => Package["openldap"],
    recurse => true,
    purge   => true,
    force   => true,
  }

  file { '/etc/openldap/ldap.conf':
    ensure  => present,
    content => template("base_installation/ldap/ldap.conf.erb"),
    require => File['/etc/openldap'],
  }

  $password_seed  = lookup("base_installation::puppet_pass_seed")
  unless empty(find_file($password_seed)) {
    $ldap_server    = lookup("base_installation::ldap_server")
    $ldap_base      = lookup("base_installation::ldap_base")
    $ldap_dn        = lookup("base_installation::ldap_dn")
    $ldap_password  = generate_password(24, $password_seed, "ldap")
    $ldap_attribute = "uid"

    ensure_packages(["pam_ldap", "ruby-augeas"])
    file { "/etc/pam_ldap.conf":
      ensure  => "present",
      mode    => "0400",
      owner   => "root",
      group   => "root",
      content => template("base_installation/ldap/pam_ldap.conf.erb"),
    }

    ["system-auth", "passwd"].each |$service| {
      pam { "Allow to change ldap password via $service":
        ensure    => present,
        service   => $service,
        type      => "password",
        control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
        module    => "pam_ldap.so",
        arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
        position  => 'before *[type="password" and module="pam_unix.so"]',
        require   => Package["ruby-augeas"],
      }
    }

    ["system-auth", "su", "su-l"].each |$service| {
      ["auth", "account"].each |$type| {
        pam { "Allow $service to $type with ldap password":
          ensure    => present,
          service   => $service,
          type      => $type,
          control   => "[success=done new_authtok_reqd=ok authinfo_unavail=ignore ignore=ignore default=bad]",
          module    => "pam_ldap.so",
          arguments => ["ignore_unknown_user", "ignore_authinfo_unavail"],
          position  => "before *[type=\"$type\" and module=\"pam_unix.so\"]",
          require   => Package["ruby-augeas"],
        }
      }
    }
  }
}