puppet-wmdeit_ldap/manifests/init.pp

304 lines
6.8 KiB
Puppet
Raw Normal View History

2020-08-18 07:25:32 +00:00
#x
2020-08-18 07:45:47 +00:00
class wmdeit_ldap (
2020-08-18 07:25:32 +00:00
$log_level = 0,
$configdn = 'cn=admin,cn=config',
$configpw = '123',
$syncrepl_providers = [
],
$database = "dc=wikimedia,dc=de",
$rootdn = "cn=admin,dc=wikimedia,dc=de",
$rootpw = "123",
$serverid,
$simple_bind_tls = "128",
$schema_path = '/etc/ldap/schema',
$schema = [
"samba",
# "nis",
# "rfc2307bis",
# "solaris",
"dnszone",
"univention",
"univention-objecttype",
"krb5-kdc",
"directory",
"policy",
"msgpo",
"dhcp",
"univention-dhcp",
"mail",
# "automount",
"user",
"self-service-passwordreset",
"univention-saml",
"univention-virtual-machine-manager",
"nagios",
"share",
"network",
"portal",
"univention-default",
"univention-app",
"univention-object-metadata",
"univention-ldap-extension",
"license",
"ppolicy",
"template",
"lock",
"udm-extension",
"custom-attribute",
"univention-syntax",
2020-08-19 10:17:40 +00:00
"openssh",
# "nextcloud",
# "openproject",
# "networkaccess",
2020-08-18 07:25:32 +00:00
],
$ssldir = "/etc/ldap/ssl",
$acls = [
# grant accces to domain admins
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
# super acces to local root user
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
# let users modify their passwords
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
'to attrs=entry,children,objectClass,uid by anonymous read by * break',
'to * by anonymous none by * break',
'to dn.base="" by * read',
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
]
){
$clientcert = $facts[clientcert]
$pubcert = "$ssldir/cert.pem"
$privkey = "$ssldir/priv.pem"
$cacert = "$ssldir/ca.pem"
2020-08-18 13:23:59 +00:00
class { 'openldap::server':
ssl_ca => "$cacert",
ssl_cert => "$pubcert",
ssl_key => "$privkey",
ldaps_ifs => ['/'],
}
2020-08-18 07:25:32 +00:00
file { "/etc/ldap":
ensure => directory
} ->
# SSL stuff ... copy CA cert and keys used by puppet agent to
# a separate directory and make them accesible by openldap
file { "$ssldir":
ensure => directory,
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$cacert": # copy CA cert
ensure => file,
source => "/var/lib/puppet/ssl/certs/ca.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$pubcert": # copy public key
ensure => file,
source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$privkey": # copy private key
ensure => file,
source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
2020-08-18 13:23:59 +00:00
}
2020-08-18 07:25:32 +00:00
# openldap::server::globalconf { 'TLSCACertificateFile':
# ensure => present,
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
# }
# openldap::server::globalconf { 'TLSCertificateKeyFile':
# ensure => present,
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
# }
# openldap::server::globalconf { 'TLSCertificateFile':
# ensure => present,
# value => "$ssldir/pubkey.pem"
# }
openldap::server::globalconf { 'LogLevel':
ensure => present,
value => { "LogLevel"=>"$log_level" }
}
openldap::server::globalconf { 'Security':
ensure => present,
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
}
# openldap::server::schema{"nis":
# ensure => absent
# }
# add schemas
$schema.each | $s | {
file { "$schema_path/$s.schema":
ensure => file,
content => file ("wmdeit_ldap/schema/$s.schema"),
2020-08-18 07:25:32 +00:00
}->
openldap::server::schema { "$s":
ensure => present,
path => "$schema_path/$s.schema",
}
}
openldap::server::module { 'memberof':
ensure => present,
}
openldap::server::module { 'syncprov':
ensure => present,
}
package { "heimdal-kdc":
ensure => installed,
}->
package {"slapd-smbk5pwd":
ensure => installed,
} ->
openldap::server::module { 'smbk5pwd':
ensure => present,
}
openldap::server::globalconf { 'ServerID':
ensure => present,
value => { "ServerID"=>"$serverid" }
}
openldap::server::globalconf { 'TLSVerifyClient':
ensure => present,
value => { "TLSVerifyClient"=>"never" }
}
# ensure config database is present and dn and pw are set
openldap::server::database { 'cn=config':
ensure => present,
backend => config,
rootdn => $configdn,
rootpw => $configpw
}
# Build list of syncrepl-entries, store it in $syncrepl
if !empty ($syncrepl_providers) {
$mirrormode=true
$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
$i = $index+1
"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
}
}
# create the main database
openldap::server::database { "$database":
ensure => present,
rootdn => $rootdn,
rootpw => $rootpw,
syncrepl => $syncrepl,
mirrormode => $mirrormode,
} ->
openldap::server::overlay { "memberof on $database":
ensure => present,
} ->
openldap::server::overlay { "syncprov on $database":
ensure => present,
} ->
openldap::server::overlay { "smbk5pwd on $database":
ensure => present,
}
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database",
# ensure => present,
# }
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database",
# ensure => present,
# }
#
# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
# suffix => "$database",
# ensure => present,
## }
# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
# suffix => "$database",
## ensure => present,
# }
# openldap::server::access { '{4}to dn.base="" by * read':
# suffix => "$database",
# ensure => present,
# }
#
# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
# suffix => "$database",
# ensure => present,
# }
#
$acls.each |Integer $i, String $acl | {
# notify {"$i -> $acl":}
openldap::server::access { "{$i}$acl":
suffix => "$database",
ensure => present,
}
}
# openldap::server::dbindex { 'uid pres,eq':
# ensure => present,
# suffix => "$database",
# }
# openldap::server::dbindex { 'sn eq,approx,sub':
# ensure => present,
# suffix => "$database",
# }
}