diff --git a/README.md b/README.md
index 04b1a8c..bb5ef1a 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,13 @@ Examples:
 password => "1234",
 password_salt => "5678",
 tree_suffix => "dc=wikimedia,dc=de",
+ admins => [
+ "cn=admin,dc=wikimedia,dc=de",
+ ],
+ login_search_dn=>"cn=admin,dc=wikimedia,dc=de",
+ login_search_suffix=>"dc=wikimedia,dc=de",
+ login_search_password=>"123",
+ login_method=>"search" # or "listi or search allowed"
 }
 }
 }
diff --git a/manifests/lam.pp b/manifests/lam.pp
index 5b3e4f6..2cede2e 100644
--- a/manifests/lam.pp
+++ b/manifests/lam.pp
@@ -100,6 +100,10 @@ class wmdeit_ldap::lam(
 generate("/bin/sh","-c", "echo -n $password_salt | openssl base64")
 , '\n', "\n "))
+ $base64pw = base64( 'encode',"LAM_OBFUSCATE:${conf['login_search_password']}")
+ $spw = strip (regsubst(
+ generate("/bin/sh","-c", "echo -n '$base64pw' | /usr/bin/rot13")
+ , '\n', "\n "))
 wmdeit_ldap::lam::config {$name:
 encoded_password => $encoded_password,
@@ -107,6 +111,22 @@ class wmdeit_ldap::lam(
 suffix_user => $conf['suffix_user'],
 suffix_group => $conf['suffix_group'],
 tree_suffix => $conf['tree_suffix'],
+ admins => $conf['admins'],
+ login_method => $conf['login_method'] ? {undef => "list", default => $conf['login_method']},
+ login_search_suffix => $conf['login_search_suffix'],
+ login_search_dn => $conf['login_search_dn'],
+ login_search_filter => $conf['login_search_filter'] ? {
+ undef => "uid=%USER%",
+ default => $conf['login_search_filter']
+ },
+
+ login_search_password => $conf['login_search_password'] ? {
+ undef => "",
+ default => $spw
+ },
+
+
 }
 }
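Review bot: The rot13 step of the new `$spw` computation shells out on the master (`generate("/bin/sh","-c", "echo -n '$base64pw' | /usr/bin/rot13")`), which places the encoded bind password on a process command line and depends on a `/usr/bin/rot13` binary the master may not have; it also runs even when `login_search_password` is unset, since `$base64pw` then just encodes `LAM_OBFUSCATE:`. Both issues disappear if the transliteration is done in-process, e.g. `$spw = inline_template("<%= @base64pw.tr('A-Za-z', 'N-ZA-Mn-za-m') %>")`. The surrounding `strip(regsubst(..., '\n', "\n "))` only matters if the `base64()` in use wraps its output at 60 columns the way `Base64.encode64` does, and in that case the inner newline is currently kept as `"\n "` and would break the rendered `loginSearchPassword:` line, so the wrapping behaviour of the stdlib version in use should be checked. A comment above `$base64pw` should state that `LAM_OBFUSCATE:` + base64 + rot13 is LAM's reversible obfuscation rather than encryption, so the bind password remains recoverable from the catalog and the rendered config file. The enclosing class body starts and ends outside the hunk.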
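Review bot: The selector defaults in this hunk disagree with the defaults the `wmdeit_ldap::lam::config` define declares in the later hunk: an unset `login_method` becomes `"list"` here but `"search"` in the define, and an unset `login_search_filter` becomes `"uid=%USER%"` here but `""` there, so the effective default depends on which entry point a caller uses. Keep defaults in one place — either drop the `? { undef => ..., default => ... }` selectors and let the define's defaults apply, or change the define to `$login_method = "list"` and `$login_search_filter = "uid=%USER%"` so the two agree. The README hunk suggests only `list` or `search` are valid values, so whichever value wins should also be checked against that set. Note too that `admins => $conf['admins']` passes `undef` through when the hash has no `admins` key, which presumably falls back to the define's `[]` default and yields an empty `Admins:` line in place of the previously hard-coded admin DN. The enclosing class and resource declaration continue outside the hunk.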
@@ -120,7 +140,14 @@ define wmdeit_ldap::lam::config
 $tree_suffix,
 $suffix_user = "ou=People,$tree_suffix",
 $suffix_group = "ou=Groups,$tree_suffix",
- $docroot = $::wmdeit_ldap::lam::docroot
+ $docroot = $::wmdeit_ldap::lam::docroot,
+ $admins = [],
+ $login_method = "search",
+ $login_search_suffix = "",
+ $login_search_dn = "",
+ $login_search_filter = "",
+ $login_search_password = "",
+
 ){
 if (!$suffix_user) or (!$suffix_group) {
 fail("no suffix_user or suffix_group given")
diff --git a/templates/wmde.conf.erb b/templates/wmde.conf.erb
index 832c22e..678d96b 100644
--- a/templates/wmde.conf.erb
+++ b/templates/wmde.conf.erb
@@ -10,7 +10,13 @@ ServerURL: ldap://localhost:389
 # list of users who are allowed to use LDAP Account Manager
 # names have to be seperated by semicolons
 # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
-Admins: cn=admin,dc=wikimedia,dc=de
+Admins: <%- s='' -%>
+<%- @admins.each do | admin | -%>
+ <%= s %><%= admin -%>
+ <%- s=';' -%>
+ <%- end -%>
+
+#=admin,dc=wikimedia,dc=de
 # password to change these preferences via webfrontend (default: lam)
 #Passwd: {SSHA}T7uRmkbOgzr9k0BVJi1GvqqwJJQ= iaZAeQ==
@@ -98,23 +104,23 @@ accessLevel: 100
 # Login method.
-loginMethod: list
+loginMethod: <%= @login_method %>
 # Search suffix for LAM login.
-loginSearchSuffix: dc=yourdomain,dc=org
+loginSearchSuffix: <%= @login_search_suffix %>
 # Search filter for LAM login.
-loginSearchFilter: uid=%USER%
+loginSearchFilter: <%= @login_search_filter %>
 # Bind DN for login search.
-loginSearchDN:
+loginSearchDN: <%= @login_search_dn %>
 # Bind password for login search.
-loginSearchPassword:
+loginSearchPassword: <%= @login_search_password %>
 # HTTP authentication for LAM login.
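Review bot: The new parameter defaults combine `$login_method = "search"` with `$login_search_suffix = ""` and `$login_search_filter = ""`, so a caller that passes nothing gets a search-based login with an empty suffix and filter, which LAM cannot use; the existing `fail("no suffix_user or suffix_group given")` guard just below is the model for rejecting this at compile time. Add after it: `if $login_method == 'search' and (!$login_search_suffix or !$login_search_filter) { fail("login_method 'search' requires login_search_suffix and login_search_filter") }`. `$login_method` should also be limited to the two values the README hunk implies are valid; with puppetlabs-stdlib already in use for `strip` and `base64`, `validate_re($login_method, '^(list|search)$')` does that. Each new parameter deserves a line in the define's header comment, in particular that `login_search_password` is expected to arrive already obfuscated by the class rather than in clear text; the define's header and body continue outside the hunk.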
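Review bot: The loop that renders `Admins:` emits the leading space of `+ <%= s %><%= admin -%>` before every entry (only `<%-` tags trim leading whitespace), so the rendered line reads `Admins:  cn=admin,... ;cn=root,...` with a space before each DN and before each `;`; the file's own comment says the names are semicolon-separated, and whether LAM tolerates that whitespace when matching a bound DN against the list is not something this hunk shows. The five template lines collapse to one without that problem: `Admins: <%= @admins.join(';') %>`. The added `#=admin,dc=wikimedia,dc=de` line looks like a leftover fragment of the removed value and should be deleted or turned into a real example comment. Because `@admins` defaults to an empty list in the define, an unset `admins` produces an empty `Admins:` line, which with `loginMethod: list` locks every user out of LAM; that consequence belongs in the comment above the loop.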