From baae769be1ccf82ed7bde02d9ffa3d753fa9fef9 Mon Sep 17 00:00:00 2001
From: tohe <tobias.herre@wikimedia.de>
Date: Fri, 21 Aug 2020 21:28:40 +0200
Subject: [PATCH] lsc is installed and a posixgroup -> groupofnames syncher is
 configured

---
 manifests/init.pp     |   9 +++
 templates/lsc.xml.erb | 177 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 186 insertions(+)
 create mode 100644 templates/lsc.xml.erb

diff --git a/manifests/init.pp b/manifests/init.pp
index b24b65f..565ee0b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -259,9 +259,18 @@ class wmdeit_ldap (
 	file {"/etc/default/lsc":
 		ensure => file,
 		content => template("wmdeit_ldap/lsc.erb")
+	} ->
+	file {"/etc/lsc/lsc.xml":
+		ensure => file,
+		content => template("wmdeit_ldap/lsc.xml.erb")
+	} ->
+	service {"lsc":
+		ensure => running,
+		subscribe => File["/etc/lsc/lsc.xml"],
 	}
 
 
+
 #	openldap::server::globalconf { 'TLSVerifyClient':
 #		ensure  => present,
 #		value   => { "TLSVerifyClient"=>"never" }
diff --git a/templates/lsc.xml.erb b/templates/lsc.xml.erb
new file mode 100644
index 0000000..e05841b
--- /dev/null
+++ b/templates/lsc.xml.erb
@@ -0,0 +1,177 @@
+<?xml version="1.0" ?>
+<!-- 
+	In the following file, comments are describing each node. Elements are
+	referenced through XPath expression, whereas attributes are prefixed with
+	'@'
+
+	//lsc Root node of the XML configuration file
+	@xmlns XML Schema validation is not ready yet (Reserved for futur use)
+	@id optional, added by XML API
+	@revision mandatory, used by the Web Administration Interface to version
+				this file
+	 -->
+<lsc xmlns="http://lsc-project.org/XSD/lsc-core-2.1.xsd" revision="0">
+
+<!--  ./connections Connections list node, must contain at least two connections -->
+ 
+<connections>
+	<ldapConnection>
+		<name>ldap-conn</name>
+		<!--  ./url mandatory, the JNDI URL -->
+		<url>ldap://localhost:389/dc=wikimedia,dc=de</url>
+		<!--  ./username mandatory, the DN to bind with -->
+		<username>cn=admin,dc=wikimedia,dc=de</username>
+		<!--  ./password mandatory, credentials to bind with -->
+		<password>123</password>
+		<!--  ./authentication mandatory, must contain either 
+		ANONYMOUS, SIMPLE, SASL, GSSAPI or DIGEST_MD5 -->
+		<authentication>SIMPLE</authentication>
+		<!--  ./referral mandatory, must contain either IGNORE, 
+		THROUGH, THROW or FOLLOW -->
+		<referral>IGNORE</referral>
+		<!--  ./derefAliases mandatory, must contain either NEVER, 
+		SEARCH, FIND, ALWAYS -->
+		<derefAliases>NEVER</derefAliases>
+		<!--  ./version mandatory, must contain either VERSION_2, VERSION_3 -->
+		<version>VERSION_3</version>
+		<!--  ./pageSize optional, specify the paged size when searching -->
+		<pageSize>-1</pageSize>
+		<!--  ./factory mandatory, points to LDAP Context Factory, 
+		com.sun.jndi.ldap.LdapCtxFactory for a SUN JDK -->
+		<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
+		<!--  ./tlsActivated optional, specify if SSL/TLS is activated 
+		to connect to the LDAP server -->
+		<tlsActivated>false</tlsActivated>
+	</ldapConnection>
+</connections>
+
+<tasks>
+	<task>
+		<name>groupsync</name>
+		<bean>org.lsc.beans.SimpleBean</bean>
+
+		<ldapSourceService>
+			<name>group-source-service</name>
+			<connection reference="ldap-conn" />
+			<baseDn>dc=wikimedia,dc=de</baseDn>
+			<pivotAttributes>
+				<string>cn</string>
+			</pivotAttributes>
+			<fetchedAttributes>
+				<string>cn</string>
+				<string>memberUid</string>
+			</fetchedAttributes>
+			<getAllFilter><![CDATA[(objectClass=posixGroup)]]></getAllFilter>
+			<getOneFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></getOneFilter>
+			<cleanFilter><![CDATA[(&(objectClass=posixGroup)(cn={cn}))]]></cleanFilter>
+		</ldapSourceService>
+		<ldapDestinationService>
+			<name>group-dst-service</name>
+			<connection reference="ldap-conn" />
+			<baseDn>dc=wikimedia,dc=de</baseDn>
+			<pivotAttributes>
+				<string>cn</string>
+			</pivotAttributes>
+			<fetchedAttributes>
+				<string>cn</string>
+				<string>member</string>
+				<string>objectClass</string>
+			</fetchedAttributes>
+			<getAllFilter><![CDATA[(objectClass=groupeOfNames)]]></getAllFilter>
+			<getOneFilter><![CDATA[(&(objectClass=groupOfNames)(cn={cn}))]]></getOneFilter>
+		</ldapDestinationService>
+
+		<propertiesBasedSyncOptions>
+			<mainIdentifier>js:"cn=" + javax.naming.ldap.Rdn.escapeValue(srcBean.getDatasetFirstValueById("cn").toLowerCase()) + ",dc=wikimedia,dc=de"</mainIdentifier>
+			<defaultDelimiter>;</defaultDelimiter>
+			<defaultPolicy>FORCE</defaultPolicy>
+			<conditions>
+				<create>true</create>
+				<update>true</update>
+				<delete>true</delete>
+				<changeId>true</changeId>
+			</conditions>
+			<dataset>
+				<name>objectclass</name>
+				<policy>KEEP</policy>
+				<createValues>
+					<string>"groupOfNames"</string>
+					<string>"posixGroup"</string>
+					<string>"top"</string>
+				</createValues>
+			</dataset>  
+			<dataset>
+				<name>member</name>
+				<policy>FORCE</policy>
+				<forceValues>
+					<string>
+				         <![CDATA[rjs:
+			                var membersSrcUid = srcBean.getDatasetValuesById("memberUid");
+			                var membersDstDn = new java.util.ArrayList();
+			                for  (var i=0; i<membersSrcUid.size(); i++) {
+		                        var memberSrcUid = membersSrcUid.get(i);
+		                        var dn = "uid=" + memberSrcUid + ",ou=users,dc=example1000,dc=com";
+		                        membersDstDn.add(dn);
+                			}
+			                membersDstDn
+					]]> 				
+					</string>
+				</forceValues>
+			</dataset>		
+
+
+		</propertiesBasedSyncOptions>
+
+	</task>
+</tasks>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<!--  ./audits Audits list node -->
+  <audits>
+
+	<!--./audit Audit node, here a CSV audit, may also be a LDIF or any contributed audit type -->
+	<csvAudit>
+		<!--    ./name mandatory, audit name -->
+		<name>csv</name>
+		<!--    ./append optional, default to false, specify to create a new log file or to append to the existing one  -->
+		<append>true</append>
+		<!--    ./operations optional, comma separated list of operations (create, delete, update or rename) -->
+		<operations>create, delete</operations>
+		<!--	./file mandatory, define the location of the file where the CSV data will be written -->
+		<file>/tmp/dump.csv</file>
+		<!--    ./datasets optional, comma separated list of datasets modification to log -->
+		<datasets>cn, dn</datasets>
+		<!--    ./separator optional, default to ";", specify the values separator -->
+		<separator>,</separator>
+	</csvAudit>
+  </audits>
+
+<!-- ./security This mandatory node contains the security settings used by LSC -->
+  <security>
+<!-- ./encryption This optional node contains the encryption settings -->
+    <encryption>
+<!--  ./keyfile This optional node contains the keyfile location -->
+      <keyfile>etc/lsc.key</keyfile>
+<!--  ./algorithm This optional node contains the encryption algorithm -->
+      <algorithm>AES</algorithm>
+<!--  ./strength This optional node contains the algorithm key length -->
+      <strength>128</strength>
+    </encryption>
+  </security>
+</lsc>