From e6b6b959a7354d45f6b92868871c9995be9fa492 Mon Sep 17 00:00:00 2001
From: tohe
Date: Fri, 21 Aug 2020 11:51:37 +0200
Subject: [PATCH] Deletes all pre-installed schmeas, installs lsc
---
 manifests/init.pp | 232 ++++++++++++++++++++++++++--------------------
 1 file changed, 134 insertions(+), 98 deletions(-)
diff --git a/manifests/init.pp b/manifests/init.pp
index eddf334..5de1607 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -16,42 +16,51 @@ class wmdeit_ldap (
 $simple_bind_tls = "128",
 $schema_path = '/etc/ldap/schema',
+ $schema = [
+ "core",
+ "cosine",
+ "inetorgperson",
+# "nis",
+ "rfc2307bis",
+ "krb5-kdc", "samba",
+
+# "samba",
 # "nis",
 # "rfc2307bis",
 # "solaris",
- "dnszone",
- "univention",
- "univention-objecttype",
- "krb5-kdc",
- "directory",
- "policy",
- "msgpo",
- "dhcp",
- "univention-dhcp",
- "mail",
+# "dnszone",
+# "univention",
+# "univention-objecttype",
+# "krb5-kdc",
+# "directory",
+# "policy",
+# "msgpo",
+# "dhcp",
+# "univention-dhcp",
+# "mail",
 # "automount",
- "user",
- "self-service-passwordreset",
- "univention-saml",
- "univention-virtual-machine-manager",
- "nagios",
- "share",
- "network",
- "portal",
- "univention-default",
- "univention-app",
- "univention-object-metadata",
- "univention-ldap-extension",
- "license",
- "ppolicy",
- "template",
- "lock",
- "udm-extension",
- "custom-attribute",
- "univention-syntax",
- "openssh",
+# "user",
+# "self-service-passwordreset",
+# "univention-saml",
+# "univention-virtual-machine-manager",
+# "nagios",
+# "share",
+# "network",
+# "portal",
+# "univention-default",
+# "univention-app",
+# "univention-object-metadata",
+# "univention-ldap-extension",
+# "license",
+# "ppolicy",
+# "template",
+# "lock",
+# "udm-extension",
+# "custom-attribute",
+# "univention-syntax",
+# "openssh",
 # "nextcloud",
 # "openproject",
 # "networkaccess",
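Review bot: The new `$schema` list puts two entries on one line (`"krb5-kdc", "samba",`) while every other entry is one per line, and the lines added right below comment out a second `# "samba",`, so a reader cannot tell at a glance whether samba is meant to be loaded or not. I would put each schema on its own line and drop the commented duplicate: `"krb5-kdc",` followed by `"samba",`. The parameter list of `wmdeit_ldap` continues outside the hunk.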
@@ -86,16 +95,55 @@ class wmdeit_ldap (
 $privkey = "$ssldir/priv.pem"
 $cacert = "$ssldir/ca.pem"
+
+ # required modules
+ openldap::server::module { 'back_mdb':
+ ensure => present
+ } ->
+ openldap::server::module { 'memberof':
+ ensure => present,
+ } ->
+ openldap::server::module { 'syncprov':
+ ensure => present,
+ }
+
+
+ package { "heimdal-kdc":
+ ensure => installed,
+ }->
+ package {"slapd-smbk5pwd":
+ ensure => installed,
+ } ->
+ openldap::server::module { 'smbk5pwd':
+ ensure => present,
+ }
+
+
 class { 'openldap::server':
 ssl_ca => "$cacert",
 ssl_cert => "$pubcert",
 ssl_key => "$privkey",
 ldaps_ifs => ['/'],
- }
+ }
+
+ # delete all schema and databases created by default during installation
+ # This is some kind of a dirty hack because we use
+ # in before => and irequire => some internal classes of module openldap
+ exec { 'wmdemanaged':
+ before => Class['::openldap::server::config'],
+ require => Class['::openldap::server::install'],
+
+ creates => "/etc/ldap/wmde.managed",
+ command => @(CMD/L),
+ /sbin/service slapd stop &&
+ rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
+ rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
+ rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
+ /sbin/service slapd start &&
+ touch /etc/ldap/wmde.managed
+ | CMD
+ }
- file { "/etc/ldap":
- ensure => directory
- } ->
 # SSL stuff ... copy CA cert and keys used by puppet agent to
 # a separate directory and make them accesible by openldap
@@ -125,8 +173,7 @@ class wmdeit_ldap (
 owner => "openldap",
 group => "openldap",
 mode => "0600",
- }
-
+ }
 # openldap::server::globalconf { 'TLSCACertificateFile':
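Review bot: The `wmdemanaged` exec removes `cn=schema`, `cn=schema.ldif` and `olcDatabase={1}mdb.ldif` under `/etc/ldap/slapd.d` before it writes its `creates` sentinel, so if `/sbin/service slapd start` fails on that first run the sentinel is never written and the whole `rm -rf` chain runs again on every later agent run, ahead of `Class['::openldap::server::config']`, wiping whatever that class has meanwhile put into `cn=schema`. Writing the sentinel right after the removals (`touch /etc/ldap/wmde.managed &&` moved before the `start` line) makes the destructive step one-shot, and a failing start then surfaces as an ordinary exec failure instead of a repeating purge. The command also depends on `&&` chaining, which is shell syntax, while the resource leaves the provider at its default; declaring `provider => shell` makes that explicit and `logoutput => on_failure` would put the output of a failed step into the report. The comment above the exec reads `irequire =>`, which should be `require =>`.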
@@ -157,55 +204,25 @@ class wmdeit_ldap (
 value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
 }
-# openldap::server::schema{"nis":
-# ensure => absent
-
-# }
-
 # add schemas
 $schema.each | $s | {
-
+ $ensure = present
 file { "$schema_path/$s.schema":
 ensure => file,
 content => file ("wmdeit_ldap/schema/$s.schema"),
 }->
 openldap::server::schema { "$s":
- ensure => present,
+ ensure => $ensure,
 path => "$schema_path/$s.schema",
 }
 }
-
- openldap::server::module { 'memberof':
- ensure => present,
- }
- openldap::server::module { 'syncprov':
- ensure => present,
- }
-
- package { "heimdal-kdc":
- ensure => installed,
- }->
- package {"slapd-smbk5pwd":
- ensure => installed,
- } ->
- openldap::server::module { 'smbk5pwd':
- ensure => present,
- }
-
 openldap::server::globalconf { 'ServerID':
 ensure => present,
 value => { "ServerID"=>"$serverid" }
 }
-
- openldap::server::globalconf { 'TLSVerifyClient':
- ensure => present,
- value => { "TLSVerifyClient"=>"never" }
- }
-
-
 # ensure config database is present and dn and pw are set
 openldap::server::database { 'cn=config':
 ensure => present,
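Review bot: `$ensure = present` is assigned inside the `$schema.each` lambda to a constant, so `ensure => $ensure` on the `openldap::server::schema` resource says nothing more than the `ensure => present` it replaces while adding a per-iteration variable. Either inline it again (`ensure => present,`) or, if the intent is to allow removing schemas later, lift it out of the loop as a class parameter so a caller can actually set it. The class body continues outside the hunk.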
@@ -214,37 +231,67 @@ class wmdeit_ldap (
 rootpw => $configpw
 }
+
+ apt::source { 'lsc':
+ location => 'http://lsc-project.org/debian',
+ repos => 'main',
+ release => 'lsc',
+ key => {
+ id => "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5",
+ source => "https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project",
+ }
+ } ->
+ package {"lsc":
+ ensure => installed
+ }
+
+
+# openldap::server::globalconf { 'TLSVerifyClient':
+# ensure => present,
+# value => { "TLSVerifyClient"=>"never" }
+# }
+
+
 # Build list of syncrepl-entries, store it in $syncrepl
- if !empty ($syncrepl_providers) {
- $mirrormode=true
- $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
- $i = $index+1
- "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
- }
-
- }
+# if !empty ($syncrepl_providers) {
+# $mirrormode=true
+# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
+# $i = $index+1
+# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
+# }
+# }
 # create the main database
 openldap::server::database { "$database":
+ backend => mdb,
 ensure => present,
 rootdn => $rootdn,
 rootpw => $rootpw,
- syncrepl => $syncrepl,
+# syncrepl => $syncrepl,
 mirrormode => $mirrormode,
- } ->
- openldap::server::overlay { "memberof on $database":
- ensure => present,
- } ->
- openldap::server::overlay { "syncprov on $database":
- ensure => present,
- } ->
- openldap::server::overlay { "smbk5pwd on $database":
- ensure => present,
- }
+ } #->
+# openldap::server::overlay { "memberof on $database":
+# ensure => present,
+# } ->
+# openldap::server::overlay { "syncprov on $database":
+# ensure => present,
+# } ->
+# openldap::server::overlay { "smbk5pwd on $database":
+# ensure => present,
+# }
+# $acls.each |Integer $i, String $acl | {
+# openldap::server::access { "{$i}$acl":
+# suffix => "$database",
+# ensure => present,
+# }
+# }
+#'''''##################################################################################################
+#
+#
 ## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
 # suffix => "$database",
@@ -276,17 +323,6 @@ class wmdeit_ldap (
 # ensure => present,
 # }
 #
- $acls.each |Integer $i, String $acl | {
-
-# notify {"$i -> $acl":}
-
- openldap::server::access { "{$i}$acl":
- suffix => "$database",
- ensure => present,
- }
-
- }
-
 # openldap::server::dbindex { 'uid pres,eq':
 # ensure => present,
 # suffix => "$database",
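Review bot: Commenting out the `$acls.each` block here (and deleting the live copy in the last hunk) leaves the catalog with no `openldap::server::access` resources for `$database`, and slapd with no access directives falls back to its built-in default of read access for everyone, anonymous binds included, so the `Domain Admins` write rule visible in the commented block is gone and the whole tree becomes readable by any client that can reach the server, unless the openldap module adds rules of its own. If the ACLs are meant to come back later, keep at least one restrictive placeholder rule in place rather than none. Separately, `package {"lsc"}` is only ordered after `apt::source { 'lsc' }` with `->`, which does not wait for the apt cache refresh; with puppetlabs-apt the package needs `require => Class['apt::update']` (or `Class['apt::update'] -> Package['lsc']`) or the first run can fail to find the package. And with `$mirrormode=true` now commented out, `mirrormode => $mirrormode` on the database reads an unassigned variable unless `$mirrormode` is a class parameter declared outside this hunk.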