Deletes all pre-installed schmeas, installs lsc
parent
444829a97c
commit
e6b6b959a7
|
@ -16,42 +16,51 @@ class wmdeit_ldap (
|
||||||
$simple_bind_tls = "128",
|
$simple_bind_tls = "128",
|
||||||
|
|
||||||
$schema_path = '/etc/ldap/schema',
|
$schema_path = '/etc/ldap/schema',
|
||||||
|
|
||||||
$schema = [
|
$schema = [
|
||||||
|
"core",
|
||||||
|
"cosine",
|
||||||
|
"inetorgperson",
|
||||||
|
# "nis",
|
||||||
|
"rfc2307bis",
|
||||||
|
"krb5-kdc",
|
||||||
"samba",
|
"samba",
|
||||||
|
|
||||||
|
# "samba",
|
||||||
# "nis",
|
# "nis",
|
||||||
# "rfc2307bis",
|
# "rfc2307bis",
|
||||||
# "solaris",
|
# "solaris",
|
||||||
"dnszone",
|
# "dnszone",
|
||||||
"univention",
|
# "univention",
|
||||||
"univention-objecttype",
|
# "univention-objecttype",
|
||||||
"krb5-kdc",
|
# "krb5-kdc",
|
||||||
"directory",
|
# "directory",
|
||||||
"policy",
|
# "policy",
|
||||||
"msgpo",
|
# "msgpo",
|
||||||
"dhcp",
|
# "dhcp",
|
||||||
"univention-dhcp",
|
# "univention-dhcp",
|
||||||
"mail",
|
# "mail",
|
||||||
# "automount",
|
# "automount",
|
||||||
"user",
|
# "user",
|
||||||
"self-service-passwordreset",
|
# "self-service-passwordreset",
|
||||||
"univention-saml",
|
# "univention-saml",
|
||||||
"univention-virtual-machine-manager",
|
# "univention-virtual-machine-manager",
|
||||||
"nagios",
|
# "nagios",
|
||||||
"share",
|
# "share",
|
||||||
"network",
|
# "network",
|
||||||
"portal",
|
# "portal",
|
||||||
"univention-default",
|
# "univention-default",
|
||||||
"univention-app",
|
# "univention-app",
|
||||||
"univention-object-metadata",
|
# "univention-object-metadata",
|
||||||
"univention-ldap-extension",
|
# "univention-ldap-extension",
|
||||||
"license",
|
# "license",
|
||||||
"ppolicy",
|
# "ppolicy",
|
||||||
"template",
|
# "template",
|
||||||
"lock",
|
# "lock",
|
||||||
"udm-extension",
|
# "udm-extension",
|
||||||
"custom-attribute",
|
# "custom-attribute",
|
||||||
"univention-syntax",
|
# "univention-syntax",
|
||||||
"openssh",
|
# "openssh",
|
||||||
# "nextcloud",
|
# "nextcloud",
|
||||||
# "openproject",
|
# "openproject",
|
||||||
# "networkaccess",
|
# "networkaccess",
|
||||||
|
@ -86,6 +95,30 @@ class wmdeit_ldap (
|
||||||
$privkey = "$ssldir/priv.pem"
|
$privkey = "$ssldir/priv.pem"
|
||||||
$cacert = "$ssldir/ca.pem"
|
$cacert = "$ssldir/ca.pem"
|
||||||
|
|
||||||
|
|
||||||
|
# required modules
|
||||||
|
openldap::server::module { 'back_mdb':
|
||||||
|
ensure => present
|
||||||
|
} ->
|
||||||
|
openldap::server::module { 'memberof':
|
||||||
|
ensure => present,
|
||||||
|
} ->
|
||||||
|
openldap::server::module { 'syncprov':
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
package { "heimdal-kdc":
|
||||||
|
ensure => installed,
|
||||||
|
}->
|
||||||
|
package {"slapd-smbk5pwd":
|
||||||
|
ensure => installed,
|
||||||
|
} ->
|
||||||
|
openldap::server::module { 'smbk5pwd':
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
class { 'openldap::server':
|
class { 'openldap::server':
|
||||||
ssl_ca => "$cacert",
|
ssl_ca => "$cacert",
|
||||||
ssl_cert => "$pubcert",
|
ssl_cert => "$pubcert",
|
||||||
|
@ -93,9 +126,24 @@ class wmdeit_ldap (
|
||||||
ldaps_ifs => ['/'],
|
ldaps_ifs => ['/'],
|
||||||
}
|
}
|
||||||
|
|
||||||
file { "/etc/ldap":
|
# delete all schema and databases created by default during installation
|
||||||
ensure => directory
|
# This is some kind of a dirty hack because we use
|
||||||
} ->
|
# in before => and irequire => some internal classes of module openldap
|
||||||
|
exec { 'wmdemanaged':
|
||||||
|
before => Class['::openldap::server::config'],
|
||||||
|
require => Class['::openldap::server::install'],
|
||||||
|
|
||||||
|
creates => "/etc/ldap/wmde.managed",
|
||||||
|
command => @(CMD/L),
|
||||||
|
/sbin/service slapd stop &&
|
||||||
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
|
||||||
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
|
||||||
|
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
|
||||||
|
/sbin/service slapd start &&
|
||||||
|
touch /etc/ldap/wmde.managed
|
||||||
|
| CMD
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# SSL stuff ... copy CA cert and keys used by puppet agent to
|
# SSL stuff ... copy CA cert and keys used by puppet agent to
|
||||||
# a separate directory and make them accesible by openldap
|
# a separate directory and make them accesible by openldap
|
||||||
|
@ -128,7 +176,6 @@ class wmdeit_ldap (
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# openldap::server::globalconf { 'TLSCACertificateFile':
|
# openldap::server::globalconf { 'TLSCACertificateFile':
|
||||||
# ensure => present,
|
# ensure => present,
|
||||||
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
||||||
|
@ -157,55 +204,25 @@ class wmdeit_ldap (
|
||||||
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
|
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
|
||||||
}
|
}
|
||||||
|
|
||||||
# openldap::server::schema{"nis":
|
|
||||||
# ensure => absent
|
|
||||||
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
|
||||||
# add schemas
|
# add schemas
|
||||||
$schema.each | $s | {
|
$schema.each | $s | {
|
||||||
|
$ensure = present
|
||||||
file { "$schema_path/$s.schema":
|
file { "$schema_path/$s.schema":
|
||||||
ensure => file,
|
ensure => file,
|
||||||
content => file ("wmdeit_ldap/schema/$s.schema"),
|
content => file ("wmdeit_ldap/schema/$s.schema"),
|
||||||
|
|
||||||
}->
|
}->
|
||||||
openldap::server::schema { "$s":
|
openldap::server::schema { "$s":
|
||||||
ensure => present,
|
ensure => $ensure,
|
||||||
path => "$schema_path/$s.schema",
|
path => "$schema_path/$s.schema",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
openldap::server::module { 'memberof':
|
|
||||||
ensure => present,
|
|
||||||
}
|
|
||||||
openldap::server::module { 'syncprov':
|
|
||||||
ensure => present,
|
|
||||||
}
|
|
||||||
|
|
||||||
package { "heimdal-kdc":
|
|
||||||
ensure => installed,
|
|
||||||
}->
|
|
||||||
package {"slapd-smbk5pwd":
|
|
||||||
ensure => installed,
|
|
||||||
} ->
|
|
||||||
openldap::server::module { 'smbk5pwd':
|
|
||||||
ensure => present,
|
|
||||||
}
|
|
||||||
|
|
||||||
openldap::server::globalconf { 'ServerID':
|
openldap::server::globalconf { 'ServerID':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
value => { "ServerID"=>"$serverid" }
|
value => { "ServerID"=>"$serverid" }
|
||||||
}
|
}
|
||||||
|
|
||||||
openldap::server::globalconf { 'TLSVerifyClient':
|
|
||||||
ensure => present,
|
|
||||||
value => { "TLSVerifyClient"=>"never" }
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
# ensure config database is present and dn and pw are set
|
# ensure config database is present and dn and pw are set
|
||||||
openldap::server::database { 'cn=config':
|
openldap::server::database { 'cn=config':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
|
@ -215,36 +232,66 @@ class wmdeit_ldap (
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
# Build list of syncrepl-entries, store it in $syncrepl
|
apt::source { 'lsc':
|
||||||
if !empty ($syncrepl_providers) {
|
location => 'http://lsc-project.org/debian',
|
||||||
$mirrormode=true
|
repos => 'main',
|
||||||
$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
release => 'lsc',
|
||||||
$i = $index+1
|
key => {
|
||||||
"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
id => "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5",
|
||||||
|
source => "https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project",
|
||||||
}
|
}
|
||||||
|
} ->
|
||||||
|
package {"lsc":
|
||||||
|
ensure => installed
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# openldap::server::globalconf { 'TLSVerifyClient':
|
||||||
|
# ensure => present,
|
||||||
|
# value => { "TLSVerifyClient"=>"never" }
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Build list of syncrepl-entries, store it in $syncrepl
|
||||||
|
# if !empty ($syncrepl_providers) {
|
||||||
|
# $mirrormode=true
|
||||||
|
# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
||||||
|
# $i = $index+1
|
||||||
|
# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
# create the main database
|
# create the main database
|
||||||
openldap::server::database { "$database":
|
openldap::server::database { "$database":
|
||||||
|
backend => mdb,
|
||||||
ensure => present,
|
ensure => present,
|
||||||
rootdn => $rootdn,
|
rootdn => $rootdn,
|
||||||
rootpw => $rootpw,
|
rootpw => $rootpw,
|
||||||
syncrepl => $syncrepl,
|
# syncrepl => $syncrepl,
|
||||||
mirrormode => $mirrormode,
|
mirrormode => $mirrormode,
|
||||||
} ->
|
} #->
|
||||||
openldap::server::overlay { "memberof on $database":
|
# openldap::server::overlay { "memberof on $database":
|
||||||
ensure => present,
|
# ensure => present,
|
||||||
} ->
|
# } ->
|
||||||
openldap::server::overlay { "syncprov on $database":
|
# openldap::server::overlay { "syncprov on $database":
|
||||||
ensure => present,
|
# ensure => present,
|
||||||
} ->
|
# } ->
|
||||||
openldap::server::overlay { "smbk5pwd on $database":
|
# openldap::server::overlay { "smbk5pwd on $database":
|
||||||
ensure => present,
|
# ensure => present,
|
||||||
}
|
# }
|
||||||
|
|
||||||
|
# $acls.each |Integer $i, String $acl | {
|
||||||
|
# openldap::server::access { "{$i}$acl":
|
||||||
|
# suffix => "$database",
|
||||||
|
# ensure => present,
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
|
||||||
|
#'''''##################################################################################################
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
||||||
# suffix => "$database",
|
# suffix => "$database",
|
||||||
|
@ -276,17 +323,6 @@ class wmdeit_ldap (
|
||||||
# ensure => present,
|
# ensure => present,
|
||||||
# }
|
# }
|
||||||
#
|
#
|
||||||
$acls.each |Integer $i, String $acl | {
|
|
||||||
|
|
||||||
# notify {"$i -> $acl":}
|
|
||||||
|
|
||||||
openldap::server::access { "{$i}$acl":
|
|
||||||
suffix => "$database",
|
|
||||||
ensure => present,
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
# openldap::server::dbindex { 'uid pres,eq':
|
# openldap::server::dbindex { 'uid pres,eq':
|
||||||
# ensure => present,
|
# ensure => present,
|
||||||
# suffix => "$database",
|
# suffix => "$database",
|
||||||
|
|
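Review bot: The `wmdemanaged` exec in the third hunk removes `cn=schema`, `cn=schema.ldif` and `olcDatabase={1}mdb.ldif` under `/etc/ldap/slapd.d` before the step that writes the `/etc/ldap/wmde.managed` marker, so if `/sbin/service slapd start` fails the marker is never created and the next agent run repeats the `rm -rf` chain against an already-stripped `cn=config`; writing the marker immediately after the deletions (before the restart), or moving the restart into its own resource, keeps the destructive step one-shot, and `logoutput => true,` would surface which step failed. Only the first word of `command` is checked for an absolute path, while `rm` and `touch` rely on whatever PATH the agent's shell inherits, so add `path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],`; on Debian derivatives `service` traditionally lives in `/usr/sbin`, so confirm `/sbin/service` resolves on the target hosts. Since `creates` is the only thing standing between this exec and the packaged slapd configuration on any host lacking the marker, a comment on the resource should say so, e.g. `# one-shot: wipes the packaged cn=config schema and mdb database; /etc/ldap/wmde.managed is the sole guard against re-running`. In the `apt::source { 'lsc' }` hunk the package index is fetched from plain `http://lsc-project.org/debian` while the signing key comes from `https://ltb-project.org`; apt's signature check covers the packages, but an HTTPS `location` removes the cleartext fetch, and the key host differing from the repository host is worth a one-line comment confirming it is intentional.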