Deletes all pre-installed schmeas, installs lsc

This commit is contained in:
Tobias Herre 2020-08-21 11:51:37 +02:00
parent 444829a97c
commit e6b6b959a7
1 changed files with 134 additions and 98 deletions


@ -16,42 +16,51 @@ class wmdeit_ldap (
$simple_bind_tls = "128", $simple_bind_tls = "128",
$schema_path = '/etc/ldap/schema', $schema_path = '/etc/ldap/schema',
$schema = [ $schema = [
"core",
"cosine",
"inetorgperson",
# "nis",
"rfc2307bis",
"krb5-kdc",
"samba", "samba",
# "samba",
# "nis", # "nis",
# "rfc2307bis", # "rfc2307bis",
# "solaris", # "solaris",
"dnszone", # "dnszone",
"univention", # "univention",
"univention-objecttype", # "univention-objecttype",
"krb5-kdc", # "krb5-kdc",
"directory", # "directory",
"policy", # "policy",
"msgpo", # "msgpo",
"dhcp", # "dhcp",
"univention-dhcp", # "univention-dhcp",
"mail", # "mail",
# "automount", # "automount",
"user", # "user",
"self-service-passwordreset", # "self-service-passwordreset",
"univention-saml", # "univention-saml",
"univention-virtual-machine-manager", # "univention-virtual-machine-manager",
"nagios", # "nagios",
"share", # "share",
"network", # "network",
"portal", # "portal",
"univention-default", # "univention-default",
"univention-app", # "univention-app",
"univention-object-metadata", # "univention-object-metadata",
"univention-ldap-extension", # "univention-ldap-extension",
"license", # "license",
"ppolicy", # "ppolicy",
"template", # "template",
"lock", # "lock",
"udm-extension", # "udm-extension",
"custom-attribute", # "custom-attribute",
"univention-syntax", # "univention-syntax",
"openssh", # "openssh",
# "nextcloud", # "nextcloud",
# "openproject", # "openproject",
# "networkaccess", # "networkaccess",
@ -86,6 +95,30 @@ class wmdeit_ldap (
$privkey = "$ssldir/priv.pem" $privkey = "$ssldir/priv.pem"
$cacert = "$ssldir/ca.pem" $cacert = "$ssldir/ca.pem"
# required modules
openldap::server::module { 'back_mdb':
ensure => present
} ->
openldap::server::module { 'memberof':
ensure => present,
} ->
openldap::server::module { 'syncprov':
ensure => present,
}
package { "heimdal-kdc":
ensure => installed,
}->
package {"slapd-smbk5pwd":
ensure => installed,
} ->
openldap::server::module { 'smbk5pwd':
ensure => present,
}
class { 'openldap::server': class { 'openldap::server':
ssl_ca => "$cacert", ssl_ca => "$cacert",
ssl_cert => "$pubcert", ssl_cert => "$pubcert",
@ -93,9 +126,24 @@ class wmdeit_ldap (
ldaps_ifs => ['/'], ldaps_ifs => ['/'],
} }
file { "/etc/ldap": # delete all schema and databases created by default during installation
ensure => directory # This is some kind of a dirty hack because we use
} -> # in before => and irequire => some internal classes of module openldap
exec { 'wmdemanaged':
before => Class['::openldap::server::config'],
require => Class['::openldap::server::install'],
creates => "/etc/ldap/wmde.managed",
command => @(CMD/L),
/sbin/service slapd stop &&
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
/sbin/service slapd start &&
touch /etc/ldap/wmde.managed
| CMD
}
# SSL stuff ... copy CA cert and keys used by puppet agent to # SSL stuff ... copy CA cert and keys used by puppet agent to
# a separate directory and make them accesible by openldap # a separate directory and make them accesible by openldap
@ -128,7 +176,6 @@ class wmdeit_ldap (
} }
# openldap::server::globalconf { 'TLSCACertificateFile': # openldap::server::globalconf { 'TLSCACertificateFile':
# ensure => present, # ensure => present,
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" } # value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
@ -157,55 +204,25 @@ class wmdeit_ldap (
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] }, value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
} }
# openldap::server::schema{"nis":
# ensure => absent
# }
# add schemas # add schemas
$schema.each | $s | { $schema.each | $s | {
$ensure = present
file { "$schema_path/$s.schema": file { "$schema_path/$s.schema":
ensure => file, ensure => file,
content => file ("wmdeit_ldap/schema/$s.schema"), content => file ("wmdeit_ldap/schema/$s.schema"),
}-> }->
openldap::server::schema { "$s": openldap::server::schema { "$s":
ensure => present, ensure => $ensure,
path => "$schema_path/$s.schema", path => "$schema_path/$s.schema",
} }
} }
openldap::server::module { 'memberof':
ensure => present,
}
openldap::server::module { 'syncprov':
ensure => present,
}
package { "heimdal-kdc":
ensure => installed,
}->
package {"slapd-smbk5pwd":
ensure => installed,
} ->
openldap::server::module { 'smbk5pwd':
ensure => present,
}
openldap::server::globalconf { 'ServerID': openldap::server::globalconf { 'ServerID':
ensure => present, ensure => present,
value => { "ServerID"=>"$serverid" } value => { "ServerID"=>"$serverid" }
} }
openldap::server::globalconf { 'TLSVerifyClient':
ensure => present,
value => { "TLSVerifyClient"=>"never" }
}
# ensure config database is present and dn and pw are set # ensure config database is present and dn and pw are set
openldap::server::database { 'cn=config': openldap::server::database { 'cn=config':
ensure => present, ensure => present,
@ -215,36 +232,66 @@ class wmdeit_ldap (
} }
# Build list of syncrepl-entries, store it in $syncrepl apt::source { 'lsc':
if !empty ($syncrepl_providers) { location => 'http://lsc-project.org/debian',
$mirrormode=true repos => 'main',
$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| { release => 'lsc',
$i = $index+1 key => {
"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1" id => "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5",
source => "https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project",
} }
} ->
package {"lsc":
ensure => installed
} }
# openldap::server::globalconf { 'TLSVerifyClient':
# ensure => present,
# value => { "TLSVerifyClient"=>"never" }
# }
# Build list of syncrepl-entries, store it in $syncrepl
# if !empty ($syncrepl_providers) {
# $mirrormode=true
# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
# $i = $index+1
# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
# }
# }
# create the main database # create the main database
openldap::server::database { "$database": openldap::server::database { "$database":
backend => mdb,
ensure => present, ensure => present,
rootdn => $rootdn, rootdn => $rootdn,
rootpw => $rootpw, rootpw => $rootpw,
syncrepl => $syncrepl, # syncrepl => $syncrepl,
mirrormode => $mirrormode, mirrormode => $mirrormode,
} -> } #->
openldap::server::overlay { "memberof on $database": # openldap::server::overlay { "memberof on $database":
ensure => present, # ensure => present,
} -> # } ->
openldap::server::overlay { "syncprov on $database": # openldap::server::overlay { "syncprov on $database":
ensure => present, # ensure => present,
} -> # } ->
openldap::server::overlay { "smbk5pwd on $database": # openldap::server::overlay { "smbk5pwd on $database":
ensure => present, # ensure => present,
} # }
# $acls.each |Integer $i, String $acl | {
# openldap::server::access { "{$i}$acl":
# suffix => "$database",
# ensure => present,
# }
# }
#'''''##################################################################################################
#
#
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break': ## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database", # suffix => "$database",
@ -276,17 +323,6 @@ class wmdeit_ldap (
# ensure => present, # ensure => present,
# } # }
# #
$acls.each |Integer $i, String $acl | {
# notify {"$i -> $acl":}
openldap::server::access { "{$i}$acl":
suffix => "$database",
ensure => present,
}
}
# openldap::server::dbindex { 'uid pres,eq': # openldap::server::dbindex { 'uid pres,eq':
# ensure => present, # ensure => present,
# suffix => "$database", # suffix => "$database",
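Review bot: The new `exec { 'wmdemanaged': ... }` (hunk `@ -93,9 +126,24`) deletes `cn=schema` and `olcDatabase={1}mdb.ldif` from the live `slapd.d` of whatever server it runs on, and its only guard is the `/etc/ldap/wmde.managed` marker touched at the end of the `&&` chain; if `slapd start` fails after the mdb config is gone (plausible when the data directory is left behind), the config is already wiped, the marker never appears, and the exec re-runs — stopping slapd — on every agent run, with nothing distinguishing a fresh install from a host that already carries a populated directory. I would tie it to the install event instead of a marker, e.g. `refreshonly => true, subscribe => Class['::openldap::server::install'],` and add `logoutput => true,` so a failed step is visible in the report. The `&&` chain and the multi-line heredoc also rely on a shell that exec's default posix provider does not promise; `provider => shell,` makes that explicit. Separately, commenting out the `$acls.each` loop in the hunk that adds `apt::source { 'lsc':` (and deleting it in the last hunk) leaves no `openldap::server::access` resources declared for `$database`, so the directory runs on whatever access rules the module or slapd applies by default — if this is temporary, a `# TODO: restore $acls before this host serves clients` at the commented loop would record that.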