Initial commit

This commit is contained in:
Tobias Herre 2020-08-18 09:25:32 +02:00
parent df3d8f770e
commit f7b5f9b7b2
1 changed files with 302 additions and 0 deletions

302
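--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -0,0 +1,302 @@
+#x
+class wmdelit_ldap (
+$log_level = 0,
+$configdn = 'cn=admin,cn=config',
+$configpw = '123',
+$syncrepl_providers = [
+],
+$database = "dc=wikimedia,dc=de",
+$rootdn = "cn=admin,dc=wikimedia,dc=de",
+$rootpw = "123",
+$serverid,
+$simple_bind_tls = "128",
+$schema_path = '/etc/ldap/schema',
+$schema = [
+"samba",
+# "nis",
+# "rfc2307bis",
+# "solaris",
+"dnszone",
+"univention",
+"univention-objecttype",
+"krb5-kdc",
+"directory",
+"policy",
+"msgpo",
+"dhcp",
+"univention-dhcp",
+"mail",
+# "automount",
+"user",
+"self-service-passwordreset",
+"univention-saml",
+"univention-virtual-machine-manager",
+"nagios",
+"share",
+"network",
+"portal",
+"univention-default",
+"univention-app",
+"univention-object-metadata",
+"univention-ldap-extension",
+"license",
+"ppolicy",
+"template",
+"lock",
+"udm-extension",
+"custom-attribute",
+"univention-syntax",
+"nextcloud",
+"openproject",
+"networkaccess",
+],
+$ssldir = "/etc/ldap/ssl",
+$acls = [
+# grant accces to domain admins
+'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
+'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
+# super acces to local root user
+'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
+# let users modify their passwords
+'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
+'to attrs=entry,children,objectClass,uid by anonymous read by * break',
+'to * by anonymous none by * break',
+'to dn.base="" by * read',
+'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
+]
+){
+$clientcert = $facts[clientcert]
+$pubcert = "$ssldir/cert.pem"
+$privkey = "$ssldir/priv.pem"
+$cacert = "$ssldir/ca.pem"
+file { "/etc/ldap":
+ensure => directory
+} ->
+# SSL stuff ... copy CA cert and keys used by puppet agent to
+# a separate directory and make them accesible by openldap
+file { "$ssldir":
+ensure => directory,
+owner => "openldap",
+group => "openldap",
+mode => "0600",
+} ->
+file { "$cacert": # copy CA cert
+ensure => file,
+source => "/var/lib/puppet/ssl/certs/ca.pem",
+owner => "openldap",
+group => "openldap",
+mode => "0600",
+} ->
+file { "$pubcert": # copy public key
+ensure => file,
+source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
+owner => "openldap",
+group => "openldap",
+mode => "0600",
+} ->
+file { "$privkey": # copy private key
+ensure => file,
+source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
+owner => "openldap",
+group => "openldap",
+mode => "0600",
+} ->
+class { 'openldap::server':
+ssl_ca => "$cacert",
+ssl_cert => "$pubcert",
+ssl_key => "$privkey",
+ldaps_ifs => ['/'],
+}
+# openldap::server::globalconf { 'TLSCACertificateFile':
+# ensure => present,
+# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
+# }
+# openldap::server::globalconf { 'TLSCertificateKeyFile':
+# ensure => present,
+# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
+# }
+# openldap::server::globalconf { 'TLSCertificateFile':
+# ensure => present,
+# value => "$ssldir/pubkey.pem"
+# }
+openldap::server::globalconf { 'LogLevel':
+ensure => present,
+value => { "LogLevel"=>"$log_level" }
+}
+openldap::server::globalconf { 'Security':
+ensure => present,
+value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
+}
+# openldap::server::schema{"nis":
+# ensure => absent
+# }
+# add schemas
+$schema.each | $s | {
+file { "$schema_path/$s.schema":
+ensure => file,
+source => "puppet:///downloads/schema/$s.schema",
+}->
+openldap::server::schema { "$s":
+ensure => present,
+path => "$schema_path/$s.schema",
+}
+}
+openldap::server::module { 'memberof':
+ensure => present,
+}
+openldap::server::module { 'syncprov':
+ensure => present,
+}
+package { "heimdal-kdc":
+ensure => installed,
+}->
+package {"slapd-smbk5pwd":
+ensure => installed,
+} ->
+openldap::server::module { 'smbk5pwd':
+ensure => present,
+}
+openldap::server::globalconf { 'ServerID':
+ensure => present,
+value => { "ServerID"=>"$serverid" }
+}
+openldap::server::globalconf { 'TLSVerifyClient':
+ensure => present,
+value => { "TLSVerifyClient"=>"never" }
+}
+# ensure config database is present and dn and pw are set
+openldap::server::database { 'cn=config':
+ensure => present,
+backend => config,
+rootdn => $configdn,
+rootpw => $configpw
+}
+# Build list of syncrepl-entries, store it in $syncrepl
+if !empty ($syncrepl_providers) {
+$mirrormode=true
+$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
+$i = $index+1
+"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
+}
+}
+# create the main database
+openldap::server::database { "$database":
+ensure => present,
+rootdn => $rootdn,
+rootpw => $rootpw,
+syncrepl => $syncrepl,
+mirrormode => $mirrormode,
+} ->
+openldap::server::overlay { "memberof on $database":
+ensure => present,
+} ->
+openldap::server::overlay { "syncprov on $database":
+ensure => present,
+} ->
+openldap::server::overlay { "smbk5pwd on $database":
+ensure => present,
+}
+## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
+# suffix => "$database",
+# ensure => present,
+# }
+# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
+# suffix => "$database",
+# ensure => present,
+## }
+# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
+# suffix => "$database",
+## ensure => present,
+# }
+# openldap::server::access { '{4}to dn.base="" by * read':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
+# suffix => "$database",
+# ensure => present,
+# }
+#
+$acls.each |Integer $i, String $acl | {
+# notify {"$i -> $acl":}
+openldap::server::access { "{$i}$acl":
+suffix => "$database",
+ensure => present,
+}
+}
+# openldap::server::dbindex { 'uid pres,eq':
+# ensure => present,
+# suffix => "$database",
+# }
+# openldap::server::dbindex { 'sn eq,approx,sub':
+# ensure => present,
+# suffix => "$database",
+# }
+}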
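Review bot: `$configpw = '123'` and `$rootpw = "123"` give the cn=config admin and the directory root DN a guessable password on every node where the caller forgets to override them, and the same `$rootpw` is then interpolated in clear into each syncrepl `credentials=` string at line 192. Make both required like `$serverid` so catalog compilation fails rather than silently installing the default: `$configpw,` and `$rootpw,` (wrapping them in Puppet's `Sensitive` type would also keep them out of reports and logs, provided the openldap module accepts it, which is not verifiable from this page). Separately, `mode => "0600"` on the `$ssldir` directory resource omits the execute bit, so the openldap user cannot traverse into the directory to read the copied certificate and key files; `mode => "0700",` is the intended permission for a directory. Note also that `$syncrepl` and `$mirrormode` are only assigned inside the `if !empty(...)` branch yet are referenced unconditionally at lines 200–201, where Puppet treats them as undef and rejects them under strict_variables.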