Configurable login method, list of admins or search

README.md

@@ -27,9 +27,16 @@ Examples:
         configs => {
             wmde => {
                 password => "1234",
-                password_salt => "5678"
+                password_salt => "5678",
+                tree_suffix => "dc=wikimedia,dc=de",
+                admins => [
+                    "cn=admin,dc=wikimedia,dc=de",
+                ],
+                login_search_dn=>"cn=admin,dc=wikimedia,dc=de",
+                login_search_suffix=>"dc=wikimedia,dc=de",
+                login_search_password=>"123",
+		login_method=>"search" # or "listi or search allowed"
             }
-
         }
     }
 

manifests/lam.pp

@@ -100,27 +100,80 @@ class wmdeit_ldap::lam(
 		 generate("/bin/sh","-c", "echo -n $password_salt | openssl base64")
 		,  '\n', "\n "))
 
+		$base64pw = base64( 'encode',"LAM_OBFUSCATE:${conf['login_search_password']}")
+		$spw = strip (regsubst(
+			generate("/bin/sh","-c", "echo -n '$base64pw' | /usr/bin/rot13")
+		, '\n', "\n "))
 
+		wmdeit_ldap::lam::config {$name:
+			encoded_password => $encoded_password,
+			encoded_password_salt => $encoded_password_salt,
+			suffix_user => $conf['suffix_user'],
+			suffix_group => $conf['suffix_group'],
+			tree_suffix => $conf['tree_suffix'],
+			admins => $conf['admins'],
+			login_method => $conf['login_method'] ? {undef => "list", default => $conf['login_method']},
+			login_search_suffix => $conf['login_search_suffix'],
+			login_search_dn => $conf['login_search_dn'],
+			login_search_filter => $conf['login_search_filter'] ? {
+							undef => "uid=%USER%",
+							default => $conf['login_search_filter']
+						},
 
+			login_search_password => $conf['login_search_password'] ? {
+							undef => "",
+							default => $spw
+						},
 
-		file {"$docroot/config/$name.conf":
-			ensure => file,
-			content => template("wmdeit_ldap/wmde.conf.erb"),
-			owner => "www-data",
-			require => File["$docroot/config/pdf"],
-		} ->
-		file {"$docroot/config/profiles/$name":
-			ensure=>directory
-		}->
-		file{"$docroot/config/profiles/$name/default.user":
-			ensure=>file,
-			content => template("wmdeit_ldap/default.user.erb")
-		} ->
-		file{"$docroot/config/profiles/$name/default.group":
-			ensure=>file,
-			content => template("wmdeit_ldap/default.group.erb")
-		}
+				
+					
+		} 
 	}
 
 }
 
+
+define wmdeit_ldap::lam::config
+(
+	$encoded_password,
+	$encoded_password_salt,	
+	$tree_suffix,
+	$suffix_user = "ou=People,$tree_suffix",
+	$suffix_group = "ou=Groups,$tree_suffix",
+	$docroot = $::wmdeit_ldap::lam::docroot,
+	$admins = [],
+	$login_method = "search",
+	$login_search_suffix = "",
+	$login_search_dn = "",
+	$login_search_filter = "",
+	$login_search_password = "",
+	
+){
+	if (!$suffix_user) or (!$suffix_group) {
+		fail("no suffix_user or suffix_group given")
+	}
+
+	file {"$docroot/config/$title.conf":
+		ensure => file,
+		content => template("wmdeit_ldap/wmde.conf.erb"),
+		owner => "www-data",
+		require => File["$docroot/config/pdf"],
+	} ->
+	file {"$docroot/config/profiles/$title":
+		ensure=>directory
+	}->
+	file{"$docroot/config/profiles/$title/default.user":
+		ensure=>file,
+		content => template("wmdeit_ldap/default.user.erb")
+	} ->
+	file{"$docroot/config/profiles/$title/default.group":
+		ensure=>file,
+		content => template("wmdeit_ldap/default.group.erb")
+	}
+	
+}
+
+
+
+
+

templates/wmde.conf.erb

@@ -10,7 +10,13 @@ ServerURL: ldap://localhost:389
 # list of users who are allowed to use LDAP Account Manager
 # names have to be seperated by semicolons
 # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
-Admins: cn=admin,dc=wikimedia,dc=de
+Admins: <%- s='' -%>
+<%- @admins.each do | admin | -%>
+  <%= s %><%= admin -%>
+  <%- s=';' -%>
+  <%- end -%>
+  
+#=admin,dc=wikimedia,dc=de
 
 # password to change these preferences via webfrontend (default: lam)
 #Passwd: {SSHA}T7uRmkbOgzr9k0BVJi1GvqqwJJQ= iaZAeQ==
@@ -18,7 +24,7 @@ Passwd: {SSHA}<%= @encoded_password %> <%= @encoded_password_salt %>
 
 # suffix of tree view
 # e.g. dc=yourdomain,dc=org
-treesuffix: dc=wikimedia,dc=de
+treesuffix: <%= @tree_suffix %>
 
 # default language (a line from config/language)
 defaultLanguage: en_GB.utf8
@@ -50,11 +56,11 @@ modules: posixAccount_pwdHash: SSHA
 activeTypes: user,group
 
 
-types: suffix_user: ou=People,dc=wikimedia,dc=de
+types: suffix_user: <%= @suffix_user %>
 types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
 types: modules_user: inetOrgPerson,posixAccount,shadowAccount
 
-types: suffix_group: ou=group,dc=wikimedia,dc=de
+types: suffix_group: <%= @suffix_group %>
 types: attr_group: #cn;#gidNumber;#memberUID;#description
 types: modules_group: wmdeGroup
 
@@ -98,23 +104,23 @@ accessLevel: 100
 
 
 # Login method.
-loginMethod: list
+loginMethod: <%= @login_method %>
 
 
 # Search suffix for LAM login.
-loginSearchSuffix: dc=yourdomain,dc=org
+loginSearchSuffix: <%= @login_search_suffix %>
 
 
 # Search filter for LAM login.
-loginSearchFilter: uid=%USER%
+loginSearchFilter: <%= @login_search_filter %>
 
 
 # Bind DN for login search.
-loginSearchDN: 
+loginSearchDN: <%= @login_search_dn %>
 
 
 # Bind password for login search.
-loginSearchPassword: 
+loginSearchPassword: <%= @login_search_password %>
 
 
 # HTTP authentication for LAM login.