


3 changed files with 94 additions and 28 deletions


@ -27,9 +27,16 @@ Examples:
configs => { configs => {
wmde => { wmde => {
password => "1234", password => "1234",
password_salt => "5678" password_salt => "5678",
tree_suffix => "dc=wikimedia,dc=de",
admins => [
"cn=admin,dc=wikimedia,dc=de",
],
login_search_dn=>"cn=admin,dc=wikimedia,dc=de",
login_search_suffix=>"dc=wikimedia,dc=de",
login_search_password=>"123",
login_method=>"search" # or "listi or search allowed"
} }
} }
} }


@ -100,27 +100,80 @@ class wmdeit_ldap::lam(
generate("/bin/sh","-c", "echo -n $password_salt | openssl base64") generate("/bin/sh","-c", "echo -n $password_salt | openssl base64")
, '\n', "\n ")) , '\n', "\n "))
$base64pw = base64( 'encode',"LAM_OBFUSCATE:${conf['login_search_password']}")
$spw = strip (regsubst(
generate("/bin/sh","-c", "echo -n '$base64pw' | /usr/bin/rot13")
, '\n', "\n "))
wmdeit_ldap::lam::config {$name:
encoded_password => $encoded_password,
encoded_password_salt => $encoded_password_salt,
suffix_user => $conf['suffix_user'],
suffix_group => $conf['suffix_group'],
tree_suffix => $conf['tree_suffix'],
admins => $conf['admins'],
login_method => $conf['login_method'] ? {undef => "list", default => $conf['login_method']},
login_search_suffix => $conf['login_search_suffix'],
login_search_dn => $conf['login_search_dn'],
login_search_filter => $conf['login_search_filter'] ? {
undef => "uid=%USER%",
default => $conf['login_search_filter']
},
login_search_password => $conf['login_search_password'] ? {
undef => "",
default => $spw
},
file {"$docroot/config/$name.conf": }
}
}
define wmdeit_ldap::lam::config
(
$encoded_password,
$encoded_password_salt,
$tree_suffix,
$suffix_user = "ou=People,$tree_suffix",
$suffix_group = "ou=Groups,$tree_suffix",
$docroot = $::wmdeit_ldap::lam::docroot,
$admins = [],
$login_method = "search",
$login_search_suffix = "",
$login_search_dn = "",
$login_search_filter = "",
$login_search_password = "",
){
if (!$suffix_user) or (!$suffix_group) {
fail("no suffix_user or suffix_group given")
}
file {"$docroot/config/$title.conf":
ensure => file, ensure => file,
content => template("wmdeit_ldap/wmde.conf.erb"), content => template("wmdeit_ldap/wmde.conf.erb"),
owner => "www-data", owner => "www-data",
require => File["$docroot/config/pdf"], require => File["$docroot/config/pdf"],
} -> } ->
file {"$docroot/config/profiles/$name": file {"$docroot/config/profiles/$title":
ensure=>directory ensure=>directory
}-> }->
file{"$docroot/config/profiles/$name/default.user": file{"$docroot/config/profiles/$title/default.user":
ensure=>file, ensure=>file,
content => template("wmdeit_ldap/default.user.erb") content => template("wmdeit_ldap/default.user.erb")
} -> } ->
file{"$docroot/config/profiles/$name/default.group": file{"$docroot/config/profiles/$title/default.group":
ensure=>file, ensure=>file,
content => template("wmdeit_ldap/default.group.erb") content => template("wmdeit_ldap/default.group.erb")
} }
}
} }
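Review bot: The empty `file {"$docroot/config/$name.conf": }` left inside the `wmdeit_ldap::lam::config {$name:` attribute list is not a valid attribute and, even if moved out, would declare the same `File["$docroot/config/<name>.conf"]` that the new define already declares at `file {"$docroot/config/$title.conf":`, so Puppet would presumably reject it as a duplicate declaration; it looks like a leftover and should be dropped. That conf file carries the obfuscated admin password and the bind password but the resource sets only `owner => "www-data"` with no `mode`, so it may well be created world-readable; adding `mode => "0640",` (and a matching `group`) would keep the secrets out of reach of other local users. Obfuscating the bind password via `generate("/bin/sh","-c", "echo -n '$base64pw' | /usr/bin/rot13")` forks a shell on the master with the secret on the command line, where it is visible in process listings, and depends on a `rot13` binary being installed there; the same rotation can be done in-process with something like `$spw = inline_template("<%= @base64pw.tr('A-Za-z', 'N-ZA-Mn-za-m') %>")`. The enclosing class `wmdeit_ldap::lam` starts before this hunk, so the scope in which the stray file resource sits cannot be confirmed from here.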


@ -10,7 +10,13 @@ ServerURL: ldap://localhost:389
# list of users who are allowed to use LDAP Account Manager # list of users who are allowed to use LDAP Account Manager
# names have to be seperated by semicolons # names have to be seperated by semicolons
# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org # e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
Admins: cn=admin,dc=wikimedia,dc=de Admins: <%- s='' -%>
<%- @admins.each do | admin | -%>
<%= s %><%= admin -%>
<%- s=';' -%>
<%- end -%>
#=admin,dc=wikimedia,dc=de
# password to change these preferences via webfrontend (default: lam) # password to change these preferences via webfrontend (default: lam)
#Passwd: {SSHA}T7uRmkbOgzr9k0BVJi1GvqqwJJQ= iaZAeQ== #Passwd: {SSHA}T7uRmkbOgzr9k0BVJi1GvqqwJJQ= iaZAeQ==
@ -18,7 +24,7 @@ Passwd: {SSHA}<%= @encoded_password %> <%= @encoded_password_salt %>
# suffix of tree view # suffix of tree view
# e.g. dc=yourdomain,dc=org # e.g. dc=yourdomain,dc=org
treesuffix: dc=wikimedia,dc=de treesuffix: <%= @tree_suffix %>
# default language (a line from config/language) # default language (a line from config/language)
defaultLanguage: en_GB.utf8 defaultLanguage: en_GB.utf8
@ -50,11 +56,11 @@ modules: posixAccount_pwdHash: SSHA
activeTypes: user,group activeTypes: user,group
types: suffix_user: ou=People,dc=wikimedia,dc=de types: suffix_user: <%= @suffix_user %>
types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber types: attr_user: #uid;#givenName;#sn;#uidNumber;#gidNumber
types: modules_user: inetOrgPerson,posixAccount,shadowAccount types: modules_user: inetOrgPerson,posixAccount,shadowAccount
types: suffix_group: ou=group,dc=wikimedia,dc=de types: suffix_group: <%= @suffix_group %>
types: attr_group: #cn;#gidNumber;#memberUID;#description types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: wmdeGroup types: modules_group: wmdeGroup
@ -98,23 +104,23 @@ accessLevel: 100
# Login method. # Login method.
loginMethod: list loginMethod: <%= @login_method %>
# Search suffix for LAM login. # Search suffix for LAM login.
loginSearchSuffix: dc=yourdomain,dc=org loginSearchSuffix: <%= @login_search_suffix %>
# Search filter for LAM login. # Search filter for LAM login.
loginSearchFilter: uid=%USER% loginSearchFilter: <%= @login_search_filter %>
# Bind DN for login search. # Bind DN for login search.
loginSearchDN: loginSearchDN: <%= @login_search_dn %>
# Bind password for login search. # Bind password for login search.
loginSearchPassword: loginSearchPassword: <%= @login_search_password %>
# HTTP authentication for LAM login. # HTTP authentication for LAM login.
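Review bot: The loop `<%- @admins.each do | admin | -%>` assumes `@admins` is always an array; a caller that passes a single DN as a plain string, or nil where the define default does not apply, would make `.each` raise at catalog compile time. Writing `<%- Array(@admins).each do |admin| -%>` accepts a string, an array, or nil without changing the output for the array case. If the list is empty the rendered `Admins:` line is blank, which presumably leaves nobody able to log in to LAM, so it may be worth a `fail` on the Puppet side when `admins` is empty. The commented `#=admin,dc=wikimedia,dc=de` line left under the loop looks like a stale remnant of the old hard-coded value and can go.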