WMDE
/
puppet-wmdeit_ldap
2
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Compare commits

base: WMDE:a143e8639a084b45e63edfd3c09ea1a7e064b862
Branches Tags
WMDE:master
WMDE:v-0.0.1
..
compare: WMDE:aeda32f6778d7b1054021502e9789e2e9684c951
Branches Tags
WMDE:master
WMDE:v-0.0.1

No commits in common. "a143e8639a084b45e63edfd3c09ea1a7e064b862" and "aeda32f6778d7b1054021502e9789e2e9684c951" have entirely different histories.
a143e8639a ... aeda32f677

2 changed files with 27 additions and 77 deletions
Show Stats Expand all files Collapse all files

98
manifests/init.pp
View File

@ -68,60 +68,25 @@ class wmdeit_ldap (
], ],
$ssldir = "/etc/ldap/ssl", $ssldir = "/etc/ldap/ssl",
$acl = { $acls = [
# Super access to local root user # grant accces to domain admins
'0 to *' => [ 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage', 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
'by * break',
],
# Admin rights for members of Admin group
'1 to *' => [
"by set=\"user & [cn=Admins,ou=Groups,$database]/member\" write",
'by * break'
],
# let users modify their passwords, and disable read acess to all others
'2 to attrs=userPassword,sambaNTPassword' => [
"by self write",
"by anonymous auth",
"by * none",
],
# let users read all
'3 to *' => [
"by anonymous break",
"by * read",
],
"4 to dn.subtree=\"$database\" attrs=entry,objectClass" => [
"by anonymous read",
"by * break",
],
'5 to *' => [
"by * none",
]
},
# 'by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break'
# super acces to local root user # super acces to local root user
# 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break', 'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
# grant accces to domain admins
# 'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
# 'to * by set="user & [cn=Admins,ou=Groups,dc=wikimedia,dc=de]/member" write by * break',
# 'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
# let users modify their passwords # let users modify their passwords
# 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none', 'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
# 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
# 'to * by anonymous none by * break', 'to attrs=entry,children,objectClass,uid by anonymous read by * break',
# 'to dn.base="" by * read', 'to * by anonymous none by * break',
# 'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
'to dn.base="" by * read',
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
]
){ ){
$clientcert = $facts[clientcert] $clientcert = $facts[clientcert]
@ -298,48 +263,33 @@ class wmdeit_ldap (
rootpw => $rootpw, rootpw => $rootpw,
# syncrepl => $syncrepl, # syncrepl => $syncrepl,
mirrormode => $mirrormode, mirrormode => $mirrormode,
} } #->
-> # openldap::server::overlay { "memberof on $database":
openldap::server::overlay { "memberof on $database": # ensure => present,
ensure => present, # } ->
}
# ->
# openldap::server::overlay { "syncprov on $database": # openldap::server::overlay { "syncprov on $database":
# ensure => present, # ensure => present,
# } # } ->
-> # openldap::server::overlay { "smbk5pwd on $database":
openldap::server::overlay { "smbk5pwd on $database": # ensure => present,
ensure => present, # }
}
# $acls.each |Integer $i, $acl | { # $acls.each |Integer $i, String $acl | {
# notify{"Set ACL $i $acl":}
# openldap::server::access { "{$i}$acl": # openldap::server::access { "{$i}$acl":
# openldap::server::access { "$i on $database":
# suffix => "$database", # suffix => "$database",
# ensure => present, # ensure => present,
# access => $acl['access'],
# what => $acl['to'],
# } # }
# } # }
#
openldap::server::access_wrapper { $database :
acl => $acl,
}
#'''''################################################################################################## #'''''##################################################################################################
# #
# #
# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database': ## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database", # suffix => "$database",
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
# ensure => present, # ensure => present,
# } # }
#
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break': # openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database", # suffix => "$database",
# ensure => present, # ensure => present,

6
manifests/lam.pp
View File

@ -33,7 +33,7 @@ class wmdeit_ldap::lam(
} }
class { 'apache::mod::php': class { 'apache::mod::php':
# php_version => '7.3' php_version => '7.3'
} }
class { '::php': class { '::php':
@ -126,8 +126,8 @@ class wmdeit_ldap::lam(
}, },
server_url => $conf['server_url'] ? { server_url => $conf['server_url'] ? {
undef => 'ldap://localhost:389', undef => "",
default => $conf['server_url'], default => 'ldap://localhost:389'
}, },
} }
} }