Compare commits
3 Commits
Author | SHA1 | Date |
---|---|---|
Tobias Herre | 12369da5ab | |
Tobias Herre | c396989424 | |
Tobias Herre | 726a33a0bf |
|
@ -11,6 +11,7 @@ class wmdeit_ldap (
|
||||||
$database,
|
$database,
|
||||||
$rootdn,
|
$rootdn,
|
||||||
$rootpw,
|
$rootpw,
|
||||||
|
$starttls = "no",
|
||||||
|
|
||||||
$serverid,
|
$serverid,
|
||||||
$simple_bind_tls = "128",
|
$simple_bind_tls = "128",
|
||||||
|
@ -25,6 +26,7 @@ class wmdeit_ldap (
|
||||||
"rfc2307bis",
|
"rfc2307bis",
|
||||||
"krb5-kdc",
|
"krb5-kdc",
|
||||||
"samba",
|
"samba",
|
||||||
|
"ppolicy",
|
||||||
|
|
||||||
# "samba",
|
# "samba",
|
||||||
# "nis",
|
# "nis",
|
||||||
|
@ -79,26 +81,39 @@ class wmdeit_ldap (
|
||||||
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
||||||
'by * break'
|
'by * break'
|
||||||
],
|
],
|
||||||
|
# System rights for members of Adm group
|
||||||
|
'2 to *' => [
|
||||||
|
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
|
||||||
|
'by * break'
|
||||||
|
],
|
||||||
|
# System rights for members of Adm group
|
||||||
|
'3 to *' => [
|
||||||
|
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
|
||||||
|
'by * break'
|
||||||
|
],
|
||||||
|
|
||||||
# let users modify their passwords, and disable read acess to all others
|
# let users modify their passwords, and disable read acess to all others
|
||||||
'2 to attrs=userPassword' => [
|
'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
|
||||||
|
# '4 to attrs=userPassword' => [
|
||||||
"by self write",
|
"by self write",
|
||||||
"by anonymous auth",
|
"by anonymous auth",
|
||||||
"by * none",
|
"by * none",
|
||||||
],
|
],
|
||||||
# let users read all
|
# let users read all
|
||||||
'3 to attr=entry,objectClass,givenName,cn,displayName' => [
|
'5 to attr=entry,objectClass,givenName,cn,displayName' => [
|
||||||
"by anonymous break",
|
"by anonymous break",
|
||||||
"by * read",
|
"by * read",
|
||||||
],
|
],
|
||||||
"4 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
# let anonymous users list uids
|
||||||
|
"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
||||||
"by anonymous read",
|
"by anonymous read",
|
||||||
"by * break",
|
"by * break",
|
||||||
],
|
],
|
||||||
'5 to *' => [
|
# deny access to anything else
|
||||||
|
'7 to *' => [
|
||||||
"by * none",
|
"by * none",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
|
|
||||||
){
|
){
|
||||||
|
@ -118,7 +133,11 @@ class wmdeit_ldap (
|
||||||
} ->
|
} ->
|
||||||
openldap::server::module { 'syncprov':
|
openldap::server::module { 'syncprov':
|
||||||
ensure => present,
|
ensure => present,
|
||||||
}
|
}
|
||||||
|
# openldap::server::module { 'ppolicy':
|
||||||
|
# ensure => absent,
|
||||||
|
# }
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
package { "heimdal-kdc":
|
package { "heimdal-kdc":
|
||||||
|
@ -131,7 +150,6 @@ class wmdeit_ldap (
|
||||||
ensure => present,
|
ensure => present,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
class { 'openldap::server':
|
class { 'openldap::server':
|
||||||
ssl_ca => "$cacert",
|
ssl_ca => "$cacert",
|
||||||
ssl_cert => "$pubcert",
|
ssl_cert => "$pubcert",
|
||||||
|
@ -141,20 +159,20 @@ class wmdeit_ldap (
|
||||||
|
|
||||||
# delete all schema and databases created by default during installation
|
# delete all schema and databases created by default during installation
|
||||||
# This is some kind of a dirty hack because we use
|
# This is some kind of a dirty hack because we use
|
||||||
# in before => and irequire => some internal classes of module openldap
|
# in "before =>" and "require =>" some internal classes of module openldap
|
||||||
exec { 'wmdemanaged':
|
exec { 'wmdemanaged':
|
||||||
before => Class['::openldap::server::config'],
|
before => Class['::openldap::server::config'],
|
||||||
require => Class['::openldap::server::install'],
|
require => Class['::openldap::server::install'],
|
||||||
|
|
||||||
creates => "/etc/ldap/wmde.managed",
|
creates => "/etc/ldap/wmde.managed",
|
||||||
command => @(CMD/L),
|
command => @(CMD/L),
|
||||||
/usr/sbin/service slapd stop &&
|
/usr/sbin/service slapd stop &&
|
||||||
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
|
||||||
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
|
||||||
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
|
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
|
||||||
/usr/sbin/service slapd start &&
|
/usr/sbin/service slapd start &&
|
||||||
touch /etc/ldap/wmde.managed
|
touch /etc/ldap/wmde.managed
|
||||||
| CMD
|
| CMD
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -194,7 +212,6 @@ class wmdeit_ldap (
|
||||||
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
||||||
# }
|
# }
|
||||||
|
|
||||||
|
|
||||||
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
||||||
# ensure => present,
|
# ensure => present,
|
||||||
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
||||||
|
@ -259,14 +276,23 @@ class wmdeit_ldap (
|
||||||
|
|
||||||
|
|
||||||
# Build list of syncrepl-entries, store it in $syncrepl
|
# Build list of syncrepl-entries, store it in $syncrepl
|
||||||
# if !empty ($syncrepl_providers) {
|
if !empty ($syncrepl_providers) {
|
||||||
# $mirrormode=true
|
$mirrormode=true
|
||||||
# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
$syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
|
||||||
# $i = $index+1
|
$i = $index+1
|
||||||
# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
"rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
|
||||||
# }
|
}
|
||||||
# }
|
$syncrepl_providers.each |Integer $index, $provider| {
|
||||||
|
if $provider[ip] {
|
||||||
|
host{"host_$index":
|
||||||
|
name => $provider[host],
|
||||||
|
ip => $provider[ip],
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
# create the main database
|
# create the main database
|
||||||
openldap::server::database { "$database":
|
openldap::server::database { "$database":
|
||||||
|
@ -274,21 +300,29 @@ class wmdeit_ldap (
|
||||||
ensure => present,
|
ensure => present,
|
||||||
rootdn => $rootdn,
|
rootdn => $rootdn,
|
||||||
rootpw => $rootpw,
|
rootpw => $rootpw,
|
||||||
# syncrepl => $syncrepl,
|
syncrepl => $syncrepl,
|
||||||
mirrormode => $mirrormode,
|
mirrormode => $mirrormode,
|
||||||
}
|
}
|
||||||
->
|
->
|
||||||
openldap::server::overlay { "memberof on $database":
|
openldap::server::overlay { "memberof on $database":
|
||||||
ensure => present,
|
ensure => present,
|
||||||
|
options => {
|
||||||
|
'olcMemberOfGroupOC' => 'groupOfMembers'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
# ->
|
->
|
||||||
# openldap::server::overlay { "syncprov on $database":
|
openldap::server::overlay { "syncprov on $database":
|
||||||
|
ensure => present,
|
||||||
|
}
|
||||||
|
->
|
||||||
|
# openldap::server::overlay { "smbk5pwd on $database":
|
||||||
# ensure => present,
|
# ensure => present,
|
||||||
# }
|
# }
|
||||||
->
|
|
||||||
openldap::server::overlay { "smbk5pwd on $database":
|
# openldap::server::overlay { "ppolicy on $database":
|
||||||
ensure => present,
|
# ensure => absent,
|
||||||
}
|
# }
|
||||||
|
|
||||||
|
|
||||||
# $acls.each |Integer $i, $acl | {
|
# $acls.each |Integer $i, $acl | {
|
||||||
# notify{"Set ACL $i $acl":}
|
# notify{"Set ACL $i $acl":}
|
||||||
|
|
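Review bot: The syncrepl entry built inside the new `if !empty ($syncrepl_providers)` block sends the rootdn password over the replication link in the clear by default, because it uses `bindmethod=simple credentials=$rootpw` together with `starttls=$starttls` while the class parameter added in the first hunk defaults to `$starttls = "no"`; with that default the `tls_cacert`/`tls_key`/`tls_cert` options on the same line are never exercised. Changing the default to `$starttls = "critical"` (so the consumer refuses to bind rather than silently continuing in plaintext), or at least `"yes"`, keeps the credentials protected on the wire unless an operator explicitly opts out. The same block reads `$provider[proto]`, `$provider[host]` and `$provider[port]` from a now untyped lambda parameter; declaring it as `Hash $provider` (the old line used `String $provider`) would fail a misconfigured entry at catalog compile time instead of producing an empty `provider=://:` URI. Separately, the new ACL key `'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))'` hard-codes the base DN where every other rule uses `$database`, and as a single-quoted string it cannot interpolate, so it should become a double-quoted string ending in `,$database))"`. The enclosing class `wmdeit_ldap` begins before the first hunk and the page appears to be cut off after the last one.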