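# Manage an OpenLDAP server for the wikimedia.de directory on top of the
# `openldap` Puppet module, together with the LSC synchronisation connector.
#
# Security-relevant facts about this class (all visible below):
#   * $configpw and $rootpw default to the placeholder '123'. The defaults are
#     kept for backward compatibility, but a catalog-compile warning is raised
#     while either placeholder is still in use; override both from (encrypted)
#     Hiera.
#   * The LDAPS key pair is the local Puppet agent's certificate and *private
#     key*, copied into $ssldir and made readable by the `openldap` user. A
#     compromise of slapd therefore also exposes the node's Puppet identity,
#     and LDAP clients have to trust the Puppet CA (copied as $cacert).
#   * $acls is currently NOT applied: the loop that would declare
#     openldap::server::access resources is commented out (see FIXME below),
#     so the database runs with whatever access rules the openldap module or
#     slapd itself provide by default.
#   * The 'Security' global only requires encryption for simple binds
#     (simple_bind=$simple_bind_tls); ssf=0 and tls=0 place no requirement on
#     anonymous or SASL traffic.
#   * Client certificate verification (TLSVerifyClient) is not configured here.
#
# @param log_level          slapd olcLogLevel.
# @param configdn           Root DN of the cn=config database.
# @param configpw           Root password of cn=config (placeholder default!).
# @param syncrepl_providers Syncrepl provider URIs. Unused at the moment: the
#                           generator is commented out below.
# @param database           Suffix of the main mdb database.
# @param rootdn             Root DN of the main database.
# @param rootpw             Root password of the main database (placeholder default!).
# @param serverid           olcServerID value; required, no default.
# @param simple_bind_tls    Minimum SSF slapd requires for simple binds.
# @param schema_path        Directory the schema files are installed into.
# @param schema             Schema names installed from this module's files/schema/.
# @param ssldir             Directory receiving the CA cert, server cert and key.
# @param acls               olcAccess rules for the main database (currently not applied).
# @param puppet_ssldir      SSL directory of the local Puppet agent; the source
#                           of the copied CA certificate, certificate and key.
class wmdeit_ldap (
  $log_level          = 0,
  $configdn           = 'cn=admin,cn=config',
  $configpw           = '123',
  $syncrepl_providers = [],
  $database           = 'dc=wikimedia,dc=de',
  $rootdn             = 'cn=admin,dc=wikimedia,dc=de',
  $rootpw             = '123',
  $serverid,
  $simple_bind_tls    = '128',
  $schema_path        = '/etc/ldap/schema',
  $schema             = [
    'core',
    'cosine',
    'inetorgperson',
    'rfc2307bis',   # the overlapping classic 'nis' schema is not loaded
    'krb5-kdc',     # used by the smbk5pwd module loaded below
    'samba',        # used by the smbk5pwd module loaded below
    # Further schema files that exist for this module but are not loaded:
    #   nis, solaris, dnszone, univention, univention-objecttype, directory,
    #   policy, msgpo, dhcp, univention-dhcp, mail, automount, user,
    #   self-service-passwordreset, univention-saml,
    #   univention-virtual-machine-manager, nagios, share, network, portal,
    #   univention-default, univention-app, univention-object-metadata,
    #   univention-ldap-extension, license, ppolicy, template, lock,
    #   udm-extension, custom-attribute, univention-syntax, openssh,
    #   nextcloud, openproject, networkaccess
  ],
  $ssldir             = '/etc/ldap/ssl',
  $acls               = [
    # grant access to domain admins
    'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
    'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
    # full ("manage") access for the local root user over ldapi
    'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
    # let users modify their passwords; nobody else may read the hashes
    'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
    # anonymous may read only entry/objectClass/uid (needed to locate accounts)
    'to attrs=entry,children,objectClass,uid by anonymous read by * break',
    'to * by anonymous none by * break',
    'to dn.base="" by * read',
    'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
  ],
  $puppet_ssldir      = '/var/lib/puppet/ssl',
) {

  # The clientcert fact is agent-supplied; it is only used here to pick the
  # agent's own files from its own disk, so spoofing buys nothing. Should the
  # name ever be used for trust decisions, switch to $trusted['certname'].
  $clientcert = $facts['clientcert']
  $pubcert    = "${ssldir}/cert.pem"
  $privkey    = "${ssldir}/priv.pem"
  $cacert     = "${ssldir}/ca.pem"

  # Surface the placeholder credentials at compile time instead of silently
  # shipping them to the server.
  if $rootpw == '123' or $configpw == '123' {
    warning('wmdeit_ldap: placeholder password "123" is still in use for rootpw and/or configpw - override both in Hiera')
  }

  # Required backend and overlay modules.
  openldap::server::module { 'back_mdb':
    ensure => present,
  }
  -> openldap::server::module { 'memberof':
    ensure => present,
  }
  -> openldap::server::module { 'syncprov':
    ensure => present,
  }

  package { 'heimdal-kdc':
    ensure => installed,
  }
  -> package { 'slapd-smbk5pwd':
    ensure => installed,
  }
  -> openldap::server::module { 'smbk5pwd':
    ensure => present,
  }

  class { 'openldap::server':
    ssl_ca    => $cacert,
    ssl_cert  => $pubcert,
    ssl_key   => $privkey,
    ldaps_ifs => ['/'],
  }

  # Drop the schema and the {1}mdb database the package creates at install
  # time so the module-managed ones take their place. This is a dirty hack:
  # it hooks into internal classes of the openldap module via before/require.
  # Runs once, guarded by the marker file; the marker is only written if
  # slapd comes back up, so a failed restart makes the exec run again.
  # NOTE(review): the command relies on the shell handling '&&';
  # `provider => shell` would make that dependency explicit.
  exec { 'wmdemanaged':
    before  => Class['::openldap::server::config'],
    require => Class['::openldap::server::install'],
    creates => '/etc/ldap/wmde.managed',
    command => @(CMD/L),
      /sbin/service slapd stop && \
      rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' && \
      rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' && \
      rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' && \
      /sbin/service slapd start && \
      touch /etc/ldap/wmde.managed
      | CMD
  }

  # SSL material: copy the CA certificate and the Puppet agent's key pair to a
  # separate directory and make them readable by the openldap user. The file
  # copied to $privkey is the agent's *private* key (see class comment).
  # Puppet adds the search bit to directories, so 0600 on $ssldir yields 0700.
  file { $ssldir:
    ensure => directory,
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $cacert:
    ensure => file,
    source => "${puppet_ssldir}/certs/ca.pem",
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $pubcert:
    ensure => file,
    source => "${puppet_ssldir}/certs/${clientcert}.pem",
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  -> file { $privkey:
    ensure => file,
    source => "${puppet_ssldir}/private_keys/${clientcert}.pem",
    owner  => 'openldap',
    group  => 'openldap',
    mode   => '0600',
  }
  # The TLS file locations are passed through the openldap::server class
  # parameters above; no separate TLS* globalconf entries are needed.

  openldap::server::globalconf { 'LogLevel':
    ensure => present,
    value  => { 'LogLevel' => "${log_level}" },
  }

  # simple_bind=<ssf>: simple binds must arrive over a channel with at least
  # that SSF (i.e. TLS). ssf=0 / tls=0: no minimum for anything else, so
  # anonymous and SASL operations may still travel in the clear.
  openldap::server::globalconf { 'Security':
    ensure => present,
    value  => {
      'Security' => [
        "simple_bind=${simple_bind_tls}",
        'ssf=0',
        'tls=0',
      ],
    },
  }

  # Install each schema file from this module and register it with slapd.
  $schema.each |$s| {
    file { "${schema_path}/${s}.schema":
      ensure  => file,
      content => file("wmdeit_ldap/schema/${s}.schema"),
    }
    -> openldap::server::schema { $s:
      ensure => present,
      path   => "${schema_path}/${s}.schema",
    }
  }

  openldap::server::globalconf { 'ServerID':
    ensure => present,
    value  => { 'ServerID' => "${serverid}" },
  }

  # Ensure the config database is present and its root DN/password are set.
  # Whether the module hashes $configpw before writing it to cn=config is not
  # visible here - check the module if the plaintext ending up on disk matters.
  openldap::server::database { 'cn=config':
    ensure  => present,
    backend => config,
    rootdn  => $configdn,
    rootpw  => $configpw,
  }

  # LSC (LDAP Synchronization Connector): Java runtime, vendor repository,
  # package, configuration and service.
  # The repository is fetched over plain http; integrity rests entirely on the
  # pinned signing key below, which apt verifies. The key itself comes via https.
  # NOTE(review): if the rendered lsc.xml carries bind credentials (the
  # template is not visible here), restrict its owner/mode accordingly.
  java::adopt { 'jdk8':
    ensure  => 'present',
    version => '8',
    java    => 'jre',
  }
  -> apt::source { 'lsc':
    location => 'http://lsc-project.org/debian',
    repos    => 'main',
    release  => 'lsc',
    key      => {
      id     => '3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5',
      source => 'https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project',
    },
  }
  -> package { 'lsc':
    ensure => installed,
  }
  -> file { '/etc/default/lsc':
    ensure  => file,
    content => template('wmdeit_ldap/lsc.erb'),
  }
  -> file { '/etc/lsc/lsc.xml':
    ensure  => file,
    content => template('wmdeit_ldap/lsc.xml.erb'),
  }
  -> service { 'lsc':
    ensure    => running,
    subscribe => File['/etc/lsc/lsc.xml'],
  }

  # Syncrepl / mirror mode is disabled. The generator sketched below would put
  # the root password in clear text into every syncrepl line (credentials=),
  # so when it is revived use a dedicated replication DN instead of $rootdn.
  # mirrormode is deliberately not passed to the database: without syncrepl
  # entries it must stay off, and referencing an unset variable would break
  # under strict_variables.
  #
  # if !empty($syncrepl_providers) {
  #   $mirrormode = true
  #   $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
  #     $i = $index + 1
  #     "rid=00${i} provider=${provider} binddn=\"${rootdn}\" bindmethod=simple credentials=${rootpw} searchbase=\"${database}\" type=refreshAndPersist tls_cacert=${cacert} tls_key=${privkey} tls_cert=${pubcert} starttls=yes retry=\"3 60 6 300 30 +\""
  #   }
  # }

  # Create the main database.
  openldap::server::database { $database:
    ensure  => present,
    backend => mdb,
    rootdn  => $rootdn,
    rootpw  => $rootpw,
    # syncrepl   => $syncrepl,
  }

  # The memberof/syncprov/smbk5pwd modules are loaded above but the overlays
  # are not attached to the database:
  # -> openldap::server::overlay { "memberof on ${database}": ensure => present }
  # -> openldap::server::overlay { "syncprov on ${database}": ensure => present }
  # -> openldap::server::overlay { "smbk5pwd on ${database}": ensure => present }

  # FIXME(security): the access rules in $acls are never declared, so none of
  # the restrictions above (userPassword hidden, anonymous limited to
  # entry/objectClass/uid) is enforced by this class. Re-enable once the
  # resource titles match the installed openldap module:
  # $acls.each |Integer $i, String $acl| {
  #   openldap::server::access { "{${i}}${acl}":
  #     ensure => present,
  #     suffix => $database,
  #   }
  # }

  # Indexes, also not applied at the moment:
  # openldap::server::dbindex { 'uid pres,eq':      ensure => present, suffix => $database }
  # openldap::server::dbindex { 'sn eq,approx,sub': ensure => present, suffix => $database }
}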