A puppet module to configure our OpenLDAP servers
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

393 lines
9.0 KiB

#x
class wmdeit_ldap (
$log_level = 0,
$configdn,
$configpw,
$syncrepl_providers = [
],
$database,
$rootdn,
$rootpw,
$starttls = "no",
$serverid,
$simple_bind_tls = "128",
$schema_path = '/etc/ldap/schema',
$schema = [
"core",
"cosine",
"inetorgperson",
# "nis",
"rfc2307bis",
"krb5-kdc",
"samba",
"ppolicy",
# "samba",
# "nis",
# "rfc2307bis",
# "solaris",
# "dnszone",
# "univention",
# "univention-objecttype",
# "krb5-kdc",
# "directory",
# "policy",
# "msgpo",
# "dhcp",
# "univention-dhcp",
# "mail",
# "automount",
# "user",
# "self-service-passwordreset",
# "univention-saml",
# "univention-virtual-machine-manager",
# "nagios",
# "share",
# "network",
# "portal",
# "univention-default",
# "univention-app",
# "univention-object-metadata",
# "univention-ldap-extension",
# "license",
# "ppolicy",
# "template",
# "lock",
# "udm-extension",
# "custom-attribute",
# "univention-syntax",
# "openssh",
# "nextcloud",
# "openproject",
# "networkaccess",
],
$ssldir = "/etc/ldap/ssl",
$acl = {
# Super access to local root user
'0 to *' => [
'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
'by * break',
],
# Admin rights for members of Admin group
'1 to *' => [
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
'by * break'
],
# System rights for members of Adm group
'2 to *' => [
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
'by * break'
],
# System rights for members of Adm group
'3 to *' => [
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
'by * break'
],
# let users modify their passwords, and disable read acess to all others
'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
# '4 to attrs=userPassword' => [
"by self write",
"by anonymous auth",
"by * none",
],
# let users read all
'5 to attr=entry,objectClass,givenName,cn,displayName' => [
"by anonymous break",
"by * read",
],
# let anonymous users list uids
"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
"by anonymous read",
"by * break",
],
# deny access to anything else
'7 to *' => [
"by * none",
]
},
){
$clientcert = $facts[clientcert]
$pubcert = "$ssldir/cert.pem"
$privkey = "$ssldir/priv.pem"
$cacert = "$ssldir/ca.pem"
# required modules
openldap::server::module { 'back_mdb':
ensure => present
} ->
openldap::server::module { 'memberof':
ensure => present,
} ->
openldap::server::module { 'syncprov':
ensure => present,
}
# openldap::server::module { 'ppolicy':
# ensure => absent,
# }
package { "heimdal-kdc":
ensure => installed,
}->
package {"slapd-smbk5pwd":
ensure => installed,
} ->
openldap::server::module { 'smbk5pwd':
ensure => present,
}
class { 'openldap::server':
ssl_ca => "$cacert",
ssl_cert => "$pubcert",
ssl_key => "$privkey",
ldaps_ifs => ['/'],
}
# delete all schema and databases created by default during installation
# This is some kind of a dirty hack because we use
# in "before =>" and "require =>" some internal classes of module openldap
exec { 'wmdemanaged':
before => Class['::openldap::server::config'],
require => Class['::openldap::server::install'],
creates => "/etc/ldap/wmde.managed",
command => @(CMD/L),
/usr/sbin/service slapd stop &&
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
/usr/sbin/service slapd start &&
touch /etc/ldap/wmde.managed
| CMD
}
# SSL stuff ... copy CA cert and keys used by puppet agent to
# a separate directory and make them accesible by openldap
file { "$ssldir":
ensure => directory,
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$cacert": # copy CA cert
ensure => file,
source => "/var/lib/puppet/ssl/certs/ca.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$pubcert": # copy public key
ensure => file,
source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
} ->
file { "$privkey": # copy private key
ensure => file,
source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
owner => "openldap",
group => "openldap",
mode => "0600",
}
# openldap::server::globalconf { 'TLSCACertificateFile':
# ensure => present,
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
# }
# openldap::server::globalconf { 'TLSCertificateKeyFile':
# ensure => present,
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
# }
# openldap::server::globalconf { 'TLSCertificateFile':
# ensure => present,
# value => "$ssldir/pubkey.pem"
# }
openldap::server::globalconf { 'LogLevel':
ensure => present,
value => { "LogLevel"=>"$log_level" }
}
openldap::server::globalconf { 'Security':
ensure => present,
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
}
# add schemas
$schema.each | $s | {
$ensure = present
file { "$schema_path/$s.schema":
ensure => file,
content => file ("wmdeit_ldap/schema/$s.schema"),
}->
openldap::server::schema { "$s":
ensure => $ensure,
path => "$schema_path/$s.schema",
}
}
openldap::server::globalconf { 'ServerID':
ensure => present,
value => { "ServerID"=>"$serverid" }
}
# ensure config database is present and dn and pw are set
openldap::server::database { 'cn=config':
ensure => present,
backend => config,
rootdn => $configdn,
rootpw => $configpw
}
# class { 'java':
# distribution => 'jre',
# version => "8"
# }
#
# openldap::server::globalconf { 'TLSVerifyClient':
# ensure => present,
# value => { "TLSVerifyClient"=>"never" }
# }
# Build list of syncrepl-entries, store it in $syncrepl
if !empty ($syncrepl_providers) {
$mirrormode=true
$syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
$i = $index+1
"rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
}
$syncrepl_providers.each |Integer $index, $provider| {
if $provider[ip] {
host{"host_$index":
name => $provider[host],
ip => $provider[ip],
ensure => present,
}
}
}
}
# create the main database
openldap::server::database { "$database":
backend => mdb,
ensure => present,
rootdn => $rootdn,
rootpw => $rootpw,
syncrepl => $syncrepl,
mirrormode => $mirrormode,
}
->
openldap::server::overlay { "memberof on $database":
ensure => present,
options => {
'olcMemberOfGroupOC' => 'groupOfMembers'
}
}
->
openldap::server::overlay { "syncprov on $database":
ensure => present,
}
->
# openldap::server::overlay { "smbk5pwd on $database":
# ensure => present,
# }
# openldap::server::overlay { "ppolicy on $database":
# ensure => absent,
# }
# $acls.each |Integer $i, $acl | {
# notify{"Set ACL $i $acl":}
# openldap::server::access { "{$i}$acl":
# openldap::server::access { "$i on $database":
# suffix => "$database",
# ensure => present,
# access => $acl['access'],
# what => $acl['to'],
# }
# }
#
openldap::server::access_wrapper { $database :
acl => $acl,
}
#'''''##################################################################################################
#
#
# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database':
# suffix => "$database",
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
# ensure => present,
# }
#
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
# suffix => "$database",
# ensure => present,
# }
#
# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
# suffix => "$database",
# ensure => present,
## }
# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
# suffix => "$database",
## ensure => present,
# }
# openldap::server::access { '{4}to dn.base="" by * read':
# suffix => "$database",
# ensure => present,
# }
#
# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
# suffix => "$database",
# ensure => present,
# }
#
# openldap::server::dbindex { 'uid pres,eq':
# ensure => present,
# suffix => "$database",
# }
# openldap::server::dbindex { 'sn eq,approx,sub':
# ensure => present,
# suffix => "$database",
# }
}