394 lines
9.0 KiB
Puppet
394 lines
9.0 KiB
Puppet
#x
|
|
|
|
class wmdeit_ldap (
|
|
$log_level = 0,
|
|
|
|
$configdn,
|
|
$configpw,
|
|
$syncrepl_providers = [
|
|
],
|
|
|
|
$database,
|
|
$rootdn,
|
|
$rootpw,
|
|
$starttls = "no",
|
|
|
|
$serverid,
|
|
$simple_bind_tls = "128",
|
|
|
|
$schema_path = '/etc/ldap/schema',
|
|
|
|
$schema = [
|
|
"core",
|
|
"cosine",
|
|
"inetorgperson",
|
|
# "nis",
|
|
"rfc2307bis",
|
|
"krb5-kdc",
|
|
"samba",
|
|
"ppolicy",
|
|
|
|
# "samba",
|
|
# "nis",
|
|
# "rfc2307bis",
|
|
# "solaris",
|
|
# "dnszone",
|
|
# "univention",
|
|
# "univention-objecttype",
|
|
# "krb5-kdc",
|
|
# "directory",
|
|
# "policy",
|
|
# "msgpo",
|
|
# "dhcp",
|
|
# "univention-dhcp",
|
|
# "mail",
|
|
# "automount",
|
|
# "user",
|
|
# "self-service-passwordreset",
|
|
# "univention-saml",
|
|
# "univention-virtual-machine-manager",
|
|
# "nagios",
|
|
# "share",
|
|
# "network",
|
|
# "portal",
|
|
# "univention-default",
|
|
# "univention-app",
|
|
# "univention-object-metadata",
|
|
# "univention-ldap-extension",
|
|
# "license",
|
|
# "ppolicy",
|
|
# "template",
|
|
# "lock",
|
|
# "udm-extension",
|
|
# "custom-attribute",
|
|
# "univention-syntax",
|
|
# "openssh",
|
|
# "nextcloud",
|
|
# "openproject",
|
|
# "networkaccess",
|
|
|
|
],
|
|
$ssldir = "/etc/ldap/ssl",
|
|
|
|
$acl = {
|
|
# Super access to local root user
|
|
'0 to *' => [
|
|
'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
|
|
'by * break',
|
|
],
|
|
# Admin rights for members of Admin group
|
|
'1 to *' => [
|
|
"by set=\"user & [cn=Administrators,ou=Groups,$database]/member\" write",
|
|
'by * break'
|
|
],
|
|
# System rights for members of Adm group
|
|
'2 to *' => [
|
|
"by set=\"user & [cn=Adm,ou=Groups,ou=System,$database]/member\" write",
|
|
'by * break'
|
|
],
|
|
# System rights for members of Adm group
|
|
'3 to *' => [
|
|
"by set=\"user & [cn=ReadOnlyAdm,ou=Groups,ou=System,$database]/member\" read",
|
|
'by * break'
|
|
],
|
|
|
|
# let users modify their passwords, and disable read acess to all others
|
|
'4 to attrs=userPassword filter=(!(memberof=cn=NOLOGIN,ou=Groups,dc=wikimedia,dc=de))' => [
|
|
# '4 to attrs=userPassword' => [
|
|
"by self write",
|
|
"by anonymous auth",
|
|
"by * none",
|
|
],
|
|
# let users read all
|
|
'5 to attr=entry,objectClass,givenName,cn,displayName' => [
|
|
"by anonymous break",
|
|
"by * read",
|
|
],
|
|
# let anonymous users list uids
|
|
"6 to dn.subtree=\"$database\" attrs=entry,objectClass,uid" => [
|
|
"by anonymous read",
|
|
"by * break",
|
|
],
|
|
# deny access to anything else
|
|
'7 to *' => [
|
|
"by * none",
|
|
]
|
|
|
|
},
|
|
|
|
){
|
|
$clientcert = $facts[clientcert]
|
|
|
|
$pubcert = "$ssldir/cert.pem"
|
|
$privkey = "$ssldir/priv.pem"
|
|
$cacert = "$ssldir/ca.pem"
|
|
|
|
|
|
# required modules
|
|
openldap::server::module { 'back_mdb':
|
|
ensure => present
|
|
} ->
|
|
openldap::server::module { 'memberof':
|
|
ensure => present,
|
|
} ->
|
|
openldap::server::module { 'syncprov':
|
|
ensure => present,
|
|
}
|
|
# openldap::server::module { 'ppolicy':
|
|
# ensure => absent,
|
|
# }
|
|
|
|
|
|
|
|
package { "heimdal-kdc":
|
|
ensure => installed,
|
|
}->
|
|
package {"slapd-smbk5pwd":
|
|
ensure => installed,
|
|
} ->
|
|
openldap::server::module { 'smbk5pwd':
|
|
ensure => present,
|
|
}
|
|
|
|
class { 'openldap::server':
|
|
ssl_ca => "$cacert",
|
|
ssl_cert => "$pubcert",
|
|
ssl_key => "$privkey",
|
|
ldaps_ifs => ['/'],
|
|
}
|
|
|
|
# delete all schema and databases created by default during installation
|
|
# This is some kind of a dirty hack because we use
|
|
# in "before =>" and "require =>" some internal classes of module openldap
|
|
exec { 'wmdemanaged':
|
|
before => Class['::openldap::server::config'],
|
|
require => Class['::openldap::server::install'],
|
|
|
|
creates => "/etc/ldap/wmde.managed",
|
|
command => @(CMD/L),
|
|
/usr/sbin/service slapd stop &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
|
|
/usr/sbin/service slapd start &&
|
|
touch /etc/ldap/wmde.managed
|
|
| CMD
|
|
}
|
|
|
|
|
|
# SSL stuff ... copy CA cert and keys used by puppet agent to
|
|
# a separate directory and make them accesible by openldap
|
|
file { "$ssldir":
|
|
ensure => directory,
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$cacert": # copy CA cert
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/ca.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$pubcert": # copy public key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$privkey": # copy private key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
}
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSCACertificateFile':
|
|
# ensure => present,
|
|
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
|
# }
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
|
# ensure => present,
|
|
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
|
# }
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateFile':
|
|
# ensure => present,
|
|
# value => "$ssldir/pubkey.pem"
|
|
# }
|
|
|
|
openldap::server::globalconf { 'LogLevel':
|
|
ensure => present,
|
|
value => { "LogLevel"=>"$log_level" }
|
|
}
|
|
|
|
|
|
|
|
openldap::server::globalconf { 'Security':
|
|
ensure => present,
|
|
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
|
|
}
|
|
|
|
|
|
# add schemas
|
|
$schema.each | $s | {
|
|
$ensure = present
|
|
file { "$schema_path/$s.schema":
|
|
ensure => file,
|
|
content => file ("wmdeit_ldap/schema/$s.schema"),
|
|
|
|
}->
|
|
openldap::server::schema { "$s":
|
|
ensure => $ensure,
|
|
path => "$schema_path/$s.schema",
|
|
}
|
|
}
|
|
|
|
openldap::server::globalconf { 'ServerID':
|
|
ensure => present,
|
|
value => { "ServerID"=>"$serverid" }
|
|
}
|
|
# ensure config database is present and dn and pw are set
|
|
openldap::server::database { 'cn=config':
|
|
ensure => present,
|
|
backend => config,
|
|
rootdn => $configdn,
|
|
rootpw => $configpw
|
|
}
|
|
|
|
|
|
# class { 'java':
|
|
# distribution => 'jre',
|
|
# version => "8"
|
|
# }
|
|
#
|
|
|
|
# openldap::server::globalconf { 'TLSVerifyClient':
|
|
# ensure => present,
|
|
# value => { "TLSVerifyClient"=>"never" }
|
|
# }
|
|
|
|
|
|
|
|
# Build list of syncrepl-entries, store it in $syncrepl
|
|
if !empty ($syncrepl_providers) {
|
|
$mirrormode=true
|
|
$syncrepl = $syncrepl_providers.map |Integer $index, $provider| {
|
|
$i = $index+1
|
|
"rid=00$i provider=${provider[proto]}://${provider[host]}:${provider[port]} binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" scope=sub attrs=\"*,+\" filter=\"(objectClass=*)\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=$starttls retry=\"3 60 6 300 30 +\" timeout=1"
|
|
}
|
|
$syncrepl_providers.each |Integer $index, $provider| {
|
|
if $provider[ip] {
|
|
host{"host_$index":
|
|
name => $provider[host],
|
|
ip => $provider[ip],
|
|
ensure => present,
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
# create the main database
|
|
openldap::server::database { "$database":
|
|
backend => mdb,
|
|
ensure => present,
|
|
rootdn => $rootdn,
|
|
rootpw => $rootpw,
|
|
syncrepl => $syncrepl,
|
|
mirrormode => $mirrormode,
|
|
}
|
|
->
|
|
openldap::server::overlay { "memberof on $database":
|
|
ensure => present,
|
|
options => {
|
|
'olcMemberOfGroupOC' => 'groupOfMembers'
|
|
}
|
|
}
|
|
->
|
|
openldap::server::overlay { "syncprov on $database":
|
|
ensure => present,
|
|
}
|
|
->
|
|
# openldap::server::overlay { "smbk5pwd on $database":
|
|
# ensure => present,
|
|
# }
|
|
|
|
# openldap::server::overlay { "ppolicy on $database":
|
|
# ensure => absent,
|
|
# }
|
|
|
|
|
|
# $acls.each |Integer $i, $acl | {
|
|
# notify{"Set ACL $i $acl":}
|
|
# openldap::server::access { "{$i}$acl":
|
|
# openldap::server::access { "$i on $database":
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# access => $acl['access'],
|
|
# what => $acl['to'],
|
|
# }
|
|
# }
|
|
#
|
|
|
|
openldap::server::access_wrapper { $database :
|
|
acl => $acl,
|
|
}
|
|
|
|
|
|
|
|
#'''''##################################################################################################
|
|
#
|
|
#
|
|
|
|
# openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break on $database':
|
|
# suffix => "$database",
|
|
# access => '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
## }
|
|
|
|
# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
|
|
# suffix => "$database",
|
|
## ensure => present,
|
|
# }
|
|
|
|
# openldap::server::access { '{4}to dn.base="" by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::dbindex { 'uid pres,eq':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
# openldap::server::dbindex { 'sn eq,approx,sub':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
|
|
|
|
|
|
}
|
|
|
|
|