304 lines
6.8 KiB
Puppet
304 lines
6.8 KiB
Puppet
#x
|
|
|
|
class wmdeit_ldap (
|
|
$log_level = 0,
|
|
|
|
$configdn = 'cn=admin,cn=config',
|
|
$configpw = '123',
|
|
$syncrepl_providers = [
|
|
],
|
|
|
|
$database = "dc=wikimedia,dc=de",
|
|
$rootdn = "cn=admin,dc=wikimedia,dc=de",
|
|
$rootpw = "123",
|
|
|
|
$serverid,
|
|
$simple_bind_tls = "128",
|
|
|
|
$schema_path = '/etc/ldap/schema',
|
|
$schema = [
|
|
"samba",
|
|
# "nis",
|
|
# "rfc2307bis",
|
|
# "solaris",
|
|
"dnszone",
|
|
"univention",
|
|
"univention-objecttype",
|
|
"krb5-kdc",
|
|
"directory",
|
|
"policy",
|
|
"msgpo",
|
|
"dhcp",
|
|
"univention-dhcp",
|
|
"mail",
|
|
# "automount",
|
|
"user",
|
|
"self-service-passwordreset",
|
|
"univention-saml",
|
|
"univention-virtual-machine-manager",
|
|
"nagios",
|
|
"share",
|
|
"network",
|
|
"portal",
|
|
"univention-default",
|
|
"univention-app",
|
|
"univention-object-metadata",
|
|
"univention-ldap-extension",
|
|
"license",
|
|
"ppolicy",
|
|
"template",
|
|
"lock",
|
|
"udm-extension",
|
|
"custom-attribute",
|
|
"univention-syntax",
|
|
"openssh",
|
|
# "nextcloud",
|
|
# "openproject",
|
|
# "networkaccess",
|
|
|
|
],
|
|
$ssldir = "/etc/ldap/ssl",
|
|
|
|
$acls = [
|
|
# grant accces to domain admins
|
|
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
# super acces to local root user
|
|
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
|
|
|
# let users modify their passwords
|
|
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
|
|
|
|
|
'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
|
|
|
'to * by anonymous none by * break',
|
|
|
|
'to dn.base="" by * read',
|
|
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
|
]
|
|
|
|
){
|
|
$clientcert = $facts[clientcert]
|
|
|
|
$pubcert = "$ssldir/cert.pem"
|
|
$privkey = "$ssldir/priv.pem"
|
|
$cacert = "$ssldir/ca.pem"
|
|
|
|
class { 'openldap::server':
|
|
ssl_ca => "$cacert",
|
|
ssl_cert => "$pubcert",
|
|
ssl_key => "$privkey",
|
|
ldaps_ifs => ['/'],
|
|
}
|
|
|
|
file { "/etc/ldap":
|
|
ensure => directory
|
|
} ->
|
|
|
|
# SSL stuff ... copy CA cert and keys used by puppet agent to
|
|
# a separate directory and make them accesible by openldap
|
|
file { "$ssldir":
|
|
ensure => directory,
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$cacert": # copy CA cert
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/ca.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$pubcert": # copy public key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$privkey": # copy private key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
}
|
|
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSCACertificateFile':
|
|
# ensure => present,
|
|
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
|
# }
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
|
# ensure => present,
|
|
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
|
# }
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateFile':
|
|
# ensure => present,
|
|
# value => "$ssldir/pubkey.pem"
|
|
# }
|
|
|
|
openldap::server::globalconf { 'LogLevel':
|
|
ensure => present,
|
|
value => { "LogLevel"=>"$log_level" }
|
|
}
|
|
|
|
|
|
|
|
openldap::server::globalconf { 'Security':
|
|
ensure => present,
|
|
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
|
|
}
|
|
|
|
# openldap::server::schema{"nis":
|
|
# ensure => absent
|
|
|
|
# }
|
|
|
|
|
|
# add schemas
|
|
$schema.each | $s | {
|
|
|
|
file { "$schema_path/$s.schema":
|
|
ensure => file,
|
|
content => file ("wmdeit_ldap/schema/$s.schema"),
|
|
|
|
}->
|
|
openldap::server::schema { "$s":
|
|
ensure => present,
|
|
path => "$schema_path/$s.schema",
|
|
}
|
|
}
|
|
|
|
|
|
openldap::server::module { 'memberof':
|
|
ensure => present,
|
|
}
|
|
openldap::server::module { 'syncprov':
|
|
ensure => present,
|
|
}
|
|
|
|
package { "heimdal-kdc":
|
|
ensure => installed,
|
|
}->
|
|
package {"slapd-smbk5pwd":
|
|
ensure => installed,
|
|
} ->
|
|
openldap::server::module { 'smbk5pwd':
|
|
ensure => present,
|
|
}
|
|
|
|
openldap::server::globalconf { 'ServerID':
|
|
ensure => present,
|
|
value => { "ServerID"=>"$serverid" }
|
|
}
|
|
|
|
openldap::server::globalconf { 'TLSVerifyClient':
|
|
ensure => present,
|
|
value => { "TLSVerifyClient"=>"never" }
|
|
}
|
|
|
|
|
|
# ensure config database is present and dn and pw are set
|
|
openldap::server::database { 'cn=config':
|
|
ensure => present,
|
|
backend => config,
|
|
rootdn => $configdn,
|
|
rootpw => $configpw
|
|
}
|
|
|
|
|
|
# Build list of syncrepl-entries, store it in $syncrepl
|
|
if !empty ($syncrepl_providers) {
|
|
$mirrormode=true
|
|
$syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
|
$i = $index+1
|
|
"rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# create the main database
|
|
openldap::server::database { "$database":
|
|
ensure => present,
|
|
rootdn => $rootdn,
|
|
rootpw => $rootpw,
|
|
syncrepl => $syncrepl,
|
|
mirrormode => $mirrormode,
|
|
} ->
|
|
openldap::server::overlay { "memberof on $database":
|
|
ensure => present,
|
|
} ->
|
|
openldap::server::overlay { "syncprov on $database":
|
|
ensure => present,
|
|
} ->
|
|
openldap::server::overlay { "smbk5pwd on $database":
|
|
ensure => present,
|
|
}
|
|
|
|
|
|
|
|
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
|
|
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
## }
|
|
|
|
# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
|
|
# suffix => "$database",
|
|
## ensure => present,
|
|
# }
|
|
|
|
# openldap::server::access { '{4}to dn.base="" by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
$acls.each |Integer $i, String $acl | {
|
|
|
|
# notify {"$i -> $acl":}
|
|
|
|
openldap::server::access { "{$i}$acl":
|
|
suffix => "$database",
|
|
ensure => present,
|
|
}
|
|
|
|
}
|
|
|
|
# openldap::server::dbindex { 'uid pres,eq':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
# openldap::server::dbindex { 'sn eq,approx,sub':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
|
|
|
|
|
|
}
|
|
|
|
|