365 lines
8.4 KiB
Puppet
365 lines
8.4 KiB
Puppet
#x
|
|
|
|
class wmdeit_ldap (
|
|
$log_level = 0,
|
|
|
|
$configdn = 'cn=admin,cn=config',
|
|
$configpw = '123',
|
|
$syncrepl_providers = [
|
|
],
|
|
|
|
$database = "dc=wikimedia,dc=de",
|
|
$rootdn = "cn=admin,dc=wikimedia,dc=de",
|
|
$rootpw = "123",
|
|
|
|
$serverid,
|
|
$simple_bind_tls = "128",
|
|
|
|
$schema_path = '/etc/ldap/schema',
|
|
|
|
$schema = [
|
|
"core",
|
|
"cosine",
|
|
"inetorgperson",
|
|
# "nis",
|
|
"rfc2307bis",
|
|
"krb5-kdc",
|
|
"samba",
|
|
|
|
# "samba",
|
|
# "nis",
|
|
# "rfc2307bis",
|
|
# "solaris",
|
|
# "dnszone",
|
|
# "univention",
|
|
# "univention-objecttype",
|
|
# "krb5-kdc",
|
|
# "directory",
|
|
# "policy",
|
|
# "msgpo",
|
|
# "dhcp",
|
|
# "univention-dhcp",
|
|
# "mail",
|
|
# "automount",
|
|
# "user",
|
|
# "self-service-passwordreset",
|
|
# "univention-saml",
|
|
# "univention-virtual-machine-manager",
|
|
# "nagios",
|
|
# "share",
|
|
# "network",
|
|
# "portal",
|
|
# "univention-default",
|
|
# "univention-app",
|
|
# "univention-object-metadata",
|
|
# "univention-ldap-extension",
|
|
# "license",
|
|
# "ppolicy",
|
|
# "template",
|
|
# "lock",
|
|
# "udm-extension",
|
|
# "custom-attribute",
|
|
# "univention-syntax",
|
|
# "openssh",
|
|
# "nextcloud",
|
|
# "openproject",
|
|
# "networkaccess",
|
|
|
|
],
|
|
$ssldir = "/etc/ldap/ssl",
|
|
|
|
$acls = [
|
|
# grant accces to domain admins
|
|
'to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
'to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break',
|
|
|
|
# super acces to local root user
|
|
'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
|
|
|
|
# let users modify their passwords
|
|
'to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none',
|
|
|
|
|
|
'to attrs=entry,children,objectClass,uid by anonymous read by * break',
|
|
|
|
'to * by anonymous none by * break',
|
|
|
|
'to dn.base="" by * read',
|
|
'to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read',
|
|
]
|
|
|
|
){
|
|
$clientcert = $facts[clientcert]
|
|
|
|
$pubcert = "$ssldir/cert.pem"
|
|
$privkey = "$ssldir/priv.pem"
|
|
$cacert = "$ssldir/ca.pem"
|
|
|
|
|
|
# required modules
|
|
openldap::server::module { 'back_mdb':
|
|
ensure => present
|
|
} ->
|
|
openldap::server::module { 'memberof':
|
|
ensure => present,
|
|
} ->
|
|
openldap::server::module { 'syncprov':
|
|
ensure => present,
|
|
}
|
|
|
|
|
|
package { "heimdal-kdc":
|
|
ensure => installed,
|
|
}->
|
|
package {"slapd-smbk5pwd":
|
|
ensure => installed,
|
|
} ->
|
|
openldap::server::module { 'smbk5pwd':
|
|
ensure => present,
|
|
}
|
|
|
|
|
|
class { 'openldap::server':
|
|
ssl_ca => "$cacert",
|
|
ssl_cert => "$pubcert",
|
|
ssl_key => "$privkey",
|
|
ldaps_ifs => ['/'],
|
|
}
|
|
|
|
# delete all schema and databases created by default during installation
|
|
# This is some kind of a dirty hack because we use
|
|
# in before => and irequire => some internal classes of module openldap
|
|
exec { 'wmdemanaged':
|
|
before => Class['::openldap::server::config'],
|
|
require => Class['::openldap::server::install'],
|
|
|
|
creates => "/etc/ldap/wmde.managed",
|
|
command => @(CMD/L),
|
|
/sbin/service slapd stop &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema' &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/cn=schema.ldif' &&
|
|
rm -rf '/etc/ldap/slapd.d/cn=config/olcDatabase={1}mdb.ldif' &&
|
|
/sbin/service slapd start &&
|
|
touch /etc/ldap/wmde.managed
|
|
| CMD
|
|
}
|
|
|
|
|
|
# SSL stuff ... copy CA cert and keys used by puppet agent to
|
|
# a separate directory and make them accesible by openldap
|
|
file { "$ssldir":
|
|
ensure => directory,
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$cacert": # copy CA cert
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/ca.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$pubcert": # copy public key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/certs/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
} ->
|
|
file { "$privkey": # copy private key
|
|
ensure => file,
|
|
source => "/var/lib/puppet/ssl/private_keys/$clientcert.pem",
|
|
owner => "openldap",
|
|
group => "openldap",
|
|
mode => "0600",
|
|
}
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSCACertificateFile':
|
|
# ensure => present,
|
|
# value => { "TLSCACertificateFile"=>"$ssldir/ca.pem" }
|
|
# }
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateKeyFile':
|
|
# ensure => present,
|
|
# value => { "TLSCertificateKeyFile"=>"$ssldir/privkey.pem" }
|
|
# }
|
|
|
|
# openldap::server::globalconf { 'TLSCertificateFile':
|
|
# ensure => present,
|
|
# value => "$ssldir/pubkey.pem"
|
|
# }
|
|
|
|
openldap::server::globalconf { 'LogLevel':
|
|
ensure => present,
|
|
value => { "LogLevel"=>"$log_level" }
|
|
}
|
|
|
|
|
|
|
|
openldap::server::globalconf { 'Security':
|
|
ensure => present,
|
|
value => { 'Security' => [ "simple_bind=$simple_bind_tls", 'ssf=0', "tls=0" ] },
|
|
}
|
|
|
|
|
|
# add schemas
|
|
$schema.each | $s | {
|
|
$ensure = present
|
|
file { "$schema_path/$s.schema":
|
|
ensure => file,
|
|
content => file ("wmdeit_ldap/schema/$s.schema"),
|
|
|
|
}->
|
|
openldap::server::schema { "$s":
|
|
ensure => $ensure,
|
|
path => "$schema_path/$s.schema",
|
|
}
|
|
}
|
|
|
|
openldap::server::globalconf { 'ServerID':
|
|
ensure => present,
|
|
value => { "ServerID"=>"$serverid" }
|
|
}
|
|
# ensure config database is present and dn and pw are set
|
|
openldap::server::database { 'cn=config':
|
|
ensure => present,
|
|
backend => config,
|
|
rootdn => $configdn,
|
|
rootpw => $configpw
|
|
}
|
|
|
|
|
|
# class { 'java':
|
|
# distribution => 'jre',
|
|
# version => "8"
|
|
# }
|
|
#
|
|
$java_home = "/usr/lib/jvm/jdk8u202-b08-jre"
|
|
|
|
java::adopt { 'jdk8' :
|
|
ensure => 'present',
|
|
version => '8',
|
|
java => 'jre',
|
|
} ->
|
|
apt::source { 'lsc':
|
|
location => 'http://lsc-project.org/debian',
|
|
repos => 'main',
|
|
release => 'lsc',
|
|
key => {
|
|
id => "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5",
|
|
source => "https://ltb-project.org/lib/RPM-GPG-KEY-LTB-project",
|
|
}
|
|
} ->
|
|
package {"lsc":
|
|
ensure => installed
|
|
} ->
|
|
file {"/etc/default/lsc":
|
|
ensure => file,
|
|
content => template("wmdeit_ldap/lsc.erb")
|
|
} ->
|
|
file {"/etc/lsc/lsc.xml":
|
|
ensure => file,
|
|
content => template("wmdeit_ldap/lsc.xml.erb")
|
|
} ->
|
|
service {"lsc":
|
|
ensure => running,
|
|
subscribe => File["/etc/lsc/lsc.xml"],
|
|
}
|
|
|
|
|
|
|
|
# openldap::server::globalconf { 'TLSVerifyClient':
|
|
# ensure => present,
|
|
# value => { "TLSVerifyClient"=>"never" }
|
|
# }
|
|
|
|
|
|
|
|
# Build list of syncrepl-entries, store it in $syncrepl
|
|
# if !empty ($syncrepl_providers) {
|
|
# $mirrormode=true
|
|
# $syncrepl = $syncrepl_providers.map |Integer $index, String $provider| {
|
|
# $i = $index+1
|
|
# "rid=00$i provider=$provider binddn=\"$rootdn\" bindmethod=simple credentials=$rootpw searchbase=\"$database\" type=refreshAndPersist tls_cacert=$cacert tls_key=$privkey tls_cert=$pubcert starttls=yes retry=\"3 60 6 300 30 +\"" #timeout=1"
|
|
# }
|
|
# }
|
|
|
|
|
|
# create the main database
|
|
openldap::server::database { "$database":
|
|
backend => mdb,
|
|
ensure => present,
|
|
rootdn => $rootdn,
|
|
rootpw => $rootpw,
|
|
# syncrepl => $syncrepl,
|
|
mirrormode => $mirrormode,
|
|
} #->
|
|
# openldap::server::overlay { "memberof on $database":
|
|
# ensure => present,
|
|
# } ->
|
|
# openldap::server::overlay { "syncprov on $database":
|
|
# ensure => present,
|
|
# } ->
|
|
# openldap::server::overlay { "smbk5pwd on $database":
|
|
# ensure => present,
|
|
# }
|
|
|
|
# $acls.each |Integer $i, String $acl | {
|
|
# openldap::server::access { "{$i}$acl":
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
# }
|
|
|
|
#'''''##################################################################################################
|
|
#
|
|
#
|
|
|
|
## openldap::server::access { '{0}to * by set="user/uid & [cn=Domain Admins,cn=groups,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
|
|
# openldap::server::access { '{1}to * by set="user/uid & [cn=Administrators,cn=Builtin,dc=wikimedia,dc=de]/memberUid" write by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{2}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
## }
|
|
|
|
# openldap::server::access { '{3}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=wikimedia,dc=de" write by * none':
|
|
# suffix => "$database",
|
|
## ensure => present,
|
|
# }
|
|
|
|
# openldap::server::access { '{4}to dn.base="" by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::access { '{5}to * by self write by dn="cn=admin,dc=wikimedia,dc=de" write by * read':
|
|
# suffix => "$database",
|
|
# ensure => present,
|
|
# }
|
|
#
|
|
# openldap::server::dbindex { 'uid pres,eq':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
# openldap::server::dbindex { 'sn eq,approx,sub':
|
|
# ensure => present,
|
|
# suffix => "$database",
|
|
# }
|
|
|
|
|
|
|
|
}
|
|
|
|
|