feat: manage openldap

- add modules, overlays, acccess rules, schemas
- manage syncrepl
- manage selinux

Puppetfile

@@ -18,6 +18,7 @@ mod 'puppetlabs-xinetd', '3.4.1'
 mod 'puppetlabs-haproxy', '8.0.0'
 mod 'puppetlabs-java', '10.1.2'
 mod 'puppetlabs-reboot', '5.0.0'
+mod 'puppetlabs-augeas_core', '1.5.0'
 
 # puppet
 mod 'puppet-python', '7.0.0'
@@ -38,6 +39,9 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
+mod 'puppet-openldap', '8.0.0'
+mod 'puppet-augeasproviders_shellvar', '6.0.1'
+mod 'puppet-augeasproviders_core', '4.1.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'

hieradata/roles/infra/auth/openldap.eyaml

@@ -0,0 +1,2 @@
+---
+profiles::openldap::params::rootpw: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAMPu8Asw6L7+k8SRXbPqw62B3ldiE5f2CaDSQbhrOc2u2ULdKvOVpWZnr5cKekl4L8un3zRCiNgY7IG008011jh7oXtTqEGJB2hD/ANHlRawoduft798rRKkDuFqET1rw+komuM7ACJsxXGPO9jB7HjycoJHr4+2yV4o3DlazR0+Ha8kPs8U4C/G/UEWQYOsrP964UZ2CgsHSdozgWj304fVJZ/fWqfOSgipKi2GjNK+TD7g9H12ouGaOjTeOsFBo33QWrikYi6MBFE42p3BLoaBX6Gk6KBzmkhYT7Hyvc/ASP65MpDbXffKp2kcqq++VIb7WhsRydaudRP9wyEJOjzBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBVYwJ47CXR2LGgbZOOrd7cgDBCgqTmI4Y5G7x8ZNxEm9WzVY1E7SiKrSnKWF3ntekOhL8ABOk8Y0uODE2HYE+jkJw=]

hieradata/roles/infra/auth/openldap.yaml

@@ -0,0 +1,22 @@
+---
+# additional altnames
+profiles::pki::vault::alt_names:
+  - ldap.main.unkin.net
+  - ldap.service.consul
+  - ldap.query.consul
+  - "ldap.service.%{facts.country}-%{facts.region}.consul"
+
+openldap::server::manage_epel: false
+profiles::openldap::params::data_path: '/data/ldap/main.unkin.net'
+profiles::openldap::params::database: 'dc=main,dc=unkin,dc=net'
+profiles::openldap::params::rootdn: "cn=admin,%{hiera('profiles::openldap::params::database')}"
+profiles::openldap::params::ldap_server:
+  - rid: 1
+    provider: ldap://ausyd1nxvm1044.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"
+  - rid: 2
+    provider: ldap://ausyd1nxvm1045.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"
+  - rid: 3
+    provider: ldap://ausyd1nxvm1046.main.unkin.net
+    searchbase: "%{hiera('profiles::openldap::params::database')}"

site/profiles/manifests/openldap/params.pp

@@ -0,0 +1,17 @@
+# profiles::openldap::params
+class profiles::openldap::params (
+  String      $rootdn,
+  String      $rootpw,
+  String      $database = 'dc=domain,dc=tld',
+  Array[Hash] $syncrepl = [],
+  Boolean     $multiprovider = true,
+  Stdlib::Absolutepath $data_path = '/opt/ldap',
+  Stdlib::Absolutepath $ssl_cert = '/etc/pki/tls/vault/certificate.crt',
+  Stdlib::Absolutepath $ssl_key  = '/etc/pki/tls/vault/private.key',
+  Stdlib::Absolutepath $ssl_ca   = '/etc/pki/ca-trust/source/anchors/vaultcaroot.pem',
+  Stdlib::Absolutepath $db_config_path = "${data_path}/DB_CONFIG",
+  String      $cache_size_gb = '1G',
+  String      $log_buffer_size_mb = '8M',
+  String      $log_max_size_mb = '100M',
+  Stdlib::Absolutepath $log_dir = '/var/lib/ldap/logs',
+){}

site/profiles/manifests/openldap/server.pp

@@ -0,0 +1,183 @@
+# profiles::openldap::init
+class profiles::openldap::server (
+  $database       = $profiles::openldap::params::database,
+  $syncrepl       = $profiles::openldap::params::syncrepl,
+  $multiprovider  = $profiles::openldap::params::multiprovider,
+  $data_path      = $profiles::openldap::params::data_path,
+  $ssl_cert       = $profiles::openldap::params::ssl_cert,
+  $ssl_key        = $profiles::openldap::params::ssl_key,
+  $ssl_ca         = $profiles::openldap::params::ssl_ca,
+  $rootdn         = $profiles::openldap::params::rootdn,
+  $rootpw         = $profiles::openldap::params::rootpw,
+  $db_config_path = $profiles::openldap::params::db_config_path,
+  $cache_size_gb  = $profiles::openldap::params::cache_size_gb,
+  $log_dir        = $profiles::openldap::params::log_dir,
+  $log_max_size_mb    = $profiles::openldap::params::log_max_size_mb,
+  $log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
+) inherits profiles::openldap::params {
+
+  # ensure the path to $data_path exists
+  mkdir::p {$data_path:}
+
+  # if selinux is defined, manage it
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+    # set slapd_db_t to all files under the data_path
+    selinux::fcontext { $data_path:
+      ensure   => 'present',
+      seltype  => 'slapd_db_t',
+      pathspec => "${data_path}(/.*)?",
+    }
+
+    exec { "restorecon_${data_path}":
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => "restorecon -Rv ${data_path}",
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext[$data_path],
+    }
+
+  }
+
+  # manage the openldap server
+  class { 'openldap::server':
+    ldap_address  => $facts['networking']['ip'],
+    ldaps_address => $facts['networking']['ip'],
+    ssl_cert      => $ssl_cert,
+    ssl_key       => $ssl_key,
+    ssl_ca        => $ssl_ca,
+    subscribe     => [
+      File[$ssl_key],
+      File[$ssl_ca],
+    ],
+  }
+
+  openldap::server::database { $database:
+    ensure     => present,
+    syncrepl   => $syncrepl,
+    directory  => $data_path,
+    rootdn     => $rootdn,
+    rootpw     => $rootpw,
+    mirrormode => true,
+  }
+
+  # manage modules
+  openldap::server::module { 'memberof':
+    ensure => present,
+  }
+  openldap::server::module { 'syncprov':
+    ensure => present,
+  }
+
+  # manage overlays
+  openldap::server::overlay { "memberof on ${database}":
+    ensure => present,
+  }
+
+  # Update after 10 changes or 1 minute.
+  # Ensure there's enough room for 1000 changes in the log.
+  openldap::server::overlay { "syncprov on ${database}":
+    ensure  => present,
+    options => {
+        'olcSpCheckpoint' => '10 1',
+        'olcSpSessionlog' => '100'
+    },
+    require => [
+      Openldap::Server::Dbindex['entryCSN'],
+      Openldap::Server::Dbindex['entryUUID'],
+      Openldap::Server::Module['syncprov'],
+    ],
+  }
+
+  # add schemas
+  openldap::server::schema { 'cosine':
+    ensure => present,
+    path   => '/etc/openldap/schema/cosine.schema',
+  }
+  openldap::server::schema { 'inetorgperson':
+    ensure  => present,
+    path    => '/etc/openldap/schema/inetorgperson.schema',
+    require => Openldap::Server::Schema['cosine'],
+  }
+  openldap::server::schema { 'nis':
+    ensure  => present,
+    path    => '/etc/openldap/schema/nis.ldif',
+    require => Openldap::Server::Schema['inetorgperson'],
+  }
+
+$acls = [
+  {
+    'to attrs=userPassword,shadowLastChange' => [
+      "by dn=\"${rootdn}\" write",
+      'by self write',
+      'by anonymous auth',
+      'by * none',
+    ],
+  },
+  {
+    'to dn.base=""' => [
+      'by * read',
+    ],
+  },
+  {
+    'to *' => [
+      "by dn=\"${rootdn}\" write",
+      'by self write',
+      'by users read',
+      'by anonymous auth',
+      'by * none',
+    ],
+  },
+]
+openldap::server::access_wrapper { $database :
+  acl => $acls,
+}
+
+  # manage dbindex
+  Openldap::Server::Dbindex {
+    suffix => $database,
+  }
+  openldap::server::dbindex {
+    'cn':
+      attribute => 'cn',
+      indices   => 'eq,pres,sub';
+    'uid':
+      attribute => 'uid',
+      indices   => 'eq,pres,sub';
+    'uidNumber':
+      attribute => 'uidNumber',
+      indices   => 'eq,pres';
+    'gidNumber':
+      attribute => 'gidNumber',
+      indices   => 'eq,pres';
+    'member':
+      attribute => 'member',
+      indices   => 'eq,pres';
+    'memberUid':
+      attribute => 'memberUid',
+      indices   => 'eq,pres';
+    'entryCSN':
+      attribute => 'entryCSN',
+      indices   => 'eq,pres';
+    'entryUUID':
+      attribute => 'entryUUID',
+      indices   => 'eq,pres';
+  }
+
+  # manage DB_CONFIG
+  file { $db_config_path:
+    ensure  => file,
+    content => template('profiles/openldap/db_config.erb'),
+    owner   => 'ldap',
+    group   => 'ldap',
+    mode    => '0644',
+  }
+
+  file { $log_dir:
+    ensure  => directory,
+    owner   => 'ldap',
+    group   => 'ldap',
+    mode    => '0755',
+    require => Class['openldap::server'],
+  }
+
+}

site/profiles/templates/openldap/db_config.erb

@@ -0,0 +1,5 @@
+set_cachesize <%= scope.lookupvar('openldap::db_config::cache_size_gb').to_i * 1024 %> 0 1
+set_lg_bsize <%= scope.lookupvar('openldap::db_config::log_buffer_size_mb').to_i * 1024 %>
+set_lg_max <%= scope.lookupvar('openldap::db_config::log_max_size_mb').to_i * 1024 %>
+set_lg_dir <%= scope.lookupvar('openldap::db_config::log_dir') %>
+set_flags DB_LOG_AUTOREMOVE

site/roles/manifests/infra/auth/openldap.pp

@@ -0,0 +1,12 @@
+# a role to deploy an openldap master
+class roles::infra::auth::openldap {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+    include profiles::openldap::server
+  }
+}