- add modules, overlays, access rules, schemas - manage syncrepl - manage selinux
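# profiles::openldap::server
#
# Configures an OpenLDAP replication provider: creates the database
# directory (labelled for SELinux when SELinux is active), declares the
# slapd listeners with their TLS material, the database with its syncrepl
# settings, the memberof/syncprov modules and overlays, the schemas, the
# access rules, the attribute indexes and the BDB DB_CONFIG file.
#
# Every parameter defaults to the matching value in
# profiles::openldap::params.
#
# @param database            suffix of the database to manage
# @param syncrepl            syncrepl specification handed to the database
# @param multiprovider       declared but not used in this class; mirrormode
#                            is hard-coded to true below (see TODO there)
# @param data_path           directory holding the database files
# @param ssl_cert            server certificate file
# @param ssl_key             private key belonging to ssl_cert
# @param ssl_ca              CA bundle handed to slapd
# @param rootdn              DN of the database administrator
# @param rootpw              credential of rootdn; treat as a secret
# @param db_config_path      location of the BDB DB_CONFIG file
# @param cache_size_gb       not referenced here; presumably consumed by
#                            the db_config.erb template - verify
# @param log_dir             BDB transaction-log directory
# @param log_max_size_mb     not referenced here; presumably consumed by
#                            the db_config.erb template - verify
# @param log_buffer_size_mb  not referenced here; presumably consumed by
#                            the db_config.erb template - verify
class profiles::openldap::server (
  $database           = $profiles::openldap::params::database,
  $syncrepl           = $profiles::openldap::params::syncrepl,
  $multiprovider      = $profiles::openldap::params::multiprovider,
  $data_path          = $profiles::openldap::params::data_path,
  $ssl_cert           = $profiles::openldap::params::ssl_cert,
  $ssl_key            = $profiles::openldap::params::ssl_key,
  $ssl_ca             = $profiles::openldap::params::ssl_ca,
  $rootdn             = $profiles::openldap::params::rootdn,
  $rootpw             = $profiles::openldap::params::rootpw,
  $db_config_path     = $profiles::openldap::params::db_config_path,
  $cache_size_gb      = $profiles::openldap::params::cache_size_gb,
  $log_dir            = $profiles::openldap::params::log_dir,
  $log_max_size_mb    = $profiles::openldap::params::log_max_size_mb,
  $log_buffer_size_mb = $profiles::openldap::params::log_buffer_size_mb,
) inherits profiles::openldap::params {

  # Make sure every component of $data_path exists before the database
  # and the SELinux labelling below refer to it.
  mkdir::p { $data_path: }

  # Label the data directory whenever SELinux is active, not only when it
  # is enforcing: a permissive host left unlabelled stops working the
  # moment it is switched to enforcing.  dig() yields undef instead of
  # failing catalog compilation on hosts where the os.selinux fact is
  # absent (indexing undef with [] is an error in Puppet).
  $selinux_mode = $facts.dig('os', 'selinux', 'current_mode')

  if $selinux_mode in ['enforcing', 'permissive'] {

    # Give slapd_db_t to the data directory and everything below it.
    selinux::fcontext { $data_path:
      ensure   => 'present',
      seltype  => 'slapd_db_t',
      pathspec => "${data_path}(/.*)?",
    }

    # Relabel existing files; runs only when the fcontext rule changes.
    exec { "restorecon_${data_path}":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${data_path}",
      refreshonly => true,
      subscribe   => Selinux::Fcontext[$data_path],
    }
  }

  # The slapd daemon.  Both the plain ldap:// and the ldaps:// listener
  # are bound to the primary address, and the access rules further down
  # allow "anonymous auth" on userPassword, so simple binds are accepted
  # on the plaintext listener as well.
  # NOTE(review): if openldap::server exposes a way to require TLS for
  # binds (olcSecurity or equivalent), consider enabling it so credentials
  # never travel in clear - confirm against the module.
  # NOTE(review): only the key and the CA bundle trigger a re-apply; a
  # renewed certificate with an unchanged key would not.  Add
  # File[$ssl_cert] here once it is confirmed that resource exists in the
  # catalog.
  class { 'openldap::server':
    ldap_address  => $facts['networking']['ip'],
    ldaps_address => $facts['networking']['ip'],
    ssl_cert      => $ssl_cert,
    ssl_key       => $ssl_key,
    ssl_ca        => $ssl_ca,
    subscribe     => [
      File[$ssl_key],
      File[$ssl_ca],
    ],
  }

  # The database served under $database, with the syncrepl settings from
  # params.
  # TODO: $multiprovider is declared but never used; mirrormode stays
  # hard-coded to true until the intended mapping is confirmed.
  # NOTE(review): $rootpw is a secret; wrap it in Sensitive() once
  # openldap::server::database is known to accept Sensitive values, so it
  # is redacted from reports and logs.
  openldap::server::database { $database:
    ensure     => present,
    syncrepl   => $syncrepl,
    directory  => $data_path,
    rootdn     => $rootdn,
    rootpw     => $rootpw,
    mirrormode => true,
  }

  # Dynamic modules needed by the overlays below.
  openldap::server::module { 'memberof':
    ensure => present,
  }
  openldap::server::module { 'syncprov':
    ensure => present,
  }

  # Overlays on the database.
  openldap::server::overlay { "memberof on ${database}":
    ensure => present,
  }

  # syncprov makes this database a replication provider.
  # olcSpCheckpoint '10 1': checkpoint after 10 operations or 1 minute.
  # olcSpSessionlog '100': keep the last 100 changes in the session log.
  # NOTE(review): the previous comment spoke of 1000 changes while the
  # configured value is 100 - confirm which was intended.
  openldap::server::overlay { "syncprov on ${database}":
    ensure  => present,
    options => {
      'olcSpCheckpoint' => '10 1',
      'olcSpSessionlog' => '100',
    },
    # the overlay needs its module loaded and the indexes it searches on
    require => [
      Openldap::Server::Dbindex['entryCSN'],
      Openldap::Server::Dbindex['entryUUID'],
      Openldap::Server::Module['syncprov'],
    ],
  }

  # Schemas, loaded in dependency order (cosine -> inetorgperson -> nis).
  openldap::server::schema { 'cosine':
    ensure => present,
    path   => '/etc/openldap/schema/cosine.schema',
  }
  openldap::server::schema { 'inetorgperson':
    ensure  => present,
    path    => '/etc/openldap/schema/inetorgperson.schema',
    require => Openldap::Server::Schema['cosine'],
  }
  openldap::server::schema { 'nis':
    ensure  => present,
    path    => '/etc/openldap/schema/nis.ldif',
    require => Openldap::Server::Schema['inetorgperson'],
  }

  # Access rules, evaluated in order (first matching "to" clause wins):
  #  - password attributes: the administrator and the entry itself may
  #    write, anyone may use them to authenticate, nobody may read them;
  #  - the root DSE is readable by everyone;
  #  - everything else is writable by the administrator and the entry
  #    itself, readable by authenticated users, and usable only for
  #    authentication by anonymous clients.
  $acls = [
    {
      'to attrs=userPassword,shadowLastChange' => [
        "by dn=\"${rootdn}\" write",
        'by self write',
        'by anonymous auth',
        'by * none',
      ],
    },
    {
      'to dn.base=""' => [
        'by * read',
      ],
    },
    {
      'to *' => [
        "by dn=\"${rootdn}\" write",
        'by self write',
        'by users read',
        'by anonymous auth',
        'by * none',
      ],
    },
  ]
  openldap::server::access_wrapper { $database:
    acl => $acls,
  }

  # Attribute indexes.  The resource default supplies the suffix so each
  # dbindex below only names its attribute and index types.
  Openldap::Server::Dbindex {
    suffix => $database,
  }
  openldap::server::dbindex {
    'cn':
      attribute => 'cn',
      indices   => 'eq,pres,sub';
    'uid':
      attribute => 'uid',
      indices   => 'eq,pres,sub';
    'uidNumber':
      attribute => 'uidNumber',
      indices   => 'eq,pres';
    'gidNumber':
      attribute => 'gidNumber',
      indices   => 'eq,pres';
    'member':
      attribute => 'member',
      indices   => 'eq,pres';
    'memberUid':
      attribute => 'memberUid',
      indices   => 'eq,pres';
    # entryCSN/entryUUID are required by the syncprov overlay above
    'entryCSN':
      attribute => 'entryCSN',
      indices   => 'eq,pres';
    'entryUUID':
      attribute => 'entryUUID',
      indices   => 'eq,pres';
  }

  # BDB DB_CONFIG, rendered from the profile's template.  It holds tuning
  # values only, so world-readable is fine.
  # NOTE(review): nothing here restarts slapd when DB_CONFIG changes;
  # BDB reads it at environment open - confirm whether a notify on the
  # server's service class is wanted.
  file { $db_config_path:
    ensure  => file,
    content => template('profiles/openldap/db_config.erb'),
    owner   => 'ldap',
    group   => 'ldap',
    mode    => '0644',
  }

  # BDB transaction-log directory (assumed to be what the template points
  # set_lg_dir at - db_config.erb is not visible here).  Transaction logs
  # carry the data being written to the database, so the directory is
  # not traversable by other users; slapd runs as ldap and keeps full
  # access.
  file { $log_dir:
    ensure  => directory,
    owner   => 'ldap',
    group   => 'ldap',
    mode    => '0750',
    require => Class['openldap::server'],
  }

}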