diff --git a/README.md b/README.md index a35288c..48855cb 100644 --- a/README.md +++ b/README.md @@ -35,11 +35,51 @@ However, we recommend that you declare the class and override a few parameters: ``` class { 'nslcd': - ldap_uris => ['ldap://ldap.mycompany.com'], - ldap_ssl => 'on', + ldap_uris => ['ldap://ldap.mycompany.com'], + ldap_ssl => 'on', + ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))', + passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))', + shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))', + }, + ldap_maps => { group => 'uniqueMember member', + passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ], + shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ], + }, } ``` +An example in YAML using hashes/arrays: + +``` +nslcd::ldap_uris: + - 'ldap://ldap1.mycompany.com/' + - 'ldap://ldap2.mycompany.com/' +nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org' +nslcd::ldap_binddn: 'binduser@acme.example.org' +nslcd::ldap_bindpw: 'password' +nslcd::ldap_filters: + - group: " (&(objectClass=group)(gidNumber=*))" + - passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))" + - shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))" +nslcd::ldap_maps: + group: 'uniqueMember member' + passwd: + - 'homedirectory unixHomeDirectory' + - 'uid sAMAccountName' + - 'gecos displayName' + shadow: + - 'shadowLastChange pwdLastSet' + - 'uid sAMAccountName' +nslcd::nss_initgroups_ignoreusers: + - 'root' + - 'ALLLOCAL' + +``` + + + + + ## Reference *todo* diff --git a/manifests/init.pp b/manifests/init.pp index 6aa8af6..39d890a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -2,27 +2,38 @@
 #
 # This class manages the nslcd server and service.
 class nslcd (
- $package_ensure = $nslcd::params::package_ensure,
- $package_name = $nslcd::params::package_name,
- $service_ensure = $nslcd::params::service_ensure,
- $service_enable = $nslcd::params::service_enable,
- $service_name = $nslcd::params::service_name,
- $uid = $nslcd::params::uid,
- $gid = $nslcd::params::gid,
- $config = $nslcd::params::config,
- $config_user = $nslcd::params::config_user,
- $config_group = $nslcd::params::config_group,
- $config_mode = $nslcd::params::config_mode,
- $ldap_uris = $nslcd::params::ldap_uris,
- $ldap_version = $nslcd::params::ldap_version,
- $ldap_binddn = $nslcd::params::ldap_binddn,
- $ldap_bindpw = $nslcd::params::ldap_bindpw,
- $ldap_search_base = $nslcd::params::ldap_search_base,
- $ldap_search_scope = $nslcd::params::ldap_search_scope,
- $ldap_filters = $nslcd::params::ldap_filters,
- $ldap_ssl = $nslcd::params::ldap_ssl,
- $ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
- $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
+ $package_ensure = $nslcd::params::package_ensure,
+ $package_name = $nslcd::params::package_name,
+ $service_ensure = $nslcd::params::service_ensure,
+ $service_enable = $nslcd::params::service_enable,
+ $service_name = $nslcd::params::service_name,
+ $uid = $nslcd::params::uid,
+ $gid = $nslcd::params::gid,
+ $config = $nslcd::params::config,
+ $config_user = $nslcd::params::config_user,
+ $config_group = $nslcd::params::config_group,
+ $config_mode = $nslcd::params::config_mode,
+ $ldap_uris = $nslcd::params::ldap_uris,
+ $ldap_version = $nslcd::params::ldap_version,
+ $ldap_binddn = $nslcd::params::ldap_binddn,
+ $ldap_bindpw = $nslcd::params::ldap_bindpw,
+ $ldap_search_base = $nslcd::params::ldap_search_base,
+ $ldap_search_scope = $nslcd::params::ldap_search_scope,
+ $ldap_filters = $nslcd::params::ldap_filters,
+ $ldap_maps = $nslcd::params::ldap_maps,
+ $ldap_ssl = $nslcd::params::ldap_ssl,
+ $ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
+ $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
+ $ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir,
+ $bind_timelimit = $nslcd::params::bind_timelimit,
+ $timelimit = $nslcd::params::timelimit,
+ $idle_timelimit = $nslcd::params::idle_timelimit,
+ $reconnect_sleeptime = $nslcd::params::reconnect_sleeptime,
+ $reconnect_retrytime = $nslcd::params::reconnect_retrytime,
+ $pagesize = $nslcd::params::pagesize,
+ $referrals = $nslcd::params::referrals,
+ $nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers,
+
 ) inherits nslcd::params {
 
 # Input validation
@@ -36,6 +47,19 @@ class nslcd (
 validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
 validate_re($ldap_search_scope, $valid_ldap_search_scope)
 
+ # Ensure that the timing variables are integers.
+ validate_integer($bind_timelimit)
+ validate_integer($timelimit)
+ validate_integer($idle_timelimit)
+ validate_integer($reconnect_sleeptime)
+ validate_integer($reconnect_retrytime)
+ validate_integer($pagesize)
+
+ # do some validation
+ $onoff = '^(on|off)$'
+
+ validate_re($referrals, $onoff )
+
 anchor { 'nslcd::begin': } ->
 class { 'nslcd::install': } ->
 class { 'nslcd::config': } ~>
diff --git a/manifests/params.pp b/manifests/params.pp
index e2ecce5..73a7f66 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
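Review bot: The eleven parameters added to the signature (`$ldap_maps` through `$nss_initgroups_ignoreusers`) are not described anywhere; the class header still only says `# This class manages the nslcd server and service.`, so a reader has to open the template to learn that `$nss_initgroups_ignoreusers` must be an array and `$referrals` an `on`/`off` string. Add a `# === Parameters` section above `class nslcd (` with one entry per parameter giving its type, default and the nslcd.conf option it drives, for example `# [*ldap_tls_cacertdir*] Directory of trusted CA certificates, written as tls_cacertdir (String, default undef).`. Since `$ldap_bindpw` is part of this signature and the README example in this commit feeds it from plain Hiera YAML, the header is also the place to say that the value should come from encrypted data (hiera-eyaml or similar) rather than a cleartext YAML file.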
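Review bot: The new checks validate the integer options and `$referrals` but leave `$ldap_tls_cacertdir`, `$ldap_maps` and `$nss_initgroups_ignoreusers` unvalidated, even though the template in this commit iterates the last two with `.each` and will fail at catalog compile time if a plain string is passed. Add, beside the `validate_integer` calls, `if $ldap_tls_cacertdir { validate_absolute_path($ldap_tls_cacertdir) }`, `validate_hash($ldap_maps)` and `if $nss_initgroups_ignoreusers { validate_array($nss_initgroups_ignoreusers) }` (all from the same stdlib that provides `validate_integer`). The comment `# do some validation` says nothing; `# referrals is written verbatim into nslcd.conf, so restrict it to on/off` explains why the regex exists.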
@@ -7,31 +7,47 @@ class nslcd::params { $service_ensure = running $service_enable = true - $ldap_uris = ['ldap:///'] - $ldap_version = '3' - $ldap_binddn = undef - $ldap_bindpw = undef - $ldap_search_base = '' - $ldap_search_scope = 'subtree' - $ldap_filters = {} - $ldap_ssl = 'off' - $ldap_tls_reqcert = 'allow' - $ldap_tls_cacertfile = undef - - $default_config = '/etc/nslcd.conf' - $default_package_name = 'nslcd' - $default_service_name = 'nslcd' + $ldap_uris = ['ldap:///'] + $ldap_version = '3' + $ldap_binddn = undef + $ldap_bindpw = undef + $ldap_search_base = '' + $ldap_search_scope = 'subtree' + $ldap_filters = {} + $ldap_maps = {} + $ldap_ssl = 'off' + $ldap_tls_reqcert = 'allow' + $ldap_tls_cacertfile = undef + $ldap_tls_cacertder = undef + $bind_timelimit = 10 + $timelimit = 0 + $idle_timelimit = 0 + $reconnect_sleeptime = 1 + $reconnect_retrytime = 10 + $pagesize = 0 + $referrals = 'on' + $nss_initgroups_ignoreusers = undef case $::osfamily { - Debian: { - $config = $default_config - $package_name = $default_package_name - $service_name = $default_service_name - $uid = 'nslcd' - $gid = 'nslcd' - $config_user = 'root' - $config_group = 'nslcd' - $config_mode = '0640' + 'Debian': { + $config = '/etc/nslcd.conf' + $package_name = 'nslcd' + $service_name = 'nslcd' + $uid = 'nslcd' + $gid = 'nslcd' + $config_user = 'root' + $config_group = 'nslcd' + $config_mode = '0640' + } + 'RedHat': { + $config = '/etc/nslcd.conf' + $package_name = 'nss-pam-ldapd' + $service_name = 'nslcd' + $uid = 'nslcd' + $gid = 'root' + $config_user = 'root' + $config_group = 'root' + $config_mode = '0600' } default: { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index bf42e92..2cf4c7b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb 
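Review bot: `$ldap_tls_cacertder = undef` is a typo: init.pp defaults the new parameter from `$nslcd::params::ldap_tls_cacertdir`, which this hunk never defines, so the lookup resolves to undef with only a warning on Puppet 3 and fails outright once `strict_variables` is on; change the line to `$ldap_tls_cacertdir = undef`. The RedHat branch writes nslcd.conf as root:root 0600 while the daemon runs as `$uid = 'nslcd'`; that only works because nslcd reads its configuration before dropping privileges (as the packaged nss-pam-ldapd does, to my knowledge), which deserves a comment such as `# nslcd reads the config as root before switching to $uid, so root:root 0600 is enough` so nobody later "fixes" it to be readable by the nslcd user. The carried-over defaults `$ldap_ssl = 'off'` and `$ldap_tls_reqcert = 'allow'` mean an unconfigured module sends the bind password over plaintext LDAP and does not verify the server certificate; that is pre-existing behaviour, but now that the README documents `ldap_bindpw` it is worth a caveat there.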
@@ -2,7 +2,7 @@ require 'spec_helper' describe 'nslcd' do
- {'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
+ {'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
 context "when on system #{system}" do
 let :facts do
 {
diff --git a/templates/nslcd.erb b/templates/nslcd.erb
index f6fcdf1..7b44ee7 100644
--- a/templates/nslcd.erb
+++ b/templates/nslcd.erb
@@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %>
 <% if @ldap_tls_cacertfile -%>
 tls_cacertfile <%= @ldap_tls_cacertfile %>
 <% end -%>
+<% if @ldap_tls_cacertdir -%>
+tls_cacertdir <%= @ldap_tls_cacertdir %>
+<% end -%>
 
 # The search scope.
 scope <%= @ldap_search_scope %>
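Review bot: `'RedHat' => 'Debian'` maps the new RedHat context to the Debian osfamily, so — assuming `family` is what the `let :facts` block below feeds into the `osfamily` fact, as the existing Ubuntu/Debian entries suggest — the RedHat branch added to params.pp is never compiled by this spec. Change the entry to `'RedHat' => 'RedHat'` and add RedHat-specific expectations (package `nss-pam-ldapd`, config mode `0600`, config group `root`) so a regression in that branch is actually caught. The `describe` block and the facts hash continue outside the hunk.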
@@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
 filter <%= map %> <%= filter %>
 <% end -%>
 <% end -%>
+
+<% if @ldap_maps.length > 0 -%>
+# Custom search attributes
+<% @ldap_maps.each do |map, filter| -%>
+<% filter.each do | attribute | -%>
+map <%= map %> <%= attribute %>
+<% end -%>
+<% end -%>
+<% end -%>
+
+<% if @bind_timelimit -%>
+# Specifies the distinguished name with which to bind to the directory server for lookups.
+# The default is to bind anonymously.
+bind_timelimit <%= @bind_timelimit %>
+<% end -%>
+
+<% if @timelimit -%>
+# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
+# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
+timelimit <%= @timelimit %>
+<% end -%>
+
+<% if @idle_timelimit -%>
+# Specifies the period if inactivity (in seconds) after which the connection to the
+# LDAP server will be closed. The default is not to time out connections.
+idle_timelimit <%= @idle_timelimit %>
+<% end -%>
+
+<% if @reconnect_sleeptime -%>
+# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
+# By default 1 second is waited between the first failure and the first retry.
+reconnect_sleeptime <%= @reconnect_sleeptime %>
+<% end -%>
+
+<% if @reconnect_retrytime -%>
+# Specifies the time after which the LDAP server is considered to be permanently unavailable.
+# Once this time is reached retries will be done only once per this time period. The default
+# value is 10 seconds.
+reconnect_retrytime <%= @reconnect_retrytime %>
+<% end -%>
+
+<% if @pagesize -%>
+# Set this to a number greater than 0 to request paged results from the LDAP server
+# in accordance with RFC2696. The default (0) is to not request paged results.
+pagesize <%= @pagesize %>
+<% end -%>
+
+<% if @referrals -%>
+# Specifies whether automatic referral chasing should be enabled. The default behaviour
+# is to chase referrals.
+referrals <%= @referrals %>
+<% end -%>
+
+<% if @nss_initgroups_ignoreusers -%>
+# This option prevents group membership lookups through LDAP for the specified users.
+# This can be useful in case of unavailability of the LDAP server.
+<% @nss_initgroups_ignoreusers.each do | user | -%>
+nss_initgroups_ignoreusers <%= user %>
+<% end -%>
+<% end -%>
+
+
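Review bot: `<% filter.each do | attribute | -%>` assumes every `@ldap_maps` value is an array, but the README example in this same commit passes `group => 'uniqueMember member'` as a plain string, and a Ruby (1.9+) String has no `each`, so that documented configuration fails the catalog compile with NoMethodError; use `<% Array(filter).each do | attribute | -%>` (and likewise `<% Array(@nss_initgroups_ignoreusers).each do | user | -%>`) so scalar and array values both render. The comment above `bind_timelimit` was copied from the binddn option ("Specifies the distinguished name with which to bind…") and is wrong for a timeout; per nslcd.conf(5) it should read `# Specifies the time limit (in seconds) to use when connecting to the directory server. The default is 10 seconds.`. The `idle_timelimit` comment also has a typo, "period if inactivity" for "period of inactivity".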