From d60a4a2d8a584eda11c5346b311319d24ef6d639 Mon Sep 17 00:00:00 2001 From: Brian Schonecker Date: Fri, 20 Nov 2015 11:36:19 -0500 Subject: [PATCH 1/6] Added a lot more parameters. --- manifests/init.pp | 66 ++++++++++++++++++++++++++++++--------------- manifests/params.pp | 64 ++++++++++++++++++++++++++++--------------- templates/nslcd.erb | 65 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 152 insertions(+), 43 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 6aa8af6..39d890a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
@@ -2,27 +2,38 @@ # # This class manages the nslcd server and service. class nslcd ( - $package_ensure = $nslcd::params::package_ensure, - $package_name = $nslcd::params::package_name, - $service_ensure = $nslcd::params::service_ensure, - $service_enable = $nslcd::params::service_enable, - $service_name = $nslcd::params::service_name, - $uid = $nslcd::params::uid, - $gid = $nslcd::params::gid, - $config = $nslcd::params::config, - $config_user = $nslcd::params::config_user, - $config_group = $nslcd::params::config_group, - $config_mode = $nslcd::params::config_mode, - $ldap_uris = $nslcd::params::ldap_uris, - $ldap_version = $nslcd::params::ldap_version, - $ldap_binddn = $nslcd::params::ldap_binddn, - $ldap_bindpw = $nslcd::params::ldap_bindpw, - $ldap_search_base = $nslcd::params::ldap_search_base, - $ldap_search_scope = $nslcd::params::ldap_search_scope, - $ldap_filters = $nslcd::params::ldap_filters, - $ldap_ssl = $nslcd::params::ldap_ssl, - $ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert, - $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile, + $package_ensure = $nslcd::params::package_ensure, + $package_name = $nslcd::params::package_name, + $service_ensure = $nslcd::params::service_ensure, + $service_enable = $nslcd::params::service_enable, + $service_name = $nslcd::params::service_name, + $uid = $nslcd::params::uid, + $gid = $nslcd::params::gid, + $config = $nslcd::params::config, + $config_user = $nslcd::params::config_user, + $config_group = $nslcd::params::config_group, + $config_mode = $nslcd::params::config_mode, + $ldap_uris = $nslcd::params::ldap_uris, + $ldap_version = $nslcd::params::ldap_version, + $ldap_binddn = $nslcd::params::ldap_binddn, + $ldap_bindpw = $nslcd::params::ldap_bindpw, + $ldap_search_base = $nslcd::params::ldap_search_base, + $ldap_search_scope = $nslcd::params::ldap_search_scope, + $ldap_filters = $nslcd::params::ldap_filters, + $ldap_maps = $nslcd::params::ldap_maps, + $ldap_ssl = $nslcd::params::ldap_ssl, + 
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert, + $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile, + $ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir, + $bind_timelimit = $nslcd::params::bind_timelimit, + $timelimit = $nslcd::params::timelimit, + $idle_timelimit = $nslcd::params::idle_timelimit, + $reconnect_sleeptime = $nslcd::params::reconnect_sleeptime, + $reconnect_retrytime = $nslcd::params::reconnect_retrytime, + $pagesize = $nslcd::params::pagesize, + $referrals = $nslcd::params::referrals, + $nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers, + ) inherits nslcd::params { # Input validation @@ -36,6 +47,19 @@ class nslcd ( validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert) validate_re($ldap_search_scope, $valid_ldap_search_scope) + # Ensure that the timing variables are integers. + validate_integer($bind_timelimit) + validate_integer($timelimit) + validate_integer($idle_timelimit) + validate_integer($reconnect_sleeptime) + validate_integer($reconnect_retrytime) + validate_integer($pagesize) + + # do some validation + $onoff = '^(on|off)$' + + validate_re($referrals, $onoff ) + anchor { 'nslcd::begin': } -> class { 'nslcd::install': } -> class { 'nslcd::config': } ~> diff --git a/manifests/params.pp b/manifests/params.pp index e2ecce5..3b7b657 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
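Review bot: The new `$ldap_maps` and `$nss_initgroups_ignoreusers` parameters are added without any note on their expected shape, and the template in this same patch depends on it (`@ldap_maps` is walked as a hash whose values are walked again, `@nss_initgroups_ignoreusers` is walked with `.each`). A header comment next to the parameter list would save the next reader a trip into the ERB, e.g. `# $ldap_maps: hash of map name => array of 'attribute ldapattribute' strings` and `# $nss_initgroups_ignoreusers: array of user names (or undef) whose group membership nslcd must not look up`. The class body continues outside the hunk.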
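Review bot: The added validation covers the six timing integers and `$referrals`, but not the other new parameters, so a mistyped `$ldap_maps` or `$nss_initgroups_ignoreusers` fails inside ERB rendering with a Ruby NoMethodError instead of a clear message. Suggest `validate_hash($ldap_maps)` beside the existing validate_re calls and, because both default to undef, `if $nss_initgroups_ignoreusers { validate_array($nss_initgroups_ignoreusers) }` and `if $ldap_tls_cacertdir { validate_absolute_path($ldap_tls_cacertdir) }`. `validate_integer` is a fairly recent stdlib addition, so the module's stdlib lower bound in metadata.json (not in this diff) may need raising. The class body continues outside the hunk.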
@@ -7,36 +7,56 @@ class nslcd::params { $service_ensure = running $service_enable = true - $ldap_uris = ['ldap:///'] - $ldap_version = '3' - $ldap_binddn = undef - $ldap_bindpw = undef - $ldap_search_base = '' - $ldap_search_scope = 'subtree' - $ldap_filters = {} - $ldap_ssl = 'off' - $ldap_tls_reqcert = 'allow' - $ldap_tls_cacertfile = undef - - $default_config = '/etc/nslcd.conf' - $default_package_name = 'nslcd' - $default_service_name = 'nslcd' + $ldap_uris = ['ldap:///'] + $ldap_version = '3' + $ldap_binddn = undef + $ldap_bindpw = undef + $ldap_search_base = '' + $ldap_search_scope = 'subtree' + $ldap_filters = {} + $ldap_maps = {} + $ldap_ssl = 'off' + $ldap_tls_reqcert = 'allow' + $ldap_tls_cacertfile = undef + $ldap_tls_cacertder = undef + $default_config = '/etc/nslcd.conf' + $bind_timelimit = 10 + $timelimit = 0 + $idle_timelimit = 0 + $reconnect_sleeptime = 1 + $reconnect_retrytime = 10 + $pagesize = 0 + $referrals = 'on' + $nss_initgroups_ignoreusers = undef case $::osfamily { Debian: { - $config = $default_config - $package_name = $default_package_name - $service_name = $default_service_name - $uid = 'nslcd' - $gid = 'nslcd' - $config_user = 'root' - $config_group = 'nslcd' - $config_mode = '0640' + $default_package_name = 'nslcd' + $config = $default_config + $package_name = $default_package_name + $service_name = $default_service_name + $uid = 'nslcd' + $gid = 'nslcd' + $config_user = 'root' + $config_group = 'nslcd' + $config_mode = '0640' + } + RedHat: { + $default_package_name = 'nss-pam-ldapd' + $config = $default_config + $package_name = $default_package_name + $service_name = $default_service_name + $uid = 'nslcd' + $gid = 'root' + $config_user = 'root' + $config_group = 'root' + $config_mode = '0600' } default: { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") } } + $default_service_name = 'nslcd' } diff --git a/templates/nslcd.erb b/templates/nslcd.erb index f6fcdf1..7b44ee7 100644 
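Review bot: `$ldap_tls_cacertder = undef` is misspelled: init.pp in this same patch reads `$nslcd::params::ldap_tls_cacertdir`, so the class default resolves an unassigned variable (silently undef on a lenient parser, a compile error under `strict_variables`). Change the line to `$ldap_tls_cacertdir = undef`; the misspelling survives as context into the first params.pp hunk of patch 4, so it should be fixed there as well. Separately, `$service_name = $default_service_name` in both branches reads a variable that is only assigned after the case statement, but patch 4 in this series already removes that construction.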
--- a/templates/nslcd.erb +++ b/templates/nslcd.erb @@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %> <% if @ldap_tls_cacertfile -%> tls_cacertfile <%= @ldap_tls_cacertfile %> <% end -%> +<% if @ldap_tls_cacertdir -%> +tls_cacertdir <%= @ldap_tls_cacertdir %> +<% end -%> # The search scope. scope <%= @ldap_search_scope %> 
@@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %> filter <%= map %> <%= filter %> <% end -%> <% end -%> + +<% if @ldap_maps.length > 0 -%> +# Custom search attributes +<% @ldap_maps.each do |map, filter| -%> +<% filter.each do | attribute | -%> +map <%= map %> <%= attribute %> +<% end -%> +<% end -%> +<% end -%> + +<% if @bind_timelimit -%> +# Specifies the distinguished name with which to bind to the directory server for lookups. +# The default is to bind anonymously. +bind_timelimit <%= @bind_timelimit %> +<% end -%> + +<% if @timelimit -%> +# Specifies the time limit (in seconds) to wait for a response from the LDAP server. +# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed. +timelimit <%= @timelimit %> +<% end -%> + +<% if @idle_timelimit -%> +# Specifies the period if inactivity (in seconds) after which the connection to the +# LDAP server will be closed. The default is not to time out connections. +idle_timelimit <%= @idle_timelimit %> +<% end -%> + +<% if @reconnect_sleeptime -%> +# Specifies the number of seconds to sleep when connecting to all LDAP servers fails. +# By default 1 second is waited between the first failure and the first retry. +reconnect_sleeptime <%= @reconnect_sleeptime %> +<% end -%> + +<% if @reconnect_retrytime -%> +# Specifies the time after which the LDAP server is considered to be permanently unavailable. +# Once this time is reached retries will be done only once per this time period. The default +# value is 10 seconds. +reconnect_retrytime <%= @reconnect_retrytime %> +<% end -%> + +<% if @pagesize -%> +# Set this to a number greater than 0 to request paged results from the LDAP server +# in accordance with RFC2696. The default (0) is to not request paged results. +pagesize <%= @pagesize %> +<% end -%> + +<% if @referrals -%> +# Specifies whether automatic referral chasing should be enabled. The default behaviour +# is to chase referrals. 
+referrals <%= @referrals %> +<% end -%> + +<% if @nss_initgroups_ignoreusers -%> +# This option prevents group membership lookups through LDAP for the specified users. +# This can be useful in case of unavailability of the LDAP server. +<% @nss_initgroups_ignoreusers.each do | user | -%> +nss_initgroups_ignoreusers <%= user %> +<% end -%> +<% end -%> + + From c15931024c5031609485c8c5c58a496cc4c77448 Mon Sep 17 00:00:00 2001 From: "Schonecker, Brian" Date: Fri, 20 Nov 2015 11:51:03 -0500 Subject: [PATCH 2/6] Added examples of hashed values for ldap_filters and ldap_maps. --- README.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a35288c..fdec388 100644 --- a/README.md +++ b/README.md @@ -35,11 +35,24 @@ However, we recommend that you declare the class and override a few parameters: ``` class { 'nslcd': - ldap_uris => ['ldap://ldap.mycompany.com'], - ldap_ssl => 'on', + ldap_uris => ['ldap://ldap.mycompany.com'], + ldap_ssl => 'on', + ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))', + passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))', + shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))', + }, + ldap_maps => { group => 'uniqueMember member', + passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ], + shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ], + }, } ``` + + + + + ## Reference *todo* From c73fbc11e7cf86e80018d571d9a0e9c2284e606e Mon Sep 17 00:00:00 2001 From: "Schonecker, Brian" Date: Fri, 20 Nov 2015 11:54:30 -0500 Subject: [PATCH 3/6] Removed whitespace. --- manifests/params.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 3b7b657..6a179e5 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
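Review bot: `<% filter.each do | attribute | -%>` in the ldap_maps block assumes every hash value is an array, but the README example in patch 2 passes `group => 'uniqueMember member'` as a plain string, and String has no `each` on Ruby 1.9+, so catalog compilation fails with NoMethodError for exactly the documented usage; `<% Array(filter).each do |attribute| -%>` accepts both forms. The comment above `bind_timelimit` ("distinguished name with which to bind ... bind anonymously") was copied from the binddn option and is wrong for this one; replace it with `# Specifies the time limit (in seconds) to use when connecting to the directory server.` Since Ruby treats 0 as true, the `<% if @timelimit -%>`-style guards never suppress the zero defaults, which is harmless here but worth a one-line comment so nobody later "fixes" them into `> 0` checks and drops valid settings.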
@@ -22,15 +22,15 @@ class nslcd::params { $default_config = '/etc/nslcd.conf' $bind_timelimit = 10 $timelimit = 0 - $idle_timelimit = 0 + $idle_timelimit = 0 $reconnect_sleeptime = 1 $reconnect_retrytime = 10 $pagesize = 0 - $referrals = 'on' + $referrals = 'on' $nss_initgroups_ignoreusers = undef case $::osfamily { - Debian: { + 'Debian': { $default_package_name = 'nslcd' $config = $default_config $package_name = $default_package_name @@ -41,7 +41,7 @@ class nslcd::params { $config_group = 'nslcd' $config_mode = '0640' } - RedHat: { + 'RedHat': { $default_package_name = 'nss-pam-ldapd' $config = $default_config $package_name = $default_package_name From ac68d2fbbd15f26acace0f013972bf337b985e6c Mon Sep 17 00:00:00 2001 From: "Schonecker, Brian" Date: Fri, 20 Nov 2015 12:25:08 -0500 Subject: [PATCH 4/6] Removed \'default\' variables in favor of a more readable case statement. --- manifests/params.pp | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/manifests/params.pp b/manifests/params.pp index 6a179e5..73a7f66 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -19,7 +19,6 @@ class nslcd::params { $ldap_tls_reqcert = 'allow' $ldap_tls_cacertfile = undef $ldap_tls_cacertder = undef - $default_config = '/etc/nslcd.conf' $bind_timelimit = 10 $timelimit = 0 $idle_timelimit = 0 @@ -31,10 +30,9 @@ class nslcd::params { case $::osfamily { 'Debian': { - $default_package_name = 'nslcd' - $config = $default_config - $package_name = $default_package_name - $service_name = $default_service_name + $config = '/etc/nslcd.conf' + $package_name = 'nslcd' + $service_name = 'nslcd' $uid = 'nslcd' $gid = 'nslcd' $config_user = 'root' 
@@ -42,10 +40,9 @@ class nslcd::params { $config_mode = '0640' } 'RedHat': { - $default_package_name = 'nss-pam-ldapd' - $config = $default_config - $package_name = $default_package_name - $service_name = $default_service_name + $config = '/etc/nslcd.conf' + $package_name = 'nss-pam-ldapd' + $service_name = 'nslcd' $uid = 'nslcd' $gid = 'root' $config_user = 'root' @@ -56,7 +53,6 @@ class nslcd::params { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") } } - $default_service_name = 'nslcd' } From df7e899efde6283b889e867a05d5c48d9d0d6a00 Mon Sep 17 00:00:00 2001 From: "Schonecker, Brian" Date: Fri, 20 Nov 2015 13:35:49 -0500 Subject: [PATCH 5/6] Added RedHat to spec testing. --- spec/classes/init_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb index bf42e92..2cf4c7b 100644 --- a/spec/classes/init_spec.rb +++ b/spec/classes/init_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' describe 'nslcd' do - {'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family| + {'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family| context "when on system #{system}" do let :facts do { From d31bfb6f7f3b888ab7bbb32f4a1fe655a07e1475 Mon Sep 17 00:00:00 2001 From: "Schonecker, Brian" Date: Fri, 20 Nov 2015 14:43:58 -0500 Subject: [PATCH 6/6] Added YAML example. --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index fdec388..48855cb 100644 --- a/README.md +++ b/README.md 
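Review bot: The new entry maps `'RedHat'` to the family `'Debian'`, so if `family` feeds the osfamily fact (the `let :facts` block begins here and continues outside the hunk) the new context still takes the Debian branch of nslcd::params and the RedHat branch added in patch 1 (`nss-pam-ldapd`, mode `0600`) remains untested. `{'RedHat' => 'RedHat', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}` would exercise both branches, assuming the expectations inside the context are parameterised by family rather than hard-coded to the Debian package name.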
@@ -48,6 +48,33 @@ class { 'nslcd': } ``` +An example in YAML using hashes/arrays: + +``` +nslcd::ldap_uris: + - 'ldap://ldap1.mycompany.com/' + - 'ldap://ldap2.mycompany.com/' +nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org' +nslcd::ldap_binddn: 'binduser@acme.example.org' +nslcd::ldap_bindpw: 'password' +nslcd::ldap_filters: + - group: " (&(objectClass=group)(gidNumber=*))" + - passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))" + - shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))" +nslcd::ldap_maps: + group: 'uniqueMember member' + passwd: + - 'homedirectory unixHomeDirectory' + - 'uid sAMAccountName' + - 'gecos displayName' + shadow: + - 'shadowLastChange pwdLastSet' + - 'uid sAMAccountName' +nslcd::nss_initgroups_ignoreusers: + - 'root' + - 'ALLLOCAL' + +```