Merge pull request #1 from bschonec/dev

Added a lot more parameters.
This commit is contained in:
Brian Schonecker 2015-11-20 14:52:51 -05:00
commit 0518201b3f
5 changed files with 192 additions and 47 deletions


@ -37,9 +37,49 @@ However, we recommend that you declare the class and override a few parameters:
class { 'nslcd': class { 'nslcd':
ldap_uris => ['ldap://ldap.mycompany.com'], ldap_uris => ['ldap://ldap.mycompany.com'],
ldap_ssl => 'on', ldap_ssl => 'on',
ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))',
passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
},
ldap_maps => { group => 'uniqueMember member',
passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ],
shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ],
},
} }
``` ```
An example in YAML using hashes/arrays:
```
nslcd::ldap_uris:
- 'ldap://ldap1.mycompany.com/'
- 'ldap://ldap2.mycompany.com/'
nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org'
nslcd::ldap_binddn: 'binduser@acme.example.org'
nslcd::ldap_bindpw: 'password'
nslcd::ldap_filters:
- group: " (&(objectClass=group)(gidNumber=*))"
- passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
- shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
nslcd::ldap_maps:
group: 'uniqueMember member'
passwd:
- 'homedirectory unixHomeDirectory'
- 'uid sAMAccountName'
- 'gecos displayName'
shadow:
- 'shadowLastChange pwdLastSet'
- 'uid sAMAccountName'
nslcd::nss_initgroups_ignoreusers:
- 'root'
- 'ALLLOCAL'
```
## Reference ## Reference
*todo* *todo*


@ -20,9 +20,20 @@ class nslcd (
$ldap_search_base = $nslcd::params::ldap_search_base, $ldap_search_base = $nslcd::params::ldap_search_base,
$ldap_search_scope = $nslcd::params::ldap_search_scope, $ldap_search_scope = $nslcd::params::ldap_search_scope,
$ldap_filters = $nslcd::params::ldap_filters, $ldap_filters = $nslcd::params::ldap_filters,
$ldap_maps = $nslcd::params::ldap_maps,
$ldap_ssl = $nslcd::params::ldap_ssl, $ldap_ssl = $nslcd::params::ldap_ssl,
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert, $ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
$ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile, $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
$ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir,
$bind_timelimit = $nslcd::params::bind_timelimit,
$timelimit = $nslcd::params::timelimit,
$idle_timelimit = $nslcd::params::idle_timelimit,
$reconnect_sleeptime = $nslcd::params::reconnect_sleeptime,
$reconnect_retrytime = $nslcd::params::reconnect_retrytime,
$pagesize = $nslcd::params::pagesize,
$referrals = $nslcd::params::referrals,
$nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers,
) inherits nslcd::params { ) inherits nslcd::params {
# Input validation # Input validation
@ -36,6 +47,19 @@ class nslcd (
validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert) validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
validate_re($ldap_search_scope, $valid_ldap_search_scope) validate_re($ldap_search_scope, $valid_ldap_search_scope)
# Ensure that the timing variables are integers.
validate_integer($bind_timelimit)
validate_integer($timelimit)
validate_integer($idle_timelimit)
validate_integer($reconnect_sleeptime)
validate_integer($reconnect_retrytime)
validate_integer($pagesize)
# do some validation
$onoff = '^(on|off)$'
validate_re($referrals, $onoff )
anchor { 'nslcd::begin': } -> anchor { 'nslcd::begin': } ->
class { 'nslcd::install': } -> class { 'nslcd::install': } ->
class { 'nslcd::config': } ~> class { 'nslcd::config': } ~>
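Review bot: The new `$ldap_maps` and `$nss_initgroups_ignoreusers` parameters get no input validation, while every other parameter added here is checked with `validate_integer`/`validate_re`; the ERB in this PR iterates both with `.each`, so a scalar passed from Hiera by mistake would surface as an opaque template error at catalog compile time instead of a clear message. Add `validate_hash($ldap_maps)` and `if $nss_initgroups_ignoreusers { validate_array($nss_initgroups_ignoreusers) }` alongside the other checks. `validate_integer` is only available in newer puppetlabs-stdlib releases (4.x), so the module's stdlib dependency bound should be raised accordingly if it is not already. The class body continues outside the hunk.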


@ -14,25 +14,41 @@ class nslcd::params {
$ldap_search_base = '' $ldap_search_base = ''
$ldap_search_scope = 'subtree' $ldap_search_scope = 'subtree'
$ldap_filters = {} $ldap_filters = {}
$ldap_maps = {}
$ldap_ssl = 'off' $ldap_ssl = 'off'
$ldap_tls_reqcert = 'allow' $ldap_tls_reqcert = 'allow'
$ldap_tls_cacertfile = undef $ldap_tls_cacertfile = undef
$ldap_tls_cacertder = undef
$default_config = '/etc/nslcd.conf' $bind_timelimit = 10
$default_package_name = 'nslcd' $timelimit = 0
$default_service_name = 'nslcd' $idle_timelimit = 0
$reconnect_sleeptime = 1
$reconnect_retrytime = 10
$pagesize = 0
$referrals = 'on'
$nss_initgroups_ignoreusers = undef
case $::osfamily { case $::osfamily {
Debian: { 'Debian': {
$config = $default_config $config = '/etc/nslcd.conf'
$package_name = $default_package_name $package_name = 'nslcd'
$service_name = $default_service_name $service_name = 'nslcd'
$uid = 'nslcd' $uid = 'nslcd'
$gid = 'nslcd' $gid = 'nslcd'
$config_user = 'root' $config_user = 'root'
$config_group = 'nslcd' $config_group = 'nslcd'
$config_mode = '0640' $config_mode = '0640'
} }
'RedHat': {
$config = '/etc/nslcd.conf'
$package_name = 'nss-pam-ldapd'
$service_name = 'nslcd'
$uid = 'nslcd'
$gid = 'root'
$config_user = 'root'
$config_group = 'root'
$config_mode = '0600'
}
default: { default: {
fail("The ${module_name} module is not supported on an ${::osfamily} based system.") fail("The ${module_name} module is not supported on an ${::osfamily} based system.")
} }
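Review bot: `$ldap_tls_cacertder = undef` is misspelled; `init.pp` in this PR reads `$nslcd::params::ldap_tls_cacertdir`, which this file never defines. It only works today because Puppet resolves the unknown qualified variable to undef (with a warning, presumably while `strict_variables` is off), so any non-undef default set here later would be silently ignored. Rename it to `$ldap_tls_cacertdir = undef`. The RedHat branch renders `/etc/nslcd.conf` as root:root `0600` while the Debian branch uses root:nslcd `0640`; since the file carries `bindpw`, the tighter mode is the better choice, but a one-line comment such as `# root-only: nslcd reads the config before dropping privileges (confirm per distro)` would stop someone "fixing" it to the Debian layout.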


@ -2,7 +2,7 @@ require 'spec_helper'
describe 'nslcd' do describe 'nslcd' do
{'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family| {'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
context "when on system #{system}" do context "when on system #{system}" do
let :facts do let :facts do
{ {
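Review bot: `'RedHat' => 'Debian'` maps the newly added system to the Debian family, so if `family` feeds the `osfamily` fact (the `let :facts` block continues below the hunk) this context compiles the Debian branch of `nslcd::params`, and the new `'RedHat'` branch with package `nss-pam-ldapd` and mode `0600` is never exercised. Change the entry to `'RedHat' => 'RedHat'`, and consider a RedHat-specific expectation on the package name and config mode so a regression in that branch is caught. The `describe` block continues outside the hunk.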


@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %>
<% if @ldap_tls_cacertfile -%> <% if @ldap_tls_cacertfile -%>
tls_cacertfile <%= @ldap_tls_cacertfile %> tls_cacertfile <%= @ldap_tls_cacertfile %>
<% end -%> <% end -%>
<% if @ldap_tls_cacertdir -%>
tls_cacertdir <%= @ldap_tls_cacertdir %>
<% end -%>
# The search scope. # The search scope.
scope <%= @ldap_search_scope %> scope <%= @ldap_search_scope %>
@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
filter <%= map %> <%= filter %> filter <%= map %> <%= filter %>
<% end -%> <% end -%>
<% end -%> <% end -%>
<% if @ldap_maps.length > 0 -%>
# Custom search attributes
<% @ldap_maps.each do |map, filter| -%>
<% filter.each do | attribute | -%>
map <%= map %> <%= attribute %>
<% end -%>
<% end -%>
<% end -%>
<% if @bind_timelimit -%>
# Specifies the distinguished name with which to bind to the directory server for lookups.
# The default is to bind anonymously.
bind_timelimit <%= @bind_timelimit %>
<% end -%>
<% if @timelimit -%>
# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
timelimit <%= @timelimit %>
<% end -%>
<% if @idle_timelimit -%>
# Specifies the period if inactivity (in seconds) after which the connection to the
# LDAP server will be closed. The default is not to time out connections.
idle_timelimit <%= @idle_timelimit %>
<% end -%>
<% if @reconnect_sleeptime -%>
# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
# By default 1 second is waited between the first failure and the first retry.
reconnect_sleeptime <%= @reconnect_sleeptime %>
<% end -%>
<% if @reconnect_retrytime -%>
# Specifies the time after which the LDAP server is considered to be permanently unavailable.
# Once this time is reached retries will be done only once per this time period. The default
# value is 10 seconds.
reconnect_retrytime <%= @reconnect_retrytime %>
<% end -%>
<% if @pagesize -%>
# Set this to a number greater than 0 to request paged results from the LDAP server
# in accordance with RFC2696. The default (0) is to not request paged results.
pagesize <%= @pagesize %>
<% end -%>
<% if @referrals -%>
# Specifies whether automatic referral chasing should be enabled. The default behaviour
# is to chase referrals.
referrals <%= @referrals %>
<% end -%>
<% if @nss_initgroups_ignoreusers -%>
# This option prevents group membership lookups through LDAP for the specified users.
# This can be useful in case of unavailability of the LDAP server.
<% @nss_initgroups_ignoreusers.each do | user | -%>
nss_initgroups_ignoreusers <%= user %>
<% end -%>
<% end -%>
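Review bot: The comment emitted above `bind_timelimit` (`# Specifies the distinguished name with which to bind to the directory server for lookups.` / `# The default is to bind anonymously.`) describes `binddn`, not `bind_timelimit`, and will mislead anyone reading the generated `/etc/nslcd.conf`. Replace it with `# Specifies the time limit (in seconds) to use when connecting to the directory server.` and `# The default is 10 seconds.` (wording per nslcd.conf(5); confirm against the installed man page). Separately, the `<% if @bind_timelimit -%>`-style guards around the integer options never skip anything because `0` is truthy in Ruby, so `timelimit 0`, `idle_timelimit 0` and `pagesize 0` are always written; that is harmless if those match nslcd's built-in defaults, but the guards suggest a conditional that does not exist, so either drop them or test `unless @x.nil?` to make the intent explicit.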