commit
0518201b3f
44
README.md
44
README.md
@ -35,11 +35,51 @@ However, we recommend that you declare the class and override a few parameters:
|
|||||||
|
|
||||||
```
|
```
|
||||||
class { 'nslcd':
|
class { 'nslcd':
|
||||||
ldap_uris => ['ldap://ldap.mycompany.com'],
|
ldap_uris => ['ldap://ldap.mycompany.com'],
|
||||||
ldap_ssl => 'on',
|
ldap_ssl => 'on',
|
||||||
|
ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))',
|
||||||
|
passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
|
||||||
|
shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
|
||||||
|
},
|
||||||
|
ldap_maps => { group => 'uniqueMember member',
|
||||||
|
passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ],
|
||||||
|
shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ],
|
||||||
|
},
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
An example in YAML using hashes/arrays:
|
||||||
|
|
||||||
|
```
|
||||||
|
nslcd::ldap_uris:
|
||||||
|
- 'ldap://ldap1.mycompany.com/'
|
||||||
|
- 'ldap://ldap2.mycompany.com/'
|
||||||
|
nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org'
|
||||||
|
nslcd::ldap_binddn: 'binduser@acme.example.org'
|
||||||
|
nslcd::ldap_bindpw: 'password'
|
||||||
|
nslcd::ldap_filters:
|
||||||
|
- group: " (&(objectClass=group)(gidNumber=*))"
|
||||||
|
- passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
|
||||||
|
- shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
|
||||||
|
nslcd::ldap_maps:
|
||||||
|
group: 'uniqueMember member'
|
||||||
|
passwd:
|
||||||
|
- 'homedirectory unixHomeDirectory'
|
||||||
|
- 'uid sAMAccountName'
|
||||||
|
- 'gecos displayName'
|
||||||
|
shadow:
|
||||||
|
- 'shadowLastChange pwdLastSet'
|
||||||
|
- 'uid sAMAccountName'
|
||||||
|
nslcd::nss_initgroups_ignoreusers:
|
||||||
|
- 'root'
|
||||||
|
- 'ALLLOCAL'
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## Reference
|
## Reference
|
||||||
|
|
||||||
*todo*
|
*todo*
|
||||||
|
@ -2,27 +2,38 @@
|
|||||||
#
|
#
|
||||||
# This class manages the nslcd server and service.
|
# This class manages the nslcd server and service.
|
||||||
class nslcd (
|
class nslcd (
|
||||||
$package_ensure = $nslcd::params::package_ensure,
|
$package_ensure = $nslcd::params::package_ensure,
|
||||||
$package_name = $nslcd::params::package_name,
|
$package_name = $nslcd::params::package_name,
|
||||||
$service_ensure = $nslcd::params::service_ensure,
|
$service_ensure = $nslcd::params::service_ensure,
|
||||||
$service_enable = $nslcd::params::service_enable,
|
$service_enable = $nslcd::params::service_enable,
|
||||||
$service_name = $nslcd::params::service_name,
|
$service_name = $nslcd::params::service_name,
|
||||||
$uid = $nslcd::params::uid,
|
$uid = $nslcd::params::uid,
|
||||||
$gid = $nslcd::params::gid,
|
$gid = $nslcd::params::gid,
|
||||||
$config = $nslcd::params::config,
|
$config = $nslcd::params::config,
|
||||||
$config_user = $nslcd::params::config_user,
|
$config_user = $nslcd::params::config_user,
|
||||||
$config_group = $nslcd::params::config_group,
|
$config_group = $nslcd::params::config_group,
|
||||||
$config_mode = $nslcd::params::config_mode,
|
$config_mode = $nslcd::params::config_mode,
|
||||||
$ldap_uris = $nslcd::params::ldap_uris,
|
$ldap_uris = $nslcd::params::ldap_uris,
|
||||||
$ldap_version = $nslcd::params::ldap_version,
|
$ldap_version = $nslcd::params::ldap_version,
|
||||||
$ldap_binddn = $nslcd::params::ldap_binddn,
|
$ldap_binddn = $nslcd::params::ldap_binddn,
|
||||||
$ldap_bindpw = $nslcd::params::ldap_bindpw,
|
$ldap_bindpw = $nslcd::params::ldap_bindpw,
|
||||||
$ldap_search_base = $nslcd::params::ldap_search_base,
|
$ldap_search_base = $nslcd::params::ldap_search_base,
|
||||||
$ldap_search_scope = $nslcd::params::ldap_search_scope,
|
$ldap_search_scope = $nslcd::params::ldap_search_scope,
|
||||||
$ldap_filters = $nslcd::params::ldap_filters,
|
$ldap_filters = $nslcd::params::ldap_filters,
|
||||||
$ldap_ssl = $nslcd::params::ldap_ssl,
|
$ldap_maps = $nslcd::params::ldap_maps,
|
||||||
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
|
$ldap_ssl = $nslcd::params::ldap_ssl,
|
||||||
$ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
|
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
|
||||||
|
$ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
|
||||||
|
$ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir,
|
||||||
|
$bind_timelimit = $nslcd::params::bind_timelimit,
|
||||||
|
$timelimit = $nslcd::params::timelimit,
|
||||||
|
$idle_timelimit = $nslcd::params::idle_timelimit,
|
||||||
|
$reconnect_sleeptime = $nslcd::params::reconnect_sleeptime,
|
||||||
|
$reconnect_retrytime = $nslcd::params::reconnect_retrytime,
|
||||||
|
$pagesize = $nslcd::params::pagesize,
|
||||||
|
$referrals = $nslcd::params::referrals,
|
||||||
|
$nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers,
|
||||||
|
|
||||||
) inherits nslcd::params {
|
) inherits nslcd::params {
|
||||||
|
|
||||||
# Input validation
|
# Input validation
|
||||||
@ -36,6 +47,19 @@ class nslcd (
|
|||||||
validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
|
validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
|
||||||
validate_re($ldap_search_scope, $valid_ldap_search_scope)
|
validate_re($ldap_search_scope, $valid_ldap_search_scope)
|
||||||
|
|
||||||
|
# Ensure that the timing variables are integers.
|
||||||
|
validate_integer($bind_timelimit)
|
||||||
|
validate_integer($timelimit)
|
||||||
|
validate_integer($idle_timelimit)
|
||||||
|
validate_integer($reconnect_sleeptime)
|
||||||
|
validate_integer($reconnect_retrytime)
|
||||||
|
validate_integer($pagesize)
|
||||||
|
|
||||||
|
# do some validation
|
||||||
|
$onoff = '^(on|off)$'
|
||||||
|
|
||||||
|
validate_re($referrals, $onoff )
|
||||||
|
|
||||||
anchor { 'nslcd::begin': } ->
|
anchor { 'nslcd::begin': } ->
|
||||||
class { 'nslcd::install': } ->
|
class { 'nslcd::install': } ->
|
||||||
class { 'nslcd::config': } ~>
|
class { 'nslcd::config': } ~>
|
||||||
|
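Review bot: `$ldap_maps` and `$nss_initgroups_ignoreusers` are added without a structural check next to the new `validate_integer` calls in the second hunk, yet the template in this same commit iterates both (`filter.each`, `@nss_initgroups_ignoreusers.each`), so a scalar supplied from Hiera would surface as a Ruby NoMethodError during template evaluation instead of a clear parameter error. Under `# do some validation` add `validate_hash($ldap_maps)` and `if $nss_initgroups_ignoreusers { validate_array($nss_initgroups_ignoreusers) }`, and replace that comment with something concrete such as `# referrals is an on/off switch, same vocabulary as ldap_ssl`. The one-off `$onoff = '^(on|off)$'` would read more consistently named `$valid_referrals` like the `$valid_ldap_tls_reqcert` / `$valid_ldap_search_scope` patterns above it. The class body continues outside both hunks.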
@ -7,31 +7,47 @@ class nslcd::params {
|
|||||||
$service_ensure = running
|
$service_ensure = running
|
||||||
$service_enable = true
|
$service_enable = true
|
||||||
|
|
||||||
$ldap_uris = ['ldap:///']
|
$ldap_uris = ['ldap:///']
|
||||||
$ldap_version = '3'
|
$ldap_version = '3'
|
||||||
$ldap_binddn = undef
|
$ldap_binddn = undef
|
||||||
$ldap_bindpw = undef
|
$ldap_bindpw = undef
|
||||||
$ldap_search_base = ''
|
$ldap_search_base = ''
|
||||||
$ldap_search_scope = 'subtree'
|
$ldap_search_scope = 'subtree'
|
||||||
$ldap_filters = {}
|
$ldap_filters = {}
|
||||||
$ldap_ssl = 'off'
|
$ldap_maps = {}
|
||||||
$ldap_tls_reqcert = 'allow'
|
$ldap_ssl = 'off'
|
||||||
$ldap_tls_cacertfile = undef
|
$ldap_tls_reqcert = 'allow'
|
||||||
|
$ldap_tls_cacertfile = undef
|
||||||
$default_config = '/etc/nslcd.conf'
|
$ldap_tls_cacertder = undef
|
||||||
$default_package_name = 'nslcd'
|
$bind_timelimit = 10
|
||||||
$default_service_name = 'nslcd'
|
$timelimit = 0
|
||||||
|
$idle_timelimit = 0
|
||||||
|
$reconnect_sleeptime = 1
|
||||||
|
$reconnect_retrytime = 10
|
||||||
|
$pagesize = 0
|
||||||
|
$referrals = 'on'
|
||||||
|
$nss_initgroups_ignoreusers = undef
|
||||||
|
|
||||||
case $::osfamily {
|
case $::osfamily {
|
||||||
Debian: {
|
'Debian': {
|
||||||
$config = $default_config
|
$config = '/etc/nslcd.conf'
|
||||||
$package_name = $default_package_name
|
$package_name = 'nslcd'
|
||||||
$service_name = $default_service_name
|
$service_name = 'nslcd'
|
||||||
$uid = 'nslcd'
|
$uid = 'nslcd'
|
||||||
$gid = 'nslcd'
|
$gid = 'nslcd'
|
||||||
$config_user = 'root'
|
$config_user = 'root'
|
||||||
$config_group = 'nslcd'
|
$config_group = 'nslcd'
|
||||||
$config_mode = '0640'
|
$config_mode = '0640'
|
||||||
|
}
|
||||||
|
'RedHat': {
|
||||||
|
$config = '/etc/nslcd.conf'
|
||||||
|
$package_name = 'nss-pam-ldapd'
|
||||||
|
$service_name = 'nslcd'
|
||||||
|
$uid = 'nslcd'
|
||||||
|
$gid = 'root'
|
||||||
|
$config_user = 'root'
|
||||||
|
$config_group = 'root'
|
||||||
|
$config_mode = '0600'
|
||||||
}
|
}
|
||||||
default: {
|
default: {
|
||||||
fail("The ${module_name} module is not supported on an ${::osfamily} based system.")
|
fail("The ${module_name} module is not supported on an ${::osfamily} based system.")
|
||||||
|
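Review bot: The new default `$ldap_tls_cacertder = undef` is misspelled; `manifests/init.pp` in this commit reads `$nslcd::params::ldap_tls_cacertdir`, which therefore refers to a variable that is never assigned. On Puppet 3 that silently evaluates to undef, so the bug is masked today, but it fails outright under `strict_variables` and hides any future non-undef default. Change the line to `$ldap_tls_cacertdir = undef`. The `case $::osfamily` block continues past the end of the hunk.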
@ -2,7 +2,7 @@ require 'spec_helper'
|
|||||||
|
|
||||||
describe 'nslcd' do
|
describe 'nslcd' do
|
||||||
|
|
||||||
{'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
|
{'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
|
||||||
context "when on system #{system}" do
|
context "when on system #{system}" do
|
||||||
let :facts do
|
let :facts do
|
||||||
{
|
{
|
||||||
|
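Review bot: The new entry `'RedHat' => 'Debian'` maps the RedHat operating system to the Debian osfamily, so the `let :facts` block built from `family` never reaches the new `'RedHat'` branch added to `nslcd::params` in this commit, and the RedHat-specific package name, group and mode go untested. Change it to `'RedHat' => 'RedHat'`, and expect the RedHat-specific assertions (package `nss-pam-ldapd`, config mode `0600`) to need their own `context` rather than the shared Debian expectations. The `let :facts` block continues outside the hunk.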
@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %>
|
|||||||
<% if @ldap_tls_cacertfile -%>
|
<% if @ldap_tls_cacertfile -%>
|
||||||
tls_cacertfile <%= @ldap_tls_cacertfile %>
|
tls_cacertfile <%= @ldap_tls_cacertfile %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
<% if @ldap_tls_cacertdir -%>
|
||||||
|
tls_cacertdir <%= @ldap_tls_cacertdir %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
# The search scope.
|
# The search scope.
|
||||||
scope <%= @ldap_search_scope %>
|
scope <%= @ldap_search_scope %>
|
||||||
@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
|
|||||||
filter <%= map %> <%= filter %>
|
filter <%= map %> <%= filter %>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @ldap_maps.length > 0 -%>
|
||||||
|
# Custom search attributes
|
||||||
|
<% @ldap_maps.each do |map, filter| -%>
|
||||||
|
<% filter.each do | attribute | -%>
|
||||||
|
map <%= map %> <%= attribute %>
|
||||||
|
<% end -%>
|
||||||
|
<% end -%>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @bind_timelimit -%>
|
||||||
|
# Specifies the distinguished name with which to bind to the directory server for lookups.
|
||||||
|
# The default is to bind anonymously.
|
||||||
|
bind_timelimit <%= @bind_timelimit %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @timelimit -%>
|
||||||
|
# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
|
||||||
|
# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
|
||||||
|
timelimit <%= @timelimit %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @idle_timelimit -%>
|
||||||
|
# Specifies the period if inactivity (in seconds) after which the connection to the
|
||||||
|
# LDAP server will be closed. The default is not to time out connections.
|
||||||
|
idle_timelimit <%= @idle_timelimit %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @reconnect_sleeptime -%>
|
||||||
|
# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
|
||||||
|
# By default 1 second is waited between the first failure and the first retry.
|
||||||
|
reconnect_sleeptime <%= @reconnect_sleeptime %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @reconnect_retrytime -%>
|
||||||
|
# Specifies the time after which the LDAP server is considered to be permanently unavailable.
|
||||||
|
# Once this time is reached retries will be done only once per this time period. The default
|
||||||
|
# value is 10 seconds.
|
||||||
|
reconnect_retrytime <%= @reconnect_retrytime %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @pagesize -%>
|
||||||
|
# Set this to a number greater than 0 to request paged results from the LDAP server
|
||||||
|
# in accordance with RFC2696. The default (0) is to not request paged results.
|
||||||
|
pagesize <%= @pagesize %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @referrals -%>
|
||||||
|
# Specifies whether automatic referral chasing should be enabled. The default behaviour
|
||||||
|
# is to chase referrals.
|
||||||
|
referrals <%= @referrals %>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
<% if @nss_initgroups_ignoreusers -%>
|
||||||
|
# This option prevents group membership lookups through LDAP for the specified users.
|
||||||
|
# This can be useful in case of unavailability of the LDAP server.
|
||||||
|
<% @nss_initgroups_ignoreusers.each do | user | -%>
|
||||||
|
nss_initgroups_ignoreusers <%= user %>
|
||||||
|
<% end -%>
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
|
||||||
|
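Review bot: `<% filter.each do | attribute | -%>` in the second hunk assumes every `ldap_maps` value is an array, but the README example added by this same commit passes `group => 'uniqueMember member'` as a plain string, and `String#each` does not exist in Ruby 1.9+, so that documented example fails at template evaluation; write it as `<% Array(filter).each do |attribute| -%>` and likewise `<% Array(@nss_initgroups_ignoreusers).each do |user| -%>`, which accepts both a scalar and a list. The comment above `bind_timelimit` is a copy of the bind DN text and describes the wrong option; replace the two lines with `# Specifies the time limit (in seconds) to use when connecting to the directory server.`. Note also that the `<% if @timelimit -%>`-style guards are always true for an integer 0 (0 is truthy in Ruby), so the numeric options are emitted unconditionally; harmless with the current defaults, but the guards suggest otherwise, so either drop them or compare against nil explicitly.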