Merge pull request #1 from bschonec/dev

Added a lot more parameters.
This commit is contained in:
Brian Schonecker 2015-11-20 14:52:51 -05:00
commit 0518201b3f
5 changed files with 192 additions and 47 deletions

View File

@ -37,9 +37,49 @@ However, we recommend that you declare the class and override a few parameters:
class { 'nslcd':
ldap_uris => ['ldap://ldap.mycompany.com'],
ldap_ssl => 'on',
ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))',
passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
},
ldap_maps => { group => 'uniqueMember member',
passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ],
shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ],
},
}
```
An example in YAML using hashes/arrays:
```
nslcd::ldap_uris:
- 'ldap://ldap1.mycompany.com/'
- 'ldap://ldap2.mycompany.com/'
nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org'
nslcd::ldap_binddn: 'binduser@acme.example.org'
nslcd::ldap_bindpw: 'password'
nslcd::ldap_filters:
- group: " (&(objectClass=group)(gidNumber=*))"
- passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
- shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
nslcd::ldap_maps:
group: 'uniqueMember member'
passwd:
- 'homedirectory unixHomeDirectory'
- 'uid sAMAccountName'
- 'gecos displayName'
shadow:
- 'shadowLastChange pwdLastSet'
- 'uid sAMAccountName'
nslcd::nss_initgroups_ignoreusers:
- 'root'
- 'ALLLOCAL'
```
## Reference
*todo*

View File

@ -20,9 +20,20 @@ class nslcd (
$ldap_search_base = $nslcd::params::ldap_search_base,
$ldap_search_scope = $nslcd::params::ldap_search_scope,
$ldap_filters = $nslcd::params::ldap_filters,
$ldap_maps = $nslcd::params::ldap_maps,
$ldap_ssl = $nslcd::params::ldap_ssl,
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
$ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
$ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir,
$bind_timelimit = $nslcd::params::bind_timelimit,
$timelimit = $nslcd::params::timelimit,
$idle_timelimit = $nslcd::params::idle_timelimit,
$reconnect_sleeptime = $nslcd::params::reconnect_sleeptime,
$reconnect_retrytime = $nslcd::params::reconnect_retrytime,
$pagesize = $nslcd::params::pagesize,
$referrals = $nslcd::params::referrals,
$nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers,
) inherits nslcd::params {
# Input validation
@ -36,6 +47,19 @@ class nslcd (
validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
validate_re($ldap_search_scope, $valid_ldap_search_scope)
# Ensure that the timing variables are integers.
validate_integer($bind_timelimit)
validate_integer($timelimit)
validate_integer($idle_timelimit)
validate_integer($reconnect_sleeptime)
validate_integer($reconnect_retrytime)
validate_integer($pagesize)
# do some validation
$onoff = '^(on|off)$'
validate_re($referrals, $onoff )
anchor { 'nslcd::begin': } ->
class { 'nslcd::install': } ->
class { 'nslcd::config': } ~>

View File

@ -14,25 +14,41 @@ class nslcd::params {
$ldap_search_base = ''
$ldap_search_scope = 'subtree'
$ldap_filters = {}
$ldap_maps = {}
$ldap_ssl = 'off'
$ldap_tls_reqcert = 'allow'
$ldap_tls_cacertfile = undef
$default_config = '/etc/nslcd.conf'
$default_package_name = 'nslcd'
$default_service_name = 'nslcd'
$ldap_tls_cacertder = undef
$bind_timelimit = 10
$timelimit = 0
$idle_timelimit = 0
$reconnect_sleeptime = 1
$reconnect_retrytime = 10
$pagesize = 0
$referrals = 'on'
$nss_initgroups_ignoreusers = undef
case $::osfamily {
Debian: {
$config = $default_config
$package_name = $default_package_name
$service_name = $default_service_name
'Debian': {
$config = '/etc/nslcd.conf'
$package_name = 'nslcd'
$service_name = 'nslcd'
$uid = 'nslcd'
$gid = 'nslcd'
$config_user = 'root'
$config_group = 'nslcd'
$config_mode = '0640'
}
'RedHat': {
$config = '/etc/nslcd.conf'
$package_name = 'nss-pam-ldapd'
$service_name = 'nslcd'
$uid = 'nslcd'
$gid = 'root'
$config_user = 'root'
$config_group = 'root'
$config_mode = '0600'
}
default: {
fail("The ${module_name} module is not supported on an ${::osfamily} based system.")
}

View File

@ -2,7 +2,7 @@ require 'spec_helper'
describe 'nslcd' do
{'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
{'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
context "when on system #{system}" do
let :facts do
{

View File

@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %>
<% if @ldap_tls_cacertfile -%>
tls_cacertfile <%= @ldap_tls_cacertfile %>
<% end -%>
<% if @ldap_tls_cacertdir -%>
tls_cacertdir <%= @ldap_tls_cacertdir %>
<% end -%>
# The search scope.
scope <%= @ldap_search_scope %>
@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
filter <%= map %> <%= filter %>
<% end -%>
<% end -%>
<% if @ldap_maps.length > 0 -%>
# Custom search attributes
<% @ldap_maps.each do |map, filter| -%>
<% filter.each do | attribute | -%>
map <%= map %> <%= attribute %>
<% end -%>
<% end -%>
<% end -%>
<% if @bind_timelimit -%>
# Specifies the distinguished name with which to bind to the directory server for lookups.
# The default is to bind anonymously.
bind_timelimit <%= @bind_timelimit %>
<% end -%>
<% if @timelimit -%>
# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
timelimit <%= @timelimit %>
<% end -%>
<% if @idle_timelimit -%>
# Specifies the period if inactivity (in seconds) after which the connection to the
# LDAP server will be closed. The default is not to time out connections.
idle_timelimit <%= @idle_timelimit %>
<% end -%>
<% if @reconnect_sleeptime -%>
# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
# By default 1 second is waited between the first failure and the first retry.
reconnect_sleeptime <%= @reconnect_sleeptime %>
<% end -%>
<% if @reconnect_retrytime -%>
# Specifies the time after which the LDAP server is considered to be permanently unavailable.
# Once this time is reached retries will be done only once per this time period. The default
# value is 10 seconds.
reconnect_retrytime <%= @reconnect_retrytime %>
<% end -%>
<% if @pagesize -%>
# Set this to a number greater than 0 to request paged results from the LDAP server
# in accordance with RFC2696. The default (0) is to not request paged results.
pagesize <%= @pagesize %>
<% end -%>
<% if @referrals -%>
# Specifies whether automatic referral chasing should be enabled. The default behaviour
# is to chase referrals.
referrals <%= @referrals %>
<% end -%>
<% if @nss_initgroups_ignoreusers -%>
# This option prevents group membership lookups through LDAP for the specified users.
# This can be useful in case of unavailability of the LDAP server.
<% @nss_initgroups_ignoreusers.each do | user | -%>
nss_initgroups_ignoreusers <%= user %>
<% end -%>
<% end -%>