commit
0518201b3f
40
README.md
40
README.md
@ -37,9 +37,49 @@ However, we recommend that you declare the class and override a few parameters:
|
||||
class { 'nslcd':
|
||||
ldap_uris => ['ldap://ldap.mycompany.com'],
|
||||
ldap_ssl => 'on',
|
||||
ldap_filters => { group => '(&(objectClass=group)(gidNumber=*))',
|
||||
passwd => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
|
||||
shadow => '(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))',
|
||||
},
|
||||
ldap_maps => { group => 'uniqueMember member',
|
||||
passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName', ],
|
||||
shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName', ],
|
||||
},
|
||||
}
|
||||
```
|
||||
|
||||
An example in YAML using hashes/arrays:
|
||||
|
||||
```
|
||||
nslcd::ldap_uris:
|
||||
- 'ldap://ldap1.mycompany.com/'
|
||||
- 'ldap://ldap2.mycompany.com/'
|
||||
nslcd::ldap_search_base: 'dc=acme,dc=example,dc=org'
|
||||
nslcd::ldap_binddn: 'binduser@acme.example.org'
|
||||
nslcd::ldap_bindpw: 'password'
|
||||
nslcd::ldap_filters:
|
||||
- group: " (&(objectClass=group)(gidNumber=*))"
|
||||
- passwd: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
|
||||
- shadow: " (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"
|
||||
nslcd::ldap_maps:
|
||||
group: 'uniqueMember member'
|
||||
passwd:
|
||||
- 'homedirectory unixHomeDirectory'
|
||||
- 'uid sAMAccountName'
|
||||
- 'gecos displayName'
|
||||
shadow:
|
||||
- 'shadowLastChange pwdLastSet'
|
||||
- 'uid sAMAccountName'
|
||||
nslcd::nss_initgroups_ignoreusers:
|
||||
- 'root'
|
||||
- 'ALLLOCAL'
|
||||
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Reference
|
||||
|
||||
*todo*
|
||||
|
@ -20,9 +20,20 @@ class nslcd (
|
||||
$ldap_search_base = $nslcd::params::ldap_search_base,
|
||||
$ldap_search_scope = $nslcd::params::ldap_search_scope,
|
||||
$ldap_filters = $nslcd::params::ldap_filters,
|
||||
$ldap_maps = $nslcd::params::ldap_maps,
|
||||
$ldap_ssl = $nslcd::params::ldap_ssl,
|
||||
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert,
|
||||
$ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile,
|
||||
$ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir,
|
||||
$bind_timelimit = $nslcd::params::bind_timelimit,
|
||||
$timelimit = $nslcd::params::timelimit,
|
||||
$idle_timelimit = $nslcd::params::idle_timelimit,
|
||||
$reconnect_sleeptime = $nslcd::params::reconnect_sleeptime,
|
||||
$reconnect_retrytime = $nslcd::params::reconnect_retrytime,
|
||||
$pagesize = $nslcd::params::pagesize,
|
||||
$referrals = $nslcd::params::referrals,
|
||||
$nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers,
|
||||
|
||||
) inherits nslcd::params {
|
||||
|
||||
# Input validation
|
||||
@ -36,6 +47,19 @@ class nslcd (
|
||||
validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert)
|
||||
validate_re($ldap_search_scope, $valid_ldap_search_scope)
|
||||
|
||||
# Ensure that the timing variables are integers.
|
||||
validate_integer($bind_timelimit)
|
||||
validate_integer($timelimit)
|
||||
validate_integer($idle_timelimit)
|
||||
validate_integer($reconnect_sleeptime)
|
||||
validate_integer($reconnect_retrytime)
|
||||
validate_integer($pagesize)
|
||||
|
||||
# do some validation
|
||||
$onoff = '^(on|off)$'
|
||||
|
||||
validate_re($referrals, $onoff )
|
||||
|
||||
anchor { 'nslcd::begin': } ->
|
||||
class { 'nslcd::install': } ->
|
||||
class { 'nslcd::config': } ~>
|
||||
|
@ -14,25 +14,41 @@ class nslcd::params {
|
||||
$ldap_search_base = ''
|
||||
$ldap_search_scope = 'subtree'
|
||||
$ldap_filters = {}
|
||||
$ldap_maps = {}
|
||||
$ldap_ssl = 'off'
|
||||
$ldap_tls_reqcert = 'allow'
|
||||
$ldap_tls_cacertfile = undef
|
||||
|
||||
$default_config = '/etc/nslcd.conf'
|
||||
$default_package_name = 'nslcd'
|
||||
$default_service_name = 'nslcd'
|
||||
$ldap_tls_cacertder = undef
|
||||
$bind_timelimit = 10
|
||||
$timelimit = 0
|
||||
$idle_timelimit = 0
|
||||
$reconnect_sleeptime = 1
|
||||
$reconnect_retrytime = 10
|
||||
$pagesize = 0
|
||||
$referrals = 'on'
|
||||
$nss_initgroups_ignoreusers = undef
|
||||
|
||||
case $::osfamily {
|
||||
Debian: {
|
||||
$config = $default_config
|
||||
$package_name = $default_package_name
|
||||
$service_name = $default_service_name
|
||||
'Debian': {
|
||||
$config = '/etc/nslcd.conf'
|
||||
$package_name = 'nslcd'
|
||||
$service_name = 'nslcd'
|
||||
$uid = 'nslcd'
|
||||
$gid = 'nslcd'
|
||||
$config_user = 'root'
|
||||
$config_group = 'nslcd'
|
||||
$config_mode = '0640'
|
||||
}
|
||||
'RedHat': {
|
||||
$config = '/etc/nslcd.conf'
|
||||
$package_name = 'nss-pam-ldapd'
|
||||
$service_name = 'nslcd'
|
||||
$uid = 'nslcd'
|
||||
$gid = 'root'
|
||||
$config_user = 'root'
|
||||
$config_group = 'root'
|
||||
$config_mode = '0600'
|
||||
}
|
||||
default: {
|
||||
fail("The ${module_name} module is not supported on an ${::osfamily} based system.")
|
||||
}
|
||||
|
@ -2,7 +2,7 @@ require 'spec_helper'
|
||||
|
||||
describe 'nslcd' do
|
||||
|
||||
{'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
|
||||
{'RedHat' => 'Debian', 'Ubuntu' => 'Debian', 'Debian' => 'Debian'}.each do |system, family|
|
||||
context "when on system #{system}" do
|
||||
let :facts do
|
||||
{
|
||||
|
@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %>
|
||||
<% if @ldap_tls_cacertfile -%>
|
||||
tls_cacertfile <%= @ldap_tls_cacertfile %>
|
||||
<% end -%>
|
||||
<% if @ldap_tls_cacertdir -%>
|
||||
tls_cacertdir <%= @ldap_tls_cacertdir %>
|
||||
<% end -%>
|
||||
|
||||
# The search scope.
|
||||
scope <%= @ldap_search_scope %>
|
||||
@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
|
||||
filter <%= map %> <%= filter %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% if @ldap_maps.length > 0 -%>
|
||||
# Custom search attributes
|
||||
<% @ldap_maps.each do |map, filter| -%>
|
||||
<% filter.each do | attribute | -%>
|
||||
map <%= map %> <%= attribute %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% if @bind_timelimit -%>
|
||||
# Specifies the distinguished name with which to bind to the directory server for lookups.
|
||||
# The default is to bind anonymously.
|
||||
bind_timelimit <%= @bind_timelimit %>
|
||||
<% end -%>
|
||||
|
||||
<% if @timelimit -%>
|
||||
# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
|
||||
# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
|
||||
timelimit <%= @timelimit %>
|
||||
<% end -%>
|
||||
|
||||
<% if @idle_timelimit -%>
|
||||
# Specifies the period if inactivity (in seconds) after which the connection to the
|
||||
# LDAP server will be closed. The default is not to time out connections.
|
||||
idle_timelimit <%= @idle_timelimit %>
|
||||
<% end -%>
|
||||
|
||||
<% if @reconnect_sleeptime -%>
|
||||
# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
|
||||
# By default 1 second is waited between the first failure and the first retry.
|
||||
reconnect_sleeptime <%= @reconnect_sleeptime %>
|
||||
<% end -%>
|
||||
|
||||
<% if @reconnect_retrytime -%>
|
||||
# Specifies the time after which the LDAP server is considered to be permanently unavailable.
|
||||
# Once this time is reached retries will be done only once per this time period. The default
|
||||
# value is 10 seconds.
|
||||
reconnect_retrytime <%= @reconnect_retrytime %>
|
||||
<% end -%>
|
||||
|
||||
<% if @pagesize -%>
|
||||
# Set this to a number greater than 0 to request paged results from the LDAP server
|
||||
# in accordance with RFC2696. The default (0) is to not request paged results.
|
||||
pagesize <%= @pagesize %>
|
||||
<% end -%>
|
||||
|
||||
<% if @referrals -%>
|
||||
# Specifies whether automatic referral chasing should be enabled. The default behaviour
|
||||
# is to chase referrals.
|
||||
referrals <%= @referrals %>
|
||||
<% end -%>
|
||||
|
||||
<% if @nss_initgroups_ignoreusers -%>
|
||||
# This option prevents group membership lookups through LDAP for the specified users.
|
||||
# This can be useful in case of unavailability of the LDAP server.
|
||||
<% @nss_initgroups_ignoreusers.each do | user | -%>
|
||||
nss_initgroups_ignoreusers <%= user %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user