diff --git a/manifests/init.pp b/manifests/init.pp
index 6aa8af6..39d890a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,27 +2,38 @@ # # This class manages the nslcd server and service. class nslcd ( - $package_ensure = $nslcd::params::package_ensure, - $package_name = $nslcd::params::package_name, - $service_ensure = $nslcd::params::service_ensure, - $service_enable = $nslcd::params::service_enable, - $service_name = $nslcd::params::service_name, - $uid = $nslcd::params::uid, - $gid = $nslcd::params::gid, - $config = $nslcd::params::config, - $config_user = $nslcd::params::config_user, - $config_group = $nslcd::params::config_group, - $config_mode = $nslcd::params::config_mode, - $ldap_uris = $nslcd::params::ldap_uris, - $ldap_version = $nslcd::params::ldap_version, - $ldap_binddn = $nslcd::params::ldap_binddn, - $ldap_bindpw = $nslcd::params::ldap_bindpw, - $ldap_search_base = $nslcd::params::ldap_search_base, - $ldap_search_scope = $nslcd::params::ldap_search_scope, - $ldap_filters = $nslcd::params::ldap_filters, - $ldap_ssl = $nslcd::params::ldap_ssl, - $ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert, - $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile, + $package_ensure = $nslcd::params::package_ensure, + $package_name = $nslcd::params::package_name, + $service_ensure = $nslcd::params::service_ensure, + $service_enable = $nslcd::params::service_enable, + $service_name = $nslcd::params::service_name, + $uid = $nslcd::params::uid, + $gid = $nslcd::params::gid, + $config = $nslcd::params::config, + $config_user = $nslcd::params::config_user, + $config_group = $nslcd::params::config_group, + $config_mode = $nslcd::params::config_mode, + $ldap_uris = $nslcd::params::ldap_uris, + $ldap_version = $nslcd::params::ldap_version, + $ldap_binddn = $nslcd::params::ldap_binddn, + $ldap_bindpw = $nslcd::params::ldap_bindpw, + $ldap_search_base = $nslcd::params::ldap_search_base, + $ldap_search_scope = $nslcd::params::ldap_search_scope, + $ldap_filters = $nslcd::params::ldap_filters, + $ldap_maps = $nslcd::params::ldap_maps, + $ldap_ssl = $nslcd::params::ldap_ssl, + 
$ldap_tls_reqcert = $nslcd::params::ldap_tls_reqcert, + $ldap_tls_cacertfile = $nslcd::params::ldap_tls_cacertfile, + $ldap_tls_cacertdir = $nslcd::params::ldap_tls_cacertdir, + $bind_timelimit = $nslcd::params::bind_timelimit, + $timelimit = $nslcd::params::timelimit, + $idle_timelimit = $nslcd::params::idle_timelimit, + $reconnect_sleeptime = $nslcd::params::reconnect_sleeptime, + $reconnect_retrytime = $nslcd::params::reconnect_retrytime, + $pagesize = $nslcd::params::pagesize, + $referrals = $nslcd::params::referrals, + $nss_initgroups_ignoreusers = $nslcd::params::nss_initgroups_ignoreusers, + ) inherits nslcd::params { # Input validation @@ -36,6 +47,19 @@ class nslcd ( validate_re($ldap_tls_reqcert, $valid_ldap_tls_reqcert) validate_re($ldap_search_scope, $valid_ldap_search_scope) + # Ensure that the timing variables are integers. + validate_integer($bind_timelimit) + validate_integer($timelimit) + validate_integer($idle_timelimit) + validate_integer($reconnect_sleeptime) + validate_integer($reconnect_retrytime) + validate_integer($pagesize) + + # do some validation + $onoff = '^(on|off)$' + + validate_re($referrals, $onoff ) + anchor { 'nslcd::begin': } -> class { 'nslcd::install': } -> class { 'nslcd::config': } ~> diff --git a/manifests/params.pp b/manifests/params.pp index e2ecce5..3b7b657 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
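Review bot: The new validation block checks the six timing values and `$referrals`, but the two structured parameters added in this commit are never validated even though the template calls methods on them: `$ldap_maps` is used with `.length`/`.each` and `$nss_initgroups_ignoreusers` with `.each`, so a scalar value would surface as a template error at compile time instead of a clear validation message. Adding `validate_hash($ldap_maps)` and `if $nss_initgroups_ignoreusers { validate_array($nss_initgroups_ignoreusers) }` next to the `validate_integer` calls follows the pattern already used here. The new `$ldap_tls_cacertdir` could likewise be checked with `validate_absolute_path` when set, consistent with however `$ldap_tls_cacertfile` is handled above the hunk. As a point of style, `$onoff` is an inline pattern whereas the earlier checks use `$valid_…` variables; naming it `$valid_referrals` keeps the convention. The enclosing class begins outside this hunk.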
@@ -7,36 +7,56 @@ class nslcd::params { $service_ensure = running $service_enable = true - $ldap_uris = ['ldap:///'] - $ldap_version = '3' - $ldap_binddn = undef - $ldap_bindpw = undef - $ldap_search_base = '' - $ldap_search_scope = 'subtree' - $ldap_filters = {} - $ldap_ssl = 'off' - $ldap_tls_reqcert = 'allow' - $ldap_tls_cacertfile = undef - - $default_config = '/etc/nslcd.conf' - $default_package_name = 'nslcd' - $default_service_name = 'nslcd' + $ldap_uris = ['ldap:///'] + $ldap_version = '3' + $ldap_binddn = undef + $ldap_bindpw = undef + $ldap_search_base = '' + $ldap_search_scope = 'subtree' + $ldap_filters = {} + $ldap_maps = {} + $ldap_ssl = 'off' + $ldap_tls_reqcert = 'allow' + $ldap_tls_cacertfile = undef + $ldap_tls_cacertder = undef + $default_config = '/etc/nslcd.conf' + $bind_timelimit = 10 + $timelimit = 0 + $idle_timelimit = 0 + $reconnect_sleeptime = 1 + $reconnect_retrytime = 10 + $pagesize = 0 + $referrals = 'on' + $nss_initgroups_ignoreusers = undef case $::osfamily { Debian: { - $config = $default_config - $package_name = $default_package_name - $service_name = $default_service_name - $uid = 'nslcd' - $gid = 'nslcd' - $config_user = 'root' - $config_group = 'nslcd' - $config_mode = '0640' + $default_package_name = 'nslcd' + $config = $default_config + $package_name = $default_package_name + $service_name = $default_service_name + $uid = 'nslcd' + $gid = 'nslcd' + $config_user = 'root' + $config_group = 'nslcd' + $config_mode = '0640' + } + RedHat: { + $default_package_name = 'nss-pam-ldapd' + $config = $default_config + $package_name = $default_package_name + $service_name = $default_service_name + $uid = 'nslcd' + $gid = 'root' + $config_user = 'root' + $config_group = 'root' + $config_mode = '0600' } default: { fail("The ${module_name} module is not supported on an ${::osfamily} based system.") } } + $default_service_name = 'nslcd' } diff --git a/templates/nslcd.erb b/templates/nslcd.erb index f6fcdf1..7b44ee7 100644 
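Review bot: `$default_service_name = 'nslcd'` is now assigned after the `case $::osfamily` block, yet both the Debian and the new RedHat branch read it for `$service_name`; Puppet evaluates a class body top to bottom, so the reference resolves to undef (or fails outright under strict_variables) and `$service_name` is unset in both branches. Move `$default_service_name = 'nslcd'` back above the `case`, next to `$default_config`. The new `$ldap_tls_cacertder = undef` is also misspelled: init.pp in the same commit defaults `$ldap_tls_cacertdir` to `$nslcd::params::ldap_tls_cacertdir`, which this class does not define, so rename the line to `$ldap_tls_cacertdir = undef`. Both problems are masked today only because the undef default happens to coincide with the value of a missing variable.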
--- a/templates/nslcd.erb +++ b/templates/nslcd.erb @@ -28,6 +28,9 @@ tls_reqcert <%= @ldap_tls_reqcert %> <% if @ldap_tls_cacertfile -%> tls_cacertfile <%= @ldap_tls_cacertfile %> <% end -%> +<% if @ldap_tls_cacertdir -%> +tls_cacertdir <%= @ldap_tls_cacertdir %> +<% end -%> # The search scope. scope <%= @ldap_search_scope %> 
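Review bot: The new `tls_cacertdir` directive only contributes to security when certificate verification is enforced; with the module defaults from params.pp (`$ldap_ssl = 'off'`, `$ldap_tls_reqcert = 'allow'`) nslcd either does not use TLS or accepts a bad server certificate, so a CA directory on its own does not protect against an impersonated directory server. Since the class parameter docs are outside this hunk, a one-line note there would help, e.g. `# Directory of CA certificates; only enforced when ldap_tls_reqcert is 'demand' or 'hard' and ssl is enabled`.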
@@ -38,3 +41,65 @@ scope <%= @ldap_search_scope %>
 filter <%= map %> <%= filter %>
 <% end -%>
 <% end -%>
+
+<% if @ldap_maps.length > 0 -%>
+# Custom search attributes
+<% @ldap_maps.each do |map, filter| -%>
+<% filter.each do | attribute | -%>
+map <%= map %> <%= attribute %>
+<% end -%>
+<% end -%>
+<% end -%>
+
+<% if @bind_timelimit -%>
+# Specifies the distinguished name with which to bind to the directory server for lookups.
+# The default is to bind anonymously.
+bind_timelimit <%= @bind_timelimit %>
+<% end -%>
+
+<% if @timelimit -%>
+# Specifies the time limit (in seconds) to wait for a response from the LDAP server.
+# A value of zero (0), which is the default, is to wait indefinitely for searches to be completed.
+timelimit <%= @timelimit %>
+<% end -%>
+
+<% if @idle_timelimit -%>
+# Specifies the period if inactivity (in seconds) after which the connection to the
+# LDAP server will be closed. The default is not to time out connections.
+idle_timelimit <%= @idle_timelimit %>
+<% end -%>
+
+<% if @reconnect_sleeptime -%>
+# Specifies the number of seconds to sleep when connecting to all LDAP servers fails.
+# By default 1 second is waited between the first failure and the first retry.
+reconnect_sleeptime <%= @reconnect_sleeptime %>
+<% end -%>
+
+<% if @reconnect_retrytime -%>
+# Specifies the time after which the LDAP server is considered to be permanently unavailable.
+# Once this time is reached retries will be done only once per this time period. The default
+# value is 10 seconds.
+reconnect_retrytime <%= @reconnect_retrytime %>
+<% end -%>
+
+<% if @pagesize -%>
+# Set this to a number greater than 0 to request paged results from the LDAP server
+# in accordance with RFC2696. The default (0) is to not request paged results.
+pagesize <%= @pagesize %>
+<% end -%>
+
+<% if @referrals -%>
+# Specifies whether automatic referral chasing should be enabled. The default behaviour
+# is to chase referrals.
+referrals <%= @referrals %>
+<% end -%>
+
+<% if @nss_initgroups_ignoreusers -%>
+# This option prevents group membership lookups through LDAP for the specified users.
+# This can be useful in case of unavailability of the LDAP server.
+<% @nss_initgroups_ignoreusers.each do | user | -%>
+nss_initgroups_ignoreusers <%= user %>
+<% end -%>
+<% end -%>
+
+
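Review bot: The comment rendered above `bind_timelimit` describes a different option — it is the binddn text ("distinguished name with which to bind … bind anonymously") — and it is written verbatim into /etc/nslcd.conf on every host. Replace the two lines with `# Specifies the time limit (in seconds) to use when connecting to the directory server.` and `# This affects connection set-up only; the default is 10 seconds.`. In the `idle_timelimit` comment, `period if inactivity` should read `period of inactivity`. Note also that the `<% if @timelimit -%>`-style guards never suppress these options: only nil and false are falsy in Ruby, so the `0` defaults for `timelimit`, `idle_timelimit` and `pagesize` are always emitted; that is harmless, but the guards suggest a "only when set" behaviour that does not exist.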