Repository containing Puppet code to configure Cubieserver machines
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

106 lines
2.8 KiB

class profile::openldap (
String $admin_password,
String $ssl_key_path,
String $ssl_cert_path,
String $server_name = 'example',
String $tld = 'com',
) {
$domain = "dc=${server_name},dc=${tld}"
# allow openldap to access ssl-certificates
user { 'openldap':
groups => ['ssl-cert'],
require => [ Package['ssl-cert'], Package['slapd'] ],
notify => Service['slapd'],
}
class { '::openldap::client':
base => $domain,
}
class { '::openldap::server':
provider => 'olc',
ssl_key => $ssl_key_path,
ssl_cert => $ssl_cert_path,
ldap_ifs => ['/'], # listen on port 389
ldaps_ifs => ['/'], # listen on port 636
ldapi_ifs => ['/'], # listen on unix socket /var/run/slapd/ldapi
}
openldap::server::database { $domain:
ensure => present,
rootdn => "cn=admin,${domain}",
rootpw => $admin_password,
}
# load and install additional modules
openldap::server::module { 'memberof':
ensure => present,
}
openldap::server::overlay { "memberof on ${domain}":
ensure => present,
}
# load additional schemas
openldap::server::schema { 'inetorgperson':
ensure => present,
}
firewall { '101 allow secure ldap traffic':
dport => '636',
proto => tcp,
action => accept,
}
firewall { '101 allow secure ldap traffic (v6)':
dport => '636',
proto => tcp,
action => accept,
provider => 'ip6tables',
}
# Access Control
# only admin can write userPassword and shadowLastChange, everyone else (including bind) cannot read or write
openldap::server::access { "{0}to attrs=userPassword,shadowLastChange by dn=\"cn=admin,${domain}\" write by anonymous auth by * none on ${domain}" : }
# user (self) can read all attributes, admin can write all attributes, bind can read all attributes, everyone else can do anything
openldap::server::access { "{1}to * by self read by dn=\"cn=admin,${domain}\" write by dn=\"cn=bind,${domain}\" read by * none on ${domain}" : }
# template for backup job also uses $domain
file { '/usr/local/sbin/openldap-backup.sh':
ensure => present,
mode => '0751',
content => template('profile/openldap-backup.sh.erb'),
}
# setup backup job
cron { 'backup openldap database':
command => '/usr/local/sbin/openldap-backup.sh',
hour => 22,
minute => 22,
require => File['/usr/local/sbin/openldap-backup.sh'],
}
# TODO: schemas required?
#openldap::server::schema { 'samba':
# ensure => present,
# require => Openldap::Server::Schema['inetorgperson'],
#}
#openldap::server::schema { 'nis':
# ensure => present,
# require => Openldap::Server::Schema['inetorgperson'],
#}
# TODO: password policy module ppolicy required?
# install additional database utilities
package { 'db-util':
ensure => present,
}
}