Initial version based on documentation from Neil McBennett. All errors are mine though :-)

erwbgy · erwbgy · commit f7eeb7d41992 · 2012-11-30T17:44:22.000Z
diff --git a/.fixtures.yml b/.fixtures.yml
@@ -0,0 +1,3 @@
+fixtures:
+  symlinks:
+    jboss: "#{source_dir}"
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+pkg/
+metadata.json
+*.swp
diff --git a/Modulefile b/Modulefile
@@ -0,0 +1,8 @@
+name    'erwbgy-pamldap'
+version '0.1.0'
+source 'https://github.com/erwbgy/puppet-pamldap.git'
+author 'erwbgy'
+license 'Apache License, Version 2.0'
+summary 'Use LDAP for user login/authentication/authorisation/name resolution'
+description 'Use LDAP for user login/authentication/authorisation/name resolution'
+project_page 'git.com:erwbgy/puppet-pamldap.git'
diff --git a/README.md b/README.md
@@ -1,8 +1,9 @@
 # puppet-pamldap
 
-Puppet module to use LDAP for user login/authentication/authorisation and related name resolution
+Puppet module to use LDAP for user login/authentication/authorisation and
+related name resolution
 
 ## Credits
 
-This is based on detailed documentation and setup by my colleague Neil McBennett.  
-He did all the hard work, I just puppetised it.
+This is based on detailed documentation and setup by my colleague Neil
+McBennett.  He did all the hard work, I just puppetised it.
diff --git a/Rakefile b/Rakefile
@@ -0,0 +1,2 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/rake_tasks'
diff --git a/example.yaml b/example.yaml
@@ -0,0 +1,4 @@
+pamldap:
+  base_dn: 'dc=sportingbet,dc=com'
+  uris: [ 'ldap://10.7.96.13', 'ldap://10.7.96.14' ]
+
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -0,0 +1,40 @@
+class pamldap::config (
+  $base_dn,
+  $uris,
+) {
+  $uris_space = join($uris, ' ')
+  $uris_comma = join($uris, ',')
+  # defaults
+  File {
+    owner => 'root',
+    group => 'root',
+  }
+  file { '/etc/pam.d/system-auth':
+    ensure  => present,
+    mode    => '0444',
+    content => template('pamldap/system-auth.erb'),
+    require => Class['pamldap::install'],
+    notify  => Class['pamldap::service'],
+  }
+  file { '/etc/nsswitch.conf':
+    ensure  => present,
+    mode    => '0444',
+    content => template('pamldap/nsswitch.conf.erb'),
+    require => Class['pamldap::install'],
+    notify  => Class['pamldap::service'],
+  }
+  file { [ '/etc/ldap.conf', '/etc/openldap/ldap.conf' ]:
+    ensure  => present,
+    mode    => '0444',
+    content => template('pamldap/ldap.conf.erb'),
+    require => Class['pamldap::install'],
+    notify  => Class['pamldap::service'],
+  }
+  file { '/etc/sssd/sssd.conf':
+    ensure  => present,
+    mode    => '0444',
+    content => template('pamldap/sssd.conf.erb'),
+    require => Class['pamldap::install'],
+    notify  => Class['pamldap::service'],
+  }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -0,0 +1,11 @@
+class pamldap (
+  $base_dn,
+  $uris,
+) {
+  class { 'pamldap::config':
+    base_dn => $base_dn,
+    uris    => $uris,
+  }
+  include pamldap::install
+  include pamldap::service
+}
diff --git a/manifests/install.pp b/manifests/install.pp
@@ -0,0 +1,11 @@
+class pamldap::install {
+  if ! defined(Package['sssd']) {
+    package { 'sssd':  ensure => installed }
+  }
+  if ! defined(Package['sssd-client']) {
+    package { 'sssd-client':  ensure => installed }
+  }
+  if ! defined(Package['openldap-clients']) {
+    package { 'openldap-clients':  ensure => installed }
+  }
+}
diff --git a/manifests/service.pp b/manifests/service.pp
@@ -0,0 +1,9 @@
+class pamldap::service {
+  service { 'sssd':
+    ensure     => running,
+    hasstatus  => true,
+    hasrestart => true,
+    enable     => true,
+    require    => Class['pamldap::config'],
+  }
+}
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -0,0 +1,2 @@
+require 'rubygems'
+require 'puppetlabs_spec_helper/module_spec_helper'
diff --git a/templates/ldap.conf.erb b/templates/ldap.conf.erb
@@ -0,0 +1,5 @@
+# This file is managed by Puppet
+URI <%= @uris_space %>
+BASE <%= @base_dn %>
+TLS_REQCERT allow
+TLS_CACERTDIR /etc/openldap/cacerts
diff --git a/templates/nsswitch.conf.erb b/templates/nsswitch.conf.erb
@@ -0,0 +1,23 @@
+# This file is managed by Puppet.
+passwd:     files sss
+shadow:     files sss
+group:      files sss
+
+hosts:      files dns
+
+bootparams: files
+
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files
+
+netgroup:   files
+
+publickey:
+
+automount:  files ldap
+aliases:    files
+
diff --git a/templates/sssd.conf.erb b/templates/sssd.conf.erb
@@ -0,0 +1,19 @@
+# This file is managed by Puppet
+[sssd]
+config_file_version = 2
+services = nss, pam
+domains = LDAP
+
+[domain/LDAP]
+id_provider = ldap
+auth_provider = ldap
+ldap_tls_reqcert = never
+ldap_id_use_start_tls = False
+chpass_provider = ldap
+cache_credentials = True
+ldap_uri = <%= @uris_comma %>
+ldap_search_base = dc=<%= @base_dn %>
+ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))
+id_provider = ldap
+ldap_schema = rfc2307
+
diff --git a/templates/system-auth.erb b/templates/system-auth.erb
@@ -0,0 +1,29 @@
+#%PAM-1.0
+# This file managed by Puppet. DO NOT run authconfig.
+auth        required      pam_env.so
+auth        sufficient    pam_unix.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_sss.so use_first_pass
+auth        sufficient    pam_ldap.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_sss.so
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_sss.so use_authtok
+password    sufficient    pam_ldap.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_sss.so
+session     optional      pam_ldap.so
+
diff --git a/tests/init.pp b/tests/init.pp
@@ -0,0 +1,11 @@
+# The baseline for module testing used by Puppet Labs is that each manifest
+# should have a corresponding test manifest that declares that class or defined
+# type.
+#
+# Tests are then run by using puppet apply --noop (to check for compilation errors
+# and view a log of events) or by fully applying the test in a virtual environment
+# (to compare the resulting system state to the desired state).
+#
+# Learn more about module testing here: http://docs.puppetlabs.com/guides/tests_smoke.html
+#
+include pamldap

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+fixtures:`
	`2`	`+ symlinks:`
	`3`	`+ jboss: "#{source_dir}"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+require 'rubygems'`
	`2`	`+require 'puppetlabs_spec_helper/rake_tasks'`