diff --git a/Rakefile b/Rakefile
new file mode 100644
index 0000000..4c80c5a
--- /dev/null
+++ b/Rakefile
@@ -0,0 +1,8 @@
+
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = 'spec/*/*_spec.rb'
+ t.rspec_opts = File.read("spec/spec.opts").chomp || ""
+end
diff --git a/manifests/config.pp b/manifests/config.pp
deleted file mode 100644
index d853fa1..0000000
--- a/manifests/config.pp
+++ /dev/null
@@ -1,75 +0,0 @@
-# = Class: ldap::config
-#
-# This class sets the configuration based on params.pp
-# and instantiation of ldap class
-#
-# == Parameters:
-#
-# == Actions:
-# Creates contents of /etc//ldap.conf
-# If ldap class is called with $nsswitch = true
-# nss_ldap attributes are set
-# If ldap class is called with $pam = true
-# pam_ldap attributes are set
-#
-# == Requires:
-# - Class nsswitch
-# - Class pam
-#
-# == Sample Usage:
-#
-# This class is called by its parent class, ldap.
-#
-
-class ldap::config {
-
- File {
- ensure => $ensure,
- mode => 0644,
- owner => $ldap::params::owner,
- group => $ldap::params::group,
- }
-
- file { $ldap::params::config:
- content => template("${ldap::params::mod_prefix}${ldap::params::config}.erb"),
- }
-
- case $operatingsystem {
-
- debian: {}
- # RHEL and the likes have /etc/ldap.conf
- default: {
- file { '/etc/ldap.conf':
- ensure => $ensure ? {
- 'present' => symlink,
- default => absent
- },
- target => $ldap::params::config,
- require => File[$ldap::params::config],
- }
- }
- }
-
- # require module nsswitch
- if($nsswitch == true) {
- class { 'nsswitch':
- uri => $uri,
- base => $base,
- module_type => $ensure ? {
- 'present' => 'ldap',
- default => 'none'
- },
- }
- }
-
- # require module pam
- if($pam == true) {
- class { 'pam':
- module_type => $ensure ? {
- 'present' => 'ldap',
- default => 'none'
- },
- }
- }
-}
-
diff --git a/manifests/init.pp b/manifests/init.pp
index 0d1d737..8c972a0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
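Review bot: The `|| ""` on `t.rspec_opts = File.read("spec/spec.opts").chomp || ""` is dead code: `String#chomp` never returns nil, and a missing `spec/spec.opts` raises `Errno::ENOENT` from `File.read` before the `||` is reached. None of the hunks in this diff add `spec/spec.opts`, so on a fresh checkout `rake spec` fails unless that file exists elsewhere. Make the fallback real with `t.rspec_opts = File.exist?('spec/spec.opts') ? File.read('spec/spec.opts').chomp : ''`, or drop the option and commit a `spec/spec.opts`.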
@@ -67,26 +67,79 @@ # class ldap($uri, $base, - $version = '3', - $ensure = 'present', - $ssl = false, - $ssl_cert = false, + $version = '3', + $timelimit = 30, + $bind_timelimit = 30, + $idle_timelimit = 60, + $ssl = false, + $ssl_cert = false, - # nsswitch options (requires nsswitch module) - disabled by default $nsswitch = false, $nss_passwd = false, $nss_group = false, $nss_shadow = false, - # pam options (requires pam module) - disabled by default $pam = false, $pam_att_login = 'uid', $pam_att_member = 'member', $pam_passwd = 'md5', - $pam_filter = 'objectClass=posixAccount') { + $pam_filter = 'objectClass=posixAccount', + + $ensure = present) { include ldap::params - include ldap::install - include ldap::config + + package { $ldap::params::package: + ensure => $ensure, + } + + File { + ensure => $ensure, + mode => 0644, + owner => $ldap::params::owner, + group => $ldap::params::group, + } + + file { "${ldap::params::prefix}/${ldap::params::config}": + content => template("ldap/${ldap::params::config}.erb"), + } + + case $operatingsystem { + + Debian: {} + # RHEL and the likes have /etc/ldap.conf + /Redhat|OEL/: { + file { '/etc/ldap.conf': + ensure => $ensure ? { + 'present' => symlink, + default => absent + }, + target => $ldap::params::config, + require => File[$ldap::params::config], + } + } + } + + # require module nsswitch + if($nsswitch == true) { + class { 'nsswitch': + uri => $uri, + base => $base, + module_type => $ensure ? { + 'present' => 'ldap', + default => 'none' + }, + } + } + + # require module pam + if($pam == true) { + class { 'pam': + module_type => $ensure ? { + 'present' => 'ldap', + default => 'none' + }, + } + } } diff --git a/manifests/install.pp b/manifests/install.pp deleted file mode 100644 index 9857a19..0000000 --- a/manifests/install.pp +++ /dev/null @@ -1,8 +0,0 @@ - -class ldap::install { - - package { $ldap::params::package: - ensure => present, - } - -} 
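Review bot: The `/etc/ldap.conf` symlink in the `/Redhat|OEL/` branch still uses `target => $ldap::params::config` and `require => File[$ldap::params::config]`, but the params.pp hunk in this same commit changes `$config` from `"${prefix}/ldap.conf"` to the bare `'ldap.conf'`, and the managed resource is now titled `"${ldap::params::prefix}/${ldap::params::config}"`. That leaves `target` as a relative name (the link would point at itself) and `require` as a reference to a `File['ldap.conf']` resource that is never declared, so the branch cannot apply cleanly. Both should use the full path: `target => "${ldap::params::prefix}/${ldap::params::config}",` and `require => File["${ldap::params::prefix}/${ldap::params::config}"],`. Separately, `/Redhat|OEL/` is a case-sensitive regex; if the fact value is `RedHat` as Facter reports it, this branch never matches in production even though the lowercase `'Redhat'` used in the specs does.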
diff --git a/manifests/params.pp b/manifests/params.pp index 129c9e4..32c6199 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -3,45 +3,77 @@ case $operatingsystem { - debian: { - - $mod_prefix = 'ldap/debian' + Debian: { $package = [ 'ldap-utils' ] $prefix = '/etc/ldap' $owner = 'root' $group = 'root' - $config = "${prefix}/ldap.conf" + $config = 'ldap.conf' - $server_config = "${prefix}/slapd.conf" $service = 'slapd' $server_script = 'slapd' $server_pattern = 'slapd' + $server_package = 'slapd' + $server_config = 'slapd.conf' + $server_owner = 'openldap' + $server_group = 'openldap' + $db_prefix = '/var/lib/ldap' + $ssl_prefix = '/etc/openssl/ssl' + $server_run = '/var/run/openldap' + + case $architecture { + amd64: { + $module_prefix = '/usr/lib64/ldap' + } + + /^i?[346]86/: { + $module_prefix = '/usr/lib32/ldap' + } + + default: { + fail("Architecture not supported by this module") + } + } + + $modules_base = [ 'back_bdb' ] + + $schema_prefix = "${prefix}/schema" + $schema_base = [ 'core', 'cosine', 'nis', 'inetorgperson', ] + $index_base = [ + 'index objectclass eq', + 'index entryCSN eq', + 'index entryUUID eq', + 'index uidNumber eq', + 'index gidNumber eq', + 'index cn pres,sub,eq', + 'index sn pres,sub,eq', + 'index uid pres,sub,eq', + 'index displayName pres,sub,eq', + ] + } # For redhat ovs oel - default: { + Redhat: { - $mod_prefix = 'ldap/redhat' - $package = [ 'openldap', 'openldap-clients' ] - - + $prefix = '/etc/openldap' $owner = 'root' $group = 'root' - $config = "${prefix}/ldap.conf" + $config = 'ldap.conf' $server_package = [ 'openldap-servers' ] - $server_config = "${prefix}/slapd.conf" + $server_config = 'slapd.conf' $service = 'slapd' $server_script = 'slapd' $server_pattern = 'slapd' $server_owner = 'ldap' $server_group = 'ldap' - $schema_prefix = "${prefix}/schema" + $schema_prefix = "${prefix}/schema" $db_prefix = '/var/lib/ldap' if($architecture =~ /^x86_64/) { $module_prefix = '/usr/lib64/openldap' 
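Review bot: The new Debian architecture case sets `$module_prefix` to `/usr/lib64/ldap` and `/usr/lib32/ldap`, but as far as I know Debian's slapd package installs its backends under `/usr/lib/ldap` on both amd64 and i386, with `lib64`/`lib32` being biarch compatibility paths; worth verifying on a host before this ships, since a wrong `modulepath` makes `moduleload back_bdb` fail and the server does not start. `$ssl_prefix = '/etc/openssl/ssl'` looks like a typo for `/etc/ssl`, the usual Debian location, for the same reason. The `fail("Architecture not supported by this module")` message (and the OS `fail` added in the next hunk) would be easier to act on with the offending value included, e.g. `fail("Architecture ${architecture} not supported by this module")`.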
@@ -64,5 +96,9 @@
 'index displayName pres,sub,eq',
 ]
 }
+
+ default: {
+ fail("Operating system not supported")
+ }
 }
 }
diff --git a/manifests/server/master.pp b/manifests/server/master.pp
index 67768c5..c2be2b1 100644
--- a/manifests/server/master.pp
+++ b/manifests/server/master.pp
@@ -1,11 +1,12 @@ class ldap::server::master($suffix, $rootpw, + $bind_anon = true, $schema_inc = [], $modules_inc = [], $index_inc = [], $log_level = '0', - $bind_anon = true, $ssl = false, + $ssl_url = false, $ssl_ca = 'ca.pem', $ssl_cert = 'cert.pem', $ssl_key = 'cert.key',
@@ -13,7 +14,7 @@ $syncprov_checkpoint = '100 10', $syncprov_sessionlog = '100', $sync_binddn = false, - $ensure = 'present') { + $ensure = present) { include ldap::params
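Review bot: `$ssl_url = false` is added to the `ldap::server::master` parameter list but is not referenced by any hunk in this commit, so it is either dead or meant for a template change that is missing; wire it up or leave it out until it is used. While touching this signature, `$rootpw` deserves a doc comment: the slapd template writes it verbatim as `rootpw "<%= rootpw %>"`, so the value should be a `slappasswd` hash rather than a cleartext password, and nothing states that. A comment such as `# $rootpw: hashed value as produced by slappasswd(8); written verbatim into slapd.conf` above the class would do. The class signature continues past this hunk.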
@@ -21,23 +22,41 @@ ensure => $ensure } - $mod_prefix = $ldap::params::mod_prefix - $db_prefix = $ldap::params::db_prefix - $module_prefix = $ldap::params::module_prefix - $schema_prefix = $ldap::params::schema_prefix - $ssl_prefix = $ldap::params::ssl_prefix - $server_run = $ldap::params::server_run - $modules_base = $ldap::params::modules_base - $schema_base = $ldap::params::schema_base - $index_base = $ldap::params::index_base + service { $ldap::params::service: + ensure => $ensure ? { + present => running, + absent => stopped, + }, + enable => $ensure ? { + present => true, + absent => false, + }, + name => $ldap::params::server_script, + pattern => $ldap::params::server_pattern, + hasstatus => true, + hasrestart => true, + require => Package[$ldap::params::server_package], + } + + file { $ldap::params::prefix: + ensure => $ensure ? { + present => directory, + default => absent + }, + owner => 'root', + group => 'root', + mode => 0755, + require => Package[$ldap::params::server_package], + } - file { $ldap::params::server_config: + file { "${ldap::params::prefix}/${ldap::params::server_config}": ensure => $ensure, mode => 0640, owner => $ldap::params::server_owner, group => $ldap::params::server_group, - content => template("${mod_prefix}/${ldap::params::server_config}.erb"), - require => Package[$ldap::params::server_package] + content => template("ldap/${ldap::params::server_config}.erb"), + notify => Service[$ldap::params::service], + require => File[$ldap::params::prefix], } if($ssl == true) { 
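Review bot: This hunk deletes the `$mod_prefix = $ldap::params::mod_prefix` local (and the params.pp hunk no longer defines `$mod_prefix` at all), but the `if($ssl == true)` block that begins at the end of the hunk still interpolates it — `source => "puppet://${mod_prefix}"` is visible as context at the top of the next hunk — so the SSL branch now renders with an empty path. That block lies outside the hunk; it needs the same module-relative treatment the templates got, e.g. `source => "puppet:///modules/ldap/<file>"` with the real file name in place of the placeholder. Separately, `file { $ldap::params::prefix: ensure => $ensure ? { present => directory, default => absent } ... }` turns `ensure => absent` into removal of `/etc/ldap` or `/etc/openldap`, which also holds the client `ldap.conf` the `ldap` class manages and the schema directory, and Puppet will not remove a non-empty directory without `force => true`; manage it as `ensure => directory` unconditionally, or document that `absent` is destructive.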
@@ -49,22 +68,5 @@ source => "puppet://${mod_prefix}" } } - service { $ldap::params::service: - ensure => $ensure ? { - 'present' => running, - 'absent' => stopped, - }, - enable => $ensure ? { - 'present' => true, - 'absent' => false, - }, - name => $ldap::params::server_script, - pattern => $ldap::params::server_pattern, - hasstatus => true, - hasrestart => true, - subscribe => File[$ldap::params::server_config], - require => Package[$ldap::params::server_package], - } - }
diff --git a/spec/classes/ldap_server_master_spec.rb b/spec/classes/ldap_server_master_spec.rb
new file mode 100644
index 0000000..0b3cd5b
--- /dev/null
+++ b/spec/classes/ldap_server_master_spec.rb
@@ -0,0 +1,54 @@
+
+require 'spec_helper'
+
+describe 'ldap::server::master' do
+
+ opts = {
+ 'Debian' => {
+ :package => 'slapd',
+ :prefix => '/etc/ldap',
+ :cfg => '/etc/ldap/slapd.conf',
+ :service => 'slapd',
+ :server_owner => 'openldap',
+ :server_group => 'openldap',
+ },
+
+ 'Redhat' => {
+ :package => 'openldap-servers',
+ :prefix => '/etc/openldap',
+ :cfg => '/etc/openldap/slapd.conf',
+ :service => 'slapd',
+ :server_owner => 'openldap',
+ :server_group => 'openldap',
+ },
+ }
+
+ opts.keys.each do |os|
+ let(:facts) { { :operatingsystem => os } }
+ let(:params) { {
+ :suffix => 'dc=example,dc=com',
+ :rootpw => 'asdqw',
+ } }
+ describe "Running on #{os}" do
+ it { should include_class('ldap::params') }
+ it { should contain_package(opts[os][:package]) }
+ it { should contain_service(opts[os][:service]) }
+ it { should contain_file(opts[os][:prefix]) }
+ it { should contain_file(opts[os][:cfg]) }
+ end
+ end
+
+ describe "Running on unsupported OS" do
+ let(:facts) { { :operatingsystem => 'solaris' } }
+ let(:params) { {
+ :suffix => 'dc=example,dc=com',
+ :rootpw => 'asdqw',
+ } }
+ it {
+ expect {
+ should include_class('ldap::params')
+ }.to raise_error(Puppet::Error, /^Operating system.*/)
+ }
+ end
+
+end
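Review bot: In the `opts.keys.each` loop, `let(:facts)` and `let(:params)` are called on the outer `describe 'ldap::server::master'` group rather than inside `describe "Running on #{os}"`, so as far as I can tell each iteration redefines the same `facts` method on the outer group and the last OS (`'Redhat'`) is what every nested example sees when it runs; the `Debian` examples are then compiled with Redhat facts. Move both `let` calls inside the `describe "Running on #{os}" do` block, as `ldap_spec.rb` in this commit already does. Also, the `:server_owner`/`:server_group` entries are never asserted, and the Redhat ones say `openldap` while params.pp sets `$server_owner = 'ldap'` for Redhat; either assert them with `it { should contain_file(opts[os][:cfg]).with('owner' => opts[os][:server_owner]) }` after correcting the values, or drop them.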
diff --git a/spec/classes/ldap_spec.rb b/spec/classes/ldap_spec.rb
new file mode 100644
index 0000000..bbc65cb
--- /dev/null
+++ b/spec/classes/ldap_spec.rb
@@ -0,0 +1,34 @@
+
+require 'spec_helper'
+
+describe 'ldap' do
+
+ opts = {
+ 'Debian' => {
+ :arch => 'amd64',
+ :package => 'ldap-utils',
+ :ldapcfg => '/etc/ldap/ldap.conf',
+ },
+ 'Redhat' => {
+ :arch => 'x86_64',
+ :package => 'openldap-clients',
+ :ldapcfg => '/etc/openldap/ldap.conf',
+ }
+ }
+
+ opts.keys.each do |os|
+ describe "Running on #{os}" do
+ let(:facts) { {
+ :operatingsystem => os,
+ :architecture => opts[os][:arch],
+ } }
+ let(:params) { {
+ :uri => 'ldap://ldap.example.com',
+ :base => 'dc=suffix',
+ } }
+ it { should include_class('ldap::params') }
+ it { should contain_package(opts[os][:package]) }
+ it { should contain_file(opts[os][:ldapcfg]) }
+ end
+ end
+end
diff --git a/spec/fixtures/manifests/site.pp b/spec/fixtures/manifests/site.pp
new file mode 100644
index 0000000..e69de29
diff --git a/spec/fixtures/modules/ldap/manifests b/spec/fixtures/modules/ldap/manifests
new file mode 120000
index 0000000..373b992
--- /dev/null
+++ b/spec/fixtures/modules/ldap/manifests
@@ -0,0 +1 @@
+../../../../manifests
\ No newline at end of file
diff --git a/spec/fixtures/modules/ldap/templates b/spec/fixtures/modules/ldap/templates
new file mode 120000
index 0000000..f8a06d1
--- /dev/null
+++ b/spec/fixtures/modules/ldap/templates
@@ -0,0 +1 @@
+../../../../templates
\ No newline at end of file
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
new file mode 100644
index 0000000..d3923f8
--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,8 @@
+require 'rspec-puppet'
+
+fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures'))
+
+RSpec.configure do |c|
+ c.module_path = File.join(fixture_path, 'modules')
+ c.manifest_dir = File.join(fixture_path, 'manifests')
+end
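Review bot: `ldap_spec.rb` asserts only that the package and `ldap.conf` are in the catalog; nothing checks the `/etc/ldap.conf` symlink that `init.pp` declares for the Redhat branch, which is the resource this commit changes and whose `target`/`require` now refer to a bare `ldap.conf`. Adding `it { should contain_file('/etc/ldap.conf').with('ensure' => 'symlink', 'target' => opts[os][:ldapcfg]) }` guarded by `if os == 'Redhat'` would catch that. In `spec_helper.rb`, `File.expand_path(File.join(__FILE__, '..', 'fixtures'))` works but reads as `spec_helper.rb/../fixtures`; `File.expand_path('../fixtures', __FILE__)` says the same thing directly.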
diff --git a/templates/debian/etc/ldap/ldap.conf.erb b/templates/debian/etc/ldap/ldap.conf.erb deleted file mode 100644 index ddd26d2..0000000 --- a/templates/debian/etc/ldap/ldap.conf.erb +++ /dev/null @@ -1,46 +0,0 @@ -############################################################################### -# << FILE MANAGED BY PUPPET >> -# Manual changes are likey to be overwritten -############################################################################### - -uri <%= uri %> -base <%= base %> - -ldap_version 3 -timelimit 30 -bind_timelimit 30 -idle_timelimit 3600 -bind_policy soft -deref never - -<% if nsswitch == true then %> -# DNs in groups -#nss_schema rfc2307bis -#nss_map_attribute uniquemember member -#nss_map_attribute memberuid member -#nss_getgrent_skipmembers yes - -nss_base_passwd <%= nss_passwd %>,<%= base %>?sub -nss_base_shadow <%= nss_shadow %>,<%= base %>?sub -nss_base_group <%= nss_group %>,<%= base %>?one -nss_initgroups_ignoreusers root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody libuuid statd sshd puppet -<% end %> - -<% if pam == true then %> -pam_login_attribute <%= pam_att_login %> -pam_member_attribute <%= pam_att_member %> -pam_password <%= pam_passwd %> -pam_filter <%= pam_filter %> -<% end %> - -<% if has_variable?("ssl") and $ssl == true -%> -ssl start_tls -ssl on -tls_cacertfile /etc/ssl/certs/ldap.pem -<% else -%> -#ssl start_tls -#ssl on -#TLS_CACERTFILE /etc/ssl/certs/ldap.pem -<% end -%> - - diff --git a/templates/redhat/etc/openldap/ldap.conf.erb b/templates/ldap.conf.erb similarity index 89% rename from templates/redhat/etc/openldap/ldap.conf.erb rename to templates/ldap.conf.erb index 9ec939a..13f1caf 100644 --- a/templates/redhat/etc/openldap/ldap.conf.erb +++ b/templates/ldap.conf.erb 
@@ -7,9 +7,9 @@ uri <%= uri %> base <%= base %> ldap_version <%= version %> -timelimit 30 -bind_timelimit 30 -idle_timelimit 3600 +timelimit <%= timelimit %> +bind_timelimit <%= bind_timelimit %> +idle_timelimit <%= idle_timelimit %> bind_policy soft deref never @@ -33,7 +33,7 @@ pam_password <%= pam_passwd %> pam_filter <%= pam_filter %> <% end %> -<% if has_variable?("ssl") and $ssl == true -%> +<% if ssl == true then -%> ssl start_tls ssl on tls_cacertfile /etc/ssl/certs/ldap.pem diff --git a/templates/redhat/etc/openldap/slapd.conf.erb b/templates/slapd.conf.erb similarity index 63% rename from templates/redhat/etc/openldap/slapd.conf.erb rename to templates/slapd.conf.erb index e77a364..c39e26d 100644 --- a/templates/redhat/etc/openldap/slapd.conf.erb +++ b/templates/slapd.conf.erb @@ -9,23 +9,23 @@ allow bind_anon_dn <% end -%> # Schema and objectClass definitions -<% schema_base.each do |schema| -%> -include <%= schema_prefix %>/<%= schema %>.schema +<% scope.lookupvar('ldap::params::schema_base').each do |schema| -%> +include <%= scope.lookupvar('ldap::params::schema_prefix') %>/<%= schema %>.schema <% end -%> # Additional schemas -<% schema_inc.each do |schema| -%> -include <%= schema_prefix %>/<%= schema %>.schema +<% scope.lookupvar('schema_inc').each do |schema| -%> +include <%= scope.lookupvar('ldap::params::schema_prefix') %>/<%= schema %>.schema <% end -%> -pidfile <%= server_run %>/slapd.pid -argsfile <%= server_run %>/slapd.args +pidfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.pid +argsfile <%= scope.lookupvar('ldap::params::server_run') %>/slapd.args # Read slapd.conf(5) for possible values loglevel <%= log_level %> -modulepath <%= module_prefix %> -<% modules_base.each do |mod| -%> +modulepath <%= scope.lookupvar('ldap::params::module_prefix') %> +<% scope.lookupvar('ldap::params::modules_base').each do |mod| -%> moduleload <%= mod %> <% end -%> 
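Review bot: `idle_timelimit <%= idle_timelimit %>` silently changes the rendered value from the previous literal `3600` to the class default `$idle_timelimit = 60` declared in init.pp, a sixty-fold drop in how long an idle client connection is kept; if that is intentional it deserves a line in the class docs, otherwise set `$idle_timelimit = 3600` to preserve the old output. `timelimit` and `bind_timelimit` keep their former `30`, so only this one line changes behaviour.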
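Review bot: The `<% if ssl == true then -%>` branch still emits the fixed `tls_cacertfile /etc/ssl/certs/ldap.pem`, so the `$ssl_cert = false` parameter that init.pp declares in this commit never reaches the client configuration; either render it (`tls_cacertfile <%= ssl_cert %>` inside an `<% if ssl_cert != false -%>` guard) or drop the parameter. Replacing `has_variable?("ssl") and $ssl == true` with `ssl == true` is correct here because `$ssl` always has a class default.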
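Review bot: `scope.lookupvar('schema_inc')` reads a class parameter through the scope API while the lines around it read sibling parameters directly (`loglevel <%= log_level %>` in this hunk, and `schema_inc` itself was read directly before this change); `lookupvar` is only needed for the `ldap::params::*` values, so `<% schema_inc.each do |schema| -%>` keeps parameter access uniform and makes it obvious which names come from the class and which from params.pp.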
@@ -35,9 +35,9 @@ moduleload <%= mod %> #moduleload syncprov <% if ssl == true then -%> -TLSCACertificateFile <%= ssl_prefix %>/<%= ssl_ca %> -TLSCertificateFile <%= ssl_prefix %>/<%= ssl_cert %> -TLSCertificateKeyFile <%= ssl_prefix %>/<%= ssl_key %> +TLSCACertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= ssl_ca %> +TLSCertificateFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= ssl_cert %> +TLSCertificateKeyFile <%= scope.lookupvar('ldap::params::ssl_prefix') %>/<%= ssl_key %> TLSVerifyClient allow <% end -%> @@ -49,14 +49,14 @@ backend bdb # FIXME: puppet database bdb suffix "<%= suffix %>" -directory <%= db_prefix %> +directory <%= scope.lookupvar('ldap::params::db_prefix') %> rootdn "cn=admin,<%= suffix %>" rootpw "<%= rootpw %>" ####################################################################### # << Syncprov -<% if has_variable?('syncprov') and syncprov == true then -%> +<% if syncprov == true then -%> overlay syncprov syncprov-checkpoint <%= syncprov_checkpoint %> syncprov-sessionlog <%= syncprov_sessionlog %> @@ -95,7 +95,7 @@ lastmod on limits dn.exact="<%= sync_binddn%>" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited <% end -%> -<% index_base.each do |idx| -%> +<% scope.lookupvar('ldap::params::index_base').each do |idx| -%> <%= idx %> <% end -%> @@ -104,7 +104,7 @@ limits dn.exact="<%= sync_binddn%>" time.soft=unlimited time.hard=unlimited size <% end -%> # users can authenticate and change their password -access to attrs=userPassword,shadowLastChange, +access to dn.subtree="<%= suffix %>" attrs=userPassword,shadowLastChange, <% if has_variable?('syncprov') and sync_binddn != false then -%> by dn.exact="<%= sync_binddn %>" read <% end -%> 
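Review bot: `<% if syncprov == true then -%>` drops the `has_variable?('syncprov')` guard, while the context lines in the same file keep it (`<% if has_variable?('syncprov') and sync_binddn != false then -%>`), so the template now assumes `syncprov` is always defined in one place and not in others. If `syncprov` is a class parameter with a default, as its siblings `$syncprov_checkpoint` and `$syncprov_sessionlog` are in the master.pp hunk, the guard is redundant everywhere and the other conditions can become `<% if sync_binddn != false then -%>`; if it is not, this line raises on every host that does not set it. The `$syncprov` declaration itself is outside the hunks shown, so I cannot confirm which case applies.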
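Review bot: Scoping the `userPassword,shadowLastChange` rule to `dn.subtree="<%= suffix %>"` (and the three rules that follow in the next hunk) is a sensible tightening, but it means entries outside the suffix are matched by none of these directives; as I understand slapd's evaluation, once any `access` directives exist an unmatched entry is denied, so a second database or any entry outside `suffix` served from this file would get no access at all — verify that is intended. A one-line comment above the rule, `# all rules below are scoped to the configured suffix; entries elsewhere fall through to slapd's default`, would record the decision for the next reader.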
@@ -112,22 +112,22 @@ access to attrs=userPassword,shadowLastChange, by anonymous auth by * none -access to attrs=sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaBadPasswordCount,sambaBadPasswordTime,sambaPwdLastSet -<% if has_variable?('syncprov') and sync_binddn != false then -%> - by dn.exact="<%= sync_binddn %>" read -<% end -%> - by self write - by anonymous auth - by * none +#access to dn.subtree="<%= suffix %>" attrs=sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaBadPasswordCount,sambaBadPasswordTime,sambaPwdLastSet +#<% if has_variable?('syncprov') and sync_binddn != false then -%> +# by dn.exact="<%= sync_binddn %>" read +#<% end -%> +# by self write +# by anonymous auth +# by * none ## some attributes need to be readable anonymously so that 'id user' can answer correctly -access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid +access to dn.subtree="<%= suffix %>" attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid <% if has_variable?('syncprov') and sync_binddn != false then -%> by dn.exact="<%= sync_binddn %>" read <% end -%> by * read -access to * +access to dn.subtree="<%= suffix %>" <% if has_variable?('syncprov') and sync_binddn != false then -%> by dn.exact="<%= sync_binddn %>" read <% end -%>
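Review bot: The commented-out samba ACL block keeps live ERB tags on `#<% if has_variable?('syncprov') and sync_binddn != false then -%>` and `#<% end -%>`; the `-%>` trims the newline, so each of those lines renders as a lone `#` glued onto the following `# by ...` line, and the `if` is still evaluated on every run. That is harmless only because everything inside is a comment; if the rule is no longer wanted, delete the seven `#` lines (history keeps them) rather than leaving executable template code inside a comment, and if it may come back, leave it as a plain `<% if false -%>` block so it renders nothing. The ACL list continues past this hunk.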