Alexandros Kosiaris has submitted this change and it was merged.

Change subject: openldap: Allow to specify cleartext hashing scheme
......................................................................


openldap: Allow to specify cleartext hashing scheme

Allow the caller to specify the cleartext password hashing scheme. Then
override it for production LDAP servers.

Change-Id: I5e28ab7cab0467bea71abdf265085cb7e202b1ff
---
M hieradata/hosts/seaborgium.yaml
M hieradata/hosts/serpens.yaml
M modules/openldap/manifests/init.pp
M modules/openldap/templates/slapd.erb
4 files changed, 9 insertions(+), 1 deletion(-)

Approvals:
  Alexandros Kosiaris: Verified; Looks good to me, approved



diff --git a/hieradata/hosts/seaborgium.yaml b/hieradata/hosts/seaborgium.yaml
index ceef463..68c97c5 100644
--- a/hieradata/hosts/seaborgium.yaml
+++ b/hieradata/hosts/seaborgium.yaml
@@ -1,3 +1,4 @@
 openldap::master: ldap-labs.codfw.wikimedia.org
 openldap::server_id: 1
 openldap::logging: sync
+openldap::hash_passwords: SSHA
diff --git a/hieradata/hosts/serpens.yaml b/hieradata/hosts/serpens.yaml
index 3ab0b3a..efc1d31 100644
--- a/hieradata/hosts/serpens.yaml
+++ b/hieradata/hosts/serpens.yaml
@@ -1,3 +1,4 @@
 openldap::master: ldap-labs.eqiad.wikimedia.org
 openldap::server_id: 2
 openldap::logging: sync
+openldap::hash_passwords: SSHA
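Review bot: The added line `openldap::hash_passwords: SSHA` is identical to the one added in hieradata/hosts/seaborgium.yaml, so the override now lives in two per-host files that have to be kept in sync by hand. If every production LDAP server is meant to use SSHA, setting the key once at a shared hiera level (or changing the module default) would stop a future host from silently falling back to SHA.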
diff --git a/modules/openldap/manifests/init.pp 
b/modules/openldap/manifests/init.pp
index a74bbef..62391dc 100644
--- a/modules/openldap/manifests/init.pp
+++ b/modules/openldap/manifests/init.pp
@@ -41,6 +41,11 @@
 #    $logging
 #       Optional. Specify the kind of logging desired. Defaults to "sync stats"
 #       And it is not named loglevel cause that's a puppet metaparameter
+#    $hash_passwords
+#       Optional. Specify what hashing scheme will be used by openldap to hash
+#       cleartext passwords sent to it on account creation or password change.
+#       Defauts to SHA. Valid values: SHA, SSHA, MD5, SMD5, CRYPT, SASL
+#       Do not supply this if you don't know what you are doing!!!!
 #
 # Actions:
 #       Install/configure slapd
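Review bot: The `$hash_passwords` doc comment has a typo ("Defauts" should be "Defaults"), and its last line, "Do not supply this if you don't know what you are doing!!!!", warns without saying what the risk is. It would help to state which value is recommended and why. The list of valid values also presents MD5 and SMD5 on equal footing with SSHA; a short note on which schemes are only there for compatibility would make the choice clearer. The parameter name reads like a boolean, while the value is a scheme name; something like `$password_hash_scheme` would be less surprising.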
@@ -68,6 +73,7 @@
     $extra_indices=undef,
     $size_limit=undef,
     $logging='sync stats',
+    $hash_passwords='SHA',
 ) {
 
     require_package('slapd', 'ldap-utils', 'python-ldap')
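Review bot: The default `$hash_passwords='SHA'` keeps the unsalted scheme for every host that does not set the hiera key, while the two hosts touched in this change are moved to SSHA. Consider making SSHA the default and overriding only where SHA is still required. The parameter is also accepted without any check in the visible code, so a typo in hiera is passed straight through to the template; validating it against the list given in the doc comment (SHA, SSHA, MD5, SMD5, CRYPT, SASL), for example with stdlib's validate_re, would fail the catalog compile instead.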
diff --git a/modules/openldap/templates/slapd.erb 
b/modules/openldap/templates/slapd.erb
index 5067990..204bd0b 100644
--- a/modules/openldap/templates/slapd.erb
+++ b/modules/openldap/templates/slapd.erb
@@ -87,7 +87,7 @@
 
 overlay ppolicy
 ppolicy_hash_cleartext
-password-hash {SHA}
+password-hash {<%= @hash_passwords %>}
 
 #######################################################################
 ## Replication
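Review bot: On the changed line `password-hash {<%= @hash_passwords %>}`, the value is interpolated into slapd.conf as is, so whatever string reaches the template ends up inside the braces; this is the place where an unvalidated parameter takes effect. Per the doc comment in init.pp, the scheme applies to cleartext passwords sent "on account creation or password change", which means entries already stored as {SHA} stay that way until each password is next changed. That is worth stating in the commit message or the parameter docs so that nobody assumes switching to SSHA rehashes existing entries.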

-- 
To view, visit https://gerrit.wikimedia.org/r/257691
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I5e28ab7cab0467bea71abdf265085cb7e202b1ff
Gerrit-PatchSet: 5
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Muehlenhoff <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
