Muehlenhoff has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/311694

Change subject: Create a new LDAP schema extension for custom user attributes
......................................................................

Create a new LDAP schema extension for custom user attributes

Create a new LDAP schema extension for custom user attributes (initially
needed for VPN access) and use it in the corp mirror. (Can be extended to
labs LDAP in a follow-up step.)

Bug: T146102
Change-Id: I2578db766b47ff00f79d37fe72dc26f4b8f24241
---
A modules/openldap/files/wmf-user.schema
M modules/role/manifests/openldap/corp.pp
2 files changed, 22 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/94/311694/1

diff --git a/modules/openldap/files/wmf-user.schema 
b/modules/openldap/files/wmf-user.schema
new file mode 100644
index 0000000..58f4594
--- /dev/null
+++ b/modules/openldap/files/wmf-user.schema
@@ -0,0 +1,12 @@
+# Object class for WMF-specific user attributes
+# The registered IANA ID is 33298, use 1.3.6.1.4.1.33298.1.x as the namespace 
for
+# custom object classes
+
+attributetype ( 1.3.6.1.4.1.33298.1.1.2 NAME 'YubikeyVPN'
+       DESC 'Yubikey used for VPN authentication'
+       EQUALITY caseIgnoreIA5Match
+       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+objectclass ( 1.3.6.1.4.1.33298.1.1.1 NAME 'wmfCustomUserAttributes' SUP top 
AUXILIARY
+       DESC 'Object class for WMF-specific user attributes'
+       MAY YubikeyVPN )
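Review bot: 'YubikeyVPN' is declared without SINGLE-VALUE, so an entry may carry any number of values; if a user is meant to have exactly one VPN Yubikey, add `SINGLE-VALUE` after the SYNTAX line so the directory enforces it, and state the expected value format in DESC (for example that it is the Yubikey public ID rather than an OTP). The attribute type (…33298.1.1.2) and the object class (…33298.1.1.1) also share the same 1.3.6.1.4.1.33298.1.1 arc even though the header comment reserves 1.3.6.1.4.1.33298.1.x per class; giving attribute types and object classes separate arcs avoids OID collisions once a second class or attribute is added.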
diff --git a/modules/role/manifests/openldap/corp.pp 
b/modules/role/manifests/openldap/corp.pp
index dafd6b2..617e56c 100644
--- a/modules/role/manifests/openldap/corp.pp
+++ b/modules/role/manifests/openldap/corp.pp
@@ -19,15 +19,16 @@
     }
 
     class { '::openldap':
-        server_id   => 3, # 1 and 2 used in OIT
-        suffix      => 'dc=corp,dc=wikimedia,dc=org',
-        datadir     => '/var/lib/ldap/corp',
-        master      => $master,
-        sync_pass   => $sync_pass,
-        ca          => '/etc/ssl/certs/ca-certificates.crt',
-        certificate => 
"/etc/ssl/localcerts/ldap-corp.${::site}.wikimedia.org.crt",
-        key         => 
"/etc/ssl/private/ldap-corp.${::site}.wikimedia.org.key",
-        extra_acls  => 'openldap/corp-acls.erb',
+        server_id     => 3, # 1 and 2 used in OIT
+        suffix        => 'dc=corp,dc=wikimedia,dc=org',
+        datadir       => '/var/lib/ldap/corp',
+        master        => $master,
+        sync_pass     => $sync_pass,
+        ca            => '/etc/ssl/certs/ca-certificates.crt',
+        certificate   => 
"/etc/ssl/localcerts/ldap-corp.${::site}.wikimedia.org.crt",
+        key           => 
"/etc/ssl/private/ldap-corp.${::site}.wikimedia.org.key",
+        extra_acls    => 'openldap/corp-acls.erb',
+        extra_schemas => 'wmf-user.schema',
     }
 
     ferm::service { 'corp_ldap':
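Review bot: `extra_schemas` is given the single string 'wmf-user.schema' although the parameter name is plural; confirm the openldap class accepts a string here, otherwise pass `['wmf-user.schema']`. Since YubikeyVPN will store a credential identifier used for VPN authentication and this change leaves `extra_acls => 'openldap/corp-acls.erb'` untouched, check that the existing ACL rules limit read and write access on the new attribute to the VPN service account and administrators rather than to every bound user.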

-- 
To view, visit https://gerrit.wikimedia.org/r/311694
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I2578db766b47ff00f79d37fe72dc26f4b8f24241
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Muehlenhoff <mmuhlenh...@wikimedia.org>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
