On May 15, 2013, at 3:45 AM, Federico Bonelli wrote:

> Hi folks,
> 
> I can't find a _working_ module for setting LDAP authentication through 
> nsswitch and PAM for Ubuntu.
> Does anybody know if such a module exists?
> 
> I'm trying to set up a Puppet infrastructure at work to manage all of 
> our workstations: I previously configured LDAP authentication by hand, and 
> there is a lot of configuration to be done, so I'd really need Puppet 
> to do it for me.
> 
> Thank you guys,
----
Never made it into a module, but here is my relatively complete solution to 
Ubuntu LDAP client configuration. (Note that I'm leaving the contents of 
/etc/ldap.conf, /etc/ldap/ldap.conf and all of the affected pam.d files to you, 
as well as the implementation of log rotation.)

cat -n client_install.pp
     1  # ldap::client_install class
     2  #
     3  # Last update 03/02/2012
     4  #
     5  # Craig White
     6  #
     7  # ensures sufficient changes to permit users to authenticate via TTI's 
LDAP server
     8  #
     9  class ldap::client_install {
    10    include ldap::configure
    11    include nscd
    12    case $operatingsystem {
    13      centos, redhat: {
    14        package { [ "openldap-clients", "openldap", "openldap-devel" ]:
    15          ensure => present,
    16          require => Class["nscd::install", "apt::updates"],
    17          notify  => Class["nscd::service"],
    18        }
    19      }
    20      debian, ubuntu: {
    21        package { [ "ldap-utils", "libnss-ldap", "auth-client-config" ]:
    22          ensure  => present,
    23          require => Class["nscd::install", "apt::updates"],
    24          notify  => Class["nscd::service"],
    25        }
    26      }
    27    }
    28  }

cat -n configure.pp
     1  # ldap::configure class
     2  #
     3  # Last update 03/02/2012
     4  #
     5  # Craig White
     6  #
     7  # ensures sufficient changes to permit users to authenticate via TTI's 
LDAP server
     8  #
     9  class ldap::configure {
    10    include ldap::client_install
    11    if (tagged("ldap::server_install")) {
    12      case $hostname {
    13        default: {
    14          $ldap_servers_nss = "ldap://ldap.example.com 
ldap://ldap2.example.com";
    15          $ldap_servers = "ldap://ldap.example.com 
ldap://ldap2.example.com";
    16        }
    17        ldap3: {
    18          $ldap_servers_nss = "ldap://ldap3.example.com 
ldap://ldap4.example.com";
    19          $ldap_servers = "ldap://ldap3.example.com 
ldap://ldap4.example.com";
    20        }
    21        ldap4: {
    22          $ldap_servers_nss = "ldap://ldap4.example.com 
ldap://ldap3.example.com";
    23          $ldap_servers = "ldap://ldap4.example.com 
ldap://ldap3.example.com";
    24        }
    25        ldap2: {
    26          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    27          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    28        }
    29        ldap5: {
    30          $ldap_servers_nss = "ldap://ldap5.example.com 
ldap://ldap6.example.com";
    31          $ldap_servers = "ldapi://ldap5.example.com 
ldap://ldap6.example.com";
    32        }
    33        ldap6: {
    34          $ldap_servers_nss = "ldap://ldap6.example.com 
ldap://ldap5.example.com";
    35          $ldap_servers = "ldap://ldap6.example.com 
ldap://ldap5.example.com";
    36        }
    37      }
    38    } else {
    39      case $datacenter {
    40        default: {
    41          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    42          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    43        }
    44        Pacesetter-DynamicIPAddr: {
    45          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    46          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    47        }
    48        Pacesetter-FixedIPAddr: {
    49          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    50          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    51        }
    52        Pacesetter-DMZ: {
    53          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    54          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    55        }
    56        IO: {
    57          $ldap_servers_nss = "ldap://ldap6.example.com 
ldap://ldap5.example.com";
    58          $ldap_servers = "ldap://ldap5.example.com 
ldap://ldap6.example.com";
    59        }
    60        Canada: {
    61          $ldap_servers_nss = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    62          $ldap_servers = "ldap://ldap2.example.com 
ldap://ldap.example.com";
    63        }
    64        Amsterdam: {
    65          $ldap_servers_nss = "ldap://ldap4.example.com 
ldap://ldap3.example.com";
    66          $ldap_servers = "ldap://ldap4.example.com 
ldap://ldap3.example.com";
    67        }
    68      }
    69    }
    70    case $operatingsystem {
    71      default: {
    72      }
    73      centos, redhat: {
    74        # Puppet maintained file /etc/openldap/ldap.conf (RHEL/CentOS)
    75        file {"/etc/openldap/ldap.conf":
    76          content   => template("ldap/openldap_ldap.conf.erb"),
    77          owner     => root,
    78          group     => root,
    79          mode      => "0644",
    80          require   => Class[ "ldap::client_install" ],
    81          notify    => Class[ "nscd::service" ],
    82        }
    83        # Puppet maintained file /etc/pam.d/system-auth
    84        file {"/etc/pam.d/system-auth":
    85          content => template("ldap/system-auth.erb"),
    86          owner   => root,
    87          group   => root,
    88          mode    => "0644",
    89          notify  => Class[ "nscd::service" ],
    90          require => Class[ "ldap::client_install" ],
    91        }
    92      }
    93      debian, ubuntu: {
    94        # Puppet maintained file /etc/ldap/ldap.conf (Debian/Ubuntu)
    95        file {"/etc/ldap/ldap.conf":
    96          content => template("ldap/openldap_ldap.conf.erb"),
    97          owner   => root,
    98          group   => root,
    99          mode    => "0644",
   100          require => Class[ "ldap::client_install" ],
   101          notify  => Class[ "nscd::service" ],
   102        }
   103        # Puppet maintained file /etc/pam.d/common-session
   104        file {"/etc/pam.d/common-session":
   105          content => template("ldap/common-session.erb"),
   106          owner   => root,
   107          group   => root,
   108          mode    => "0644",
   109          require => Class[ "ldap::client_install" ],
   110          notify  => Class[ "nscd::service" ],
   111        }
   112        # Puppet maintained file /etc/pam.d/common-password
   113        file {"/etc/pam.d/common-password":
   114          content => template("ldap/common-password.erb"),
   115          owner   => root,
   116          group   => root,
   117          mode    => "0644",
   118          require => Class[ "ldap::client_install" ],
   119        }
   120        # Puppet maintained file /etc/pam.d/common-password
   121        file {"/etc/pam.d/common-account":
   122          content => template("ldap/common-account.erb"),
   123          owner   => root,
   124          group   => root,
   125          mode    => "0644",
   126          require => Class[ "ldap::client_install" ],
   127        }
   128      }
   129    }
   130    # Puppet maintained directory /home/users
   131    exec { "Creating /home/users directory for LDAP users":
   132      path        => "/usr/local/bin:/usr/local/sbin:/bin:/usr/bin",
   133      environment => "HOME=/root",
   134      command     => "/bin/mkdir /home/users",
   135      user        => "root",
   136      group       => "root",
   137      unless      => "/bin/ls -l /home/users",
   138      logoutput   => on_failure,
   139      require     => Class[ "ldap::client_install" ],
   140    }
   141    # Puppet maintained file /etc/ldap.conf
   142    file {"/etc/ldap.conf":
   143      content => template("ldap/ldap.conf.erb"),
   144      owner   => root,
   145      group   => root,
   146      mode    => "0644",
   147      require => Class[ "ldap::client_install" ],
   148    }
   149    # Puppet maintained file /etc/nsswitch.conf
   150    file {"/etc/nsswitch.conf":
   151      content => template("ldap/nsswitch.conf.erb"),
   152      owner   => root,
   153      group   => root,
   154      mode    => "0644",
   155      require => Class[ "ldap::client_install" ],
   156      notify  => Class[ "nscd::service" ],
   157    }
   158    # Puppet maintained file /etc/ldap.secret
   159    file {"/etc/ldap.secret":
   160      content => template("ldap/ldap.secret.erb"),
   161      owner   => root,
   162      group   => root,
   163      mode    => "0600",
   164      require => Class[ "ldap::client_install" ],
   165    }
   166  }

cat -n init.pp
     1  # ldap class
     2  #
     3  # Last update 07/20/2011
     4  #
     5  # Craig White
     6  #
     7  # includes ldap::configure class
     8  #
     9  # includes ldap::client_install class
    10  #
    11  # includes ldap::server_install class
    12  #
    13  # includes ldap::service class
    14  #
    15  class ldap {
    16    include ldap::client_install, ldap::server_install, ldap::service, 
ldap::configure
    17  }


cat -n server_install.pp
     1  # ldap::server_install class
     2  #
     3  # Last update 09/25/2012
     4  #
     5  # Craig White
     6  #
     7  # ensures Open LDAP server is installed
     8  #
     9  class ldap::server_install {
    10    case $operatingsystem {
    11      centos, redhat: {
    12        package { [ "openldap-server" ]:
    13          ensure  => present,
    14          require => Class["ldap::client_install"],
    15        }
    16      }
    17      debian, ubuntu: {
    18        package { [ "slapd" ]:
    19          ensure  => present,
    20          require => Class["ldap::client_install"],
    21        }
    22        # Puppet maintained file /etc/logrotate.d/slapd
    23        file {"/etc/logrotate.d/slapd":
    24          source  => "puppet:///modules/ldap/slapd",
    25          owner   => root,
    26          group   => root,
    27          mode    => "0644",
    28          require => Class[ "ldap::client_install" ],
    29        }
    30      }
    31    }
    32  }

cat -n service.pp
     1  # ldap::service class
     2  #
     3  # Last update 07/20/2011
     4  #
     5  # Craig White
     6  #
     7  # ensures LDAP (slapd) server is running
     8  #
     9  #
    10  class ldap::service {
    11    case $operatingsystem {
    12      centos, redhat: {
    13        service { "ldap":
    14          ensure     => running,
    15          hasstatus  => true,
    16          hasrestart => true,
    17          enable     => true,
    18          require    => Class["ldap::server_install"],
    19        }
    20      }
    21      debian, ubuntu: {
    22        service { "slapd":
    23          ensure     => running,
    24          hasstatus  => true,
    25          hasrestart => true,
    26          enable     => true,
    27          require    => Class["ldap::server_install"],
    28        }
    29      }
    30    }
    31  }

ls -l ../files/
total 4
-rw-r--r-- 1 puppet puppet 252 2012-10-22 10:52 slapd

ls -l ../templates/
total 40
-rw-r--r-- 1 puppet puppet 1345 2012-05-04 08:09 common-account.erb
-rw-r--r-- 1 puppet puppet 1607 2012-02-08 14:45 common-password.erb
-rw-r--r-- 1 puppet puppet 1331 2012-02-08 14:45 common-session.erb
-rw-r--r-- 1 puppet puppet 9466 2012-03-02 11:07 ldap.conf.erb
-rw-r--r-- 1 puppet puppet   11 2012-02-08 14:45 ldap.secret.erb
-rw-r--r-- 1 puppet puppet  539 2012-02-14 12:57 nsswitch.conf.erb
-rw-r--r-- 1 puppet puppet  600 2012-02-08 14:45 openldap_ldap.conf.erb
-rw-r--r-- 1 puppet puppet 1312 2012-02-08 14:45 system-auth.erb


