Federico Bonelli
2013-May-15 10:45 UTC
[Puppet Users] Any working module for LDAP client authentication?
Hi folks,

I can't find a _working_ module for setting LDAP authentication through nsswitch and PAM for Ubuntu. Does anybody know if such a module exists?

I'm trying to set up at work a Puppet infrastructure to manage the whole of our workstations: I previously configured by hand LDAP authentication, and there is a lot of configuration to be done, therefore I'd really need Puppet to do it for me.

Thank you guys,
Federico

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
Craig White
2013-May-15 15:48 UTC
Re: [Puppet Users] Any working module for LDAP client authentication?
On May 15, 2013, at 3:45 AM, Federico Bonelli wrote:

> Hi folks,
>
> I can't find a _working_ module for setting LDAP authentication through nsswitch and PAM for Ubuntu.
> Does anybody know if such a module exists?
>
> I'm trying to set up at work a Puppet infrastructure to manage the whole of our workstations: I previously configured by hand LDAP authentication, and there is a lot of configuration to be done, therefore I'd really need Puppet to do it for me.
>
> Thank you guys,
----
Never made it into a module but here is my relatively complete solution to Ubuntu LDAP client configuration. (note that I'm going to leave the contents of /etc/ldap.conf, /etc/ldap/ldap.conf and all of the affected pam.d files to you as well as the implementation of log rotation)

cat client_install.pp

# ldap::client_install class
#
# Last update 03/02/2012
#
# Craig White
#
# ensures sufficient changes to permit users to authenticate via TTI's LDAP server
#
class ldap::client_install {
  include ldap::configure
  include nscd
  case $operatingsystem {
    centos, redhat: {
      package { [ "openldap-clients", "openldap", "openldap-devel" ]:
        ensure  => present,
        require => Class["nscd::install", "apt::updates"],
        notify  => Class["nscd::service"],
      }
    }
    debian, ubuntu: {
      package { [ "ldap-utils", "libnss-ldap", "auth-client-config" ]:
        ensure  => present,
        require => Class["nscd::install", "apt::updates"],
        notify  => Class["nscd::service"],
      }
    }
  }
}

cat configure.pp

# ldap::configure class
#
# Last update 03/02/2012
#
# Craig White
#
# ensures sufficient changes to permit users to authenticate via TTI's LDAP server
#
class ldap::configure {
  include ldap::client_install
  # LDAP servers themselves prefer their local peer; everything else picks
  # servers by data center.
  if (tagged("ldap::server_install")) {
    case $hostname {
      default: {
        $ldap_servers_nss = "ldap://ldap.example.com ldap://ldap2.example.com"
        $ldap_servers     = "ldap://ldap.example.com ldap://ldap2.example.com"
      }
      ldap3: {
        $ldap_servers_nss = "ldap://ldap3.example.com ldap://ldap4.example.com"
        $ldap_servers     = "ldap://ldap3.example.com ldap://ldap4.example.com"
      }
      ldap4: {
        $ldap_servers_nss = "ldap://ldap4.example.com ldap://ldap3.example.com"
        $ldap_servers     = "ldap://ldap4.example.com ldap://ldap3.example.com"
      }
      ldap2: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      ldap5: {
        $ldap_servers_nss = "ldap://ldap5.example.com ldap://ldap6.example.com"
        $ldap_servers     = "ldapi://ldap5.example.com ldap://ldap6.example.com"
      }
      ldap6: {
        $ldap_servers_nss = "ldap://ldap6.example.com ldap://ldap5.example.com"
        $ldap_servers     = "ldap://ldap6.example.com ldap://ldap5.example.com"
      }
    }
  } else {
    case $datacenter {
      default: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      Pacesetter-DynamicIPAddr: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      Pacesetter-FixedIPAddr: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      Pacesetter-DMZ: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      IO: {
        $ldap_servers_nss = "ldap://ldap6.example.com ldap://ldap5.example.com"
        $ldap_servers     = "ldap://ldap5.example.com ldap://ldap6.example.com"
      }
      Canada: {
        $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
        $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
      }
      Amsterdam: {
        $ldap_servers_nss = "ldap://ldap4.example.com ldap://ldap3.example.com"
        $ldap_servers     = "ldap://ldap4.example.com ldap://ldap3.example.com"
      }
    }
  }
  case $operatingsystem {
    default: {
    }
    centos, redhat: {
      # Puppet maintained file /etc/openldap/ldap.conf (RHEL/CentOS)
      file { "/etc/openldap/ldap.conf":
        content => template("ldap/openldap_ldap.conf.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
        notify  => Class[ "nscd::service" ],
      }
      # Puppet maintained file /etc/pam.d/system-auth
      file { "/etc/pam.d/system-auth":
        content => template("ldap/system-auth.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        notify  => Class[ "nscd::service" ],
        require => Class[ "ldap::client_install" ],
      }
    }
    debian, ubuntu: {
      # Puppet maintained file /etc/ldap/ldap.conf (Debian/Ubuntu)
      file { "/etc/ldap/ldap.conf":
        content => template("ldap/openldap_ldap.conf.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
        notify  => Class[ "nscd::service" ],
      }
      # Puppet maintained file /etc/pam.d/common-session
      file { "/etc/pam.d/common-session":
        content => template("ldap/common-session.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
        notify  => Class[ "nscd::service" ],
      }
      # Puppet maintained file /etc/pam.d/common-password
      file { "/etc/pam.d/common-password":
        content => template("ldap/common-password.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
      }
      # Puppet maintained file /etc/pam.d/common-account
      file { "/etc/pam.d/common-account":
        content => template("ldap/common-account.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
      }
    }
  }
  # Puppet maintained directory /home/users
  exec { "Creating /home/users directory for LDAP users":
    path        => "/usr/local/bin:/usr/local/sbin:/bin:/usr/bin",
    environment => "HOME=/root",
    command     => "/bin/mkdir /home/users",
    user        => "root",
    group       => "root",
    # only run when the directory does not already exist
    unless      => "/usr/bin/test -d /home/users",
    logoutput   => on_failure,
    require     => Class[ "ldap::client_install" ],
  }
  # Puppet maintained file /etc/ldap.conf
  file { "/etc/ldap.conf":
    content => template("ldap/ldap.conf.erb"),
    owner   => root,
    group   => root,
    mode    => "0644",
    require => Class[ "ldap::client_install" ],
  }
  # Puppet maintained file /etc/nsswitch.conf
  file { "/etc/nsswitch.conf":
    content => template("ldap/nsswitch.conf.erb"),
    owner   => root,
    group   => root,
    mode    => "0644",
    require => Class[ "ldap::client_install" ],
    notify  => Class[ "nscd::service" ],
  }
  # Puppet maintained file /etc/ldap.secret (bind password for rootbinddn;
  # root-only read)
  file { "/etc/ldap.secret":
    content => template("ldap/ldap.secret.erb"),
    owner   => root,
    group   => root,
    mode    => "0600",
    require => Class[ "ldap::client_install" ],
  }
}

cat init.pp

# ldap class
#
# Last update 07/20/2011
#
# Craig White
#
# includes ldap::configure class
#
# includes ldap::client_install class
#
# includes ldap::server_install class
#
# includes ldap::service class
#
class ldap {
  include ldap::client_install, ldap::server_install, ldap::service, ldap::configure
}

cat server_install.pp

# ldap::server_install class
#
# Last update 09/25/2012
#
# Craig White
#
# ensures Open LDAP server is installed
#
class ldap::server_install {
  case $operatingsystem {
    centos, redhat: {
      package { [ "openldap-server" ]:
        ensure  => present,
        require => Class["ldap::client_install"],
      }
    }
    debian, ubuntu: {
      package { [ "slapd" ]:
        ensure  => present,
        require => Class["ldap::client_install"],
      }
      # Puppet maintained file /etc/logrotate.d/slapd
      file { "/etc/logrotate.d/slapd":
        source  => "puppet:///modules/ldap/slapd",
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class[ "ldap::client_install" ],
      }
    }
  }
}

cat service.pp

# ldap::service class
#
# Last update 07/20/2011
#
# Craig White
#
# ensures LDAP (slapd) server is running
#
#
class ldap::service {
  case $operatingsystem {
    centos, redhat: {
      service { "ldap":
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class["ldap::server_install"],
      }
    }
    debian, ubuntu: {
      service { "slapd":
        ensure     => running,
        hasstatus  => true,
        hasrestart => true,
        enable     => true,
        require    => Class["ldap::server_install"],
      }
    }
  }
}

ls -l ../files/
total 4
-rw-r--r-- 1 puppet puppet 252 2012-10-22 10:52 slapd

ls -l ../templates/
total 40
-rw-r--r-- 1 puppet puppet 1345 2012-05-04 08:09 common-account.erb
-rw-r--r-- 1 puppet puppet 1607 2012-02-08 14:45 common-password.erb
-rw-r--r-- 1 puppet puppet 1331 2012-02-08 14:45 common-session.erb
-rw-r--r-- 1 puppet puppet 9466 2012-03-02 11:07 ldap.conf.erb
-rw-r--r-- 1 puppet puppet 11 2012-02-08 14:45 ldap.secret.erb
-rw-r--r-- 1 puppet puppet 539 2012-02-14 12:57 nsswitch.conf.erb
-rw-r--r-- 1 puppet puppet 600 2012-02-08 14:45 openldap_ldap.conf.erb
-rw-r--r-- 1 puppet puppet 1312 2012-02-08 14:45 system-auth.erb
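The reply above leaves the /etc/ldap.conf template to the reader, so here is an added example of what `templates/ldap.conf.erb` for the libnss-ldap/libpam-ldap path can look like; it is written for this thread and is not Craig's template. It assumes the `$ldap_servers_nss` variable set in configure.pp carries the NSS URI list, and the base DN, admin DN, group DN and CA bundle path are placeholders to replace.

```erb
# /etc/ldap.conf -- rendered by Puppet from ldap/ldap.conf.erb
# Added example for this thread, not the original poster's template.
# Assumes $ldap_servers_nss (from ldap::configure) is a space-separated
# URI list; DNs and the CA path below are placeholders.
uri <%= @ldap_servers_nss %>
base dc=example,dc=com
ldap_version 3
scope sub

# Privileged bind used for password changes. The password is NOT put in
# this world-readable file: pam_ldap reads it from /etc/ldap.secret, which
# ldap::configure manages with mode 0600.
rootbinddn cn=admin,dc=example,dc=com

# Fail over quickly instead of hanging every login when a server is down.
bind_policy soft
bind_timelimit 5
timelimit 10

# Never send bind credentials in clear text: upgrade the port-389
# connection with STARTTLS and refuse servers whose certificate does not
# verify against the trusted CA bundle.
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
tls_ciphers HIGH:!aNULL:!MD5

# NSS may resolve every directory account (needed for file ownership),
# but PAM only admits members of this group to the workstations.
pam_groupdn cn=workstation-users,ou=groups,dc=example,dc=com
pam_member_attribute member

# Change passwords through the LDAP password-modify extended operation so
# the server, not the client, decides the hashing scheme.
pam_password exop

# Keep local system accounts from triggering LDAP lookups during boot.
nss_initgroups_ignoreusers root,daemon,sshd
pam_login_attribute uid
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_group  ou=groups,dc=example,dc=com?one
```

With `tls_checkpeer yes` a client whose CA bundle lacks the directory's issuer will fail to bind rather than authenticate against an impostor, so roll out the CA file with the same Puppet run that deploys this template.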