aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/nodes.pp1
-rw-r--r--modules/openldap/manifests/init.pp46
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf157
-rw-r--r--modules/openldap/templates/slapd.conf95
4 files changed, 299 insertions, 0 deletions
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index c5264fae..7cff9ae7 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -16,6 +16,7 @@ node valstar {
timezone::timezone { "Europe/Paris": }
include rsyncd
include mirror
+ include openldap::master
# for puppet svn checkout
package {"subversion":
diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp
new file mode 100644
index 00000000..7da5a1fd
--- /dev/null
+++ b/modules/openldap/manifests/init.pp
@@ -0,0 +1,46 @@
+class openldap {
+ class base {
+ package { 'openldap-servers':
+ ensure => installed
+ }
+
+ service { ldap:
+ ensure => running,
+ subscribe => [ Package['openldap-servers']],
+ path => "/etc/init.d/ldap"
+ }
+ }
+
+ # /etc/
+ # 11:57:48| blingme> misc: nothing special, just copy slapd.conf, mandriva-dit-access.conf across, slapcat one side, slapadd other side
+
+ file { '/etc/openldap/slapd.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 644,
+ require => Package["openldap-servers"],
+ content => "",
+ notify => [Service['ldap']]
+ }
+
+ file { '/etc/openldap/mandriva-dit-access.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 644,
+ require => Package["openldap-servers"],
+ content => "",
+ notify => [Service['ldap']]
+ }
+
+ class master inherits base {
+ file { '/etc/openldap/mandriva-dit-access.conf':
+ content => template("openldap/mandriva-dit-access.conf"),
+ }
+
+ file { '/etc/openldap/slapd.conf':
+ content => template("bind/slapd.conf"),
+ }
+ }
+}
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
new file mode 100644
index 00000000..0cbeb746
--- /dev/null
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -0,0 +1,157 @@
+# mandriva-dit-access.conf
+
+limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+# so we don't have to add these to every other acl down there
+access to dn.subtree="dc=mageia,dc=org"
+ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
+ by * break
+
+# userPassword access
+# shadowLastChange is here because it needs to be writable by the user because
+# of pam_ldap, which will update this attr whenever the password is changed.
+# And this is done with the user's credentials
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=shadowLastChange
+ by self write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=userPassword
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by self write
+ by anonymous auth
+ by * none
+
+# kerberos key access
+# "by auth" just in case...
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=krb5Key
+ by self write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by anonymous auth
+ by * none
+
+# password policies
+access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# samba password attributes
+# by self not strictly necessary, because samba uses its own admin user to
+# change the password on the user's behalf
+# openldap also doesn't auth on these attributes, but maybe some day it will
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=sambaLMPassword,sambaNTPassword
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by anonymous auth
+ by self write
+ by * none
+# password history attribute
+# pwdHistory is read-only, but ACL is simplier with it here
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=sambaPasswordHistory,pwdHistory
+ by self read
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * none
+
+# pwdReset, so the admin can force an user to change a password
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=pwdReset
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# group owner can add/remove/edit members to groups
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
+ attrs=member
+ by dnattr=owner write
+ by * break
+
+# let the user change some of his/her attributes
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
+ by self write
+ by * break
+
+# create new accounts
+access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
+ attrs=children,entry
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * break
+# access to existing entries
+access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * break
+
+# sambaDomainName entry
+access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
+ attrs=children,entry,@sambaDomain,@sambaUnixIdPool
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# samba ID mapping
+access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
+ attrs=children,entry,@sambaIdmapEntry
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# global address book
+# XXX - which class(es) to use?
+access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
+ attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
+ by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# dhcp entries
+# XXX - open up read access to anybody?
+access to dn.sub="ou=dhcp,dc=mageia,dc=org"
+ attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
+ by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
+ by * read
+
+# sudoers
+access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
+ attrs=children,entry,@sudoRole
+ by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# dns
+access to dn="ou=dns,dc=mageia,dc=org"
+ attrs=entry,@extensibleObject
+ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+access to dn.sub="ou=dns,dc=mageia,dc=org"
+ attrs=children,entry,@dNSZone
+ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
+ by * none
+
+# MTA
+# XXX - what else can we add here? Virtual Domains? With which schema?
+access to dn.one="ou=People,dc=mageia,dc=org"
+ attrs=@inetLocalMailRecipient,mail
+ by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# KDE Configuration
+access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
+ by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# last one
+access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
+ by * read
+
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
new file mode 100644
index 00000000..44226cee
--- /dev/null
+++ b/modules/openldap/templates/slapd.conf
@@ -0,0 +1,95 @@
+# slapd.conf template
+include /usr/share/openldap/schema/core.schema
+include /usr/share/openldap/schema/cosine.schema
+include /usr/share/openldap/schema/corba.schema
+include /usr/share/openldap/schema/inetorgperson.schema
+include /usr/share/openldap/schema/java.schema
+include /usr/share/openldap/schema/krb5-kdc.schema
+#include /usr/share/openldap/schema/kerberosobject.schema
+include /usr/share/openldap/schema/misc.schema
+include /usr/share/openldap/schema/nis.schema
+include /usr/share/openldap/schema/openldap.schema
+include /usr/share/openldap/schema/autofs.schema
+include /usr/share/openldap/schema/samba.schema
+include /usr/share/openldap/schema/kolab.schema
+include /usr/share/openldap/schema/evolutionperson.schema
+include /usr/share/openldap/schema/calendar.schema
+include /usr/share/openldap/schema/sudo.schema
+include /usr/share/openldap/schema/dnszone.schema
+include /usr/share/openldap/schema/dhcp.schema
+include /usr/share/openldap/schema/dyngroup.schema
+include /usr/share/openldap/schema/ppolicy.schema
+
+#include /etc/openldap/schema/local.schema
+
+pidfile /var/run/ldap/slapd.pid
+argsfile /var/run/ldap/slapd.args
+
+modulepath /usr/lib/openldap
+moduleload back_monitor.la
+moduleload syncprov.la
+moduleload ppolicy.la
+#moduleload refint.la
+
+TLSCertificateFile /etc/ssl/openldap/ldap.pem
+TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
+TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+
+loglevel 256
+
+database bdb
+suffix "dc=mageia,dc=org"
+directory /var/lib/ldap
+rootdn "cn=manager,dc=mageia,dc=org"
+
+checkpoint 256 5
+# 32Mbytes, can hold about 10k posixAccount entries
+dbconfig set_cachesize 0 33554432 1
+dbconfig set_lg_bsize 2097152
+cachesize 1000
+idlcachesize 3000
+
+index objectClass eq
+index uidNumber,gidNumber,memberuid,member eq
+index uid eq,subinitial
+index cn,mail,surname,givenname eq,subinitial
+index sambaSID eq,sub
+index sambaDomainName,displayName,sambaGroupType eq
+index sambaSIDList eq
+index krb5PrincipalName eq
+index uniqueMember pres,eq
+index zoneName,relativeDomainName eq
+index sudouser eq,sub
+index entryCSN,entryUUID eq
+index dhcpHWAddress,dhcpClassData eq
+
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
+
+overlay ppolicy
+ppolicy_default "cn=default,ou=Password Policies,dc=mageia,dc=org"
+ppolicy_hash_cleartext yes
+ppolicy_use_lockout yes
+
+
+# uncomment if you want to automatically update group
+# memberships when an user is removed from the tree
+# Also uncomment the refint.la moduleload above
+#overlay refint
+#refint_attributes member
+#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com"
+
+authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+ "uid=Account Admin,ou=System Accounts,dc=mageia,dc=org"
+authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,dc=mageia,dc=org
+
+include /etc/openldap/mandriva-dit-access.conf
+
+
+database monitor
+access to dn.subtree="cn=Monitor"
+ by group.exact="cn=LDAP Monitors,ou=System Groups,dc=mageia,dc=org" read
+ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" read
+ by * none
+