-rw-r--r-- | manifests/nodes.pp | 1 | ||||
-rw-r--r-- | modules/openldap/manifests/init.pp | 46 | ||||
-rw-r--r-- | modules/openldap/templates/mandriva-dit-access.conf | 157 | ||||
-rw-r--r-- | modules/openldap/templates/slapd.conf | 95 |
4 files changed, 299 insertions, 0 deletions
diff --git a/manifests/nodes.pp b/manifests/nodes.pp
index c5264fae..7cff9ae7 100644
--- a/manifests/nodes.pp
+++ b/manifests/nodes.pp
@@ -16,6 +16,7 @@ node valstar { timezone::timezone { "Europe/Paris": } include rsyncd include mirror + include openldap::master # for puppet svn checkout package {"subversion":
diff --git a/modules/openldap/manifests/init.pp b/modules/openldap/manifests/init.pp
new file mode 100644
index 00000000..7da5a1fd
--- /dev/null
+++ b/modules/openldap/manifests/init.pp
@@ -0,0 +1,46 @@
+class openldap {
+ class base {
+ package { 'openldap-servers':
+ ensure => installed
+ }
+
+ service { ldap:
+ ensure => running,
+ subscribe => [ Package['openldap-servers']],
+ path => "/etc/init.d/ldap"
+ }
+ }
+
+ # /etc/
+ # 11:57:48| blingme> misc: nothing special, just copy slapd.conf, mandriva-dit-access.conf across, slapcat one side, slapadd other side
+
+ file { '/etc/openldap/slapd.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 644,
+ require => Package["openldap-servers"],
+ content => "",
+ notify => [Service['ldap']]
+ }
+
+ file { '/etc/openldap/mandriva-dit-access.conf':
+ ensure => present,
+ owner => root,
+ group => root,
+ mode => 644,
+ require => Package["openldap-servers"],
+ content => "",
+ notify => [Service['ldap']]
+ }
+
+ class master inherits base {
+ file { '/etc/openldap/mandriva-dit-access.conf':
+ content => template("openldap/mandriva-dit-access.conf"),
+ }
+
+ file { '/etc/openldap/slapd.conf':
+ content => template("bind/slapd.conf"),
+ }
+ }
+}
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
new file mode 100644
index 00000000..0cbeb746
--- /dev/null
+++ b/modules/openldap/templates/mandriva-dit-access.conf
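Review bot: In `class master` of `modules/openldap/manifests/init.pp`, the `/etc/openldap/slapd.conf` override renders `template("bind/slapd.conf")`, while the template this commit adds lives under `modules/openldap/templates/`; it should read `content => template("openldap/slapd.conf"),`, otherwise the master either fails to compile or installs another module's file as its slapd configuration. The two `file` resources are declared in the outer `openldap` class while `master` inherits only `base`, so Puppet may reject the overrides unless the declarations move into `base`; a catalog compile would confirm this. Any node that receives the outer class alone gets both files with `content => ""`, which would leave slapd with an empty configuration and no ACL file, so a comment such as `# only openldap::master is meant to be included directly` would help.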
@@ -0,0 +1,157 @@
+# mandriva-dit-access.conf
+
+limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
+ limit size=unlimited
+ limit time=unlimited
+
+# so we don't have to add these to every other acl down there
+access to dn.subtree="dc=mageia,dc=org"
+ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
+ by * break
+
+# userPassword access
+# shadowLastChange is here because it needs to be writable by the user because
+# of pam_ldap, which will update this attr whenever the password is changed.
+# And this is done with the user's credentials
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=shadowLastChange
+ by self write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=userPassword
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by self write
+ by anonymous auth
+ by * none
+
+# kerberos key access
+# "by auth" just in case...
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=krb5Key
+ by self write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by anonymous auth
+ by * none
+
+# password policies
+access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# samba password attributes
+# by self not strictly necessary, because samba uses its own admin user to
+# change the password on the user's behalf
+# openldap also doesn't auth on these attributes, but maybe some day it will
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=sambaLMPassword,sambaNTPassword
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by anonymous auth
+ by self write
+ by * none
+# password history attribute
+# pwdHistory is read-only, but ACL is simplier with it here
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=sambaPasswordHistory,pwdHistory
+ by self read
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * none
+
+# pwdReset, so the admin can force an user to change a password
+access to dn.subtree="dc=mageia,dc=org"
+ attrs=pwdReset
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# group owner can add/remove/edit members to groups
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
+ attrs=member
+ by dnattr=owner write
+ by * break
+
+# let the user change some of his/her attributes
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
+ by self write
+ by * break
+
+# create new accounts
+access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
+ attrs=children,entry
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * break
+# access to existing entries
+access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
+ by
group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * break
+
+# sambaDomainName entry
+access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
+ attrs=children,entry,@sambaDomain,@sambaUnixIdPool
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# samba ID mapping
+access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
+ attrs=children,entry,@sambaIdmapEntry
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# global address book
+# XXX - which class(es) to use?
+access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
+ attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
+ by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# dhcp entries
+# XXX - open up read access to anybody?
+access to dn.sub="ou=dhcp,dc=mageia,dc=org"
+ attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
+ by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
+ by * read
+
+# sudoers
+access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
+ attrs=children,entry,@sudoRole
+ by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# dns
+access to dn="ou=dns,dc=mageia,dc=org"
+ attrs=entry,@extensibleObject
+ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+access to dn.sub="ou=dns,dc=mageia,dc=org"
+ attrs=children,entry,@dNSZone
+ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
+ by * none
+
+# MTA
+# XXX - what else can we add here? Virtual Domains?
With which schema?
+access to dn.one="ou=People,dc=mageia,dc=org"
+ attrs=@inetLocalMailRecipient,mail
+ by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# KDE Configuration
+access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
+ by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
+ by * read
+
+# last one
+access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
+ by * read
+
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
new file mode 100644
index 00000000..44226cee
--- /dev/null
+++ b/modules/openldap/templates/slapd.conf
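Review bot: Several rules in `mandriva-dit-access.conf` end in `by * read`, and `*` also matches unauthenticated clients; the `slapd.conf` added in this commit shows nothing that turns anonymous binds off, so the `ou=sudoers` and `ou=dhcp` subtrees (the latter already marked `XXX - open up read access to anybody?`) appear to be readable without credentials. For sudoers in particular, consider replacing the final clause with `by users read` followed by `by * none`, so that only authenticated identities can enumerate privilege rules. The Address Book pattern `^(.*,)?ou=Address Book,dc=mageia,dc=org` is the only `dn.regex` here without a trailing `$`; adding it keeps the rule consistent with the others. A short header comment noting that rule order is significant and that `by * break` falls through to later rules would help future editors avoid widening access by accident.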
@@ -0,0 +1,95 @@
+# slapd.conf template
+include /usr/share/openldap/schema/core.schema
+include /usr/share/openldap/schema/cosine.schema
+include /usr/share/openldap/schema/corba.schema
+include /usr/share/openldap/schema/inetorgperson.schema
+include /usr/share/openldap/schema/java.schema
+include /usr/share/openldap/schema/krb5-kdc.schema
+#include /usr/share/openldap/schema/kerberosobject.schema
+include /usr/share/openldap/schema/misc.schema
+include /usr/share/openldap/schema/nis.schema
+include /usr/share/openldap/schema/openldap.schema
+include /usr/share/openldap/schema/autofs.schema
+include /usr/share/openldap/schema/samba.schema
+include /usr/share/openldap/schema/kolab.schema
+include /usr/share/openldap/schema/evolutionperson.schema
+include /usr/share/openldap/schema/calendar.schema
+include /usr/share/openldap/schema/sudo.schema
+include /usr/share/openldap/schema/dnszone.schema
+include /usr/share/openldap/schema/dhcp.schema
+include /usr/share/openldap/schema/dyngroup.schema
+include /usr/share/openldap/schema/ppolicy.schema
+
+#include /etc/openldap/schema/local.schema
+
+pidfile /var/run/ldap/slapd.pid
+argsfile /var/run/ldap/slapd.args
+
+modulepath /usr/lib/openldap
+moduleload back_monitor.la
+moduleload syncprov.la
+moduleload ppolicy.la
+#moduleload refint.la
+
+TLSCertificateFile /etc/ssl/openldap/ldap.pem
+TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
+TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+
+loglevel 256
+
+database bdb
+suffix "dc=mageia,dc=org"
+directory /var/lib/ldap
+rootdn "cn=manager,dc=mageia,dc=org"
+
+checkpoint 256 5
+# 32Mbytes, can hold about 10k posixAccount entries
+dbconfig set_cachesize 0 33554432 1
+dbconfig set_lg_bsize 2097152
+cachesize 1000
+idlcachesize 3000
+
+index objectClass eq
+index uidNumber,gidNumber,memberuid,member eq
+index uid eq,subinitial
+index cn,mail,surname,givenname eq,subinitial
+index sambaSID eq,sub
+index sambaDomainName,displayName,sambaGroupType eq
+index sambaSIDList eq
+index
krb5PrincipalName eq
+index uniqueMember pres,eq
+index zoneName,relativeDomainName eq
+index sudouser eq,sub
+index entryCSN,entryUUID eq
+index dhcpHWAddress,dhcpClassData eq
+
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
+
+overlay ppolicy
+ppolicy_default "cn=default,ou=Password Policies,dc=mageia,dc=org"
+ppolicy_hash_cleartext yes
+ppolicy_use_lockout yes
+
+
+# uncomment if you want to automatically update group
+# memberships when an user is removed from the tree
+# Also uncomment the refint.la moduleload above
+#overlay refint
+#refint_attributes member
+#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com"
+
+authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+ "uid=Account Admin,ou=System Accounts,dc=mageia,dc=org"
+authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,dc=mageia,dc=org
+
+include /etc/openldap/mandriva-dit-access.conf
+
+
+database monitor
+access to dn.subtree="cn=Monitor"
+ by group.exact="cn=LDAP Monitors,ou=System Groups,dc=mageia,dc=org" read
+ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" read
+ by * none
+ |
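Review bot: Nothing in this `slapd.conf` template requires an encrypted channel before a simple bind, so although the TLS certificate directives are set, passwords checked through the `by anonymous auth` rules can still be sent in cleartext on the plain LDAP listener; a line such as `security simple_bind=128` after the TLS block would refuse simple binds that are not protected (the strength value should be chosen to match what the clients negotiate). `TLSCertificateFile`, `TLSCertificateKeyFile` and `TLSCACertificateFile` all point at `/etc/ssl/openldap/ldap.pem`, so the private key shares a file with the certificate and CA material, and this commit does not manage that file's ownership or mode; separate files with the key readable only by the slapd account would be safer. The first `authz-regexp` maps local root over the peercred EXTERNAL identity to `uid=Account Admin`, which deserves a one-line comment because it grants account-admin rights to anyone who has root on the host.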