Diffstat (limited to 'zarb-ml/mageia-sysadm/attachments/20101029/0a250102')
-rw-r--r-- | zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment-0001.html | 418 | ||||
-rw-r--r-- | zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment.html | 419 |
2 files changed, 837 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment-0001.html b/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment-0001.html new file mode 100644 index 000000000..713a6e7bb --- /dev/null +++ b/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment-0001.html 
@@ -0,0 +1,418 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" +"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /> +<title>[53] - deploy ldap with puppet on valstar</title> +</head> +<body> + +<style type="text/css"><!-- +#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; } +#msg dl.meta dt { float: left; width: 6em; font-weight: bold; } +#msg dt:after { content:':';} +#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; } +#msg dl a { font-weight: bold} +#msg dl a:link { color:#fc3; } +#msg dl a:active { color:#ff0; } +#msg dl a:visited { color:#cc6; } +h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; } +#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; } +#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; } +#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; } +#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; } +#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; } +#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; } +#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; } +#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; } +#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; } +#logmsg pre { background: #eee; padding: 1em; } +#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;} +#logmsg dl { margin: 0; } +#logmsg dt { font-weight: bold; } +#logmsg dd { margin: 0; padding: 0 0 0.5em 0; } +#logmsg dd:before { 
content:'\00bb';} +#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; } +#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; } +#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; } +#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; } +#logmsg table th.Corner { text-align: left; } +#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; } +#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; } +#patch { width: 100%; } +#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;} +#patch .propset h4, #patch .binary h4 {margin:0;} +#patch pre {padding:0;line-height:1.2em;margin:0;} +#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;} +#patch .propset .diff, #patch .binary .diff {padding:10px 0;} +#patch span {display:block;padding:0 10px;} +#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;} +#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;} +#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;} +#patch .lines, .info {color:#888;background:#fff;} +--></style> +<div id="msg"> +<dl class="meta"> +<dt>Revision</dt> <dd>53</dd> +<dt>Author</dt> <dd>misc</dd> +<dt>Date</dt> <dd>2010-10-29 00:55:56 +0200 (Fri, 29 Oct 2010)</dd> +</dl> + +<h3>Log Message</h3> +<pre>- deploy ldap with puppet on valstar</pre> + +<h3>Modified Paths</h3> +<ul> +<li><a href="#puppetmanifestsnodespp">puppet/manifests/nodes.pp</a></li> +</ul> + +<h3>Added Paths</h3> +<ul> +<li>puppet/modules/openldap/</li> +<li>puppet/modules/openldap/manifests/</li> +<li><a 
href="#puppetmodulesopenldapmanifestsinitpp">puppet/modules/openldap/manifests/init.pp</a></li> +<li>puppet/modules/openldap/templates/</li> +<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li> +<li><a href="#puppetmodulesopenldaptemplatesslapdconf">puppet/modules/openldap/templates/slapd.conf</a></li> +</ul> + +</div> +<div id="patch"> +<h3>Diff</h3> +<a id="puppetmanifestsnodespp"></a> +<div class="modfile"><h4>Modified: puppet/manifests/nodes.pp (52 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/manifests/nodes.pp 2010-10-28 16:47:50 UTC (rev 52) ++++ puppet/manifests/nodes.pp 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -16,6 +16,7 @@ +</span><span class="cx"> timezone::timezone { "Europe/Paris": } +</span><span class="cx"> include rsyncd +</span><span class="cx"> include mirror +</span><ins>+ include openldap::master +</ins><span class="cx"> +</span><span class="cx"> # for puppet svn checkout +</span><span class="cx"> package {"subversion": +</span></span></pre></div> +<a id="puppetmodulesopenldapmanifestsinitpp"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/manifests/init.pp (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/manifests/init.pp (rev 0) ++++ puppet/modules/openldap/manifests/init.pp 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,46 @@ +</span><ins>+class openldap { ++ class base { ++ package { 'openldap-servers': ++ ensure => installed ++ } ++ ++ service { ldap: ++ ensure => running, ++ subscribe => [ Package['openldap-servers']], ++ path => "/etc/init.d/ldap" ++ } ++ } ++ ++ # /etc/ ++ # 11:57:48| blingme> misc: nothing special, just copy slapd.conf, mandriva-dit-access.conf across, slapcat one side, slapadd other side ++ ++ file { '/etc/openldap/slapd.conf': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 644, ++ require => 
Package["openldap-servers"], ++ content => "", ++ notify => [Service['ldap']] ++ } ++ ++ file { '/etc/openldap/mandriva-dit-access.conf': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 644, ++ require => Package["openldap-servers"], ++ content => "", ++ notify => [Service['ldap']] ++ } ++ ++ class master inherits base { ++ file { '/etc/openldap/mandriva-dit-access.conf': ++ content => template("openldap/mandriva-dit-access.conf"), ++ } ++ ++ file { '/etc/openldap/slapd.conf': ++ content => template("bind/slapd.conf"), ++ } ++ } ++} +</ins></span></pre></div> +<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/templates/mandriva-dit-access.conf (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/templates/mandriva-dit-access.conf (rev 0) ++++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,157 @@ +</span><ins>+# mandriva-dit-access.conf ++ ++limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++# so we don't have to add these to every other acl down there ++access to dn.subtree="dc=mageia,dc=org" ++ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read ++ by * break ++ ++# userPassword access ++# shadowLastChange is here because it needs to be writable by the user because ++# of pam_ldap, which will update this attr whenever the password is changed. 
++# And this is done with the user's credentials ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=shadowLastChange ++ by self write ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=userPassword ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by self write ++ by anonymous auth ++ by * none ++ ++# kerberos key access ++# "by auth" just in case... ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=krb5Key ++ by self write ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by anonymous auth ++ by * none ++ ++# password policies ++access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# samba password attributes ++# by self not strictly necessary, because samba uses its own admin user to ++# change the password on the user's behalf ++# openldap also doesn't auth on these attributes, but maybe some day it will ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=sambaLMPassword,sambaNTPassword ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by anonymous auth ++ by self write ++ by * none ++# password history attribute ++# pwdHistory is read-only, but ACL is simplier with it here ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=sambaPasswordHistory,pwdHistory ++ by self read ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * none ++ ++# pwdReset, so the admin can force an user to change a password ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=pwdReset ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# group owner can add/remove/edit members to groups ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++ attrs=member ++ by dnattr=owner write ++ by * break ++ ++# let the user 
change some of his/her attributes ++access to dn.subtree="ou=People,dc=mageia,dc=org" ++ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber ++ by self write ++ by * break ++ ++# create new accounts ++access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" ++ attrs=children,entry ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * break ++# access to existing entries ++access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * break ++ ++# sambaDomainName entry ++access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" ++ attrs=children,entry,@sambaDomain,@sambaUnixIdPool ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# samba ID mapping ++access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" ++ attrs=children,entry,@sambaIdmapEntry ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# global address book ++# XXX - which class(es) to use? ++access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" ++ attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList ++ by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# dhcp entries ++# XXX - open up read access to anybody? 
++access to dn.sub="ou=dhcp,dc=mageia,dc=org" ++ attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog ++ by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read ++ by * read ++ ++# sudoers ++access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" ++ attrs=children,entry,@sudoRole ++ by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# dns ++access to dn="ou=dns,dc=mageia,dc=org" ++ attrs=entry,@extensibleObject ++ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++access to dn.sub="ou=dns,dc=mageia,dc=org" ++ attrs=children,entry,@dNSZone ++ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read ++ by * none ++ ++# MTA ++# XXX - what else can we add here? Virtual Domains? With which schema? 
++access to dn.one="ou=People,dc=mageia,dc=org" ++ attrs=@inetLocalMailRecipient,mail ++ by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# KDE Configuration ++access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" ++ by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# last one ++access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn ++ by * read ++ +</ins></span></pre></div> +<a id="puppetmodulesopenldaptemplatesslapdconf"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/templates/slapd.conf (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/templates/slapd.conf (rev 0) ++++ puppet/modules/openldap/templates/slapd.conf 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,95 @@ +</span><ins>+# slapd.conf template ++include /usr/share/openldap/schema/core.schema ++include /usr/share/openldap/schema/cosine.schema ++include /usr/share/openldap/schema/corba.schema ++include /usr/share/openldap/schema/inetorgperson.schema ++include /usr/share/openldap/schema/java.schema ++include /usr/share/openldap/schema/krb5-kdc.schema ++#include /usr/share/openldap/schema/kerberosobject.schema ++include /usr/share/openldap/schema/misc.schema ++include /usr/share/openldap/schema/nis.schema ++include /usr/share/openldap/schema/openldap.schema ++include /usr/share/openldap/schema/autofs.schema ++include /usr/share/openldap/schema/samba.schema ++include /usr/share/openldap/schema/kolab.schema ++include /usr/share/openldap/schema/evolutionperson.schema ++include /usr/share/openldap/schema/calendar.schema ++include /usr/share/openldap/schema/sudo.schema ++include /usr/share/openldap/schema/dnszone.schema ++include /usr/share/openldap/schema/dhcp.schema ++include /usr/share/openldap/schema/dyngroup.schema ++include /usr/share/openldap/schema/ppolicy.schema ++ ++#include /etc/openldap/schema/local.schema ++ ++pidfile /var/run/ldap/slapd.pid 
++argsfile /var/run/ldap/slapd.args ++ ++modulepath /usr/lib/openldap ++moduleload back_monitor.la ++moduleload syncprov.la ++moduleload ppolicy.la ++#moduleload refint.la ++ ++TLSCertificateFile /etc/ssl/openldap/ldap.pem ++TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem ++TLSCACertificateFile /etc/ssl/openldap/ldap.pem ++ ++loglevel 256 ++ ++database bdb ++suffix "dc=mageia,dc=org" ++directory /var/lib/ldap ++rootdn "cn=manager,dc=mageia,dc=org" ++ ++checkpoint 256 5 ++# 32Mbytes, can hold about 10k posixAccount entries ++dbconfig set_cachesize 0 33554432 1 ++dbconfig set_lg_bsize 2097152 ++cachesize 1000 ++idlcachesize 3000 ++ ++index objectClass eq ++index uidNumber,gidNumber,memberuid,member eq ++index uid eq,subinitial ++index cn,mail,surname,givenname eq,subinitial ++index sambaSID eq,sub ++index sambaDomainName,displayName,sambaGroupType eq ++index sambaSIDList eq ++index krb5PrincipalName eq ++index uniqueMember pres,eq ++index zoneName,relativeDomainName eq ++index sudouser eq,sub ++index entryCSN,entryUUID eq ++index dhcpHWAddress,dhcpClassData eq ++ ++overlay syncprov ++syncprov-checkpoint 100 10 ++syncprov-sessionlog 100 ++ ++overlay ppolicy ++ppolicy_default "cn=default,ou=Password Policies,dc=mageia,dc=org" ++ppolicy_hash_cleartext yes ++ppolicy_use_lockout yes ++ ++ ++# uncomment if you want to automatically update group ++# memberships when an user is removed from the tree ++# Also uncomment the refint.la moduleload above ++#overlay refint ++#refint_attributes member ++#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com" ++ ++authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" ++ "uid=Account Admin,ou=System Accounts,dc=mageia,dc=org" ++authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,dc=mageia,dc=org ++ ++include /etc/openldap/mandriva-dit-access.conf ++ ++ ++database monitor ++access to dn.subtree="cn=Monitor" ++ by group.exact="cn=LDAP Monitors,ou=System Groups,dc=mageia,dc=org" read ++ by 
group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" read ++ by * none ++ +</ins></span></pre> +</div> +</div> + +</body> +</html> diff --git a/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment.html b/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment.html new file mode 100644 index 000000000..cf08c4062 --- /dev/null +++ b/zarb-ml/mageia-sysadm/attachments/20101029/0a250102/attachment.html 
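Review bot: The puppet manifest embedded in this attachment has a template-path defect: in `class master inherits base` the slapd.conf resource uses `content => template("bind/slapd.conf"),` although the template is added in this same revision as `puppet/modules/openldap/templates/slapd.conf`, so catalog compilation on valstar would fail unless some unrelated `bind` module happens to ship a file of that name; the line should read `content => template("openldap/slapd.conf"),`. Two further points worth recording for whoever maintains the live manifest: both `/etc/openldap/*.conf` resources are deployed `mode => 644` (world-readable), which is defensible only while slapd.conf carries no `rootpw` — a `0640` root:ldap mode would be the safer default if one is ever added — and the closing ACL `access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn by * read` lets anonymous binds enumerate every uid and cn in the DIT, which may be intended but deserves a comment saying so. The `# XXX - open up read access to anybody?` remark above the dhcp ACL is already answered by its `by * read` clause, so either the comment or the clause should be updated. Since this file is an archived commit notification rather than the puppet tree itself, the fixes belong in the referenced puppet repository; the second hunk (attachment.html) duplicates this content verbatim and has the identical issues.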
@@ -0,0 +1,419 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" +"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /> +<title>[53] - deploy ldap with puppet on valstar</title> +</head> +<body> + +<style type="text/css"><!-- +#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; } +#msg dl.meta dt { float: left; width: 6em; font-weight: bold; } +#msg dt:after { content:':';} +#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; } +#msg dl a { font-weight: bold} +#msg dl a:link { color:#fc3; } +#msg dl a:active { color:#ff0; } +#msg dl a:visited { color:#cc6; } +h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; } +#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; } +#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; } +#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; } +#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; } +#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; } +#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; } +#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; } +#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; } +#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; } +#logmsg pre { background: #eee; padding: 1em; } +#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;} +#logmsg dl { margin: 0; } +#logmsg dt { font-weight: bold; } +#logmsg dd { margin: 0; padding: 0 0 0.5em 0; } +#logmsg dd:before { 
content:'\00bb';} +#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; } +#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; } +#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; } +#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; } +#logmsg table th.Corner { text-align: left; } +#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; } +#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; } +#patch { width: 100%; } +#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;} +#patch .propset h4, #patch .binary h4 {margin:0;} +#patch pre {padding:0;line-height:1.2em;margin:0;} +#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;} +#patch .propset .diff, #patch .binary .diff {padding:10px 0;} +#patch span {display:block;padding:0 10px;} +#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;} +#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;} +#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;} +#patch .lines, .info {color:#888;background:#fff;} +--></style> +<div id="msg"> +<dl class="meta"> +<dt>Revision</dt> <dd>53</dd> +<dt>Author</dt> <dd>misc</dd> +<dt>Date</dt> <dd>2010-10-29 00:55:56 +0200 (Fri, 29 Oct 2010)</dd> +</dl> + +<h3>Log Message</h3> +<pre>- deploy ldap with puppet on valstar</pre> + +<h3>Modified Paths</h3> +<ul> +<li><a href="#puppetmanifestsnodespp">puppet/manifests/nodes.pp</a></li> +</ul> + +<h3>Added Paths</h3> +<ul> +<li>puppet/modules/openldap/</li> +<li>puppet/modules/openldap/manifests/</li> +<li><a 
href="#puppetmodulesopenldapmanifestsinitpp">puppet/modules/openldap/manifests/init.pp</a></li> +<li>puppet/modules/openldap/templates/</li> +<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li> +<li><a href="#puppetmodulesopenldaptemplatesslapdconf">puppet/modules/openldap/templates/slapd.conf</a></li> +</ul> + +</div> +<div id="patch"> +<h3>Diff</h3> +<a id="puppetmanifestsnodespp"></a> +<div class="modfile"><h4>Modified: puppet/manifests/nodes.pp (52 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/manifests/nodes.pp 2010-10-28 16:47:50 UTC (rev 52) ++++ puppet/manifests/nodes.pp 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -16,6 +16,7 @@ +</span><span class="cx"> timezone::timezone { "Europe/Paris": } +</span><span class="cx"> include rsyncd +</span><span class="cx"> include mirror +</span><ins>+ include openldap::master +</ins><span class="cx"> +</span><span class="cx"> # for puppet svn checkout +</span><span class="cx"> package {"subversion": +</span></span></pre></div> +<a id="puppetmodulesopenldapmanifestsinitpp"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/manifests/init.pp (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/manifests/init.pp (rev 0) ++++ puppet/modules/openldap/manifests/init.pp 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,46 @@ +</span><ins>+class openldap { ++ class base { ++ package { 'openldap-servers': ++ ensure => installed ++ } ++ ++ service { ldap: ++ ensure => running, ++ subscribe => [ Package['openldap-servers']], ++ path => "/etc/init.d/ldap" ++ } ++ } ++ ++ # /etc/ ++ # 11:57:48| blingme> misc: nothing special, just copy slapd.conf, mandriva-dit-access.conf across, slapcat one side, slapadd other side ++ ++ file { '/etc/openldap/slapd.conf': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 644, ++ require => 
Package["openldap-servers"], ++ content => "", ++ notify => [Service['ldap']] ++ } ++ ++ file { '/etc/openldap/mandriva-dit-access.conf': ++ ensure => present, ++ owner => root, ++ group => root, ++ mode => 644, ++ require => Package["openldap-servers"], ++ content => "", ++ notify => [Service['ldap']] ++ } ++ ++ class master inherits base { ++ file { '/etc/openldap/mandriva-dit-access.conf': ++ content => template("openldap/mandriva-dit-access.conf"), ++ } ++ ++ file { '/etc/openldap/slapd.conf': ++ content => template("bind/slapd.conf"), ++ } ++ } ++} +</ins></span></pre></div> +<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/templates/mandriva-dit-access.conf (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/templates/mandriva-dit-access.conf (rev 0) ++++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,157 @@ +</span><ins>+# mandriva-dit-access.conf ++ ++limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" ++ limit size=unlimited ++ limit time=unlimited ++ ++# so we don't have to add these to every other acl down there ++access to dn.subtree="dc=mageia,dc=org" ++ by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read ++ by * break ++ ++# userPassword access ++# shadowLastChange is here because it needs to be writable by the user because ++# of pam_ldap, which will update this attr whenever the password is changed. 
++# And this is done with the user's credentials ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=shadowLastChange ++ by self write ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=userPassword ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by self write ++ by anonymous auth ++ by * none ++ ++# kerberos key access ++# "by auth" just in case... ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=krb5Key ++ by self write ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by anonymous auth ++ by * none ++ ++# password policies ++access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# samba password attributes ++# by self not strictly necessary, because samba uses its own admin user to ++# change the password on the user's behalf ++# openldap also doesn't auth on these attributes, but maybe some day it will ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=sambaLMPassword,sambaNTPassword ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by anonymous auth ++ by self write ++ by * none ++# password history attribute ++# pwdHistory is read-only, but ACL is simplier with it here ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=sambaPasswordHistory,pwdHistory ++ by self read ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * none ++ ++# pwdReset, so the admin can force an user to change a password ++access to dn.subtree="dc=mageia,dc=org" ++ attrs=pwdReset ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# group owner can add/remove/edit members to groups ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++ attrs=member ++ by dnattr=owner write ++ by * break ++ ++# let the user 
change some of his/her attributes ++access to dn.subtree="ou=People,dc=mageia,dc=org" ++ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber ++ by self write ++ by * break ++ ++# create new accounts ++access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" ++ attrs=children,entry ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * break ++# access to existing entries ++access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * break ++ ++# sambaDomainName entry ++access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" ++ attrs=children,entry,@sambaDomain,@sambaUnixIdPool ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# samba ID mapping ++access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" ++ attrs=children,entry,@sambaIdmapEntry ++ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# global address book ++# XXX - which class(es) to use? ++access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" ++ attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList ++ by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# dhcp entries ++# XXX - open up read access to anybody? 
++access to dn.sub="ou=dhcp,dc=mageia,dc=org" ++ attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog ++ by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read ++ by * read ++ ++# sudoers ++access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" ++ attrs=children,entry,@sudoRole ++ by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# dns ++access to dn="ou=dns,dc=mageia,dc=org" ++ attrs=entry,@extensibleObject ++ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++access to dn.sub="ou=dns,dc=mageia,dc=org" ++ attrs=children,entry,@dNSZone ++ by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read ++ by * none ++ ++# MTA ++# XXX - what else can we add here? Virtual Domains? With which schema? 
++access to dn.one="ou=People,dc=mageia,dc=org" ++ attrs=@inetLocalMailRecipient,mail ++ by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# KDE Configuration ++access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" ++ by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write ++ by * read ++ ++# last one ++access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn ++ by * read ++ +</ins></span></pre></div> +<a id="puppetmodulesopenldaptemplatesslapdconf"></a> +<div class="addfile"><h4>Added: puppet/modules/openldap/templates/slapd.conf (0 => 53)</h4> +<pre class="diff"><span> +<span class="info">--- puppet/modules/openldap/templates/slapd.conf (rev 0) ++++ puppet/modules/openldap/templates/slapd.conf 2010-10-28 22:55:56 UTC (rev 53) +</span><span class="lines">@@ -0,0 +1,95 @@ +</span><ins>+# slapd.conf template ++include /usr/share/openldap/schema/core.schema ++include /usr/share/openldap/schema/cosine.schema ++include /usr/share/openldap/schema/corba.schema ++include /usr/share/openldap/schema/inetorgperson.schema ++include /usr/share/openldap/schema/java.schema ++include /usr/share/openldap/schema/krb5-kdc.schema ++#include /usr/share/openldap/schema/kerberosobject.schema ++include /usr/share/openldap/schema/misc.schema ++include /usr/share/openldap/schema/nis.schema ++include /usr/share/openldap/schema/openldap.schema ++include /usr/share/openldap/schema/autofs.schema ++include /usr/share/openldap/schema/samba.schema ++include /usr/share/openldap/schema/kolab.schema ++include /usr/share/openldap/schema/evolutionperson.schema ++include /usr/share/openldap/schema/calendar.schema ++include /usr/share/openldap/schema/sudo.schema ++include /usr/share/openldap/schema/dnszone.schema ++include /usr/share/openldap/schema/dhcp.schema ++include /usr/share/openldap/schema/dyngroup.schema ++include /usr/share/openldap/schema/ppolicy.schema ++ ++#include /etc/openldap/schema/local.schema ++ ++pidfile /var/run/ldap/slapd.pid 
++argsfile /var/run/ldap/slapd.args ++ ++modulepath /usr/lib/openldap ++moduleload back_monitor.la ++moduleload syncprov.la ++moduleload ppolicy.la ++#moduleload refint.la ++ ++TLSCertificateFile /etc/ssl/openldap/ldap.pem ++TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem ++TLSCACertificateFile /etc/ssl/openldap/ldap.pem ++ ++loglevel 256 ++ ++database bdb ++suffix "dc=mageia,dc=org" ++directory /var/lib/ldap ++rootdn "cn=manager,dc=mageia,dc=org" ++ ++checkpoint 256 5 ++# 32Mbytes, can hold about 10k posixAccount entries ++dbconfig set_cachesize 0 33554432 1 ++dbconfig set_lg_bsize 2097152 ++cachesize 1000 ++idlcachesize 3000 ++ ++index objectClass eq ++index uidNumber,gidNumber,memberuid,member eq ++index uid eq,subinitial ++index cn,mail,surname,givenname eq,subinitial ++index sambaSID eq,sub ++index sambaDomainName,displayName,sambaGroupType eq ++index sambaSIDList eq ++index krb5PrincipalName eq ++index uniqueMember pres,eq ++index zoneName,relativeDomainName eq ++index sudouser eq,sub ++index entryCSN,entryUUID eq ++index dhcpHWAddress,dhcpClassData eq ++ ++overlay syncprov ++syncprov-checkpoint 100 10 ++syncprov-sessionlog 100 ++ ++overlay ppolicy ++ppolicy_default "cn=default,ou=Password Policies,dc=mageia,dc=org" ++ppolicy_hash_cleartext yes ++ppolicy_use_lockout yes ++ ++ ++# uncomment if you want to automatically update group ++# memberships when an user is removed from the tree ++# Also uncomment the refint.la moduleload above ++#overlay refint ++#refint_attributes member ++#refint_nothing "uid=LDAP Admin,ou=System Accounts,dc=example,dc=com" ++ ++authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" ++ "uid=Account Admin,ou=System Accounts,dc=mageia,dc=org" ++authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,dc=mageia,dc=org ++ ++include /etc/openldap/mandriva-dit-access.conf ++ ++ ++database monitor ++access to dn.subtree="cn=Monitor" ++ by group.exact="cn=LDAP Monitors,ou=System Groups,dc=mageia,dc=org" read ++ by 
group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" read ++ by * none ++ +</ins></span></pre> +</div> +</div> + +</body> +</html> + |