infrataster-plugin-ldap 0.0.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +22 -0
- data/.rspec +2 -0
- data/Gemfile +3 -0
- data/LICENSE.txt +22 -0
- data/README.md +51 -0
- data/Rakefile +36 -0
- data/infrataster-plugin-ldap.gemspec +23 -0
- data/lib/infrataster-plugin-ldap.rb +4 -0
- data/lib/infrataster/contexts/ldap_context.rb +63 -0
- data/lib/infrataster/helpers/ldap_resource_helper.rb +12 -0
- data/lib/infrataster/resources/ldap_resource.rb +19 -0
- data/spec/.vagrant/machines/default/virtualbox/action_provision +1 -0
- data/spec/.vagrant/machines/default/virtualbox/action_set_name +1 -0
- data/spec/.vagrant/machines/default/virtualbox/id +1 -0
- data/spec/.vagrant/machines/default/virtualbox/index_uuid +1 -0
- data/spec/.vagrant/machines/default/virtualbox/synced_folders +1 -0
- data/spec/Vagrantfile +20 -0
- data/spec/cookbooks/apt/CHANGELOG.md +208 -0
- data/spec/cookbooks/apt/README.md +252 -0
- data/spec/cookbooks/apt/attributes/default.rb +46 -0
- data/spec/cookbooks/apt/files/default/apt-proxy-v2.conf +50 -0
- data/spec/cookbooks/apt/libraries/helpers.rb +49 -0
- data/spec/cookbooks/apt/libraries/matchers.rb +17 -0
- data/spec/cookbooks/apt/libraries/network.rb +31 -0
- data/spec/cookbooks/apt/metadata.json +54 -0
- data/spec/cookbooks/apt/metadata.rb +34 -0
- data/spec/cookbooks/apt/providers/preference.rb +63 -0
- data/spec/cookbooks/apt/providers/repository.rb +203 -0
- data/spec/cookbooks/apt/recipes/cacher-client.rb +81 -0
- data/spec/cookbooks/apt/recipes/cacher-ng.rb +43 -0
- data/spec/cookbooks/apt/recipes/default.rb +98 -0
- data/spec/cookbooks/apt/recipes/unattended-upgrades.rb +43 -0
- data/spec/cookbooks/apt/resources/preference.rb +32 -0
- data/spec/cookbooks/apt/resources/repository.rb +43 -0
- data/spec/cookbooks/apt/templates/debian-6.0/acng.conf.erb +173 -0
- data/spec/cookbooks/apt/templates/default/01proxy.erb +5 -0
- data/spec/cookbooks/apt/templates/default/20auto-upgrades.erb +2 -0
- data/spec/cookbooks/apt/templates/default/50unattended-upgrades.erb +62 -0
- data/spec/cookbooks/apt/templates/default/acng.conf.erb +275 -0
- data/spec/cookbooks/apt/templates/default/unattended-upgrades.seed.erb +1 -0
- data/spec/cookbooks/apt/templates/ubuntu-10.04/acng.conf.erb +269 -0
- data/spec/cookbooks/openldap/CHANGELOG.md +68 -0
- data/spec/cookbooks/openldap/README.md +185 -0
- data/spec/cookbooks/openldap/attributes/default.rb +76 -0
- data/spec/cookbooks/openldap/files/default/common-account +7 -0
- data/spec/cookbooks/openldap/files/default/common-auth +9 -0
- data/spec/cookbooks/openldap/files/default/common-password +7 -0
- data/spec/cookbooks/openldap/files/default/common-session +9 -0
- data/spec/cookbooks/openldap/files/default/nsswitch.conf +21 -0
- data/spec/cookbooks/openldap/files/default/slapd.seed +21 -0
- data/spec/cookbooks/openldap/files/default/test/auth_test.rb +7 -0
- data/spec/cookbooks/openldap/files/default/test/server_test.rb +24 -0
- data/spec/cookbooks/openldap/metadata.json +124 -0
- data/spec/cookbooks/openldap/metadata.rb +102 -0
- data/spec/cookbooks/openldap/recipes/auth.rb +71 -0
- data/spec/cookbooks/openldap/recipes/client.rb +28 -0
- data/spec/cookbooks/openldap/recipes/default.rb +18 -0
- data/spec/cookbooks/openldap/recipes/master.rb +23 -0
- data/spec/cookbooks/openldap/recipes/server.rb +124 -0
- data/spec/cookbooks/openldap/recipes/slave.rb +32 -0
- data/spec/cookbooks/openldap/templates/default/default_slapd.erb +47 -0
- data/spec/cookbooks/openldap/templates/default/ldap-ldap.conf.erb +16 -0
- data/spec/cookbooks/openldap/templates/default/ldap.conf.erb +31 -0
- data/spec/cookbooks/openldap/templates/default/libnss-ldap.conf.erb +28 -0
- data/spec/cookbooks/openldap/templates/default/login_access.conf.erb +16 -0
- data/spec/cookbooks/openldap/templates/default/slapd.conf.erb +132 -0
- data/spec/ldap_spec.rb +10 -0
- data/spec/spec_helper.rb +17 -0
- metadata +253 -0
@@ -0,0 +1,68 @@
|
|
1
|
+
openldap Cookbok CHANGELOG
|
2
|
+
==========================
|
3
|
+
This file is used to list changes made in each version of the openldap cookbook.
|
4
|
+
|
5
|
+
|
6
|
+
v1.12.10 (2014-04-09)
|
7
|
+
---------------------
|
8
|
+
- [COOK-4239] - Service enable/start resource moved to end
|
9
|
+
- [COOK-4239] - Fix sslfiles + ubuntu fix
|
10
|
+
|
11
|
+
|
12
|
+
v1.12.8 (2014-01-03)
|
13
|
+
--------------------
|
14
|
+
Merged nildomain branch
|
15
|
+
|
16
|
+
|
17
|
+
v1.12.6 (2014-01-03)
|
18
|
+
--------------------
|
19
|
+
adding checks for node['domain'].nil? in attributes
|
20
|
+
|
21
|
+
|
22
|
+
v1.12.4
|
23
|
+
-------
|
24
|
+
|
25
|
+
- [COOK-3772] - nscd clears don't work
|
26
|
+
- [COOK-411] - Openldap authentication should validate server certificate
|
27
|
+
|
28
|
+
|
29
|
+
v1.12.2
|
30
|
+
-------
|
31
|
+
### Improvement
|
32
|
+
- **[COOK-3699](https://tickets.opscode.com/browse/COOK-3699)** - OpenLDAP Cookbooks - add extra options
|
33
|
+
|
34
|
+
|
35
|
+
u tv0.12.0
|
36
|
+
-------
|
37
|
+
### New Feature
|
38
|
+
- **[COOK-3561](https://tickets.opscode.com/browse/COOK-3561)** - Support out of band SSL certificates in openldap::server
|
39
|
+
|
40
|
+
### Bug
|
41
|
+
- **[COOK-3548](https://tickets.opscode.com/browse/COOK-3548)** - Fix an issue where preseeding may fail if directory does not exist
|
42
|
+
- **[COOK-3543](https://tickets.opscode.com/browse/COOK-3543)** - Do not try to set up as a slave
|
43
|
+
- **[COOK-3351](https://tickets.opscode.com/browse/COOK-3351)** - Fix a typo in `ldap-ldap.conf.erb` template
|
44
|
+
|
45
|
+
|
46
|
+
v0.11.4
|
47
|
+
-------
|
48
|
+
### Bug
|
49
|
+
- **[COOK-3348](https://tickets.opscode.com/browse/COOK-3348)** - Fix typo in default attributes
|
50
|
+
|
51
|
+
v0.11.2
|
52
|
+
-------
|
53
|
+
### Bug
|
54
|
+
- [COOK-2496]: openldap: rootpw is badly set in attributes file
|
55
|
+
- [COOK-2970]: openldap cookbook has foodcritic failures
|
56
|
+
|
57
|
+
v0.11.0
|
58
|
+
-------
|
59
|
+
- [COOK-1588] - general cleanup/improvements
|
60
|
+
- [COOK-1985] - attributes file has a search method
|
61
|
+
|
62
|
+
v0.10.0
|
63
|
+
-------
|
64
|
+
- [COOK-307] - create directory with attribute
|
65
|
+
|
66
|
+
v0.9.4
|
67
|
+
-------
|
68
|
+
- Initial/Current release
|
@@ -0,0 +1,185 @@
|
|
1
|
+
openldap Cookbook
|
2
|
+
=================
|
3
|
+
Configures a server to be an OpenLDAP master, OpenLDAP replication slave, or OpenLDAP client.
|
4
|
+
|
5
|
+
|
6
|
+
Requirements
|
7
|
+
------------
|
8
|
+
### Platform
|
9
|
+
Ubuntu 10.04 was primarily used in testing this cookbook. Other Ubuntu versions and Debian may work. Red Hat and derivatives are not fully supported, but we take patches.
|
10
|
+
|
11
|
+
### Cookbooks
|
12
|
+
- openssh
|
13
|
+
- nscd
|
14
|
+
- openssl (for slave recipe)
|
15
|
+
|
16
|
+
|
17
|
+
Attributes
|
18
|
+
----------
|
19
|
+
Be aware of the attributes used by this cookbook and adjust the defaults for your environment where required, in `attributes/openldap.rb`.
|
20
|
+
|
21
|
+
### Client node attributes
|
22
|
+
|
23
|
+
- `openldap[:basedn]` - basedn
|
24
|
+
- `openldap[:server]` - the LDAP server fully qualified domain name, default `'ldap'.node[:domain]`.
|
25
|
+
- `openldap[:tls_enabled]` - specifies whether TLS will be used at all. Setting this to fals will result in your credentials being sent in clear-text.
|
26
|
+
- `openldap[:tls_checkpeer]` - specifies whether the client should verify the server's TLS certificate. Highly recommended to set tls_checkpeer to true for production uses in order to avoid man-in-the-middle attacks. Defaults to false for testing and backwards compatibility.
|
27
|
+
- `openldap[:pam_password]` - specifies the password change protocol to use. Defaults to md5.
|
28
|
+
|
29
|
+
### Server node attributes
|
30
|
+
|
31
|
+
- `openldap[:slapd_type]` - master | slave
|
32
|
+
- `openldap[:slapd_rid]` - unique integer ID, required if type is slave.
|
33
|
+
- `openldap[:slapd_master]` - hostname of slapd master, attempts to search for slapd_type master.
|
34
|
+
- `openldap[:manage_ssl]` - Whether or not this cookbook manages your SSL certificates.
|
35
|
+
If set to `true`, this cookbook will expect your SSL certificates to be in files/default/ssl and will configure slapd appropriately.
|
36
|
+
If set to `false`, you will need to provide your SSL certificates **prior** to this recipe being run. Be sure to set `openldap[:ssl_cert]` and `openldap[:ssl_key]` appropriately.
|
37
|
+
- `openldap[:ssl_cert]` - The full path to your SSL certificate.
|
38
|
+
- `openldap[:ssl_key]` - The full path to your SSL key.
|
39
|
+
- `openldap[:cacert]` - Your certificate authority's certificate (or intermediate authorities), if needed.
|
40
|
+
|
41
|
+
### Apache configuration attributes
|
42
|
+
|
43
|
+
Attributes useful for Apache authentication with LDAP.
|
44
|
+
|
45
|
+
COOK-128 - set automatically based on openldap[:server] and openldap[:basedn] if those attributes are set. openldap[:auth_bindpw] remains nil by default as a default value is not easily predicted.
|
46
|
+
|
47
|
+
- `openldap[:auth_type]` - determine whether binddn and bindpw are required (openldap no, ad yes)
|
48
|
+
- `openldap[:auth_url]` - AuthLDAPURL
|
49
|
+
- `openldap[:auth_binddn]` - AuthLDAPBindDN
|
50
|
+
- `openldap[:auth_bindpw]` - AuthLDAPBindPassword
|
51
|
+
|
52
|
+
|
53
|
+
Recipes
|
54
|
+
-------
|
55
|
+
### auth
|
56
|
+
|
57
|
+
Sets up the system for using openldap for user authentication.
|
58
|
+
|
59
|
+
### default
|
60
|
+
|
61
|
+
Empty recipe, you may want client.
|
62
|
+
|
63
|
+
### client
|
64
|
+
|
65
|
+
Install the openldap client packages.
|
66
|
+
|
67
|
+
### server
|
68
|
+
|
69
|
+
Set up openldap to be a slapd server. Use this if your environment would only have a single slapd server.
|
70
|
+
|
71
|
+
### master
|
72
|
+
|
73
|
+
Sets the `node['openldap']['slapd_type']` to master and then includes the `openldap::server` recipe.
|
74
|
+
|
75
|
+
### slave
|
76
|
+
|
77
|
+
Sets the `node['openldap']['slapd_type']` to slave, then includes the `openldap::server` recipe. If the node is running chef-solo, then the `node['openldap']['slapd_replpw']` and `node['openldap']['slapd_master']` attributes must be set in the JSON attributes file passed to `chef-solo`.
|
78
|
+
|
79
|
+
|
80
|
+
Usage
|
81
|
+
-----
|
82
|
+
Edit Rakefile variables for SSL certificate.
|
83
|
+
|
84
|
+
On client systems,
|
85
|
+
|
86
|
+
```ruby
|
87
|
+
include_recipe "openldap::auth"
|
88
|
+
```
|
89
|
+
|
90
|
+
This will get the required packages and configuration for client systems. This will be required on server systems as well, so this is a good candidate for inclusion in a base role.
|
91
|
+
|
92
|
+
On server systems, if there's only one LDAP server, then use the `openldap::server` recipe. If replication is required, use the `openldap::master` and `openldap::slave` recipes instead.
|
93
|
+
|
94
|
+
When initially installing a brand new LDAP master server on Ubuntu 8.10, the configuration directory may need to be removed and recreated before slapd will start successfully. Doing this programmatically may cause other issues, so fix the directory manually :-).
|
95
|
+
|
96
|
+
$ sudo slaptest -F /etc/ldap/slapd.d
|
97
|
+
str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
|
98
|
+
=> ldif_enum_tree: failed to read entry for /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
|
99
|
+
slaptest: bad configuration directory!
|
100
|
+
|
101
|
+
For some reason slapd isn't getting started even though the service resource is notified to start, so start it manually.
|
102
|
+
Solution is to simply remove the configuration:
|
103
|
+
|
104
|
+
$ sudo rm -rf /etc/ldap/slapd.d/ /etc/ldap/slapd.conf
|
105
|
+
$ sudo chef-client
|
106
|
+
$ sudo /etc/init.d/slapd start
|
107
|
+
|
108
|
+
Or in your wrapper cookbook rewind with ubuntu related fix:
|
109
|
+
|
110
|
+
#Fix the wrong content of slapd.d dir on ubuntu 12.04
|
111
|
+
chef_gem "chef-rewind"
|
112
|
+
require 'chef/rewind'
|
113
|
+
case node['platform']
|
114
|
+
when 'ubuntu'
|
115
|
+
rewind "package[slapd]" do
|
116
|
+
response_file "slapd.seed"
|
117
|
+
action :upgrade
|
118
|
+
notifies :run, "execute[fix-ubuntu-slapdd]", :immediately
|
119
|
+
end
|
120
|
+
end
|
121
|
+
#Removes slapd.d/cn=config and slapd.conf deployed from distribution. They will be re-created during the openldap recipe cooking.
|
122
|
+
execute "fix-ubuntu-slapdd" do
|
123
|
+
cmd = " test -d #{node['openldap']['dir']}/slapd.d && rm -rf #{node['openldap']['dir']}/slapd.d/cn=config"
|
124
|
+
cmd << " ; test -d #{node['openldap']['dir']}/slapd.conf && rm -rf #{node['openldap']['dir']}/slapd.conf"
|
125
|
+
cmd << " ; touch #{node['openldap']['dir']}/.fix-ubuntu-slapdd.done"
|
126
|
+
command cmd
|
127
|
+
ignore_failure true
|
128
|
+
action :nothing
|
129
|
+
not_if { ::File.exists?("#{node['openldap']['dir']}/.fix-ubuntu-slapdd.done") }
|
130
|
+
end
|
131
|
+
|
132
|
+
|
133
|
+
### A note about certificates
|
134
|
+
|
135
|
+
Certificates created by the Rakefile are self signed. If you have a purchased CA, that can be used.
|
136
|
+
|
137
|
+
We provide two methods of managing SSL certificates, based off of `openldap[:manage_ssl]`.
|
138
|
+
|
139
|
+
If `openldap[:manage_ssl]` is `true`, then this cookbook manage your certificates itself, and will expect all certificates, intermediate certificates, and keys to be in the same file as defined in `openldap[:ssl_cert]`.
|
140
|
+
|
141
|
+
Use https://github.com/atomic-penguin/cookbook-certificate cookbook for advanced certificate deployment or use wrapper cookbook with following code to source ssl files from the wrapper cookbook folder structure:
|
142
|
+
|
143
|
+
r = resources("cookbook_file[#{node['openldap']['ssl_cert']}]")
|
144
|
+
r.cookbook('NAME OF YOUR WRAPPER COOKBOK')
|
145
|
+
|
146
|
+
r = resources("cookbook_file[#{node['openldap']['ssl_key']}]")
|
147
|
+
r.cookbook('NAME OF YOUR WRAPPER COOKBOK')
|
148
|
+
|
149
|
+
Be sure to update the certificate locations in the templates as required. We suggest copying this cookbook to the site-cookbooks for such modifications, so you can still pull from our master for updates, and then merge your changes in.
|
150
|
+
|
151
|
+
However, if `openldap[:manage_ssl]` is `false`, then you will need to place the SSL certificates on the client file system **prior** to this cookbook being run. This provides you the flexibility to provide the same set of SSL certificates for multiple uses as well as in one place across your environment, but you will need to manage them.
|
152
|
+
- Set `openldap[:ssl-cert]`, `openldap[:ssl_key]`, and `openldap[:cacert]` appropriately.
|
153
|
+
- Ensure that that user openldap can access these files. Watch out for apparmor and SELinux if you are placing your SSL certificates in a non-default location.
|
154
|
+
|
155
|
+
### New Directory
|
156
|
+
If installing for the first time, the initial directory needs to be created. Create an ldif file, and start populating the directory.
|
157
|
+
|
158
|
+
### Passwords
|
159
|
+
Set the password, openldap[:rootpw] for the rootdn in the node's attributes. This should be a password hash generated from slappasswd. The default slappasswd command on Ubuntu 8.10 and Mac OS X 10.5 will generate a SHA1 hash:
|
160
|
+
|
161
|
+
$ slappasswd -s "secretsauce"
|
162
|
+
{SSHA}6BjlvtSbVCL88li8IorkqMSofkLio58/
|
163
|
+
|
164
|
+
Set this by default in the attributes file, or on the node's entry in the webui.
|
165
|
+
|
166
|
+
|
167
|
+
License & Authors
|
168
|
+
-----------------
|
169
|
+
- Author:: Joshua Timberman (<joshua@opscode.com>)
|
170
|
+
|
171
|
+
```text
|
172
|
+
Copyright:: 2009, Opscode, Inc
|
173
|
+
|
174
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
175
|
+
you may not use this file except in compliance with the License.
|
176
|
+
You may obtain a copy of the License at
|
177
|
+
|
178
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
179
|
+
|
180
|
+
Unless required by applicable law or agreed to in writing, software
|
181
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
182
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
183
|
+
See the License for the specific language governing permissions and
|
184
|
+
limitations under the License.
|
185
|
+
```
|
@@ -0,0 +1,76 @@
|
|
1
|
+
# Cookbook Name:: openldap
|
2
|
+
# Attributes:: openldap
|
3
|
+
#
|
4
|
+
# Copyright 2008-2009, Opscode, Inc.
|
5
|
+
#
|
6
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
|
+
# you may not use this file except in compliance with the License.
|
8
|
+
# You may obtain a copy of the License at
|
9
|
+
#
|
10
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
11
|
+
#
|
12
|
+
# Unless required by applicable law or agreed to in writing, software
|
13
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
14
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
15
|
+
# See the License for the specific language governing permissions and
|
16
|
+
# limitations under the License.
|
17
|
+
#
|
18
|
+
|
19
|
+
default['openldap']['basedn'] = "dc=localdomain"
|
20
|
+
default['openldap']['server'] = "ldap.localdomain"
|
21
|
+
default['openldap']['tls_enabled'] = true
|
22
|
+
default['openldap']['pam_password'] = 'md5'
|
23
|
+
|
24
|
+
default['openldap']['passwd_ou'] = 'people'
|
25
|
+
default['openldap']['shadow_ou'] = 'people'
|
26
|
+
default['openldap']['group_ou'] = 'groups'
|
27
|
+
default['openldap']['automount_ou'] = 'automount'
|
28
|
+
|
29
|
+
unless node['domain'].nil? || node['domain'].split('.').count < 2
|
30
|
+
default['openldap']['basedn'] = "dc=#{node['domain'].split('.').join(",dc=")}"
|
31
|
+
default['openldap']['server'] = "ldap.#{node['domain']}"
|
32
|
+
end
|
33
|
+
|
34
|
+
default['openldap']['rootpw'] = nil
|
35
|
+
|
36
|
+
# File and directory locations for openldap.
|
37
|
+
case node['platform']
|
38
|
+
when "redhat","centos","amazon","scientific"
|
39
|
+
default['openldap']['dir'] = "/etc/openldap"
|
40
|
+
default['openldap']['run_dir'] = "/var/run/openldap"
|
41
|
+
default['openldap']['module_dir'] = "/usr/lib64/openldap"
|
42
|
+
when "debian","ubuntu"
|
43
|
+
default['openldap']['dir'] = "/etc/ldap"
|
44
|
+
default['openldap']['run_dir'] = "/var/run/slapd"
|
45
|
+
default['openldap']['module_dir'] = "/usr/lib/ldap"
|
46
|
+
else
|
47
|
+
default['openldap']['dir'] = "/etc/ldap"
|
48
|
+
default['openldap']['run_dir'] = "/var/run/slapd"
|
49
|
+
default['openldap']['module_dir'] = "/usr/lib/ldap"
|
50
|
+
end
|
51
|
+
|
52
|
+
default['openldap']['preseed_dir'] = "/var/cache/local/preseeding"
|
53
|
+
default['openldap']['tls_checkpeer'] = false
|
54
|
+
default['openldap']['pam_password'] = 'md5'
|
55
|
+
|
56
|
+
default['openldap']['manage_ssl'] = true
|
57
|
+
default['openldap']['ssl_dir'] = "#{openldap['dir']}/ssl"
|
58
|
+
default['openldap']['cafile'] = nil
|
59
|
+
default['openldap']['ssl_cert'] = "#{openldap['ssl_dir']}/#{openldap['server']}_cert.pem"
|
60
|
+
default['openldap']['ssl_key'] = "#{openldap['ssl_dir']}/#{openldap['server']}.pem"
|
61
|
+
|
62
|
+
default['openldap']['slapd_type'] = nil
|
63
|
+
|
64
|
+
if node['openldap']['slapd_type'] == "slave"
|
65
|
+
default['openldap']['slapd_master'] = node['openldap']['server']
|
66
|
+
default['openldap']['slapd_replpw'] = nil
|
67
|
+
default['openldap']['slapd_rid'] = 102
|
68
|
+
end
|
69
|
+
|
70
|
+
# Auth settings for Apache
|
71
|
+
if node['openldap']['basedn'] && node['openldap']['server']
|
72
|
+
default['openldap']['auth_type'] = "openldap"
|
73
|
+
default['openldap']['auth_binddn'] = "ou=people,#{openldap['basedn']}"
|
74
|
+
default['openldap']['auth_bindpw'] = nil
|
75
|
+
default['openldap']['auth_url'] = "ldap://#{openldap['server']}/#{openldap['auth_binddn']}?uid?sub?(objectClass=*)"
|
76
|
+
end
|
@@ -0,0 +1,9 @@
|
|
1
|
+
# Generated by Chef. Local modifications will be overwritten.
|
2
|
+
#
|
3
|
+
# /etc/pam.d/common-auth - authentication settings common to all services
|
4
|
+
#
|
5
|
+
auth sufficient pam_unix.so likeauth nullok_secure
|
6
|
+
auth sufficient pam_ldap.so use_first_pass
|
7
|
+
|
8
|
+
auth required pam_deny.so
|
9
|
+
auth required pam_warn.so
|
@@ -0,0 +1,9 @@
|
|
1
|
+
# Generated by Chef. Local modifications will be overwritten.
|
2
|
+
#
|
3
|
+
# /etc/pam.d/common-session - session-related modules common to all services
|
4
|
+
#
|
5
|
+
session required pam_unix.so
|
6
|
+
session required pam_mkhomedir.so skel=/etc/skel/
|
7
|
+
session required pam_ldap.so
|
8
|
+
#session optional pam_foreground.so
|
9
|
+
|
@@ -0,0 +1,21 @@
|
|
1
|
+
# Generated by Chef. Local modifications will be overwritten.
|
2
|
+
#
|
3
|
+
# /etc/nsswitch.conf
|
4
|
+
#
|
5
|
+
# Example configuration of GNU Name Service Switch functionality.
|
6
|
+
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
7
|
+
# `info libc "Name Service Switch"' for information about this file.
|
8
|
+
|
9
|
+
passwd: files ldap
|
10
|
+
group: files ldap
|
11
|
+
shadow: files ldap
|
12
|
+
|
13
|
+
hosts: files dns
|
14
|
+
networks: files
|
15
|
+
|
16
|
+
protocols: db files
|
17
|
+
services: db files
|
18
|
+
ethers: db files
|
19
|
+
rpc: db files
|
20
|
+
|
21
|
+
netgroup: nis
|
@@ -0,0 +1,21 @@
|
|
1
|
+
slapd slapd/password1 password
|
2
|
+
slapd slapd/internal/adminpw password
|
3
|
+
slapd slapd/password2 password
|
4
|
+
slapd slapd/allow_ldap_v2 boolean false
|
5
|
+
slapd slapd/password_mismatch note
|
6
|
+
slapd slapd/suffix_change boolean false
|
7
|
+
slapd slapd/fix_directory boolean true
|
8
|
+
slapd slapd/invalid_config boolean true
|
9
|
+
slapd slapd/slave_databases_require_updateref note
|
10
|
+
slapd shared/organization string monkey
|
11
|
+
slapd slapd/upgrade_slapcat_failure note
|
12
|
+
slapd slapd/dump_database_destdir string /var/backups/slapd-VERSION
|
13
|
+
slapd slapd/autoconf_modules boolean true
|
14
|
+
slapd slapd/purge_database boolean false
|
15
|
+
slapd slapd/domain string monkey.com
|
16
|
+
slapd slapd/backend select BDB
|
17
|
+
slapd slapd/no_configuration boolean false
|
18
|
+
slapd slapd/migrate_ldbm_to_bdb boolean true
|
19
|
+
slapd slapd/move_old_database boolean true
|
20
|
+
slapd slapd/dump_database select when needed
|
21
|
+
slapd slapd/upgrade_slapadd_failure note
|
@@ -0,0 +1,24 @@
|
|
1
|
+
describe_recipe 'openldap::server' do
|
2
|
+
|
3
|
+
it 'runs slapd' do
|
4
|
+
service("slapd").must_be_running
|
5
|
+
end
|
6
|
+
|
7
|
+
it 'sets the rootpw' do
|
8
|
+
file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['rootpw']
|
9
|
+
end
|
10
|
+
|
11
|
+
it 'ldap references the ssl certs' do
|
12
|
+
if node['openldap']['tls_enabled']
|
13
|
+
file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_cert']
|
14
|
+
file("#{node['openldap']['dir']}/slapd.conf").must_include node['openldap']['ssl_key']
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
it 'places the ssl certs' do
|
19
|
+
if node['openldap']['tls_enabled']
|
20
|
+
file(node['openldap']['ssl_cert']).must_exist
|
21
|
+
file(node['openldap']['ssl_cert']).must_exist
|
22
|
+
end
|
23
|
+
end
|
24
|
+
end
|