infrataster-plugin-ldap 0.0.1

data/spec/cookbooks/openldap/recipes/slave.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: openldap
+# Recipe:: slave
+#
+# Copyright 2012, Opscode, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+node.default['openldap']['slapd_type'] = 'slave'
+
+if Chef::Config[:solo]
+  Chef::Log.warn("To use #{cookbook_name}::#{recipe_name} with solo, set attributes node['openldap']['slapd_replpw'] and node['openldap']['slapd_master'].")
+else
+  ::Chef::Recipe.send(:include, Opscode::OpenSSL::Password)
+  node.default['openldap']['slapd_replpw'] = secure_password
+  node.default['openldap']['slapd_master'] = search(:nodes, 'openldap_slapd_type:master').map {|n| n['openldap']['server']}.first
+  node.save
+end
+
+include_recipe "openldap::server"
+

data/spec/cookbooks/openldap/templates/default/default_slapd.erb

@@ -0,0 +1,47 @@
+# Location of the slapd configuration to use.  If using the cn=config
+# backend to store configuration in LDIF, set this variable to the
+# directory containing the cn=config data; otherwise set it to the location
+# of your slapd.conf file.  If empty, use the compiled-in default
+# (/etc/ldap/slapd.d).
+SLAPD_CONF=/etc/ldap/slapd.conf
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""

data/spec/cookbooks/openldap/templates/default/ldap-ldap.conf.erb

@@ -0,0 +1,16 @@
+#
+# LDAP Defaults
+#
+# Generated by Chef for <%= node['hostname'] %>
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+BASE <%= node['openldap']['basedn'] %>
+TLS_REQCERT never
+#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never

data/spec/cookbooks/openldap/templates/default/ldap.conf.erb

@@ -0,0 +1,31 @@
+#
+# <%= node['openldap']['dir'] %>.conf generated for <%= node['hostname'] %>
+#
+# Managed by Chef
+#
+
+host <%= node['openldap']['server'] %>
+port 389
+bind_policy soft
+
+ldap_version 3
+
+# Where to find data
+base <%= node['openldap']['basedn'] %>
+scope sub
+nss_base_passwd ou=<%= node['openldap']['passwd_ou'] %>,<%= node['openldap']['basedn'] %>
+nss_base_shadow ou=<%= node['openldap']['shadow_ou'] %>,<%= node['openldap']['basedn'] %>
+nss_base_group ou=<%= node['openldap']['group_ou'] %>,<%= node['openldap']['basedn'] %>
+nss_base_automount ou=<%= node['openldap']['automount_ou'] %>,<%= node['openldap']['basedn'] %>
+
+<% if node['openldap']['tls_enabled'] -%>
+# TLS Options
+ssl start_tls
+<% if node['openldap']['tls_checkpeer'] -%>
+tls_checkpeer yes
+<% else -%>
+tls_checkpeer no
+<% end -%>
+<% end -%>
+
+pam_password <%= node['openldap']['pam_password'] %>

data/spec/cookbooks/openldap/templates/default/libnss-ldap.conf.erb

@@ -0,0 +1,28 @@
+#
+# libnss-ldap.conf generated for <%= node['hostname'] %>
+#
+# Managed by Chef
+#
+# $Id:$
+
+host <%= node['openldap']['server'] %>
+port 389
+#bind_policy soft
+nss_reconnect_tries 2
+ldap_version 3
+
+# Where to find data
+base <%= node['openldap']['basedn'] %>
+scope sub
+nss_base_passwd ou=people,<%= node['openldap']['basedn'] %>
+nss_base_shadow ou=people,<%= node['openldap']['basedn'] %>
+nss_base_group ou=group,<%= node['openldap']['basedn'] %>
+
+# TLS Options
+ssl start_tls
+
+<% if node['openldap']['tls_checkpeer'] -%>
+tls_checkpeer yes
+<% else -%>
+tls_checkpeer no
+<% end -%>

data/spec/cookbooks/openldap/templates/default/login_access.conf.erb

@@ -0,0 +1,16 @@
+#
+# /etc/security/login_access.conf
+#
+# Prepared for <%= node['fqdn'] %> by Chef
+#
+<% logingroup = node['hostname'] -%>
+<% logingroup = node['hostname'].sub(/^(.+?)\d+(.+)$/, '\1-\2-login') -%>
+<% rootgroup = node['hostname'].sub(/^(.+?)\d+(.+)$/, '\1-\2-root') -%>
+
++:root:ALL
++:admin:ALL
++:<%= logingroup %>:ALL
++:<%= rootgroup %>:ALL
+
+# Everyone else cannot login
+-:ALL:ALL

data/spec/cookbooks/openldap/templates/default/slapd.conf.erb

@@ -0,0 +1,132 @@
+#####
+#
+# This is a slapd.conf file.  See slapd.conf(5) for more info.
+#
+# Generated by Chef for <%= node['fqdn'] %>
+#
+# $Id:$
+####
+
+# TLS configuration
+<% if node['openldap']['tls_enabled'] -%>
+TLSCertificateFile     <%= node['openldap']['ssl_cert'] %>
+TLSCertificateKeyFile  <%= node['openldap']['ssl_key'] %>
+<% if node['openldap']['cafile'] -%>
+TLSCACertificateFile   <%= node['openldap']['cafile'] %>
+<% end -%>
+<% end -%>
+
+# Schema and objectClass definitions
+include         <%= node['openldap']['dir'] %>/schema/core.schema
+include         <%= node['openldap']['dir'] %>/schema/cosine.schema
+include         <%= node['openldap']['dir'] %>/schema/nis.schema
+include         <%= node['openldap']['dir'] %>/schema/inetorgperson.schema
+
+# Where the pid file is put. The init.d script
+# will not stop the server if you change this.
+pidfile         <%= node['openldap']['run_dir'] %>/slapd.pid
+
+# List of arguments that were passed to the server
+argsfile        <%= node['openldap']['run_dir'] %>/slapd.args
+
+# Read slapd.conf(5) for possible values
+loglevel        0
+
+<% unless node['platform'] == "centos" -%>
+# Where the dynamically loaded modules are stored
+modulepath	<%= node['openldap']['module_dir'] %>
+moduleload	back_hdb
+<% if node['openldap']['slapd_type'] == "master" -%>
+moduleload  syncprov
+<% end -%>
+<% end -%>
+
+# The maximum number of entries that is returned for a search operation
+sizelimit 500
+
+# The tool-threads parameter sets the actual amount of cpu's that is used
+# for indexing.
+tool-threads 1
+
+#######################################################################
+# Specific Backend Directives for hdb:
+# Backend specific directives apply to this backend until another
+# 'backend' directive occurs
+backend		hdb
+
+#####
+# Database
+#####
+database        hdb
+suffix          "<%= node['openldap']['basedn'] %>"
+rootdn          "cn=admin,<%= node['openldap']['basedn'] %>"
+rootpw		      <%= node['openldap']['rootpw'] %>
+directory       "/var/lib/ldap"
+lastmod         on
+
+dbconfig set_cachesize 0 31457280 0
+
+# Number of objects that can be locked at the same time.
+dbconfig set_lk_max_objects 1500
+# Number of locks (both requested and granted)
+dbconfig set_lk_max_locks 1500
+# Number of lockers
+dbconfig set_lk_max_lockers 1500
+
+##
+# Indexes
+##
+index default pres,eq,approx,sub
+index objectClass eq
+index cn,ou,sn,uid,l,mail,gecos,memberUid,description
+index loginShell,homeDirectory pres,eq,approx
+index uidNumber,gidNumber pres,eq
+
+<% if node['openldap']['slapd_type'] == "master" -%>
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
+<% end -%>
+<% if node['openldap']['slapd_type'] == "slave" -%>
+syncrepl rid=<%= node['openldap']['slapd_rid'] %>
+  provider=ldap://<%= node['openldap']['slapd_master'] %>:389
+  type=refreshAndPersist
+  interval=01:00:00:00
+  searchbase="<%= node['openldap']['basedn'] %>"
+  filter="(objectClass=*)"
+  scope=sub
+  schemachecking=off
+  bindmethod=simple
+  binddn="cn=syncrole,<%= node['openldap']['basedn'] %>"
+  starttls=yes
+  credentials="<%= node['openldap']['slapd_replpw'] %>"
+<% end -%>
+# The userPassword by default can be changed
+# by the entry owning it if they are authenticated.
+# Others should not be able to see it, except the
+# admin entry below
+# These access lines apply to database #1 only
+access to attrs=userPassword,shadowLastChange
+        by group.exact="cn=administrators,<%= node['openldap']['basedn'] %>" write
+        by dn="cn=syncrole,<%= node['openldap']['basedn'] %>" read
+        by anonymous auth
+        by self write
+        by * none
+
+# Ensure read access to the base for things like
+# supportedSASLMechanisms.  Without this you may
+# have problems with SASL not knowing what
+# mechanisms are available and the like.
+# Note that this is covered by the 'access to *'
+# ACL below too but if you change that as people
+# are wont to do you'll still need this if you
+# want SASL (and possible other things) to work
+# happily.
+access to dn.base="" by * read
+
+# The admin dn has full write access, everyone else
+# can read everything.
+access to *
+        by group.exact="cn=administrators,<%= node['openldap']['basedn'] %>" write
+        by dn="cn=syncrole,<%= node['openldap']['basedn'] %>" read
+        by * read

data/spec/ldap_spec.rb

@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+describe server(:master) do
+  describe ldap("dc=localdomain") do
+    it "accepts bind requests" do
+      result = bind()
+      expect(result['code']).to eq 0
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+require 'infrataster/rspec'
+require 'infrataster-plugin-ldap'
+
+Infrataster::Server.define(
+  :master,
+  '192.168.44.21',
+  vagrant: true,
+  ldap: { username: 'cn=admin,dc=nodomain', password: 'wibble!', basedn: 'dc=nodomain' }
+)
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.order = 'random'
+end

metadata

@@ -0,0 +1,253 @@
+--- !ruby/object:Gem::Specification
+name: infrataster-plugin-ldap
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Paul Thomas
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-12-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: infrataster
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.2.0
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email:
+- pthomas@dyn.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- infrataster-plugin-ldap.gemspec
+- lib/infrataster-plugin-ldap.rb
+- lib/infrataster/contexts/ldap_context.rb
+- lib/infrataster/helpers/ldap_resource_helper.rb
+- lib/infrataster/resources/ldap_resource.rb
+- spec/.vagrant/machines/default/virtualbox/action_provision
+- spec/.vagrant/machines/default/virtualbox/action_set_name
+- spec/.vagrant/machines/default/virtualbox/id
+- spec/.vagrant/machines/default/virtualbox/index_uuid
+- spec/.vagrant/machines/default/virtualbox/synced_folders
+- spec/Vagrantfile
+- spec/cookbooks/apt/CHANGELOG.md
+- spec/cookbooks/apt/README.md
+- spec/cookbooks/apt/attributes/default.rb
+- spec/cookbooks/apt/files/default/apt-proxy-v2.conf
+- spec/cookbooks/apt/libraries/helpers.rb
+- spec/cookbooks/apt/libraries/matchers.rb
+- spec/cookbooks/apt/libraries/network.rb
+- spec/cookbooks/apt/metadata.json
+- spec/cookbooks/apt/metadata.rb
+- spec/cookbooks/apt/providers/preference.rb
+- spec/cookbooks/apt/providers/repository.rb
+- spec/cookbooks/apt/recipes/cacher-client.rb
+- spec/cookbooks/apt/recipes/cacher-ng.rb
+- spec/cookbooks/apt/recipes/default.rb
+- spec/cookbooks/apt/recipes/unattended-upgrades.rb
+- spec/cookbooks/apt/resources/preference.rb
+- spec/cookbooks/apt/resources/repository.rb
+- spec/cookbooks/apt/templates/debian-6.0/acng.conf.erb
+- spec/cookbooks/apt/templates/default/01proxy.erb
+- spec/cookbooks/apt/templates/default/20auto-upgrades.erb
+- spec/cookbooks/apt/templates/default/50unattended-upgrades.erb
+- spec/cookbooks/apt/templates/default/acng.conf.erb
+- spec/cookbooks/apt/templates/default/unattended-upgrades.seed.erb
+- spec/cookbooks/apt/templates/ubuntu-10.04/acng.conf.erb
+- spec/cookbooks/openldap/CHANGELOG.md
+- spec/cookbooks/openldap/README.md
+- spec/cookbooks/openldap/attributes/default.rb
+- spec/cookbooks/openldap/files/default/common-account
+- spec/cookbooks/openldap/files/default/common-auth
+- spec/cookbooks/openldap/files/default/common-password
+- spec/cookbooks/openldap/files/default/common-session
+- spec/cookbooks/openldap/files/default/nsswitch.conf
+- spec/cookbooks/openldap/files/default/slapd.seed
+- spec/cookbooks/openldap/files/default/test/auth_test.rb
+- spec/cookbooks/openldap/files/default/test/server_test.rb
+- spec/cookbooks/openldap/metadata.json
+- spec/cookbooks/openldap/metadata.rb
+- spec/cookbooks/openldap/recipes/auth.rb
+- spec/cookbooks/openldap/recipes/client.rb
+- spec/cookbooks/openldap/recipes/default.rb
+- spec/cookbooks/openldap/recipes/master.rb
+- spec/cookbooks/openldap/recipes/server.rb
+- spec/cookbooks/openldap/recipes/slave.rb
+- spec/cookbooks/openldap/templates/default/default_slapd.erb
+- spec/cookbooks/openldap/templates/default/ldap-ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/libnss-ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/login_access.conf.erb
+- spec/cookbooks/openldap/templates/default/slapd.conf.erb
+- spec/ldap_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: LDAP plugin for Infrataster
+test_files:
+- spec/.vagrant/machines/default/virtualbox/action_provision
+- spec/.vagrant/machines/default/virtualbox/action_set_name
+- spec/.vagrant/machines/default/virtualbox/id
+- spec/.vagrant/machines/default/virtualbox/index_uuid
+- spec/.vagrant/machines/default/virtualbox/synced_folders
+- spec/Vagrantfile
+- spec/cookbooks/apt/CHANGELOG.md
+- spec/cookbooks/apt/README.md
+- spec/cookbooks/apt/attributes/default.rb
+- spec/cookbooks/apt/files/default/apt-proxy-v2.conf
+- spec/cookbooks/apt/libraries/helpers.rb
+- spec/cookbooks/apt/libraries/matchers.rb
+- spec/cookbooks/apt/libraries/network.rb
+- spec/cookbooks/apt/metadata.json
+- spec/cookbooks/apt/metadata.rb
+- spec/cookbooks/apt/providers/preference.rb
+- spec/cookbooks/apt/providers/repository.rb
+- spec/cookbooks/apt/recipes/cacher-client.rb
+- spec/cookbooks/apt/recipes/cacher-ng.rb
+- spec/cookbooks/apt/recipes/default.rb
+- spec/cookbooks/apt/recipes/unattended-upgrades.rb
+- spec/cookbooks/apt/resources/preference.rb
+- spec/cookbooks/apt/resources/repository.rb
+- spec/cookbooks/apt/templates/debian-6.0/acng.conf.erb
+- spec/cookbooks/apt/templates/default/01proxy.erb
+- spec/cookbooks/apt/templates/default/20auto-upgrades.erb
+- spec/cookbooks/apt/templates/default/50unattended-upgrades.erb
+- spec/cookbooks/apt/templates/default/acng.conf.erb
+- spec/cookbooks/apt/templates/default/unattended-upgrades.seed.erb
+- spec/cookbooks/apt/templates/ubuntu-10.04/acng.conf.erb
+- spec/cookbooks/openldap/CHANGELOG.md
+- spec/cookbooks/openldap/README.md
+- spec/cookbooks/openldap/attributes/default.rb
+- spec/cookbooks/openldap/files/default/common-account
+- spec/cookbooks/openldap/files/default/common-auth
+- spec/cookbooks/openldap/files/default/common-password
+- spec/cookbooks/openldap/files/default/common-session
+- spec/cookbooks/openldap/files/default/nsswitch.conf
+- spec/cookbooks/openldap/files/default/slapd.seed
+- spec/cookbooks/openldap/files/default/test/auth_test.rb
+- spec/cookbooks/openldap/files/default/test/server_test.rb
+- spec/cookbooks/openldap/metadata.json
+- spec/cookbooks/openldap/metadata.rb
+- spec/cookbooks/openldap/recipes/auth.rb
+- spec/cookbooks/openldap/recipes/client.rb
+- spec/cookbooks/openldap/recipes/default.rb
+- spec/cookbooks/openldap/recipes/master.rb
+- spec/cookbooks/openldap/recipes/server.rb
+- spec/cookbooks/openldap/recipes/slave.rb
+- spec/cookbooks/openldap/templates/default/default_slapd.erb
+- spec/cookbooks/openldap/templates/default/ldap-ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/libnss-ldap.conf.erb
+- spec/cookbooks/openldap/templates/default/login_access.conf.erb
+- spec/cookbooks/openldap/templates/default/slapd.conf.erb
+- spec/ldap_spec.rb
+- spec/spec_helper.rb