
puppet-nslcd

Table of Contents

  1. Overview
  2. Dependencies
  3. Usage
  4. What the module affects
  5. Parameters
  6. Extend the configuration
  7. Limitations
  8. Development

Overview

This module installs and configures a local nslcd daemon. nslcd is used to provide LDAP authentication and name lookups through PAM/NSS.

Dependencies

Stdlib - https://forge.puppet.com/modules/puppetlabs/stdlib

Usage

The module includes a few sane defaults, so it should work out of the box.
Just fill in these two parameters:

  • Example
  class { 'nslcd':
    ldap_uris        => ['ldap://ldap01.company.com:389', 'ldap://ldap02.company.com:389'],
    ldap_search_base => 'dc=company,dc=com',
  }
  • The same in Hiera
  nslcd::ldap_uris:
    - 'ldap://ldap01.company.com:389'
    - 'ldap://ldap02.company.com:389'
  nslcd::ldap_search_base: 'dc=company,dc=com'
  • Will give this in the config file
  uri ldap://ldap01.company.com:389 ldap://ldap02.company.com:389
  base dc=company,dc=com

What the module affects

  • nslcd package and service
  • /etc/nslcd.conf

Parameters

| Parameter | Type | Default | Description |
|---|---|---|---|
| package_ensure | Variant[Boolean,String] | present | Whether the package should be present or absent. |
| package_name | String | depends on the distribution | Name of the package to install. Set it if your platform is not supported. |
| package_manage | Boolean | true | Whether the module manages the package installation. |
| service_ensure | Variant[Boolean,Enum['stopped','running']] | running | Whether the service should be running or stopped. |
| service_enable | Boolean | true | Whether the service is started at system boot. |
| service_name | String | nslcd | Name of the service. Set it if your platform is not supported. |
| service_manage | Boolean | true | Whether the module manages the service. |
| uid | String | nslcd | User the daemon runs as. |
| gid | String | depends on the distribution | Group the daemon runs as. |
| config | Stdlib::Unixpath | /etc/nslcd.conf | Path of the config file. |
| config_user | String | root | Owner of the config file. |
| config_group | String | depends on the distribution | Group of the config file. |
| config_mode | Stdlib::Filemode | depends on the distribution | Permissions of the config file. |
| config_show_diff | Boolean | false | If true, the diff of the config file is shown in logs and reports. Disabled by default because the file can contain the bind password. |
| ldap_uris | Array[String] | ldap:/// | Array of LDAP server URIs. |
| ldap_version | Enum['2','3'] | 3 | LDAP protocol version to use. |
| ldap_binddn | String | undef | DN (distinguished name) to bind to the LDAP servers with. |
| ldap_bindpw | String | undef | Password for the bind DN. Only used if ldap_binddn is set. It is written to the config file in clear text, so keep config_mode restrictive. |
| ldap_search_base | String | undef | Base DN (distinguished name) to use as the search base. |
| ldap_group_base | String | undef | Base DN (distinguished name) to use as the group search base. |
| ldap_search_scope | Enum['sub','subtree','one','onelevel','base'] | subtree | Search scope depth. |
| config_options | Hash | {} | Key/value hash to extend the configuration. |
| ldap_filters | Hash | {} | LDAP search filter for a specific map. |
| ldap_maps | Hash | {} | Custom attributes to look up. |
| ldap_ssl | Enum['on','off','start_tls'] | off | Whether to use SSL/TLS for the connection to the LDAP servers. With the default, binds and lookups travel in clear text. |
| ldap_tls_reqcert | Enum['never','allow','try','demand','hard'] | allow | Checks to perform on the server-supplied certificate. The default 'allow' accepts a missing or invalid certificate; use 'demand' to actually authenticate the server. |
| ldap_tls_cacertfile | String | undef | Path of the PEM-format file containing the CA certificates to trust. |
| bind_timelimit | Integer | undef | Time limit (in seconds) to set up a connection with the LDAP server. |
| timelimit | Integer | undef | Time limit (in seconds) to wait for a response from the LDAP server. |
| idle_timelimit | Integer | undef | Period of inactivity (in seconds) after which the connection to the LDAP server is closed. |
| reconnect_sleeptime | Integer | 1 | Number of seconds to sleep when connecting to all LDAP servers fails. |
| reconnect_retrytime | Integer | 10 | Time after which the LDAP server is considered permanently unavailable. Once this time is reached, retries are done only once per this period. |
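The TLS and credential parameters above decide whether the bind password and every lookup cross the network in clear text, and whether the LDAP server is authenticated at all. As an added example that is not part of puppet-nslcd, the Ruby script below audits a rendered /etc/nslcd.conf: it parses the `key value` lines the module writes, checks a configuration built from the module defaults (ssl off, tls_reqcert allow) against a hardened one, and flags a bindpw sitting in a file whose mode lets group or other read it. Both configuration texts, including hostnames, DNs, the CA path and the password, are constructed for the example; the file mode is passed in rather than assumed because the module's default config_mode depends on the distribution.

```ruby
# Added example (not puppet-nslcd code): audit a rendered nslcd.conf for the
# weak settings the module's defaults produce. Both configurations below are
# constructed sample input; hostnames, DNs, the CA path and the password are
# made up for the example.

WEAK_CONF = <<~CONF
  # module defaults (no TLS, server certificate not required) plus a bind DN
  uid nslcd
  gid nslcd
  uri ldap://ldap01.company.com:389 ldap://ldap02.company.com:389
  ldap_version 3
  base dc=company,dc=com
  binddn cn=nslcd,ou=services,dc=company,dc=com
  bindpw s3cret
  scope subtree
  ssl off
  tls_reqcert allow
CONF

HARDENED_CONF = <<~CONF
  uid nslcd
  gid nslcd
  uri ldaps://ldap01.company.com:636 ldaps://ldap02.company.com:636
  ldap_version 3
  base dc=company,dc=com
  binddn cn=nslcd,ou=services,dc=company,dc=com
  bindpw s3cret
  scope subtree
  ssl on
  tls_reqcert demand
  tls_cacertfile /etc/ssl/certs/company-ca.pem
CONF

# Parse "key value" lines into { key => [value per occurrence] }. A key that
# appears several times (nslcd allows repeated "uri" lines) accumulates.
def parse_nslcd_conf(text)
  conf = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    conf[key] << value.to_s
  end
  conf
end

# Returns a list of findings (empty when nothing is wrong). `mode` is the
# config file's permission bits; the module's default depends on the
# distribution, so it is passed in rather than assumed.
def audit_nslcd_conf(text, mode: 0o600)
  conf = parse_nslcd_conf(text)
  findings = []

  uris = conf['uri'].flat_map(&:split)
  cleartext = uris.reject { |u| u.start_with?('ldaps://') }
  ssl = conf.fetch('ssl', ['off']).last
  if ssl == 'off' && !cleartext.empty?
    findings << "ssl off with #{cleartext.join(' ')}: the bind password and all lookups cross the network in clear text"
  else
    # tls_reqcert semantics follow ldap.conf(5): never/allow/try tolerate a
    # missing certificate, and never/allow also tolerate an invalid one.
    # An absent key means the libldap default applies and is not flagged here.
    reqcert = conf.fetch('tls_reqcert', ['demand']).last
    if %w[never allow try].include?(reqcert)
      findings << "tls_reqcert #{reqcert}: a valid server certificate is not required, so TLS does not authenticate the LDAP server"
    end
  end

  if conf.key?('bindpw') && (mode & 0o077) != 0
    findings << format('bindpw is stored in the file but mode %04o lets group or other read it', mode)
  end
  findings
end

# Against a live system:
#   audit_nslcd_conf(File.read('/etc/nslcd.conf'),
#                    mode: File.stat('/etc/nslcd.conf').mode & 0o777)
```

The transport check looks at both the `ssl` key and the URI scheme, because `ldaps://` servers are encrypted even when `ssl off` is written; the certificate check only matters once TLS is in use, which is why it sits in the else branch.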

Extend the configuration

The module exposes the most commonly used parameters. To extend the configuration, use the config_options parameter: it lets you set any nslcd option not listed above, as a key/value hash.

  • Example configuration
  class { 'nslcd':
    config_options => {
      'threads' => '10',
    },
  }
  • The same config in Hiera
  nslcd::config_options:
    threads: '10'
  • Will give this in the config file
  threads 10

Limitations

The module has been tested with:

  • Ubuntu 14.04 / 16.04 / 18.04 / 20.04
  • Debian 8 / 9 / 10 / 11 / 12
  • Puppet 4 / 5 / 6 / 7

Development

If you want to improve this module, send us a pull request!

puppet-nslcd's People

Contributors: geekix, kobybr, mastermind2k, natemccurdy, oasys, t0xiccode, virus2500, werekraken

puppet-nslcd's Issues

$package_name and $service_name can conflict with other Puppet modules

I'm using both your nslcd and the authconfig module from https://github.com/Mylezeem/puppet-authconfig.

Since the authconfig module also includes nss-pam-ldapd for Red Hat, the Package 'nss-pam-ldapd' is defined twice when including both authconfig and nslcd. The same goes for the 'nslcd' service.

I have changed my fork of init.pp to check to see if $service_name and/or $package_name are undefined. If either are undefined, the manifest modifies the anchor statement to include/exclude the appropriate service or package.

Due to the possibility of duplicate resource declarations with other modules (ie: https://github.com/Mylezeem/puppet-authconfig), check to see if $package_name is undefined. If it is undefined then don't attempt to install it. The same is true for $service_name.

  if $package_name == undef and $service_name == undef {
    anchor { 'nslcd::begin': } ->
    class { 'nslcd::config': } ~>
    anchor { 'nslcd::end': }
  } elsif $package_name == undef {
    anchor { 'nslcd::begin': } ->
    class { 'nslcd::config': } ~>
    class { 'nslcd::service': } ->
    anchor { 'nslcd::end': }
  } elsif $service_name == undef {
    anchor { 'nslcd::begin': } ->
    class { 'nslcd::install': } ->
    class { 'nslcd::config': } ~>
    anchor { 'nslcd::end': }
  } else {
    anchor { 'nslcd::begin': } ->
    class { 'nslcd::install': } ->
    class { 'nslcd::config': } ~>
    class { 'nslcd::service': } ->
    anchor { 'nslcd::end': }
  }

This is my first experience with anchors. If there's a better way to do this (ie: define the anchor) please feel free to let me know.

LDAP URI structure isn't compatible with 'authconfig'

The code that specified the LDAP URI isn't compatible with the command line 'authconfig' or the puppet module MyLezeem/puppet-authconfig
(https://github.com/Mylezeem/puppet-authconfig).

When running 'authconfig --update', authconfig condenses the LDAP URIs into a single line. This causes puppet-nslcd to see that /etc/nslcd.conf file has changed and puppet-nslcd will change /etc/nslcd.conf back to a [potentially] multi-line URI.

<% @ldap_uris.each do |ldap_uri| -%>
uri <%= ldap_uri %>
<% end -%>

I recommend changing the three lines in templates/nslcd.erb thusly:

  # The location at which the LDAP server(s) should be reachable.
  uri <%= @ldap_uris.sort.join(' ') %>

This will make puppet-nslcd more compatible with command line authconfig and as a bonus, more compatible with MyLezeem/puppet-authconfig (https://github.com/Mylezeem/puppet-authconfig) module.

What is the format of $ldap_maps?

Can someone give me an example of $ldap_maps format?

I've tried:
  $ldap_maps = {
    group  => 'uniqueMember member',
    passwd => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName'],
    shadow => ['shadowLastChange pwdLastSet', 'uid sAMAccountName'],
  }

...but the module incorrectly updates /etc/nslcd.conf thusly:

  # Custom maps
  map group uniqueMember member
  map passwd ["homedirectory unixHomeDirectory", "uid sAMAccountName", "gecos displayName"]
  map shadow ["shadowLastChange pwdLastSet", "uid sAMAccountName"]
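The two issues above both come down to how templates/nslcd.erb turns Puppet values into config lines. As an added example that is not the module's own template, the Ruby fragment below renders every server on a single `uri` line in the order given (nslcd uses the first server and treats the following ones as fall-back, so the list is deliberately not sorted), and writes one `map` line per entry whether an ldap_maps value is a single string or an array of `attribute replacement` strings, which is what the array-inspect output in the last issue needs. The `uris_from` helper reads the server list back from either layout, so a comparison of what the module writes with what `authconfig --update` leaves behind can be made on the parsed list instead of the raw text. The URIs and maps are the values from the issues; the class and helper names are assumptions.

```ruby
require 'erb'

# Added example, not puppet-nslcd's templates/nslcd.erb: one "uri" line for
# all servers and one "map" line per mapping, with array values flattened.
TEMPLATE = <<~'ERB'
  # The location at which the LDAP server(s) should be reachable.
  uri <%= @ldap_uris.join(' ') %>
  <% @ldap_maps.each do |map, attrs| -%>
  <% Array(attrs).each do |attr| -%>
  map <%= map %> <%= attr %>
  <% end -%>
  <% end -%>
ERB

class NslcdConfFragment
  # ldap_uris: Array of URI strings, in fall-back order.
  # ldap_maps: Hash of map name => String or Array of "attribute replacement".
  def initialize(ldap_uris, ldap_maps = {})
    @ldap_uris = ldap_uris
    @ldap_maps = ldap_maps
  end

  # trim_mode '-' makes "-%>" swallow its line ending, so the control lines
  # leave no blank lines in the rendered file.
  def render
    ERB.new(TEMPLATE, trim_mode: '-').result(binding)
  end
end

# Server list from either layout: one "uri" per line (the module's current
# template) or all servers on one line (what authconfig writes).
def uris_from(conf)
  conf.each_line.grep(/\A\s*uri\s+/).flat_map { |l| l.sub(/\A\s*uri\s+/, '').split }
end

# Values taken from the issues above (constructed hostnames).
URIS = ['ldap://ldap01.company.com:389', 'ldap://ldap02.company.com:389'].freeze
MAPS = {
  'group'  => 'uniqueMember member',
  'passwd' => ['homedirectory unixHomeDirectory', 'uid sAMAccountName', 'gecos displayName'],
  'shadow' => ['shadowLastChange pwdLastSet', 'uid sAMAccountName'],
}.freeze

def rendered_fragment
  NslcdConfFragment.new(URIS, MAPS).render
end

puts rendered_fragment if $PROGRAM_NAME == __FILE__
```

Because `uris_from` splits on whitespace after the keyword, the multi-line form produced by the current template and the single-line form produced by authconfig parse to the same list, which is the property a drift check between the two tools should rely on.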
