Hi folks,

I can't find a _working_ module for setting LDAP authentication through
nsswitch and PAM for Ubuntu.
Does anybody know if such a module exists?

I'm trying to set up at work a Puppet infrastructure to manage the whole of
our workstations: I previously configured by hand LDAP authentication, and
there is a lot of configuration to be done, therefore I'd really need
Puppet to do it for me.

Thank you guys,
Federico


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.


  • Craig White at May 15, 2013 at 3:48 pm

    On May 15, 2013, at 3:45 AM, Federico Bonelli wrote:

    Never made it into a module but here is my relatively complete solution to Ubuntu LDAP client configuration. (note that I'm going to leave the contents of /etc/ldap.conf, /etc/ldap/ldap.conf and all of the affected pam.d files to you as well as the implementation of log rotation)

    cat client_install.pp
    # ldap::client_install class
    #
    # Last update 03/02/2012
    #
    # Craig White
    #
    # ensures sufficient changes to permit users to authenticate via TTI's LDAP server
    #
    class ldap::client_install {
      include ldap::configure
      include nscd
      # Client libraries only; nscd is restarted whenever they change so cached
      # lookups do not outlive the package upgrade.
      case $operatingsystem {
        centos, redhat: {
          package { [ "openldap-clients", "openldap", "openldap-devel" ]:
            ensure  => present,
            require => Class["nscd::install", "apt::updates"],
            notify  => Class["nscd::service"],
          }
        }
        debian, ubuntu: {
          package { [ "ldap-utils", "libnss-ldap", "auth-client-config" ]:
            ensure  => present,
            require => Class["nscd::install", "apt::updates"],
            notify  => Class["nscd::service"],
          }
        }
      }
    }

    cat configure.pp
    # ldap::configure class
    #
    # Last update 03/02/2012
    #
    # Craig White
    #
    # ensures sufficient changes to permit users to authenticate via TTI's LDAP server
    #
    class ldap::configure {
      include ldap::client_install
      # Hosts that are themselves LDAP servers (tagged via ldap::server_install)
      # list their own server first; every other host picks a server pair by
      # data centre. $ldap_servers_nss feeds nsswitch/nss_ldap, $ldap_servers
      # feeds pam_ldap.
      if (tagged("ldap::server_install")) {
        case $hostname {
          default: {
            $ldap_servers_nss = "ldap://ldap.example.com ldap://ldap2.example.com"
            $ldap_servers     = "ldap://ldap.example.com ldap://ldap2.example.com"
          }
          ldap3: {
            $ldap_servers_nss = "ldap://ldap3.example.com ldap://ldap4.example.com"
            $ldap_servers     = "ldap://ldap3.example.com ldap://ldap4.example.com"
          }
          ldap4: {
            $ldap_servers_nss = "ldap://ldap4.example.com ldap://ldap3.example.com"
            $ldap_servers     = "ldap://ldap4.example.com ldap://ldap3.example.com"
          }
          ldap2: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          ldap5: {
            $ldap_servers_nss = "ldap://ldap5.example.com ldap://ldap6.example.com"
            $ldap_servers     = "ldap://ldap5.example.com ldap://ldap6.example.com"
          }
          ldap6: {
            $ldap_servers_nss = "ldap://ldap6.example.com ldap://ldap5.example.com"
            $ldap_servers     = "ldap://ldap6.example.com ldap://ldap5.example.com"
          }
        }
      } else {
        case $datacenter {
          default: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          Pacesetter-DynamicIPAddr: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          Pacesetter-FixedIPAddr: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          Pacesetter-DMZ: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          IO: {
            $ldap_servers_nss = "ldap://ldap6.example.com ldap://ldap5.example.com"
            $ldap_servers     = "ldap://ldap5.example.com ldap://ldap6.example.com"
          }
          Canada: {
            $ldap_servers_nss = "ldap://ldap2.example.com ldap://ldap.example.com"
            $ldap_servers     = "ldap://ldap2.example.com ldap://ldap.example.com"
          }
          Amsterdam: {
            $ldap_servers_nss = "ldap://ldap4.example.com ldap://ldap3.example.com"
            $ldap_servers     = "ldap://ldap4.example.com ldap://ldap3.example.com"
          }
        }
      }
      # OS-specific client config and PAM stacks. The templates are rendered
      # with the $ldap_servers* variables set above.
      case $operatingsystem {
        default: {
        }
        centos, redhat: {
          # Puppet maintained file /etc/openldap/ldap.conf (RHEL/CentOS)
          file { "/etc/openldap/ldap.conf":
            content => template("ldap/openldap_ldap.conf.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
            notify  => Class["nscd::service"],
          }
          # Puppet maintained file /etc/pam.d/system-auth
          file { "/etc/pam.d/system-auth":
            content => template("ldap/system-auth.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            notify  => Class["nscd::service"],
            require => Class["ldap::client_install"],
          }
        }
        debian, ubuntu: {
          # Puppet maintained file /etc/ldap/ldap.conf (Debian/Ubuntu)
          file { "/etc/ldap/ldap.conf":
            content => template("ldap/openldap_ldap.conf.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
            notify  => Class["nscd::service"],
          }
          # Puppet maintained file /etc/pam.d/common-session
          file { "/etc/pam.d/common-session":
            content => template("ldap/common-session.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
            notify  => Class["nscd::service"],
          }
          # Puppet maintained file /etc/pam.d/common-password
          file { "/etc/pam.d/common-password":
            content => template("ldap/common-password.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
          }
          # Puppet maintained file /etc/pam.d/common-account
          file { "/etc/pam.d/common-account":
            content => template("ldap/common-account.erb"),
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
          }
        }
      }
      # Puppet maintained directory /home/users (home directories for LDAP users)
      exec { "Creating /home/users directory for LDAP users":
        path        => "/usr/local/bin:/usr/local/sbin:/bin:/usr/bin",
        environment => "HOME=/root",
        command     => "/bin/mkdir /home/users",
        user        => "root",
        group       => "root",
        creates     => "/home/users",
        logoutput   => on_failure,
        require     => Class["ldap::client_install"],
      }
      # Puppet maintained file /etc/ldap.conf (nss_ldap / pam_ldap client config)
      file { "/etc/ldap.conf":
        content => template("ldap/ldap.conf.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class["ldap::client_install"],
      }
      # Puppet maintained file /etc/nsswitch.conf
      file { "/etc/nsswitch.conf":
        content => template("ldap/nsswitch.conf.erb"),
        owner   => root,
        group   => root,
        mode    => "0644",
        require => Class["ldap::client_install"],
        notify  => Class["nscd::service"],
      }
      # Puppet maintained file /etc/ldap.secret (rootbinddn password; root-only)
      file { "/etc/ldap.secret":
        content => template("ldap/ldap.secret.erb"),
        owner   => root,
        group   => root,
        mode    => "0600",
        require => Class["ldap::client_install"],
      }
    }

    cat init.pp
    # ldap class
    #
    # Last update 07/20/2011
    #
    # Craig White
    #
    # includes ldap::configure class
    #
    # includes ldap::client_install class
    #
    # includes ldap::server_install class
    #
    # includes ldap::service class
    #
    class ldap {
      include ldap::client_install, ldap::server_install, ldap::service, ldap::configure
    }


    cat server_install.pp
    # ldap::server_install class
    #
    # Last update 09/25/2012
    #
    # Craig White
    #
    # ensures Open LDAP server is installed
    #
    class ldap::server_install {
      case $operatingsystem {
        centos, redhat: {
          package { [ "openldap-server" ]:
            ensure  => present,
            require => Class["ldap::client_install"],
          }
        }
        debian, ubuntu: {
          package { [ "slapd" ]:
            ensure  => present,
            require => Class["ldap::client_install"],
          }
          # Puppet maintained file /etc/logrotate.d/slapd
          file { "/etc/logrotate.d/slapd":
            source  => "puppet:///modules/ldap/slapd",
            owner   => root,
            group   => root,
            mode    => "0644",
            require => Class["ldap::client_install"],
          }
        }
      }
    }

    cat service.pp
    # ldap::service class
    #
    # Last update 07/20/2011
    #
    # Craig White
    #
    # ensures LDAP (slapd) server is running
    #
    class ldap::service {
      case $operatingsystem {
        centos, redhat: {
          service { "ldap":
            ensure     => running,
            hasstatus  => true,
            hasrestart => true,
            enable     => true,
            require    => Class["ldap::server_install"],
          }
        }
        debian, ubuntu: {
          service { "slapd":
            ensure     => running,
            hasstatus  => true,
            hasrestart => true,
            enable     => true,
            require    => Class["ldap::server_install"],
          }
        }
      }
    }

    ls -l ../files/
    total 4
    -rw-r--r-- 1 puppet puppet 252 2012-10-22 10:52 slapd

    ls -l ../templates/
    total 40
    -rw-r--r-- 1 puppet puppet 1345 2012-05-04 08:09 common-account.erb
    -rw-r--r-- 1 puppet puppet 1607 2012-02-08 14:45 common-password.erb
    -rw-r--r-- 1 puppet puppet 1331 2012-02-08 14:45 common-session.erb
    -rw-r--r-- 1 puppet puppet 9466 2012-03-02 11:07 ldap.conf.erb
    -rw-r--r-- 1 puppet puppet 11 2012-02-08 14:45 ldap.secret.erb
    -rw-r--r-- 1 puppet puppet 539 2012-02-14 12:57 nsswitch.conf.erb
    -rw-r--r-- 1 puppet puppet 600 2012-02-08 14:45 openldap_ldap.conf.erb
    -rw-r--r-- 1 puppet puppet 1312 2012-02-08 14:45 system-auth.erb

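A post-run audit of the three client files that the ldap::configure class above writes (/etc/ldap.conf, /etc/nsswitch.conf and /etc/ldap.secret), added here as an example; it is not part of the thread or of Craig's module. It assumes Linux with GNU coreutils (stat -c, mktemp -d) and the PADL-style ldap.conf keys that libnss-ldap/pam_ldap read (uri, ssl start_tls, rootbinddn); the sample tree it builds is constructed, not taken from the thread.

```shell
# Audit the LDAP client files written by ldap::configure. Added example, not
# part of the thread; assumes GNU coreutils. ROOT is "/" on a real host.
audit_ldap_client() {
    root="$1"; rc=0
    # 1. /etc/ldap.secret holds the rootbinddn password: must be 0600 (or 0400).
    secret="$root/etc/ldap.secret"
    if [ -f "$secret" ]; then
        perm=$(stat -c '%a' "$secret")
        case "$perm" in
            600|400) ;;
            *) echo "FAIL: $secret has mode $perm, want 0600"; rc=1 ;;
        esac
    fi
    # 2. Cleartext ldap:// URIs in /etc/ldap.conf need 'ssl start_tls',
    #    otherwise bind passwords cross the wire in the clear.
    conf="$root/etc/ldap.conf"
    if grep -qiE '^ssl[[:space:]]+start_tls' "$conf"; then
        :
    elif grep -iE '^uri[[:space:]]' "$conf" | grep -q 'ldap://'; then
        echo "FAIL: $conf uses ldap:// without 'ssl start_tls'"; rc=1
    fi
    # 3. /etc/nsswitch.conf must consult ldap for passwd, group AND shadow,
    #    or LDAP users resolve for lookups but not for group/shadow checks.
    nss="$root/etc/nsswitch.conf"
    for db in passwd group shadow; do
        grep -qE "^$db:.*[[:space:]]ldap([[:space:]]|$)" "$nss" \
            || { echo "FAIL: $nss: '$db' does not list ldap"; rc=1; }
    done
    return $rc
}
# Constructed sample tree carrying the weak settings (0644 secret, ldap://
# without start_tls); echoes its path.
make_sample() {
    dir=$(mktemp -d); mkdir -p "$dir/etc"
    printf 'uri ldap://ldap.example.com ldap://ldap2.example.com\nbase dc=example,dc=com\nrootbinddn cn=manager,dc=example,dc=com\n' > "$dir/etc/ldap.conf"
    printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\nhosts: files dns\n' > "$dir/etc/nsswitch.conf"
    printf 'bindpw\n' > "$dir/etc/ldap.secret"; chmod 644 "$dir/etc/ldap.secret"
    echo "$dir"
}
# The corrected settings, applied to a sample tree.
harden_sample() {
    chmod 600 "$1/etc/ldap.secret"
    echo 'ssl start_tls' >> "$1/etc/ldap.conf"
}
d=$(make_sample)
audit_ldap_client "$d" || echo "weak sample rejected, as expected"
harden_sample "$d"
audit_ldap_client "$d" && echo "hardened sample passes"; rm -rf "$d"
```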

Discussion Overview
group: puppet-users
categories: puppet
posted: May 15, '13 at 1:58p
active: May 15, '13 at 3:48p
posts: 2
users: 2
website: puppetlabs.com

2 users in discussion: Craig White (1 post), Federico Bonelli (1 post)
