Puppet Class: ldap::client::utils

Defined in:
modules/ldap/manifests/client/utils.pp

Overview

Parameters:

  • ldapconfig (Any)


# File 'modules/ldap/manifests/client/utils.pp', line 6

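# @summary Installs the LDAP command-line helpers and their Python support
#   library on an LDAP client host.
#
# Resources managed here: the python(3)-pycurl and python(3)-ldap packages,
# the add-ldap-group and ldaplist scripts (plus a /usr/local/sbin
# compatibility symlink for ldaplist), the ssh-key-ldap-lookup
# AuthorizedKeysCommand helper with its dedicated system user (labs realm
# only), the shared ldapsupportlib.py module for Python 2 and Python 3, and,
# outside the labs realm, the root-only /etc/ldap/.ldapscriptrc rendered from
# the ldap/ldapscriptrc.erb template.
#
# @param ldapconfig
#   LDAP client settings. Not referenced directly in this class body;
#   presumably read by the ldapscriptrc.erb template through scope lookup —
#   TODO confirm against the template.
class ldap::client::utils($ldapconfig) {
    require_package('python-pycurl')
    require_package('python3-pycurl')

    # this may be already declared by openstack's keystone, where
    # we need python-pyldap rather than python-ldap (so is ensure => absent there)
    # NOTE: defined() is parse-order dependent; the guard only works when the
    # keystone declaration is evaluated before this class.
    if ! defined(Package['python-ldap']) {
        require_package('python-ldap')
    }

    if os_version('debian > jessie') {
        if ! defined(Package['python3-pyldap']) {
            require_package('python3-pyldap')
        }
    }

    file { '/usr/local/sbin/add-ldap-group':
        owner  => 'root',
        group  => 'root',
        mode   => '0544',
        source => 'puppet:///modules/ldap/scripts/add-ldap-group.py',
    }

    # Compatibility path: the script itself lives in /usr/local/bin.
    file { '/usr/local/sbin/ldaplist':
        ensure => link,
        target => '/usr/local/bin/ldaplist',
    }

    file { '/usr/local/bin/ldaplist':
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
        source => 'puppet:///modules/ldap/scripts/ldaplist.py',
    }

    if $::realm == 'labs' {
        # The 'ssh-key-ldap-lookup' tool is called during login ssh via AuthorizedKeysCommand.  It
        #  returns public keys from ldap for the specified username.
        # It is in /usr/sbin and not /usr/local/sbin because on Debian /usr/local is 0775
        # and sshd refuses to use anything under /usr/local because of the permissive group
        # permission there (and group is set to 'staff', slightly different from root).
        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538392
        #
        # Jessie gets the Python 2 variant of the script; every later release gets the
        # Python 3 one. Only the source differs, so a single file resource is declared.
        $lookup_source = os_version('debian == jessie') ? {
            true    => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup-python2.py',
            default => 'puppet:///modules/ldap/scripts/ssh-key-ldap-lookup.py',
        }
        file { '/usr/sbin/ssh-key-ldap-lookup':
            owner  => 'root',
            group  => 'root',
            mode   => '0555',
            source => $lookup_source,
        }
        # For security purposes, sshd will only run ssh-key-ldap-lookup as the 'ssh-key-ldap-lookup' user.
        user { 'ssh-key-ldap-lookup':
            ensure => present,
            system => true,
            home   => '/nonexistent', # Since things seem to check for $HOME/.whatever unconditionally...
            shell  => '/bin/false',
        }
    }

    # Debian major release -> Python 3 minor version shipped with it; unlisted
    # releases fall through to the default. Keep in sync with the python3
    # package actually installed on each release.
    $python3_version = $facts['os']['release']['major'] ? {
        '8'     => '3.4',
        '9'     => '3.5',
        '10'    => '3.7',
        default => '3.7',
    }

    # Shared helper module, installed for both the Python 2.7 and the
    # release-specific Python 3 dist-packages paths.
    file { ['/usr/local/lib/python2.7/dist-packages/ldapsupportlib.py',
            "/usr/local/lib/python${python3_version}/dist-packages/ldapsupportlib.py"]:
        owner  => 'root',
        group  => 'root',
        mode   => '0444',
        source => 'puppet:///modules/ldap/scripts/ldapsupportlib.py',
    }

    if ( $::realm != 'labs' ) {
        # Root-only settings file for the LDAP scripts. It is a regular file
        # that is read, not executed, so the mode carries no execute bit;
        # the content is rendered from the template, so treat it as
        # sensitive (it may well hold bind credentials — confirm against
        # ldap/ldapscriptrc.erb).
        file { '/etc/ldap/.ldapscriptrc':
            owner   => 'root',
            group   => 'root',
            mode    => '0600',
            content => template('ldap/ldapscriptrc.erb'),
        }
    }
}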