Puppet Class: profile::ldap::client::labs

Defined in:
modules/profile/manifests/ldap/client/labs.pp

Overview

SPDX-License-Identifier: Apache-2.0

Parameters:

  • restricted_to (Optional[Array[String]]) (defaults to: lookup('profile::ldap::client::labs::restricted_to', {default_value => undef}))
  • restricted_from (Optional[Array[String]]) (defaults to: lookup('profile::ldap::client::labs::restricted_from', {default_value => undef}))



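# @summary Configure LDAP (sssd) logins on a Cloud VPS instance and restrict
#   interactive access with pam_access rules.
#
# Compilation fails on any realm other than 'labs'. By default root and the
# members of the instance's project group ($::projectgroup) may log in; the
# two optional parameters below narrow or replace that default. They are
# normally set through Hiera (Horizon / ENC) rather than in code.
#
# @param restricted_to
#   Groups that replace the project group as the set allowed to log in.
#   root is always permitted. undef keeps the project-group default.
# @param restricted_from
#   Groups that are explicitly denied login (for example to keep SRE groups
#   off unsecured bastions). undef adds no deny rule.
class profile::ldap::client::labs(
    Optional[Array[String]] $restricted_to   = lookup('profile::ldap::client::labs::restricted_to',   {default_value => undef}),
    Optional[Array[String]] $restricted_from = lookup('profile::ldap::client::labs::restricted_from', {default_value => undef}),
) {
    # Provides $profile::ldap::client::utils::ldapconfig, consumed below.
    include profile::ldap::client::utils

    # Guard: the pam_access rules written here assume the Cloud VPS login
    # model, so refuse to compile anywhere else.
    unless $::realm == 'labs' {
        fail('profile::ldap::client::labs: only Cloud VPS VMs are supported')
    }

    # Bypass pam_access restrictions for local (console) logins so the deny
    # rules below can never lock out console access. Priority 0 presumably
    # sorts this rule ahead of the deny rules (98/99) — confirm against
    # security::access::config.
    security::access::config { 'labs-local':
        content  => "+:ALL:LOCAL\n",
        priority => 0,
    }

    # Cloud VPS instances default to allowing root and project
    # members only (members of the project-foo group).
    #
    # In addition, there are Hiera variables that can be set
    # via Horizon/ENC to alter that:
    #   $restricted_from
    #       denies login to the specified groups
    #       (used to prevent SREs from logging onto unsecured
    #       bastions, for instance)
    #   $restricted_to
    #       replaces the default group allowed to login
    #       (project members) with an explicitly specified one.
    #
    # NOTE(review): every entry is wrapped in parentheses, which pam_access
    # reads as a group name; a plain username supplied here would be looked
    # up as a group and silently match nothing — confirm callers only pass
    # group names. An empty array yields a rule with an empty user field,
    # which likewise matches nothing.
    if $restricted_from != undef {
        $restricted_from_formatted = $restricted_from.map |String $group| { "(${group})" }.join(' ')

        security::access::config { 'labs-restrict-from':
            content  => "-:${restricted_from_formatted}:ALL\n",
            priority => 98,
        }
    }

    # Exactly one "deny everyone except ..." rule is always emitted, so the
    # allow-list is never left open. With $restricted_to an empty array the
    # rule denies everyone but root.
    if $restricted_to != undef {
        $restricted_to_formatted = $restricted_to.map |String $group| { "(${group})" }.join(' ')

        security::access::config { 'labs-restrict-to-group':
            content  => "-:ALL EXCEPT ${restricted_to_formatted} root:ALL\n",
            priority => 99,
        }
    } else {
        security::access::config { 'labs-restrict-to-project':
            content  => "-:ALL EXCEPT (${::projectgroup}) root:ALL\n",
            priority => 99,
        }
    }

    # Wire sssd to the shared LDAP settings exposed by the utils profile.
    class { 'ldap::client::sssd':
        servers      => $profile::ldap::client::utils::ldapconfig['servernames'],
        base_dn      => $profile::ldap::client::utils::ldapconfig['basedn'],
        proxy_pass   => $profile::ldap::client::utils::ldapconfig['proxypass'],
        sudo_base_dn => $profile::ldap::client::utils::ldapconfig['sudobasedn'],
        page_size    => $profile::ldap::client::utils::ldapconfig['pagesize'],
        ca_file      => $profile::ldap::client::utils::ldapconfig['ca'],
    }

    # The ldap nss package recommends this package
    # and this package will reconfigure pam as well as add
    # its support; keep it absent so sssd stays the only PAM/NSS
    # LDAP backend.
    # TODO: this was moved from ldap::client::includes, check
    # if it's still needed
    package { 'libpam-ldapd':
        ensure => absent,
    }
}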