Puppet Class: profile::ldap::client::labs

Defined in:
modules/profile/manifests/ldap/client/labs.pp

Overview

Parameters:

  • sudo_flavor (Enum['sudo','sudoldap']) (defaults to: lookup('sudo_flavor', {default_value => 'sudoldap'}))
  • client_stack (String) (defaults to: lookup('profile::ldap::client::labs::client_stack', String, 'first', 'classic'))
  • ldapincludes (Any) (defaults to: hiera('profile::ldap::client::labs::ldapincludes', ['openldap', 'utils']))
  • restricted_to (Any) (defaults to: hiera('profile::ldap::client::labs::restricted_to', $::restricted_to))
  • restricted_from (Any) (defaults to: hiera('profile::ldap::client::labs::restricted_from', $::restricted_from))


# File 'modules/profile/manifests/ldap/client/labs.pp', line 1

# Configure the LDAP client stack on a Cloud VPS ("labs") host.
#
# The class declares ::ldap::config::labs, picks the effective client
# stack (classic nss/pam or sssd) and sudo flavour, writes the
# pam_access rules that restrict who may log in, and finally declares
# ::ldap::client::includes with the computed include list.
#
# @param sudo_flavor    Which sudo implementation to use: 'sudo' or
#                       'sudoldap'. Ignored (forced to 'sudo') on buster.
# @param client_stack   LDAP client stack name; only 'classic' and 'sssd'
#                       are handled by the selector below, any other value
#                       makes catalog compilation fail. Ignored (forced to
#                       'sssd') on buster.
# @param ldapincludes   Include list handed to ::ldap::client::includes
#                       when the host is NOT in the labs realm.
# @param restricted_to  Optional group/user list that replaces the default
#                       "project members" login allow-list (see comments in
#                       the body).
# @param restricted_from Optional group/user that is explicitly denied
#                       login via pam_access.
#
# NOTE(review): $ldapincludes, $restricted_to and $restricted_from are
# untyped (Any) and $restricted_* are interpolated verbatim into
# access.conf lines; a value containing ':' or a newline would change the
# shape of the generated rule. Consider a String/Pattern type or an
# explicit check before interpolation.
# NOTE(review): hiera() is deprecated in favour of lookup(); the first two
# parameters already use lookup().
class profile::ldap::client::labs(
    Enum['sudo','sudoldap'] $sudo_flavor = lookup('sudo_flavor', {default_value => 'sudoldap'}),
    String $client_stack = lookup('profile::ldap::client::labs::client_stack', String, 'first', 'classic'),
    $ldapincludes=hiera('profile::ldap::client::labs::ldapincludes', ['openldap', 'utils']),
    $restricted_to=hiera('profile::ldap::client::labs::restricted_to', $::restricted_to),
    $restricted_from=hiera('profile::ldap::client::labs::restricted_from', $::restricted_from),
) {
    # Declared first because $ldap::config::labs::ldapconfig is read at the
    # bottom of this class when ::ldap::client::includes is declared.
    class { '::ldap::config::labs': }

    if ( $::realm == 'labs' ) {
        # buster hosts always run sssd + plain sudo, regardless of the
        # sudo_flavor / client_stack parameters.
        if $::lsbdistcodename == 'buster' {
            $_sudo_flavor  = 'sudo'
            $_client_stack = 'sssd'
        } else {
            $_sudo_flavor  = $sudo_flavor
            $_client_stack = $client_stack
        }

        # Emitted on every agent run so the chosen stack is visible in the
        # agent/report output.
        notify { 'LDAP client stack':
            message => "The LDAP client stack for this host is: ${_client_stack}/${_sudo_flavor}",
        }

        # sudoldap is only supported together with the classic stack;
        # abort compilation instead of producing a half-working host.
        if $_client_stack == 'sssd' and $_sudo_flavor == 'sudoldap' {
            fail('to run sssd you need sudo instead of sudoldap')
        }

        # No default branch: any value other than 'classic' or 'sssd'
        # makes the selector (and therefore the catalog) fail.
        $includes = $_client_stack ? {
            'classic' => ['openldap', 'pam', 'nss', 'sudoldap', 'utils', 'nosssd'],
            'sssd'    => ['openldap', 'utils', 'sssd'],
        }

        # bypass pam_access restrictions for local commands
        # Priority '00' presumably orders this fragment before the '98'/'99'
        # deny rules below, so local access is matched first.
        security::access::config { 'labs-local':
            content  => "+:ALL:LOCAL\n",
            priority => '00',
        }

        # Labs instance default to allowing root and project members
        # only (members of the project-foo group).
        #
        # In addition, there are variables that can be set on wikitech
        # to alter that:
        #   $restricted_from
        #       limits the specified group or user from logging in
        #       (used to prevent opsen from logging onto unsecured
        #       bastions, for instance)
        #   $restricted_to
        #       replaces the default group allowed to login
        #       (project members) with an explicitly specified one.
        #
        # Both values are interpolated unmodified into the access.conf
        # rule text below.
        if ( $restricted_from ) {
            security::access::config { 'labs-restrict-from':
                content  => "-:${restricted_from}:ALL\n",
                priority => '98',
            }
        }

        # Exactly one of the two '99' rules is declared: the explicit
        # allow-list when $restricted_to is set, otherwise the host's
        # project group. root is always exempt from the deny rule.
        if ( $restricted_to ) {
            security::access::config { 'labs-restrict-to-group':
                content  => "-:ALL EXCEPT (${restricted_to}) root:ALL\n",
                priority => '99',
            }
        } else {
            security::access::config { 'labs-restrict-to-project':
                content  => "-:ALL EXCEPT (${::projectgroup}) root:ALL\n",
                priority => '99',
            }
        }

    } else {
        # Outside the labs realm the include list comes straight from the
        # parameter; no stack selection and no pam_access rules are applied.
        $includes = $ldapincludes
    }

    class{ '::ldap::client::includes':
        ldapincludes => $includes,
        ldapconfig   => $ldap::config::labs::ldapconfig,
    }
}