Puppet Class: profile::openldap::management

Defined in:
modules/profile/manifests/openldap/management.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class profile::openldap::management

Tools / scripts for helping manage the users in the LDAP installation. Note: this is for the so-called 'labs LDAP', which is used to manage both users on labs and access control for many things in prod.

Parameters

timer_active

Whether to activate the daily account consistency check or not.

Parameters:

  • ldap (Hash) (defaults to: lookup('ldap'))
  • timer_active (Boolean) (defaults to: lookup('profile::openldap::management::timer_active'))


# File 'modules/profile/manifests/openldap/management.pp', line 12

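class profile::openldap::management(
    Hash    $ldap         = lookup('ldap'),
    Boolean $timer_active = lookup('profile::openldap::management::timer_active'),
) {
    # Helper tooling for managing accounts in the LDAP directory.
    #
    # $ldap: connection hash read from hiera. The keys used below are
    #   'rw-server', 'base-dn', 'script_user_dn' and 'script_user_pass'.
    # $timer_active: whether the daily account consistency check timer is
    #   installed (present) or removed (absent).
    include profile::ldap::bitu
    include profile::openldap::client
    include passwords::phabricator

    # The management tooling binds to the read-write server with the
    # dedicated script user; both the bind DN and its password come from
    # the hiera hash, so nothing secret is hard-coded in this manifest.
    class { 'ldap::management':
        server   => $ldap['rw-server'],
        basedn   => $ldap['base-dn'],
        user     => $ldap['script_user_dn'],
        password => $ldap['script_user_pass'],
    }

    ensure_packages([
        'python-yaml', 'python-ldap',
        'python3-yaml', 'python3-ldap', 'python3-phabricator',
    ])

    # Both scripts are root-owned and not writable by anyone (0555).
    # 'ensure => file' (rather than 'present') insists on a regular file:
    # 'present' is already satisfied by a directory or symlink sitting at
    # this path, which would leave the executable the timer runs outside
    # Puppet's control.
    file { '/usr/local/bin/cross-validate-accounts':
        ensure => file,
        source => 'puppet:///modules/openldap/cross-validate-accounts.py',
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
    }

    file { '/usr/local/bin/offboard-user':
        ensure => file,
        source => 'puppet:///modules/openldap/offboard-user.py',
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
    }

    # Unprivileged system account the consistency check runs under.
    # NOTE(review): no shell or home directory is managed here; confirm the
    # account ends up with a non-login shell on the target hosts.
    user { 'accountcheck':
        ensure => present,
        system => true,
    }

    # The timer resource is always declared so that flipping
    # $timer_active to false removes a previously installed timer.
    $ensure = $timer_active ? {
        true    => present,
        default => absent,
    }
    # Runs cross-validate-accounts as 'accountcheck' on weekday mornings
    # and mails the output. ignore_errors is passed through to
    # systemd::timer::job; presumably a non-zero exit is not treated as a
    # job failure -- verify against that define.
    systemd::timer::job { 'daily_account_consistency_check':
        ensure        => $ensure,
        description   => 'Daily account consistency check',
        command       => '/usr/local/bin/cross-validate-accounts',
        interval      => {'start' => 'OnCalendar', 'interval' => 'Mon..Fri 04:00'},
        user          => 'accountcheck',
        send_mail     => true,
        ignore_errors => true,
        require       => [File['/usr/local/bin/cross-validate-accounts'], User['accountcheck']],
    }

    # Phabricator API token used by the offboarding script; the token value
    # lives in the passwords::phabricator class, and the credential file is
    # owned by root with group 'ops'.
    class { 'phabricator::bot':
        username => 'offboarding',
        token    => $passwords::phabricator::offboarding_script_token,
        owner    => 'root',
        group    => 'ops',
    }
}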