Newer
Older
##############################################################################
# Using Stanford Workgroups with PAM
##############################################################################
#
# This module Configures PAM to allow the control of access to a
# system using Stanford Workgroups. For Debian/Ubuntu systems this
# module installs and configures nslcd. For Redhat this module
# installs a local LDAP proxy server that uses a Kerberos bind to the
# central service and allows anonymous local access to the directory
# information.
#
# There are two steps require to implement Workgroup control:
#
# 1. The LDAP directory ACLs must be updated to grant access to
# the Workgroup or Workgroup stem. If the requestor is also
# the administrator of the Workgroup or stem then Data Owner
# approval is _not_ required. Just send a HelpSU required to
# the directory team with the kerberos principals that will be
# used to access the directory. It is simplest to just use the
# host principals.
#
# If the requestor is not the administrator of the Workgroup or
# stem then Data Owner Approval is required. Request access to
# the directory data using the form at
# http://tools.stanford.edu/dataowner. The request is for access
# to the suPrivilegGroup attribute. The request description
# should be similar to:
#
# The XYZ department would like to use Workgroup membership to
# control access to a set of Linux systems and requests access
# to the suPrivilegeGroup attribute for users in the ABC
# Workgroup stem.
#
# 2. Update the puppet model of any hosts that will use this control.
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
#
# Examples:
#
# To restrict access to a single Workgoup specify an LDAP filter
# that selects the current suPrivilegeGroups.
#
# base::pam::workgroup { 'anesthesia':
# ensure => 'present',
# ldap_filter => '(suPrivilegeGroup=stanford:staff)',
# }
#
# To allow anyone in the workgroup stem access an LDAP filter does
# not need to be specified.
#
# base::pam::workgroup { 'anesthesia': ensure => 'present' }
#
# Testing:
#
# To make sure that the correct account information is being
# return the getent command can be used. For example:
#
# % getent passwd whm
#
# On systems that have an ldap proxy installed a simple ldapsearch
# can be used to verify anonymous directory connectivity. For
# example:
#
# % ldapsearch -x
#
# should return all of the posixAccount entries for the choosen
# Workgroup stem.
define base::pam::workgroup (
$ensure = 'present',
$ldap_host = 'ldap.stanford.edu',
$ldap_filter = '(objectclass=posixAccount)',
$ldap_proxy = 'NONE',
$ldap_base = 'cn=Accounts,dc=stanford,dc=edu',
$principal = 'HOST'
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
) {
# When the nslcd.conf file changes reload the changes.
exec {'nslcd refresh':
command => '/etc/init.d/nslcd force-reload',
path => ['/bin','/usr/sbin'],
refreshonly => true,
require => File['/etc/nslcd.conf'],
returns => 0,
logoutput => true,
}
case $ensure {
'absent': {
# Remove the packages and the configuration files directly
# supporting the packages, but don't change nsswitch.conf.
# That will need to be handled manually.
file { '/etc/nslcd.conf': ensure => absent }
case $::operatingsystem {
'RedHat': {
file { '/etc/pam_ldap.conf': ensure => absent }
package {
'nss-pam-ldapd': ensure => absent;
'pam_ldap': ensure => absent;
}
}
'Debian', 'Ubuntu': {
package {
'libpam-ldapd': ensure => absent;
'libnss-ldapd': ensure => absent;
}
}
default: { fail('unrecognized operating system') }
}
}
default: {
# Turn off user management
include user::managed::disabled
# Add packages and configuration files.
file { '/etc/nsswitch.conf':
source => 'puppet:///modules/base/pam/etc/nsswitch.conf';
}
case $::operatingsystem {
# RedHat requires a proxy server because the pam/nss support
# available with RHEL does not support kerberos binds to the
# directory.
'RedHat': {
$thisUID = 'nslcd'
$thisGID = 'ldap'
# Create a slapd proxy to allow anonymous local searches.
$useProxy = true
slapd_proxy::new {$::hostname:
ensure => present,
principal => $principal,
ldapHost => $ldap_host,
ldapConfBase => $ldap_base
}
include base::pam::workgroup_redhat
package {
'nss-pam-ldapd': ensure => present;
'pam_ldap': ensure => present;
}
file { '/etc/pam_ldap.conf':
content => template('base/pam/etc/pam_ldap.conf.erb'),
require => Package['pam_ldap'],
}
file { '/etc/nslcd.conf':
content => template('base/pam/etc/nslcd.conf.erb'),
notify => Exec['nslcd refresh'],
require => Package['nss-pam-ldapd'],
}
}
# Later versions of debian and ubuntu support pam/nss kerberos
# binds to the directory which obviates the need for a slapd
# proxy server. Once can be used it desired, but recommended
# practice is to not use a proxy.
'Debian', 'Ubuntu': {
$thisUID = 'nslcd'
$thisGID = 'nslcd'
package {
'libpam-ldapd': ensure => present;
'libnss-ldapd': ensure => present;
}
if $ldap_proxy == 'NONE' {
$useProxy = false
$ldapConfBase = $ldap_base
file {
'/etc/ldap':
ensure => directory,
mode => 755;
'/etc/ldap/ldap.conf':
mode => 644,
content => template('base/pam/etc/ldap/ldap.conf.erb'),
require => File['/etc/ldap'];
'/var/run/nslcd':
ensure => directory,
mode => 755,
owner => $thisUID,
group => $thisGID,
require => Package['libpam-ldapd','libnss-ldapd'];
}
package {
'libsasl2-modules-gssapi-mit':
ensure => installed;
'ldap-utils':
ensure => installed,
require => File['/etc/ldap'];
}
} else {
$useProxy = true
slapd_proxy::new {$::hostname:
ensure => present,
principal => $principal,
ldapHost => $ldap_host,
ldapConfBase => $ldap_base
}
}
file { '/etc/nslcd.conf':
content => template('base/pam/etc/nslcd.conf.erb'),
notify => Exec['nslcd refresh'],
require => Package['libnss-ldapd'],
}
}
default: { fail('unrecognized operating system') }
}
}
}
}
# Over ride pam configuration on redhat systems
class base::pam::workgroup_redhat inherits base::pam::redhat {
File['/etc/pam.d/system-auth'] { target => '/etc/pam.d/system-auth-ldap' }
file {
'/etc/pam.d/system-auth-ldap':
mode => 644,
source => 'puppet:///modules/base/pam/etc/pam.d/system-auth-ldap',
}