# Configure PAM to allow the control of access to a system using
# Stanford Workgroups. This module installs a local LDAP proxy
# server that uses a Kerberos bind to the central service and
# allows anonymous local access to the directory information.
#
# There are two steps required to implement Workgroup control:
#
# 1. Request access to the directory data using the form at
# http://tools.stanford.edu/dataowner. The request is
# for access to the suPrivilegeGroup attribute. The request
# description should be similar to:
#
# The XYZ department would like to use Workgroup membership to
# control access to a set of Linux systems and requests access
# to the suPrivilegeGroup attribute for users in the ABC
# Workgroup stem.
#
# The default principal name used to access the LDAP directory is
# the host principal.
#
# 2. Configure any hosts that need the access control with either:
# 1) ldap proxy server and pam/nss ldap packages or 2) pam/nss
# ldap packages that support kerberos binds to the directory.
# This module will perform the required tasks. In general,
# systems should use kerberos bind packages where they are
# available, which currently means newer Debian or Ubuntu systems.
# RedHat systems require a slapd proxy.
#
# Examples:
#
# To restrict access to a single Workgroup, specify an LDAP filter
# that selects the current suPrivilegeGroup values.
#
# base::pam::workgroup { 'anesthesia':
# ensure => 'present',
# ldap_filter => '(suPrivilegeGroup=stanford:staff)',
# }
#
# To allow anyone in the workgroup stem access, an LDAP filter does
# not need to be specified.
#
# base::pam::workgroup { 'anesthesia': ensure => 'present' }
#
# Testing:
#
# To make sure that the correct account information is being
# returned, the getent command can be used. For example:
#
# % getent passwd whm
#
# On systems that have an ldap proxy installed a simple ldapsearch
# can be used to verify anonymous directory connectivity. For
# example:
#
# % ldapsearch -x
#
# should return all of the posixAccount entries for the chosen
# Workgroup stem.
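#
# Parameters:
#
#   $ensure          'absent' removes the nss/pam LDAP packages and the
#                    configuration files that belong to them. Any other
#                    value (the default, 'present') installs them.
#   $ldap_host       Directory host handed to the slapd proxy when one
#                    is installed; also visible to the templates.
#   $ldap_filter     LDAP filter selecting the accounts allowed to log
#                    in. The default selects every posixAccount entry.
#   $ldap_proxy      'NONE' (default) makes Debian/Ubuntu hosts bind to
#                    the directory directly; any other value installs a
#                    slapd proxy instead. RedHat hosts always get a proxy.
#   $ldap_base       Search base for account lookups.
#   $principal       Principal the proxy binds with. 'HOST' selects the
#                    host principal (see the module header).
#   $workgroup_stem  'NONE' (default) uses the resource title as the stem.
#
# Fails the catalog on any $::operatingsystem other than RedHat, Debian
# or Ubuntu.
#
# Every resource declared here has a fixed title (the exec, nsswitch.conf,
# nslcd.conf, the packages), so this define can be declared at most once
# per node; a second declaration is a duplicate-resource error.
#
# $stem, $thisUID, $thisGID, $useProxy and $ldapConfBase are set but not
# read in this manifest. They are presumably consumed by the ERB templates
# rendered below -- confirm before renaming any of them. Note that
# $ldapConfBase is only set on the direct-bind Debian/Ubuntu path.
#
# File modes are written as quoted four-digit octal strings: bare integer
# modes are rejected by newer Puppet releases, while the quoted form is
# accepted by every release.
define base::pam::workgroup (
  $ensure         = 'present',
  $ldap_host      = 'ldap.stanford.edu',
  $ldap_filter    = '(objectclass=posixAccount)',
  $ldap_proxy     = 'NONE',
  $ldap_base      = 'cn=Accounts,dc=stanford,dc=edu',
  $principal      = 'HOST',
  $workgroup_stem = 'NONE'
) {
  # The resource title doubles as the stem unless one is given explicitly.
  $stem = $workgroup_stem ? {
    'NONE'  => $name,
    default => $workgroup_stem,
  }

  # nslcd only re-reads its configuration on reload, so the nslcd.conf
  # resources below notify this exec. refreshonly keeps it from running
  # on every agent run; logoutput surfaces the init script's messages.
  exec { 'nslcd refresh':
    command     => '/etc/init.d/nslcd force-reload',
    path        => ['/bin', '/usr/sbin'],
    refreshonly => true,
    require     => File['/etc/nslcd.conf'],
    returns     => 0,
    logoutput   => true,
  }

  case $ensure {
    'absent': {
      # Remove the packages and the configuration files directly
      # supporting them. nsswitch.conf is deliberately left alone:
      # reverting it is a manual step, so name lookups are not switched
      # away from LDAP without an operator looking at it.
      file { '/etc/nslcd.conf': ensure => absent }
      case $::operatingsystem {
        'RedHat': {
          file { '/etc/pam_ldap.conf': ensure => absent }
          package {
            'nss-pam-ldapd': ensure => absent;
            'pam_ldap':      ensure => absent;
          }
        }
        'Debian', 'Ubuntu': {
          package {
            'libpam-ldapd': ensure => absent;
            'libnss-ldapd': ensure => absent;
          }
        }
        default: { fail('unrecognized operating system') }
      }
    }
    default: {
      # Everything except 'absent' -- not only 'present' -- lands here.
      # Locally managed users would collide with directory accounts, so
      # turn local user management off.
      include user::managed::disabled

      # Module-provided nsswitch.conf that enables the LDAP lookups.
      file { '/etc/nsswitch.conf':
        source => 'puppet:///modules/base/pam/etc/nsswitch.conf',
      }

      case $::operatingsystem {
        # RedHat requires a proxy server because the pam/nss support
        # available with RHEL does not support Kerberos binds to the
        # directory.
        'RedHat': {
          $thisUID = 'nslcd'
          $thisGID = 'ldap'

          # Create a slapd proxy to allow anonymous local searches. Per
          # the module header the proxy answers anonymously, so any local
          # process can read the directory data it exposes; prefer the
          # direct Kerberos bind where the platform supports it.
          $useProxy = true
          slapd_proxy::new { $::hostname:
            ensure       => present,
            principal    => $principal,
            ldapHost     => $ldap_host,
            ldapConfBase => $ldap_base,
          }

          include base::pam::workgroup_redhat

          package {
            'nss-pam-ldapd': ensure => present;
            'pam_ldap':      ensure => present;
          }

          # Owner/group/mode are not managed here, so the permissions the
          # package created the files with are kept (the files require
          # their packages).
          # NOTE(review): if either template ever emits a bind password,
          # manage mode explicitly (e.g. '0640') rather than relying on
          # the package default -- confirm against the templates.
          file { '/etc/pam_ldap.conf':
            content => template('base/pam/etc/pam_ldap.conf.erb'),
            require => Package['pam_ldap'],
          }
          file { '/etc/nslcd.conf':
            content => template('base/pam/etc/nslcd.conf.erb'),
            notify  => Exec['nslcd refresh'],
            require => Package['nss-pam-ldapd'],
          }
        }
        # Later versions of Debian and Ubuntu support pam/nss Kerberos
        # binds to the directory, which obviates the need for a slapd
        # proxy server. One can be used if desired, but recommended
        # practice is to not use a proxy.
        'Debian', 'Ubuntu': {
          $thisUID = 'nslcd'
          $thisGID = 'nslcd'

          package {
            'libpam-ldapd': ensure => present;
            'libnss-ldapd': ensure => present;
          }

          if $ldap_proxy == 'NONE' {
            # Direct bind: nslcd talks to the directory itself.
            $useProxy     = false
            $ldapConfBase = $ldap_base

            file {
              '/etc/ldap':
                ensure => directory,
                mode   => '0755';
              '/etc/ldap/ldap.conf':
                mode    => '0644',
                content => template('base/pam/etc/ldap/ldap.conf.erb'),
                require => File['/etc/ldap'];
              # Runtime directory for nslcd's socket, owned by the
              # service account.
              '/var/run/nslcd':
                ensure  => directory,
                mode    => '0755',
                owner   => $thisUID,
                group   => $thisGID,
                require => Package['libpam-ldapd', 'libnss-ldapd'];
            }

            # The GSSAPI SASL module is what lets the client perform the
            # Kerberos bind; ldap-utils provides ldapsearch for testing.
            package {
              'libsasl2-modules-gssapi-mit':
                ensure => present;
              'ldap-utils':
                ensure  => present,
                require => File['/etc/ldap'];
            }
          }
          else {
            # Proxy requested: same anonymous local proxy as on RedHat.
            $useProxy = true
            slapd_proxy::new { $::hostname:
              ensure       => present,
              principal    => $principal,
              ldapHost     => $ldap_host,
              ldapConfBase => $ldap_base,
            }
          }

          # Owner/group/mode are left to the package (the file requires
          # the package), so package defaults are kept.
          # NOTE(review): if nslcd.conf.erb ever emits a bind password,
          # manage mode explicitly (e.g. '0640') -- confirm against the
          # template.
          file { '/etc/nslcd.conf':
            content => template('base/pam/etc/nslcd.conf.erb'),
            notify  => Exec['nslcd refresh'],
            require => Package['libnss-ldapd'],
          }
        }
        default: { fail('unrecognized operating system') }
      }
    }
  }
}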
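# Override the PAM configuration managed by base::pam::redhat so that
# RedHat hosts use the LDAP-aware system-auth stack.
#
# base::pam::redhat (not in this file) must declare
# File['/etc/pam.d/system-auth']; only its target is overridden here,
# which presumably means that resource is a symlink in the parent class
# -- confirm there.
#
# The mode is a quoted four-digit octal string: bare integer modes are
# rejected by newer Puppet releases, the quoted form works everywhere.
class base::pam::workgroup_redhat inherits base::pam::redhat {
  # Point the parent's system-auth resource at the LDAP variant.
  File['/etc/pam.d/system-auth'] { target => '/etc/pam.d/system-auth-ldap' }

  # The LDAP-aware PAM stack shipped with this module. pam.d files are
  # normally world-readable and contain no secrets, hence 0644.
  file { '/etc/pam.d/system-auth-ldap':
    mode   => '0644',
    source => 'puppet:///modules/base/pam/etc/pam.d/system-auth-ldap',
  }
}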