# Manage the sync scripts and their configurations.
# Each sync is selected separately because not all environments get the same set of sync scripts.
# while these are intended for install on the tools server,
# this is still flexible enough to put it on the master
# select the sync scripts one by one in the hiera file
$enable_ldap_wg_maint = false,
$enable_ldap_group_maint = false,
$enable_ldap_sync_sugal_attributes = false,
$enable_ldap_sync_suprivilegegroup = false,
$enable_ldap_alias_maint = false,
$enable_posix_account_sync = false,
$enable_ldap_posix_group_remctl = false,
# install the sync scripts package first
# install the sync scripts package first
# NOTE(review): `installed` accepts whichever version the configured package
# source offers and does not pin or verify one; since this package carries the
# privileged sync logic, confirm its source is an internal/signed repository.
package{ 'libstanford-ldap-sync-scripts-perl': ensure => installed }
# some of the syncs need this; declared via ensure_packages rather than a
# plain package{} -- presumably so another class may also declare it (confirm).
ensure_packages(['libcrypt-ssleay-perl'], { ensure => 'present' })
## First, a single keytab shared by all of the sync scripts
# this is the sync keytab ticket, for service/ldap-$env
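# Names shared by the k5start unit, the keytab and the ticket cache, all
# keyed on $env (set outside this fragment) so each environment uses its own
# service/ldap-$env credential. Variables are enclosed in ${} so they stay
# unambiguous next to other characters (puppet-lint: variables_not_enclosed).
$k5start_service_name = "k5start-ldap-sync-${env}"
$keytab_path          = "/etc/ldapadmin/ldap-sync-${env}.keytab"
$ticket_file_path     = "/var/run/ldap-sync-${env}.tkt"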
#notify { "k5start_service_name = k5start-ldap-sync-$env ; keytab_path = /etc/ldapadmin/ldap-sync-$env.keytab ; ticket_file_path = /var/run/ldap-sync-$env.tkt": }
# A directory where we put any configuration for ldap monitoring.
# A directory where we put any configuration for ldap monitoring.
# NOTE(review): this directory also receives the sync keytab ($keytab_path)
# and the ldap-group-maint.conf below, but no owner/group/mode is managed
# here, so it keeps whatever the package or umask gave it -- confirm the
# keytab itself is deployed 0600 and that only the k5start service user
# needs to traverse this directory.
file { '/etc/ldapadmin':
  ensure => directory,
}
# Set up a krb5 ticket keep-alive service for the above principal.
# Declare the systemd unit that keeps a ticket for the sync principal alive:
# it authenticates from $keytab_path and writes the cache to
# $ticket_file_path, which the sync script classes below read.
systemd_k5start { $k5start_service_name:
  ticket_file => $ticket_file_path,
  keytab      => $keytab_path,
  ensure      => present,
}
# Keep the k5start unit running and enabled at boot. The unit file comes from
# the systemd_k5start resource above, so order this service after it.
# NOTE(review): nothing here orders the service after the keytab at
# $keytab_path actually exists; confirm the wallet resource (or the
# systemd_k5start type) provides that, otherwise the unit fails until the
# keytab has been fetched.
service { $k5start_service_name:
  enable => true,
  ensure => running,
}
Systemd_K5start[$k5start_service_name] -> Service[$k5start_service_name]
# Add the service/ldap-$env keytab. This is single env only and carries accountsTreeWrite, peopleTreeWrite and groupsTreeWrite, i.e. write access to the accounts, people and groups trees -- so it belongs only on the hosts that actually run these syncs, and the wallet ACL for the principal should be limited to them.
path => $keytab_path,
primary => false,
require => Base::Wallet["host/$fqdn"],
ensure => present,
}
# several things use this, so put it here
## Service (listener)
# shared systemd plumbing; several of the sync service classes below rely on it
include s_ldap::base::systemd
# ldap-wg-maint.service
class { 'su_ldap::sync_scripts::ldap_wg_maint':
ldap_master_fqdn => $ldap_master_fqdn,
ticket_file_path => $ticket_file_path,

} else {
class { 'su_ldap::sync_scripts::ldap_wg_maint':
ensure => absent,
ldap_master_fqdn => $ldap_master_fqdn,
ticket_file_path => $ticket_file_path,
env => $env,

}
# ldap-group-maint.service
class { 'su_ldap::sync_scripts::ldap_group_maint':
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
} else {
class { 'su_ldap::sync_scripts::ldap_group_maint':
ensure => absent,
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
## This one is awkward. If the ldap-group-maint program is present, two
## modules need its base .conf file. Since there is no clean way to declare
## it in both places, the base conf file is managed here regardless of
## whether either of the syncs/remctls is present.
## We also need to define some basic settings for it.
# Only prod gets '0'; every other environment gets '1'. The value is consumed
# by the template below -- presumably it toggles gid generation (confirm in
# the .erb / the ldap-group-maint program).
$generate_gid = $env ? {
  'prod'  => '0',
  default => '1',
}
# Base config for ldap-group-maint, managed unconditionally (see above) once
# the /etc/ldapadmin directory exists.
file { '/etc/ldapadmin/ldap-group-maint.conf':
  ensure  => present,
  require => File['/etc/ldapadmin'],
  content => template('su_ldap/etc/ldapadmin/ldap-group-maint.conf.erb'),
}
# ldap-sync-sugal-attributes.service
if ($enable_ldap_sync_sugal_attributes) {
class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
} else {
class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
ensure => absent,
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
# ldap-sync-suprivilegegroup.service
if ($enable_ldap_sync_suprivilegegroup) {
class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
} else {
class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
ensure => absent,
env => $env,
ldap_master_fqdn => $ldap_master_fqdn,
# ldap-alias-maint
if ($enable_ldap_alias_maint) {
class { 'su_ldap::sync_scripts::ldap_alias_maint':
ldap_master_fqdn => $ldap_master_fqdn,
} else {
class { 'su_ldap::sync_scripts::ldap_alias_maint':
# One posix_account_sync instance per department. An array title declares all
# three with identical parameters; this expands to the same three resources.
su_ldap::sync_scripts::posix_account_sync { ['aeroastroarl', 'anesthesia', 'statistics']:
  ensure => present,
  env    => $env,
}
} else {
su_ldap::sync_scripts::posix_account_sync { 'aeroastroarl':
ensure => absent,
# Remove the remaining per-department instances when the sync is disabled;
# the array title expands to the same two resources.
su_ldap::sync_scripts::posix_account_sync { ['anesthesia', 'statistics']:
  ensure => absent,
  env    => $env,
}
# LDAP reports, run against the master. No ensure is passed here, so the
# class's own default applies (not visible in this fragment).
class { 'su_ldap::sync_scripts::ldap_reports':
  ldap_master_fqdn => $ldap_master_fqdn,
}
} else {
class { 'su_ldap::sync_scripts::ldap_reports':
ensure => absent,
## add another remctl driven sync
# LDAP posixgroup (ldap-posix-group)
# Install the remctl-driven posixgroup handler for this environment.
# NOTE(review): this is remotely invocable, so its remctl ACL (managed in the
# posixgroup class, not here) is the access boundary -- confirm it is limited.
class { 'su_ldap::ldapadmin::posixgroup':
  env    => $env,
  ensure => 'present',
}
} else {
# Remove the remctl-driven posixgroup handler when it is not enabled here.
class { 'su_ldap::ldapadmin::posixgroup':
  env    => $env,
  ensure => 'absent',
}
}