more work on ldap:/// and ldaps:///

cc579e02 · Adam Lewenberg · Linda J Laubenheimer · add8ac07 · cc579e02 · cc579e02
Commit cc579e02 authored 5 years ago by Adam Lewenberg Committed by Linda J Laubenheimer 5 years ago
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -15,6 +15,10 @@ class su_ldap::config (
  $basedir       = '/var/lib/ldap',
  $keytab_path   = '/etc/krb5.keytab',
  $krb5ccname    = '/var/run/ldap_syncreplica.tkt',
+  Boolean $auth_gssapi   = true,
+  Boolean $auth_simple   = true,
+  Boolean $ldap_over_tcp = true,
+  Boolean $ldap_over_tls = true,
 ) {

  # Set up some directories including the ones where the databases

--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -29,7 +29,15 @@
 # $repository: If the package is found in a non-standard location,
 #   you can indicate the repository here. See the file apt_setup for
 #   more information and examples.
-#
+
+# We default to enabling both connection methods (ldap:/// and ldaps:///)
+# for all servers regardless of which authentication method(s)
+# enabled. HOWEVER, ldap:/// is not safe for simple bind servers, so if
+# both ldap:/// and simple bind authentication are enabled it is
+# IMPERATIVE that you put firewall restrictions on port 389 so that only
+# monitoring or special-purpose servers get access to that port. This must
+# be done in the calling class.
+
 class su_ldap (
  $hosting_model = 'traditional',
  #
@@ -38,6 +46,9 @@ class su_ldap (
  $auth_gssapi    = true,
  $auth_simple    = true,
  #
+  $ldap_over_tcp  = true,  # enable ldap:///
+  $ldap_over_tls  = true,  # enable ldaps:///
+  #
  $ldap_debian_distribution = 'stretch',
  $ldap_debian_archive      = 'debian-stanford',
  $ldap_debian_repository   = undef,
@@ -76,6 +87,7 @@ class su_ldap (


  ## Basic configuration: /etc/ldap/ldap.conf, /etc/default/slapd, et al.
+  ## This is all managed in the su_ldap::config class.

  # Make sure /etc/ldap exists and is a directory.
  file { '/etc/ldap':
@@ -88,6 +100,10 @@ class su_ldap (
  class { 'su_ldap::config':
    hosting_model => $hosting_model,
    keytab_path   => $keytab_path,
+    auth_gssapi   => $auth_gssapi,
+    auth_simple   => $auth_simple,
+    ldap_over_tcp => $ldap_over_tcp,
+    ldap_over_tls => $ldap_over_tls,
  }

  ## We don't install the sync scripts in this class. If they are needed,

--- a/templates/etc/default/slapd.erb
+++ b/templates/etc/default/slapd.erb
@@ -39,5 +39,44 @@ ulimit -n 16384
 # Point at the new configuration directory
 SLAPD_CONF=/etc/ldap/slapd.d/

-# Listen on ports 389 and 636.
+<%-
+  $simple_over_389_warning =
+      "WARNING!!! Allowing simple bind authentication when ldap:/// is enabled "
+    + "is inherently unsafe UNLESS you have put firewall restrictions on port "
+    + "389 to only allow trusted servers (e.g., monitoring servers) to access "
+    + "port 389."
+
+  if (@ldap_over_tcp and @ldap_over_tls) then
+-%>
+# Accept connections via both of these:
+# * LDAP over TCP (ldap:///)
+# * LDAP over TLS (ldaps:///)
 SLAPD_SERVICES="ldap:/// ldaps:///"
+<%-
+    if (@auth_simple) then
+-%>
+<%= $simple_over_389_warning %>
+<%-
+    end
+  elsif (@ldap_over_tcp and (not @ldap_over_tls)) then
+-%>
+# Accept connections via LDAP over TCP (ldap:///) ONLY
+SLAPD_SERVICES="ldap:///"
+<%-
+    if (@auth_simple) then
+-%>
+<%= $simple_over_389_warning %>
+<%-
+    end
+  elsif ((not @ldap_over_tcp) and @ldap_over_tls) then
+-%>
+# Accept connections via LDAP over TLS (ldaps:///) ONLY
+SLAPD_SERVICES="ldaps:///"
+<%-
+  else
+-%>
+# PROBLEM!! No protocols have been specified!?!
+<%-
+  end
+-%>
+