A Chef repository for building the Grid environment.
Revision | f291e9961b4324f8e6cf8122bbb4983b81b6fbb7 (tree) |
---|---|
Time | 2016-01-16 13:03:02 |
Author | whitestar <whitestar@gaea...> |
Committer | whitestar |
rename openldap cookbook to openldap-grid.
@@ -0,0 +1,22 @@ | ||
1 | +# CHANGELOG for openldap-grid | |
2 | + | |
3 | +0.2.0 | |
4 | +----- | |
5 | +- rename cookbook. | |
6 | + | |
7 | +# CHANGELOG for openldap | |
8 | + | |
9 | +0.1.2 | |
10 | +----- | |
11 | +- add ['openldap']['server']['ldaps'] attribute. | |
12 | +- add ['openldap']['server']['KRB5_KTNAME'] attribute. | |
13 | + | |
14 | +0.1.1 | |
15 | +----- | |
16 | +- add server recipe. | |
17 | +- add linkage with ssl_cert cookbook. | |
18 | + | |
19 | +0.1.0 | |
20 | +----- | |
21 | +- Initial release of openldap | |
22 | + |
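Review bot: The 0.2.0 entry "rename cookbook." should say what did and did not change for users: the recipe names move to `openldap-grid::client`, `::server` and `::nss-ldapd`, while the attribute namespace stays `node['openldap']` (the attributes file in this commit still declares `default['openldap'][...]`), so existing role and environment attributes keep working but run_lists must be edited.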
@@ -0,0 +1,75 @@ | ||
1 | +openldap-grid Cookbook | |
2 | +================= | |
3 | + | |
4 | +This cookbook sets up OpenLDAP client, server and nss-ldapd. | |
5 | + | |
6 | +Requirements | |
7 | +------------ | |
8 | + | |
9 | +None. | |
10 | + | |
11 | +Attributes | |
12 | +---------- | |
13 | + | |
14 | +#### openldap::default | |
15 | +|Key|Type|Description, example|Default| | |
16 | +|:--|:--|:--|:--| | |
17 | +|`['openldap']['with_ssl_cert_cookbook']`|Boolean|make it work with ssl_cert cookbook. (ver. 0.1.1 or later)|`false`| | |
18 | +|`['openldap']['ssl_cert']['ca_name']`|String|CA name used by ssl_cert (ver. 0.1.1 or later)|`nil`| | |
19 | +|`['openldap']['ssl_cert']['common_name']`|String|Server common name useed by ssl_cert. (ver. 0.1.1 or later)|`node['fqdn']`| | |
20 | +|`['openldap']['client']['URI']`|String|ldap://ldap.example.com ldap://ldap-master.example.com:666|`nil`| | |
21 | +|`['openldap']['client']['BASE']`|String|dc=example,dc=com|`nil`| | |
22 | +|`['openldap']['client']['SIZELIMIT']`|String|12|`nil`| | |
23 | +|`['openldap']['client']['TIMELIMIT']`|String|15|`nil`| | |
24 | +|`['openldap']['client']['DEREF']`|String|never|`nil`| | |
25 | +|`['openldap']['client']['TLS_CACERT']`|String|/etc/ssl/certs/cacert.pem|`nil`| | |
26 | +|`['openldap']['client']['TLS_REQUEST']`|String|never,allow,try,demand*|`nil`| | |
27 | +|`['openldap']['client']['TLS_CHECKPEER']`|String|yes*,no|`nil`| | |
28 | +|`['openldap']['client']['SASL_MECH']`|String|GSSAPI|`nil`| | |
29 | +|`['openldap']['client']['<ldap.conf key>']`|String|other ldap.conf key|| | |
30 | +|`['openldap']['nss-ldapd']['uri']`|Strig||`ldap://127.0.0.1/`| | |
31 | +|`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`| | |
32 | +|`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key|| | |
33 | +|`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`| | |
34 | +|`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`| | |
35 | +|`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`| | |
36 | + | |
37 | +Usage | |
38 | +----- | |
39 | + | |
40 | +Just include `openldap-grid::recipe` in your node's `run_list`: | |
41 | + | |
42 | +```json | |
43 | +{ | |
44 | + "name":"my_node", | |
45 | + "run_list": [ | |
46 | + "recipe[openldap-grid::client]", | |
47 | + "recipe[openldap-grid::server]", | |
48 | + "recipe[openldap-grid::nss-ldapd]" | |
49 | + ] | |
50 | +} | |
51 | +``` | |
52 | + | |
53 | +#### with ssl_cert cookbook | |
54 | + | |
55 | +If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute. | |
56 | + | |
57 | +License and Authors | |
58 | +------------------- | |
59 | +- Author:: whitestar at osdn.jp | |
60 | + | |
61 | +```text | |
62 | +Copyright 2013-2016, whitestar | |
63 | + | |
64 | +Licensed under the Apache License, Version 2.0 (the "License"); | |
65 | +you may not use this file except in compliance with the License. | |
66 | +You may obtain a copy of the License at | |
67 | + | |
68 | + http://www.apache.org/licenses/LICENSE-2.0 | |
69 | + | |
70 | +Unless required by applicable law or agreed to in writing, software | |
71 | +distributed under the License is distributed on an "AS IS" BASIS, | |
72 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
73 | +See the License for the specific language governing permissions and | |
74 | +limitations under the License. | |
75 | +``` |
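Review bot: The attribute table documents `['openldap']['client']['TLS_REQUEST']`, but the attributes file and the recipe's `ldap_conf_keys` whitelist spell the key `TLS_REQCERT`, and the client recipe passes that list to the template as the set of rendered keys; a user following the README would set an attribute that never reaches ldap.conf, and this is the key that decides whether the server certificate is verified. Rename the row to `TLS_REQCERT` and state that leaving it unset keeps libldap's default of `demand`. Smaller doc points: the `#### openldap::default` heading and `openldap-grid::recipe` in Usage should use the post-rename names (`openldap-grid::default`, or the three recipes the JSON example lists); `useed` and `Strig` are typos; and the nss-ldapd row says `<nscd.conf key>` where the keys are nslcd.conf keys.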
@@ -0,0 +1,50 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap-grid | |
3 | +# Attributes:: default | |
4 | +# | |
5 | +# Copyright 2013-2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +default['openldap']['with_ssl_cert_cookbook'] = false | |
21 | +# If node['openldap']['with_ssl_cert_cookbook'] is true, | |
22 | +# node['openldap']['client']['TLS_CACERT'] and ['openldap']['nss-ldapd']['tls_cacertfile'] | |
23 | +# are overridden by the following 'ca_name' attributes. | |
24 | +default['openldap']['ssl_cert']['ca_name'] = nil | |
25 | +default['openldap']['ssl_cert']['common_name'] = node['fqdn'] | |
26 | + | |
27 | +default['openldap']['client']['URI'] = nil # ldap://ldap.example.com ldap://ldap-master.example.com:666 | |
28 | +default['openldap']['client']['BASE'] = nil # dc=example,dc=com | |
29 | +default['openldap']['client']['SIZELIMIT'] = nil # 12 | |
30 | +default['openldap']['client']['TIMELIMIT'] = nil # 15 | |
31 | +default['openldap']['client']['DEREF'] = nil # never | |
32 | +default['openldap']['client']['TLS_CACERT'] = nil # /etc/ssl/certs/cacert.pem | |
33 | +default['openldap']['client']['TLS_REQCERT'] = nil # never|allow|try|demand* | |
34 | +default['openldap']['client']['TLS_CHECKPEER'] = nil # yes*|no | |
35 | +default['openldap']['client']['SASL_MECH'] = nil # GSSAPI | |
36 | +default['openldap']['client']['TLS_CACERTDIR'] = node.value_for_platform_family( | |
37 | + 'debian' => nil, | |
38 | + 'rhel' => '/etc/openldap/certs' | |
39 | +) | |
40 | +#default['openldap']['client']['<ldap.conf keys>'] = ... | |
41 | + | |
42 | +default['openldap']['nss-ldapd']['uri'] = 'ldap://127.0.0.1/' | |
43 | +default['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net' | |
44 | +#default['openldap']['nss-ldapd']['<nslcd.conf keys>'] = ... | |
45 | +default['openldap']['ldap_lookup_nameservices'] = [] # e.g. ['passwd', 'group'] | |
46 | +#default['openldap'][''] = | |
47 | + | |
48 | +default['openldap']['server']['ldaps'] = false | |
49 | +default['openldap']['server']['KRB5_KTNAME'] = nil # e.g. '/etc/krb5.keytab' | |
50 | + |
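Review bot: The placeholder `#default['openldap'][''] =` near the end is leftover scaffolding and should be dropped. The comment above `ca_name` says `['openldap']['nss-ldapd']['tls_cacertfile']` is overridden when `with_ssl_cert_cookbook` is true, but no default for that key is declared; adding `default['openldap']['nss-ldapd']['tls_cacertfile'] = nil` next to `uri` and `base` documents it as a recognised key. A comment on `TLS_REQCERT` saying that `nil` keeps libldap's `demand` default, and that `never`/`allow` disable server certificate verification, would make the security-relevant choice visible where the attribute is set.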
@@ -0,0 +1,10 @@ | ||
1 | +name 'openldap-grid' | |
2 | +maintainer 'whitestar' | |
3 | +maintainer_email '' | |
4 | +license 'Apache 2.0' | |
5 | +description 'Installs/Configures openldap' | |
6 | +long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) | |
7 | +version '0.2.0' | |
8 | + | |
9 | +depends 'ssl_cert', '>= 0.1.5' | |
10 | + |
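Review bot: `description 'Installs/Configures openldap'` was not updated with the rename and omits that the cookbook also configures nss-ldapd; `maintainer_email ''` is better removed than left as an empty string. A short comment on `depends 'ssl_cert', '>= 0.1.5'` naming what is needed from it (the `*_cert_path` and `rhel.key_access_group` attributes the recipes read) would explain the version floor.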
@@ -0,0 +1,84 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap-grid | |
3 | +# Recipe:: client | |
4 | +# | |
5 | +# Copyright 2013-2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +ldap_conf_keys = [ | |
21 | + 'URI', | |
22 | + 'BASE', | |
23 | + 'BINDDN', | |
24 | + 'DEREF', | |
25 | + 'HOST', | |
26 | + 'NETWORK_TIMEOUT', | |
27 | + 'PORT', | |
28 | + 'REFERRALS', | |
29 | + 'SIZELIMIT', | |
30 | + 'TIMELIMIT', | |
31 | + 'TIMEOUT', | |
32 | + 'SASL_MECH', | |
33 | + 'SASL_REALM', | |
34 | + 'SASL_AUTHCID', | |
35 | + 'SASL_AUTHZID', | |
36 | + 'SASL_SECPROPS', | |
37 | + 'GSSAPI_SIGN', | |
38 | + 'GSSAPI_ENCRYPT', | |
39 | + 'GSSAPI_ALLOW_REMOTE_PRINCIPAL', | |
40 | + 'TLS_CACERT', | |
41 | + 'TLS_CACERTDIR', | |
42 | + 'TLS_CERT', | |
43 | + 'TLS_CHECKPEER', | |
44 | + 'TLS_KEY', | |
45 | + 'TLS_CIPHER_SUITE', | |
46 | + 'TLS_RANDFILE', | |
47 | + 'TLS_REQCERT', | |
48 | + 'TLS_CRLCHECK', | |
49 | + 'TLS_CRLFILE' | |
50 | +] | |
51 | + | |
52 | +if node['openldap']['with_ssl_cert_cookbook'] then | |
53 | + node.override['openldap']['client']['TLS_CACERT'] \ | |
54 | + = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] | |
55 | +end | |
56 | + | |
57 | +case node[:platform_family] | |
58 | + when 'debian' | |
59 | + pkg = 'ldap-utils' | |
60 | + resources(:package => pkg) rescue package pkg do | |
61 | + action :install | |
62 | + end | |
63 | + | |
64 | + template '/etc/ldap/ldap.conf' do | |
65 | + source 'etc/ldap/ldap.conf' | |
66 | + owner 'root' | |
67 | + group 'root' | |
68 | + mode '0644' | |
69 | + variables({'ldap_conf_keys' => ldap_conf_keys}) | |
70 | + end | |
71 | + when 'rhel' | |
72 | + pkg = 'openldap-clients' | |
73 | + resources(:package => pkg) rescue package pkg do | |
74 | + action :install | |
75 | + end | |
76 | + | |
77 | + template '/etc/openldap/ldap.conf' do | |
78 | + source 'etc/openldap/ldap.conf' | |
79 | + owner 'root' | |
80 | + group 'root' | |
81 | + mode '0644' | |
82 | + variables({'ldap_conf_keys' => ldap_conf_keys}) | |
83 | + end | |
84 | +end |
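Review bot: The `with_ssl_cert_cookbook` branch assigns `TLS_CACERT` from `node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]` without checking that `ca_name` was set; with the attribute's default of `nil` the lookup becomes `node['ssl_cert']['_cert_path']` and `TLS_CACERT` is silently overridden to nil, leaving the client with no trust anchor. Fail early instead, for example `Chef::Application.fatal!('openldap.ssl_cert.ca_name must be set') if node['openldap']['ssl_cert']['ca_name'].nil?`. Two smaller points: `resources(:package => pkg) rescue package pkg do ... end` rescues every exception rather than only `Chef::Exceptions::ResourceNotFound`, so an explicit `begin ... rescue Chef::Exceptions::ResourceNotFound` reads better; and the `case node[:platform_family]` has no `else`, so an unsupported platform converges without ldap.conf and without an error.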
@@ -0,0 +1,18 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap-grid | |
3 | +# Recipe:: default | |
4 | +# | |
5 | +# Copyright 2013-2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# |
@@ -0,0 +1,148 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap-grid | |
3 | +# Recipe:: nss-ldapd | |
4 | +# | |
5 | +# Copyright 2013-2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +nslcd_conf_keys = [ | |
21 | + 'threads', | |
22 | + #'uid', | |
23 | + #'gid', | |
24 | + 'uri', | |
25 | + 'ldap_version', | |
26 | + 'binddn', | |
27 | + 'bindpw', | |
28 | + 'rootpwmoddn', | |
29 | + 'sasl_mech', | |
30 | + 'sasl_realm', | |
31 | + 'sasl_authcid', | |
32 | + 'sasl_authzid', | |
33 | + 'sasl_secprops', | |
34 | + 'base', | |
35 | + 'scope', | |
36 | + 'deref', | |
37 | + 'referrals', | |
38 | + 'filter', | |
39 | + 'map', | |
40 | + 'bind_timelimit', | |
41 | + 'timelimit', | |
42 | + 'idle_timelimit', | |
43 | + 'reconnect_sleeptime', | |
44 | + 'reconnect_retrytime', | |
45 | + 'ssl', | |
46 | + 'tls_reqcert', | |
47 | + 'tls_cacertdir', | |
48 | + 'tls_cacertfile', | |
49 | + 'tls_randfile', | |
50 | + 'tls_ciphers', | |
51 | + 'tls_cert', | |
52 | + 'tls_key', | |
53 | + 'pagesize', | |
54 | + 'nss_initgroups_ignoreusers', | |
55 | + 'pam_authz_search' | |
56 | +] | |
57 | + | |
58 | +if node['openldap']['with_ssl_cert_cookbook'] then | |
59 | + node.override['openldap']['nss-ldapd']['tls_cacertfile'] \ | |
60 | + = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] | |
61 | +end | |
62 | + | |
63 | +case node[:platform_family] | |
64 | + when 'debian' | |
65 | + %w{ | |
66 | + libnss-ldapd | |
67 | + nscd | |
68 | + }.each {|pkg| | |
69 | + package pkg do | |
70 | + action :install | |
71 | + end | |
72 | + } | |
73 | + | |
74 | + service 'nslcd' do | |
75 | + action [:enable] | |
76 | + supports :status => true, :restart => true, :reload => false | |
77 | + end | |
78 | + | |
79 | + resources(:service => 'nscd') rescue service 'nscd' do | |
80 | + action [:enable] | |
81 | + supports :status => true, :restart => true, :reload => false | |
82 | + end | |
83 | + | |
84 | + template '/etc/nslcd.conf' do | |
85 | + source 'etc/nslcd.conf' | |
86 | + owner 'root' | |
87 | + group 'nslcd' | |
88 | + mode '0640' | |
89 | + variables({'nslcd_conf_keys' => nslcd_conf_keys}) | |
90 | + notifies :restart, 'service[nslcd]' | |
91 | + notifies :restart, 'service[nscd]' | |
92 | + end | |
93 | + when 'rhel' | |
94 | + package 'nss-pam-ldapd' do | |
95 | + action :install | |
96 | + end | |
97 | + | |
98 | + service 'nslcd' do | |
99 | + action [:enable] | |
100 | + supports :status => true, :restart => true, :reload => true | |
101 | + end | |
102 | + | |
103 | + resources(:service => 'nscd') rescue service 'nscd' do | |
104 | + action [:enable] | |
105 | + supports :status => true, :restart => true, :reload => true | |
106 | + end | |
107 | + | |
108 | + template '/etc/nslcd.conf' do | |
109 | + source 'etc/nslcd.conf' | |
110 | + owner 'root' | |
111 | + group 'root' | |
112 | + mode '0600' | |
113 | + variables({'nslcd_conf_keys' => nslcd_conf_keys}) | |
114 | + notifies :restart, 'service[nslcd]' | |
115 | + notifies :restart, 'service[nscd]' | |
116 | + end | |
117 | +end | |
118 | + | |
119 | +ruby_block 'configuring_nameservices' do | |
120 | + block do | |
121 | + conf_file = '/etc/nsswitch.conf' | |
122 | + nameservices = node['openldap']['ldap_lookup_nameservices'] | |
123 | + if !nameservices.nil? && !nameservices.empty? then | |
124 | + open(conf_file, 'r+') {|file| | |
125 | + file.flock(File::LOCK_EX) | |
126 | + is_modified = false | |
127 | + buf = '' | |
128 | + file.each {|line| | |
129 | + if line =~ /^(\w+):\s+(.*)$/ then | |
130 | + if nameservices.include?($1) && !$2.include?('ldap') | |
131 | + line.chomp! << " ldap\n" | |
132 | + is_modified = true | |
133 | + end | |
134 | + end | |
135 | + buf << line | |
136 | + } | |
137 | + if is_modified then | |
138 | + print "\nnew #{conf_file}: [#{buf}]" | |
139 | + file.rewind | |
140 | + file.puts buf | |
141 | + file.truncate(file.tell) | |
142 | + end | |
143 | + } | |
144 | + end | |
145 | + end | |
146 | + action :run | |
147 | + notifies :restart, 'service[nscd]' | |
148 | +end |
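Review bot: In the `configuring_nameservices` ruby_block, `line.chomp! << " ldap\n"` raises `NoMethodError` on nil whenever `chomp!` has nothing to remove, which is the case for a final line of /etc/nsswitch.conf without a trailing newline; use `line = line.chomp + " ldap\n"` (and `buf << line` afterwards) instead. The block also reports itself as updated on every run, so `notifies :restart, 'service[nscd]'` restarts nscd on each converge even when the file was not touched; move the "already contains ldap" check into a `not_if` guard, or use `Chef::Util::FileEdit`, and replace the `print` of the whole new file with `Chef::Log.info`. Separately, `bindpw` is an accepted `nslcd_conf_keys` entry, so its value lives in node attributes and is readable by anyone who can read the node object on the Chef server; the 0640/0600 template modes protect the rendered file but not the attribute, which the README should call out (an encrypted data bag is the usual answer).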
@@ -0,0 +1,103 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap-grid | |
3 | +# Recipe:: server | |
4 | +# | |
5 | +# Copyright 2016, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +case node[:platform_family] | |
21 | + when 'debian' | |
22 | + [ | |
23 | + 'slapd', | |
24 | + 'ldap-utils', | |
25 | + 'ssl-cert', | |
26 | + ].each {|pkg| | |
27 | + resources(:package => pkg) rescue package pkg do | |
28 | + action :install | |
29 | + end | |
30 | + } | |
31 | + | |
32 | + # for SSL server key access | |
33 | + group 'ssl-cert' do | |
34 | + action :modify | |
35 | + members 'openldap' | |
36 | + append true | |
37 | + end | |
38 | + | |
39 | + template "/etc/default/slapd" do | |
40 | + source "etc/default/slapd" | |
41 | + owner 'root' | |
42 | + group 'root' | |
43 | + mode '0644' | |
44 | + end | |
45 | + when 'rhel' | |
46 | + [ | |
47 | + 'openldap-servers', | |
48 | + 'openldap-clients', | |
49 | + ].each {|pkg| | |
50 | + resources(:package => pkg) rescue package pkg do | |
51 | + action :install | |
52 | + end | |
53 | + } | |
54 | + | |
55 | + # for SSL server key access | |
56 | + if node['openldap']['with_ssl_cert_cookbook'] \ | |
57 | + && node['ssl_cert']['rhel']['key_access_group'] != 'root' then | |
58 | + group node['ssl_cert']['rhel']['key_access_group'] do | |
59 | + action :modify | |
60 | + members 'ldap' | |
61 | + append true | |
62 | + end | |
63 | + end | |
64 | + | |
65 | + template "/etc/sysconfig/ldap" do | |
66 | + source "etc/sysconfig/ldap" | |
67 | + owner 'root' | |
68 | + group 'root' | |
69 | + mode '0644' | |
70 | + end | |
71 | +end | |
72 | + | |
73 | +# deploy ldif file for TLS settings. | |
74 | +if node['openldap']['with_ssl_cert_cookbook'] then | |
75 | + [ | |
76 | + '00_olc-add-ldaps.ldif', | |
77 | + '00_olc-mod-ldaps.ldif', | |
78 | + ].each {|ldif| | |
79 | + template "/etc/ldap/#{ldif}" do | |
80 | + source "etc/ldap/#{ldif}" | |
81 | + owner 'root' | |
82 | + group 'root' | |
83 | + mode '0644' | |
84 | + end | |
85 | + } | |
86 | +end | |
87 | + | |
88 | +service 'slapd' do | |
89 | + #action [:enable, :start] | |
90 | + action [:enable] | |
91 | + supports :status => true, :restart => true, :reload => false | |
92 | +end | |
93 | + | |
94 | +log <<-EOM | |
95 | +Note: | |
96 | +You must setup OpenLDAP configurations in the first installation: | |
97 | + [Debian] | |
98 | + $ sudo sudo dpkg-reconfigure -plow slapd | |
99 | + [CentOS] | |
100 | + edit /etc/openldap/slap.d configurations | |
101 | + $ sudo service slapd restart | |
102 | +EOM | |
103 | + |
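Review bot: The ldif deployment loop after the `case` writes to `/etc/ldap/#{ldif}` for every platform family, but the rhel branch keeps its OpenLDAP configuration under `/etc/openldap` and `/etc/ldap` does not exist there, so the `template` resource fails on RHEL whenever `with_ssl_cert_cookbook` is true; derive the directory from `node[:platform_family]` as the ldap.conf templates in the client recipe do. In the `log` message, `sudo sudo dpkg-reconfigure` doubles `sudo` and `/etc/openldap/slap.d` should read `slapd.d`. The `group ... members 'openldap'` / `members 'ldap'` blocks are what let slapd read the private key; a comment noting that this grants the slapd user read access to every key guarded by that group would make the scope of the change clear.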
@@ -0,0 +1,61 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap | |
3 | +# Recipe Spec:: client_spec | |
4 | +# | |
5 | +# Copyright 2015, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +require_relative '../spec_helper' | |
21 | + | |
22 | +describe 'openldap::client' do | |
23 | + let(:chef_run_on_debian) { | |
24 | + ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node| | |
25 | + node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com' | |
26 | + node.set['openldap']['client']['BASE'] = 'dc=example,dc=com' | |
27 | + }.converge(described_recipe) | |
28 | + } | |
29 | + | |
30 | + it 'installs ldap-utils package on debian family.' do | |
31 | + expect(chef_run_on_debian).to install_package('ldap-utils') | |
32 | + end | |
33 | + | |
34 | + it 'renders /etc/ldap/ldap.conf on debian family.' do | |
35 | + expected = expect(chef_run_on_debian) | |
36 | + expected.to render_file('/etc/ldap/ldap.conf'). | |
37 | + with_content(%r|^URI\s+ldap://ldap\.example\.com$|) | |
38 | + expected.to render_file('/etc/ldap/ldap.conf'). | |
39 | + with_content(%r|^BASE\s+dc=example,dc=com$|) | |
40 | + end | |
41 | + | |
42 | + let(:chef_run_on_rhel) { | |
43 | + ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node| | |
44 | + node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com' | |
45 | + node.set['openldap']['client']['BASE'] = 'dc=example,dc=com' | |
46 | + }.converge(described_recipe) | |
47 | + } | |
48 | + | |
49 | + it 'installs openldap-clients on rhel family.' do | |
50 | + expect(chef_run_on_rhel).to install_package('openldap-clients') | |
51 | + end | |
52 | + | |
53 | + it 'renders /etc/openldap/ldap.conf on rhel family.' do | |
54 | + expected = expect(chef_run_on_rhel) | |
55 | + expected.to render_file('/etc/openldap/ldap.conf'). | |
56 | + with_content(%r|^URI\s+ldap://ldap\.example\.com$|) | |
57 | + expected.to render_file('/etc/openldap/ldap.conf'). | |
58 | + with_content(%r|^BASE\s+dc=example,dc=com$|) | |
59 | + end | |
60 | +end | |
61 | + |
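Review bot: `describe 'openldap::client'` (and the `Cookbook Name:: openldap` header) still use the pre-rename name, so `described_recipe` resolves to `openldap::client`, which no longer exists after this commit and the spec cannot converge; change it to `openldap-grid::client`. A further case with `with_ssl_cert_cookbook` set to true, asserting that `TLS_CACERT` is rendered from the ssl_cert path, would cover the override logic the recipe adds.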
@@ -0,0 +1,101 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap | |
3 | +# Recipe Spec:: nss-ldapd_spec | |
4 | +# | |
5 | +# Copyright 2015, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +require_relative '../spec_helper' | |
21 | + | |
22 | +describe 'openldap::nss-ldapd' do | |
23 | + let(:chef_run_on_debian) { | |
24 | + ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node| | |
25 | + node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net' | |
26 | + node.set['openldap']['nss-ldapd']['invalid_key'] = 'value' | |
27 | + }.converge(described_recipe) | |
28 | + } | |
29 | + | |
30 | + it 'installs libnss-ldapd and nscd packages on debian family.' do | |
31 | + expected = expect(chef_run_on_debian) | |
32 | + expected.to install_package('libnss-ldapd') | |
33 | + expected.to enable_service('nslcd') | |
34 | + expected.to install_package('nscd') | |
35 | + expected.to enable_service('nscd') | |
36 | + end | |
37 | + | |
38 | + it 'renders /etc/nslcd.conf on debian family.' do | |
39 | + expected = expect(chef_run_on_debian) | |
40 | + expected.to render_file('/etc/nslcd.conf'). | |
41 | + with_content(%r|^base\s+dc=example,dc=net$|) | |
42 | + expected.to_not render_file('/etc/nslcd.conf'). | |
43 | + with_content(%r|^invalid_key\s+value$|) | |
44 | + end | |
45 | + | |
46 | + it 'notifies nslcd and nscd service\'s restart after rendering on debian family.' do | |
47 | + expected = expect(chef_run_on_debian.template('/etc/nslcd.conf')) | |
48 | + expected.to notify('service[nslcd]').to(:restart).delayed | |
49 | + expected.to notify('service[nscd]').to(:restart).delayed | |
50 | + end | |
51 | + | |
52 | + it 'creates ruby_block on debian family.' do | |
53 | + expected = expect(chef_run_on_debian) | |
54 | + expected.to run_ruby_block('configuring_nameservices') | |
55 | + end | |
56 | + | |
57 | + it 'notifies nscd service\'s restart after creating ruby_block on debian family.' do | |
58 | + expected = expect(chef_run_on_debian.ruby_block('configuring_nameservices')) | |
59 | + expected.to notify('service[nscd]').to(:restart).delayed | |
60 | + end | |
61 | + | |
62 | + let(:chef_run_on_rhel) { | |
63 | + ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node| | |
64 | + node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net' | |
65 | + node.set['openldap']['nss-ldapd']['invalid_key'] = 'value' | |
66 | + }.converge(described_recipe) | |
67 | + } | |
68 | + | |
69 | + it 'installs nss-pam-ldapd on rhel family.' do | |
70 | + expected = expect(chef_run_on_rhel) | |
71 | + expected.to install_package('nss-pam-ldapd') | |
72 | + expected.to enable_service('nslcd') | |
73 | + expected.to enable_service('nscd') | |
74 | + end | |
75 | + | |
76 | + it 'renders /etc/nslcd.conf on rhel family.' do | |
77 | + expected = expect(chef_run_on_rhel) | |
78 | + expected.to create_template('/etc/nslcd.conf').with(mode: '0600') | |
79 | + expected.to render_file('/etc/nslcd.conf'). | |
80 | + with_content(%r|^base\s+dc=example,dc=net$|) | |
81 | + expected.to_not render_file('/etc/nslcd.conf'). | |
82 | + with_content(%r|^invalid_key\s+value$|) | |
83 | + end | |
84 | + | |
85 | + it 'notifies nslcd and nscd service\'s restart after rendering on rhel family.' do | |
86 | + expected = expect(chef_run_on_rhel.template('/etc/nslcd.conf')) | |
87 | + expected.to notify('service[nslcd]').to(:restart).delayed | |
88 | + expected.to notify('service[nscd]').to(:restart).delayed | |
89 | + end | |
90 | + | |
91 | + it 'creates ruby_block on rhel family.' do | |
92 | + expected = expect(chef_run_on_rhel) | |
93 | + expected.to run_ruby_block('configuring_nameservices') | |
94 | + end | |
95 | + | |
96 | + it 'notifies nscd service\'s restart after creating ruby_block on rhel family.' do | |
97 | + expected = expect(chef_run_on_rhel.ruby_block('configuring_nameservices')) | |
98 | + expected.to notify('service[nscd]').to(:restart).delayed | |
99 | + end | |
100 | +end | |
101 | + |
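Review bot: Same rename problem as the client spec: `describe 'openldap::nss-ldapd'` must become `openldap-grid::nss-ldapd` for `described_recipe` to resolve. The `invalid_key` negative assertion is a good check of the key whitelist; the rhel case asserts `mode: '0600'` for `/etc/nslcd.conf`, and a matching Debian assertion on group `nslcd` and mode `0640` would cover the permission that keeps `bindpw` from being world-readable.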
@@ -0,0 +1,46 @@ | ||
1 | +# | |
2 | +# Cookbook Name:: openldap | |
3 | +# Recipe Spec:: spec_helper | |
4 | +# | |
5 | +# Copyright 2015, whitestar | |
6 | +# | |
7 | +# Licensed under the Apache License, Version 2.0 (the "License"); | |
8 | +# you may not use this file except in compliance with the License. | |
9 | +# You may obtain a copy of the License at | |
10 | +# | |
11 | +# http://www.apache.org/licenses/LICENSE-2.0 | |
12 | +# | |
13 | +# Unless required by applicable law or agreed to in writing, software | |
14 | +# distributed under the License is distributed on an "AS IS" BASIS, | |
15 | +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
16 | +# See the License for the specific language governing permissions and | |
17 | +# limitations under the License. | |
18 | +# | |
19 | + | |
20 | +# Added by ChefSpec | |
21 | +require 'chefspec' | |
22 | + | |
23 | +# Uncomment to use ChefSpec's Berkshelf extension | |
24 | +#require 'chefspec/berkshelf' | |
25 | + | |
26 | +ChefSpec::Coverage.start! | |
27 | + | |
28 | +RSpec.configure do |config| | |
29 | + # Specify the path for Chef Solo to find cookbooks | |
30 | + #config.cookbook_path = "#{File.dirname(__FILE__)}/../../cookbooks" | |
31 | + | |
32 | + # Specify the path for Chef Solo to find roles | |
33 | + # config.role_path = '/var/roles' | |
34 | + | |
35 | + # Specify the Chef log_level (default: :warn) | |
36 | + # config.log_level = :debug | |
37 | + | |
38 | + # Specify the path to a local JSON file with Ohai data | |
39 | + # config.path = 'ohai.json' | |
40 | + | |
41 | + # Specify the operating platform to mock Ohai data from | |
42 | + # config.platform = 'ubuntu' | |
43 | + | |
44 | + # Specify the operating version to mock Ohai data from | |
45 | + # config.version = '12.04' | |
46 | +end |
@@ -0,0 +1,142 @@ | ||
1 | +# This is the configuration file for the LDAP nameservice | |
2 | +# switch library's nslcd daemon. It configures the mapping | |
3 | +# between NSS names (see /etc/nsswitch.conf) and LDAP | |
4 | +# information in the directory. | |
5 | +# See the manual page nslcd.conf(5) for more information. | |
6 | + | |
7 | +# The uri pointing to the LDAP server to use for name lookups. | |
8 | +# Multiple entries may be specified. The address that is used | |
9 | +# here should be resolvable without using LDAP (obviously). | |
10 | +#uri ldap://127.0.0.1/ | |
11 | +#uri ldaps://127.0.0.1/ | |
12 | +#uri ldapi://%2fvar%2frun%2fldapi_sock/ | |
13 | +# Note: %2f encodes the '/' used as directory separator | |
14 | +# uri ldap://127.0.0.1/ | |
15 | + | |
16 | +# The LDAP version to use (defaults to 3 | |
17 | +# if supported by client library) | |
18 | +#ldap_version 3 | |
19 | + | |
20 | +# The distinguished name of the search base. | |
21 | +# base dc=example,dc=com | |
22 | + | |
23 | +# The distinguished name to bind to the server with. | |
24 | +# Optional: default is to bind anonymously. | |
25 | +#binddn cn=proxyuser,dc=example,dc=com | |
26 | + | |
27 | +# The credentials to bind with. | |
28 | +# Optional: default is no credentials. | |
29 | +# Note that if you set a bindpw you should check the permissions of this file. | |
30 | +#bindpw secret | |
31 | + | |
32 | +# The distinguished name to perform password modifications by root by. | |
33 | +#rootpwmoddn cn=admin,dc=example,dc=com | |
34 | + | |
35 | +# The default search scope. | |
36 | +#scope sub | |
37 | +#scope one | |
38 | +#scope base | |
39 | + | |
40 | +# Customize certain database lookups. | |
41 | +#base group ou=Groups,dc=example,dc=com | |
42 | +#base passwd ou=People,dc=example,dc=com | |
43 | +#base shadow ou=People,dc=example,dc=com | |
44 | +#scope group onelevel | |
45 | +#scope hosts sub | |
46 | + | |
47 | +# Bind/connect timelimit. | |
48 | +#bind_timelimit 30 | |
49 | + | |
50 | +# Search timelimit. | |
51 | +#timelimit 30 | |
52 | + | |
53 | +# Idle timelimit. nslcd will close connections if the | |
54 | +# server has not been contacted for the number of seconds. | |
55 | +#idle_timelimit 3600 | |
56 | + | |
57 | +# Use StartTLS without verifying the server certificate. | |
58 | +#ssl start_tls | |
59 | +#tls_reqcert never | |
60 | + | |
61 | +# CA certificates for server certificate verification | |
62 | +#tls_cacertdir /etc/ssl/certs | |
63 | +#tls_cacertfile /etc/ssl/ca.cert | |
64 | + | |
65 | +# Seed the PRNG if /dev/urandom is not provided | |
66 | +#tls_randfile /var/run/egd-pool | |
67 | + | |
68 | +# SSL cipher suite | |
69 | +# See man ciphers for syntax | |
70 | +#tls_ciphers TLSv1 | |
71 | + | |
72 | +# Client certificate and key | |
73 | +# Use these, if your server requires client authentication. | |
74 | +#tls_cert | |
75 | +#tls_key | |
76 | + | |
77 | +# NDS mappings | |
78 | +#map group uniqueMember member | |
79 | + | |
80 | +# Mappings for Services for UNIX 3.5 | |
81 | +#filter passwd (objectClass=User) | |
82 | +#map passwd uid msSFU30Name | |
83 | +#map passwd userPassword msSFU30Password | |
84 | +#map passwd homeDirectory msSFU30HomeDirectory | |
85 | +#map passwd homeDirectory msSFUHomeDirectory | |
86 | +#filter shadow (objectClass=User) | |
87 | +#map shadow uid msSFU30Name | |
88 | +#map shadow userPassword msSFU30Password | |
89 | +#filter group (objectClass=Group) | |
90 | +#map group uniqueMember msSFU30PosixMember | |
91 | + | |
92 | +# Mappings for Services for UNIX 2.0 | |
93 | +#filter passwd (objectClass=User) | |
94 | +#map passwd uid msSFUName | |
95 | +#map passwd userPassword msSFUPassword | |
96 | +#map passwd homeDirectory msSFUHomeDirectory | |
97 | +#map passwd gecos msSFUName | |
98 | +#filter shadow (objectClass=User) | |
99 | +#map shadow uid msSFUName | |
100 | +#map shadow userPassword msSFUPassword | |
101 | +#map shadow shadowLastChange pwdLastSet | |
102 | +#filter group (objectClass=Group) | |
103 | +#map group uniqueMember posixMember | |
104 | + | |
105 | +# Mappings for Active Directory | |
106 | +#pagesize 1000 | |
107 | +#referrals off | |
108 | +#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | |
109 | +#map passwd uid sAMAccountName | |
110 | +#map passwd homeDirectory unixHomeDirectory | |
111 | +#map passwd gecos displayName | |
112 | +#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)) | |
113 | +#map shadow uid sAMAccountName | |
114 | +#map shadow shadowLastChange pwdLastSet | |
115 | +#filter group (objectClass=group) | |
116 | +#map group uniqueMember member | |
117 | + | |
118 | +# Mappings for AIX SecureWay | |
119 | +#filter passwd (objectClass=aixAccount) | |
120 | +#map passwd uid userName | |
121 | +#map passwd userPassword passwordChar | |
122 | +#map passwd uidNumber uid | |
123 | +#map passwd gidNumber gid | |
124 | +#filter group (objectClass=aixAccessGroup) | |
125 | +#map group cn groupName | |
126 | +#map group uniqueMember member | |
127 | +#map group gidNumber gid | |
128 | +uid nslcd | |
129 | +gid ldap | |
130 | +# This comment prevents repeated auto-migration of settings. | |
131 | +#uri ldap://127.0.0.1/ | |
132 | +#base dc=example,dc=com | |
133 | + | |
134 | +<% | |
135 | +node['openldap']['nss-ldapd'].each do |key, value| | |
136 | + if @nslcd_conf_keys.include?(key) && !value.nil? && !value.empty? then | |
137 | +-%> | |
138 | +<%= key %> <%= value %> | |
139 | +<% | |
140 | + end | |
141 | +end | |
142 | +-%> |
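Review bot: the guard `!value.nil? && !value.empty?` in the loop at the end of the template assumes every value in `node['openldap']['nss-ldapd']` is a String; an Integer value (for example `idle_timelimit` set as `3600` rather than `'3600'`) raises NoMethodError during the Chef run, so `!value.to_s.empty?` is the safer test. The static `uid nslcd` / `gid ldap` lines just above the loop also mean that a `uid` or `gid` key in the attribute hash renders a second, conflicting directive; either exclude those two keys from `@nslcd_conf_keys` or drop the static lines and set them through attributes.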
@@ -0,0 +1,23 @@ | ||
1 | +# | |
2 | +# LDAP Defaults | |
3 | +# | |
4 | + | |
5 | +# See ldap.conf(5) for details | |
6 | +# This file should be world readable but not world writable. | |
7 | + | |
8 | +#BASE dc=example,dc=com | |
9 | +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 | |
10 | + | |
11 | +#SIZELIMIT 12 | |
12 | +#TIMELIMIT 15 | |
13 | +#DEREF never | |
14 | + | |
15 | +<% | |
16 | +node['openldap']['client'].each do |key, value| | |
17 | + if @ldap_conf_keys.include?(key) && !value.nil? && !value.empty? then | |
18 | +-%> | |
19 | +<%= key %> <%= value %> | |
20 | +<% | |
21 | + end | |
22 | +end | |
23 | +-%> |
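Review bot: same String-only guard as in the nslcd template: `!value.empty?` raises for a non-String value such as `SIZELIMIT` given as the Integer `12`; use `!value.to_s.empty?`. The `then` after a multi-line `if` is also unnecessary in Ruby.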
@@ -0,0 +1,41 @@ | ||
1 | +# Options of slapd (see man slapd) | |
2 | +#SLAPD_OPTIONS= | |
3 | + | |
4 | +# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'! | |
5 | +# | |
6 | +# Run slapd with -h "... ldap:/// ..." | |
7 | +# yes/no, default: yes | |
8 | +SLAPD_LDAP=yes | |
9 | + | |
10 | +# Run slapd with -h "... ldapi:/// ..." | |
11 | +# yes/no, default: yes | |
12 | +SLAPD_LDAPI=yes | |
13 | + | |
14 | +# Run slapd with -h "... ldaps:/// ..." | |
15 | +# yes/no, default: no | |
16 | +<% | |
17 | +ldaps = 'no' | |
18 | +if node['openldap']['server']['ldaps'] == true then | |
19 | + ldaps = 'yes' | |
20 | +end | |
21 | +-%> | |
22 | +SLAPD_LDAPS=<%= ldaps %> | |
23 | + | |
24 | +# Run slapd with -h "... $SLAPD_URLS ..." | |
25 | +# This option could be used instead of previous three ones, but: | |
26 | +# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options | |
27 | +# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options | |
28 | +# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///" | |
29 | +# default: empty | |
30 | +#SLAPD_URLS="" | |
31 | + | |
32 | +# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds) | |
33 | +#SLAPD_SHUTDOWN_TIMEOUT=3 | |
34 | + | |
35 | +# Parameters to ulimit, use to change system limits for slapd | |
36 | +#SLAPD_ULIMIT_SETTINGS="" | |
37 | + | |
38 | +<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%> | |
39 | +export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %> | |
40 | +<% end -%> | |
41 | + |
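Review bot: the `KRB5_KTNAME` block at the end only checks `nil?`, so an empty-string attribute renders `export KRB5_KTNAME=` and points slapd's SASL/GSSAPI layer at an empty keytab path instead of leaving the default in place; test for `empty?` as well, as the client templates do, and quote the value (`export KRB5_KTNAME="<%= node['openldap']['server']['KRB5_KTNAME'] %>"`) so a path containing spaces is not split by the shell.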
@@ -0,0 +1,54 @@ | ||
1 | +# Default location of the slapd.conf file or slapd.d cn=config directory. If | |
2 | +# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to | |
3 | +# /etc/ldap/slapd.conf). | |
4 | +SLAPD_CONF= | |
5 | + | |
6 | +# System account to run the slapd server under. If empty the server | |
7 | +# will run as root. | |
8 | +SLAPD_USER="openldap" | |
9 | + | |
10 | +# System group to run the slapd server under. If empty the server will | |
11 | +# run in the primary group of its user. | |
12 | +SLAPD_GROUP="openldap" | |
13 | + | |
14 | +# Path to the pid file of the slapd server. If not set the init.d script | |
15 | +# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by | |
16 | +# default) | |
17 | +SLAPD_PIDFILE= | |
18 | + | |
19 | +# slapd normally serves ldap only on all TCP-ports 389. slapd can also | |
20 | +# service requests on TCP-port 636 (ldaps) and requests via unix | |
21 | +# sockets. | |
22 | +# Example usage: | |
23 | +# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" | |
24 | +<% | |
25 | +services = 'ldap:/// ldapi:///' | |
26 | +if node['openldap']['server']['ldaps'] == true then | |
27 | + services = "#{services} ldaps:///" | |
28 | +end | |
29 | +-%> | |
30 | +SLAPD_SERVICES="<%= services %>" | |
31 | + | |
32 | +# If SLAPD_NO_START is set, the init script will not start or restart | |
33 | +# slapd (but stop will still work). Uncomment this if you are | |
34 | +# starting slapd via some other means or if you don't want slapd normally | |
35 | +# started at boot. | |
36 | +#SLAPD_NO_START=1 | |
37 | + | |
38 | +# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists, | |
39 | +# the init script will not start or restart slapd (but stop will still | |
40 | +# work). Use this for temporarily disabling startup of slapd (when doing | |
41 | +# maintenance, for example, or through a configuration management system) | |
42 | +# when you don't want to edit a configuration file. | |
43 | +SLAPD_SENTINEL_FILE=/etc/ldap/noslapd | |
44 | + | |
45 | +# For Kerberos authentication (via SASL), slapd by default uses the system | |
46 | +# keytab file (/etc/krb5.keytab). To use a different keytab file, | |
47 | +# uncomment this line and change the path. | |
48 | +#export KRB5_KTNAME=/etc/krb5.keytab | |
49 | +<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%> | |
50 | +export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %> | |
51 | +<% end -%> | |
52 | + | |
53 | +# Additional options to pass to slapd | |
54 | +SLAPD_OPTIONS="" |
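Review bot: `SLAPD_SERVICES` is always built from `ldap:/// ldapi:///`, so slapd keeps accepting cleartext LDAP on every interface even when `ldaps` is turned on; the `ldap://127.0.0.1:389/` form in the comment just above shows how to restrict cleartext to loopback, so consider driving the listener list from an attribute instead of the fixed string. The `KRB5_KTNAME` export at the end has the same nil-only guard and unquoted value as the sysconfig template and should get the same `empty?` check and quoting.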
@@ -0,0 +1,10 @@ | ||
1 | +# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-add-ldaps.ldif | |
2 | +dn: cn=config | |
3 | +add: olcTLSCACertificateFile | |
4 | +olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %> | |
5 | +- | |
6 | +add: olcTLSCertificateKeyFile | |
7 | +olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %> | |
8 | +- | |
9 | +add: olcTLSCertificateFile | |
10 | +olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %> |
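Review bot: the record sets `olcTLSCertificateKeyFile` before `olcTLSCertificateFile`; slapd checks the key against the certificate when the key attribute is applied, and applying the key first is known to fail with `Other (e.g., implementation specific) error (80)` on some OpenLDAP versions, so list `olcTLSCertificateFile` before the key file. Unlike `00_olc-mod-ldaps.ldif`, this record also omits `changetype: modify` and relies on ldapmodify's default, and when `['openldap']['ssl_cert']['ca_name']` is unset the lookup key degrades to `_cert_path` and renders an empty `olcTLSCACertificateFile:` value; failing the template early when either attribute is missing would give a clearer error than a rejected LDIF.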
@@ -0,0 +1,11 @@ | ||
1 | +# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-mod-ldaps.ldif | |
2 | +dn: cn=config | |
3 | +changetype: modify | |
4 | +replace: olcTLSCACertificateFile | |
5 | +olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %> | |
6 | +- | |
7 | +replace: olcTLSCertificateKeyFile | |
8 | +olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %> | |
9 | +- | |
10 | +replace: olcTLSCertificateFile | |
11 | +olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %> |
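Review bot: same attribute order as the add LDIF: `olcTLSCertificateKeyFile` is replaced before `olcTLSCertificateFile`, so put the certificate first. Since an LDAP `replace` creates the attribute when it is absent, this record alone already covers the initial-setup case that `00_olc-add-ldaps.ldif` handles; keeping a single LDIF would avoid two files that must be kept in sync.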
@@ -0,0 +1,23 @@ | ||
1 | +# | |
2 | +# LDAP Defaults | |
3 | +# | |
4 | + | |
5 | +# See ldap.conf(5) for details | |
6 | +# This file should be world readable but not world writable. | |
7 | + | |
8 | +#BASE dc=example,dc=com | |
9 | +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 | |
10 | + | |
11 | +#SIZELIMIT 12 | |
12 | +#TIMELIMIT 15 | |
13 | +#DEREF never | |
14 | + | |
15 | +<% | |
16 | +node['openldap']['client'].each do |key, value| | |
17 | + if @ldap_conf_keys.include?(key) && !value.nil? && !value.empty? then | |
18 | +-%> | |
19 | +<%= key %> <%= value %> | |
20 | +<% | |
21 | + end | |
22 | +end | |
23 | +-%> |
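Review bot: this ldap.conf template is byte-for-byte identical to the one earlier in this commit, loop and guard included; keep one copy under the default template directory rather than maintaining a per-platform duplicate, and apply the `!value.to_s.empty?` fix in whichever copy remains.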
@@ -0,0 +1,40 @@ | ||
1 | +# /etc/nslcd.conf | |
2 | +# nslcd configuration file. See nslcd.conf(5) | |
3 | +# for details. | |
4 | + | |
5 | +# The user and group nslcd should run as. | |
6 | +uid nslcd | |
7 | +gid nslcd | |
8 | + | |
9 | +# The location at which the LDAP server(s) should be reachable. | |
10 | +#uri ldap://127.0.0.1/ | |
11 | + | |
12 | +# The search base that will be used for all queries. | |
13 | +#base dc=example,dc=net/ | |
14 | + | |
15 | +# The LDAP protocol version to use. | |
16 | +#ldap_version 3 | |
17 | + | |
18 | +# The DN to bind with for normal lookups. | |
19 | +#binddn cn=annonymous,dc=example,dc=net | |
20 | +#bindpw secret | |
21 | + | |
22 | +# The DN used for password modifications by root. | |
23 | +#rootpwmoddn cn=admin,dc=example,dc=com | |
24 | + | |
25 | +# SSL options | |
26 | +#ssl off | |
27 | +#tls_reqcert never | |
28 | + | |
29 | +# The search scope. | |
30 | +#scope sub | |
31 | + | |
32 | +<% | |
33 | +node['openldap']['nss-ldapd'].each do |key, value| | |
34 | + if @nslcd_conf_keys.include?(key) && !value.nil? && !value.empty? then | |
35 | +-%> | |
36 | +<%= key %> <%= value %> | |
37 | +<% | |
38 | + end | |
39 | +end | |
40 | +-%> |
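Review bot: the commented `#bindpw secret` example shows this file carries the bind password once `bindpw` is among `@nslcd_conf_keys` and set in `node['openldap']['nss-ldapd']`; the template resource that renders it should therefore use a restrictive owner and mode (for example root with 0640 and the nslcd group, since nslcd reads the file before dropping to the `uid nslcd` / `gid nslcd` set above) so the credential is not world-readable. This copy also sets `gid nslcd` where the other nslcd.conf template sets `gid ldap`; if that is a deliberate platform difference, a comment saying so would help.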
@@ -1,5 +1,9 @@ | ||
1 | 1 | # CHANGELOG for openldap |
2 | 2 | |
3 | +0.2.0 | |
4 | +----- | |
5 | +- The final release. This cookbook is deprecated. | |
6 | + | |
3 | 7 | 0.1.2 |
4 | 8 | ----- |
5 | 9 | - add ['openldap']['server']['ldaps'] attribute. |
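Review bot: the 0.2.0 entry says the cookbook is deprecated but not what replaces it; name the successor (`openldap-grid`, as the README change in this commit does) so someone reading the changelog alone knows where to migrate.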
@@ -1,6 +1,8 @@ | ||
1 | 1 | openldap Cookbook |
2 | 2 | ================= |
3 | 3 | |
4 | +**DEPRECATED**: All features were ported to the `openldap-grid` cookbook. | |
5 | + | |
4 | 6 | This cookbook sets up OpenLDAP client, server and nss-ldapd. |
5 | 7 | |
6 | 8 | Requirements |
@@ -52,7 +54,7 @@ Just include `openldap::recipe` in your node's `run_list`: | ||
52 | 54 | |
53 | 55 | #### with ssl_cert cookbook |
54 | 56 | |
55 | -If node['openldap']['with_ssl_cert_cookbook'] is true, node['openldap']['client']['TLS_CACERT'] and node['openldap']['nss-ldapd']['tls_cacertfile'] are overridden by the file path based on ['openldap']['ssl_cert']['ca_name'] attribute. | |
57 | +If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute. | |
56 | 58 | |
57 | 59 | License and Authors |
58 | 60 | ------------------- |
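Review bot: the rewritten sentence still mixes `node['openldap'][...]` for the first three references with the bare `['openldap']['ssl_cert']['ca_name']` for the last; use the `node[...]` form throughout. Wording nit: "based on the ... attribute" reads better as "derived from the ... attribute".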
@@ -4,7 +4,7 @@ maintainer_email '' | ||
4 | 4 | license 'Apache 2.0' |
5 | 5 | description 'Installs/Configures openldap' |
6 | 6 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) |
7 | -version '0.1.2' | |
7 | +version '0.2.0' | |
8 | 8 | |
9 | 9 | depends 'ssl_cert', '>= 0.1.5' |
10 | 10 |
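Review bot: only `version` changes, so `description 'Installs/Configures openldap'` still advertises a deprecated cookbook in metadata listings that do not show `long_description`; consider noting the deprecation and the `openldap-grid` successor in `description` as well.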