
grid-chef-repo: Commit

A Chef repository for building Grid environments.


Commit MetaInfo

Revision: f291e9961b4324f8e6cf8122bbb4983b81b6fbb7 (tree)
Date: 2016-01-16 13:03:02
Author: whitestar <whitestar@gaea...>
Committer: whitestar

Log Message

rename openldap cookbook to openldap-grid.

Change Summary

Diff

--- /dev/null
+++ b/cookbooks/openldap-grid/CHANGELOG.md
@@ -0,0 +1,22 @@
1+# CHANGELOG for openldap-grid
2+
3+0.2.0
4+-----
5+- rename cookbook.
6+
7+# CHANGELOG for openldap
8+
9+0.1.2
10+-----
11+- add ['openldap']['server']['ldaps'] attribute.
12+- add ['openldap']['server']['KRB5_KTNAME'] attribute.
13+
14+0.1.1
15+-----
16+- add server recipe.
17+- add linkage with ssl_cert cookbook.
18+
19+0.1.0
20+-----
21+- Initial release of openldap
22+
--- /dev/null
+++ b/cookbooks/openldap-grid/README.md
@@ -0,0 +1,75 @@
1+openldap-grid Cookbook
2+=================
3+
4+This cookbook sets up OpenLDAP client, server and nss-ldapd.
5+
6+Requirements
7+------------
8+
9+None.
10+
11+Attributes
12+----------
13+
14+#### openldap::default
15+|Key|Type|Description, example|Default|
16+|:--|:--|:--|:--|
17+|`['openldap']['with_ssl_cert_cookbook']`|Boolean|make it work with ssl_cert cookbook. (ver. 0.1.1 or later)|`false`|
18+|`['openldap']['ssl_cert']['ca_name']`|String|CA name used by ssl_cert (ver. 0.1.1 or later)|`nil`|
19+|`['openldap']['ssl_cert']['common_name']`|String|Server common name useed by ssl_cert. (ver. 0.1.1 or later)|`node['fqdn']`|
20+|`['openldap']['client']['URI']`|String|ldap://ldap.example.com ldap://ldap-master.example.com:666|`nil`|
21+|`['openldap']['client']['BASE']`|String|dc=example,dc=com|`nil`|
22+|`['openldap']['client']['SIZELIMIT']`|String|12|`nil`|
23+|`['openldap']['client']['TIMELIMIT']`|String|15|`nil`|
24+|`['openldap']['client']['DEREF']`|String|never|`nil`|
25+|`['openldap']['client']['TLS_CACERT']`|String|/etc/ssl/certs/cacert.pem|`nil`|
26+|`['openldap']['client']['TLS_REQUEST']`|String|never,allow,try,demand*|`nil`|
27+|`['openldap']['client']['TLS_CHECKPEER']`|String|yes*,no|`nil`|
28+|`['openldap']['client']['SASL_MECH']`|String|GSSAPI|`nil`|
29+|`['openldap']['client']['<ldap.conf key>']`|String|other ldap.conf key||
30+|`['openldap']['nss-ldapd']['uri']`|Strig||`ldap://127.0.0.1/`|
31+|`['openldap']['nss-ldapd']['base']`|String||`dc=example,dc=net`|
32+|`['openldap']['nss-ldapd']['<nscd.conf key>']`|String|other nscd.conf key||
33+|`['openldap']['ldap_lookup_nameservices']`|Array|['passwd', 'group']|`empty`|
34+|`['openldap']['server']['ldaps']`|Boolean|enable ldaps (ver. 0.1.2 or later)|`false`|
35+|`['openldap']['server']['KRB5_KTNAME']`|String|e.g. `'/etc/krb5.keytab'` (ver. 0.1.2 or later)|`nil`|
36+
37+Usage
38+-----
39+
40+Just include `openldap-grid::recipe` in your node's `run_list`:
41+
42+```json
43+{
44+ "name":"my_node",
45+ "run_list": [
46+ "recipe[openldap-grid::client]",
47+ "recipe[openldap-grid::server]",
48+ "recipe[openldap-grid::nss-ldapd]"
49+ ]
50+}
51+```
52+
53+#### with ssl_cert cookbook
54+
55+If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute.
56+
57+License and Authors
58+-------------------
59+- Author:: whitestar at osdn.jp
60+
61+```text
62+Copyright 2013-2016, whitestar
63+
64+Licensed under the Apache License, Version 2.0 (the "License");
65+you may not use this file except in compliance with the License.
66+You may obtain a copy of the License at
67+
68+ http://www.apache.org/licenses/LICENSE-2.0
69+
70+Unless required by applicable law or agreed to in writing, software
71+distributed under the License is distributed on an "AS IS" BASIS,
72+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
73+See the License for the specific language governing permissions and
74+limitations under the License.
75+```
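Review bot: the attribute table documents `['openldap']['client']['TLS_REQUEST']`, a key that exists nowhere else in the cookbook; attributes/default.rb and the client recipe's `ldap_conf_keys` allow-list use `TLS_REQCERT`, and the ldap.conf template only renders keys on that list, so an operator who follows this README gets no `TLS_REQCERT` line at all and the peer-verification setting is dropped without any warning. Fix the key name to `TLS_REQCERT`. Further corrections in the same hunk: "Requirements: None." contradicts `depends 'ssl_cert', '>= 0.1.5'` in metadata.rb; the `#### openldap::default` heading should read `openldap-grid::default`; `<nscd.conf key>` should be `<nslcd.conf key>` (nscd.conf is a different file, and attributes/default.rb already says nslcd.conf); "Strig" and "useed" are typos; and "Just include `openldap-grid::recipe`" should name the three recipes the JSON below actually lists, since the default recipe in this commit is empty.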
--- /dev/null
+++ b/cookbooks/openldap-grid/attributes/default.rb
@@ -0,0 +1,50 @@
1+#
2+# Cookbook Name:: openldap-grid
3+# Attributes:: default
4+#
5+# Copyright 2013-2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+default['openldap']['with_ssl_cert_cookbook'] = false
21+# If node['openldap']['with_ssl_cert_cookbook'] is true,
22+# node['openldap']['client']['TLS_CACERT'] and ['openldap']['nss-ldapd']['tls_cacertfile']
23+# are overridden by the following 'ca_name' attributes.
24+default['openldap']['ssl_cert']['ca_name'] = nil
25+default['openldap']['ssl_cert']['common_name'] = node['fqdn']
26+
27+default['openldap']['client']['URI'] = nil # ldap://ldap.example.com ldap://ldap-master.example.com:666
28+default['openldap']['client']['BASE'] = nil # dc=example,dc=com
29+default['openldap']['client']['SIZELIMIT'] = nil # 12
30+default['openldap']['client']['TIMELIMIT'] = nil # 15
31+default['openldap']['client']['DEREF'] = nil # never
32+default['openldap']['client']['TLS_CACERT'] = nil # /etc/ssl/certs/cacert.pem
33+default['openldap']['client']['TLS_REQCERT'] = nil # never|allow|try|demand*
34+default['openldap']['client']['TLS_CHECKPEER'] = nil # yes*|no
35+default['openldap']['client']['SASL_MECH'] = nil # GSSAPI
36+default['openldap']['client']['TLS_CACERTDIR'] = node.value_for_platform_family(
37+ 'debian' => nil,
38+ 'rhel' => '/etc/openldap/certs'
39+)
40+#default['openldap']['client']['<ldap.conf keys>'] = ...
41+
42+default['openldap']['nss-ldapd']['uri'] = 'ldap://127.0.0.1/'
43+default['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
44+#default['openldap']['nss-ldapd']['<nslcd.conf keys>'] = ...
45+default['openldap']['ldap_lookup_nameservices'] = [] # e.g. ['passwd', 'group']
46+#default['openldap'][''] =
47+
48+default['openldap']['server']['ldaps'] = false
49+default['openldap']['server']['KRB5_KTNAME'] = nil # e.g. '/etc/krb5.keytab'
50+
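Review bot: `TLS_CHECKPEER` (commented `yes*|no`) is a PADL nss_ldap/pam_ldap option, not an ldap.conf(5) keyword; OpenLDAP's libldap does not recognise it, so setting it to `yes` enforces nothing. The attribute that actually controls server-certificate verification for the client is `TLS_REQCERT`, which OpenLDAP defaults to `demand` when unset; drop `TLS_CHECKPEER` from the attributes and README so nobody relies on it, and document that `never`/`allow` for `TLS_REQCERT` disables verification. Also remove the leftover placeholder `#default['openldap'][''] =` at the end of the nss-ldapd section.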
--- /dev/null
+++ b/cookbooks/openldap-grid/metadata.rb
@@ -0,0 +1,10 @@
1+name 'openldap-grid'
2+maintainer 'whitestar'
3+maintainer_email ''
4+license 'Apache 2.0'
5+description 'Installs/Configures openldap'
6+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7+version '0.2.0'
8+
9+depends 'ssl_cert', '>= 0.1.5'
10+
--- /dev/null
+++ b/cookbooks/openldap-grid/recipes/client.rb
@@ -0,0 +1,84 @@
1+#
2+# Cookbook Name:: openldap-grid
3+# Recipe:: client
4+#
5+# Copyright 2013-2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+ldap_conf_keys = [
21+ 'URI',
22+ 'BASE',
23+ 'BINDDN',
24+ 'DEREF',
25+ 'HOST',
26+ 'NETWORK_TIMEOUT',
27+ 'PORT',
28+ 'REFERRALS',
29+ 'SIZELIMIT',
30+ 'TIMELIMIT',
31+ 'TIMEOUT',
32+ 'SASL_MECH',
33+ 'SASL_REALM',
34+ 'SASL_AUTHCID',
35+ 'SASL_AUTHZID',
36+ 'SASL_SECPROPS',
37+ 'GSSAPI_SIGN',
38+ 'GSSAPI_ENCRYPT',
39+ 'GSSAPI_ALLOW_REMOTE_PRINCIPAL',
40+ 'TLS_CACERT',
41+ 'TLS_CACERTDIR',
42+ 'TLS_CERT',
43+ 'TLS_CHECKPEER',
44+ 'TLS_KEY',
45+ 'TLS_CIPHER_SUITE',
46+ 'TLS_RANDFILE',
47+ 'TLS_REQCERT',
48+ 'TLS_CRLCHECK',
49+ 'TLS_CRLFILE'
50+]
51+
52+if node['openldap']['with_ssl_cert_cookbook'] then
53+ node.override['openldap']['client']['TLS_CACERT'] \
54+ = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]
55+end
56+
57+case node[:platform_family]
58+ when 'debian'
59+ pkg = 'ldap-utils'
60+ resources(:package => pkg) rescue package pkg do
61+ action :install
62+ end
63+
64+ template '/etc/ldap/ldap.conf' do
65+ source 'etc/ldap/ldap.conf'
66+ owner 'root'
67+ group 'root'
68+ mode '0644'
69+ variables({'ldap_conf_keys' => ldap_conf_keys})
70+ end
71+ when 'rhel'
72+ pkg = 'openldap-clients'
73+ resources(:package => pkg) rescue package pkg do
74+ action :install
75+ end
76+
77+ template '/etc/openldap/ldap.conf' do
78+ source 'etc/openldap/ldap.conf'
79+ owner 'root'
80+ group 'root'
81+ mode '0644'
82+ variables({'ldap_conf_keys' => ldap_conf_keys})
83+ end
84+end
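Review bot: `ldap_conf_keys` is an allow-list and anything not on it is silently discarded by the template, yet it omits `TLS_PROTOCOL_MIN`, so an operator who sets `node['openldap']['client']['TLS_PROTOCOL_MIN']` to rule out SSLv3/TLS 1.0 gets no line and no warning. Add it to the list, and consider a `Chef::Log.warn` for attribute keys under `['openldap']['client']` that are filtered out. Minor: `resources(:package => pkg) rescue package pkg do ... end` rescues every StandardError, not just `Chef::Exceptions::ResourceNotFound`, and the file mixes `node[:platform_family]` with `node['openldap']` string access; pick one form.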
--- /dev/null
+++ b/cookbooks/openldap-grid/recipes/default.rb
@@ -0,0 +1,18 @@
1+#
2+# Cookbook Name:: openldap-grid
3+# Recipe:: default
4+#
5+# Copyright 2013-2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
--- /dev/null
+++ b/cookbooks/openldap-grid/recipes/nss-ldapd.rb
@@ -0,0 +1,148 @@
1+#
2+# Cookbook Name:: openldap-grid
3+# Recipe:: nss-ldapd
4+#
5+# Copyright 2013-2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+nslcd_conf_keys = [
21+ 'threads',
22+ #'uid',
23+ #'gid',
24+ 'uri',
25+ 'ldap_version',
26+ 'binddn',
27+ 'bindpw',
28+ 'rootpwmoddn',
29+ 'sasl_mech',
30+ 'sasl_realm',
31+ 'sasl_authcid',
32+ 'sasl_authzid',
33+ 'sasl_secprops',
34+ 'base',
35+ 'scope',
36+ 'deref',
37+ 'referrals',
38+ 'filter',
39+ 'map',
40+ 'bind_timelimit',
41+ 'timelimit',
42+ 'idle_timelimit',
43+ 'reconnect_sleeptime',
44+ 'reconnect_retrytime',
45+ 'ssl',
46+ 'tls_reqcert',
47+ 'tls_cacertdir',
48+ 'tls_cacertfile',
49+ 'tls_randfile',
50+ 'tls_ciphers',
51+ 'tls_cert',
52+ 'tls_key',
53+ 'pagesize',
54+ 'nss_initgroups_ignoreusers',
55+ 'pam_authz_search'
56+]
57+
58+if node['openldap']['with_ssl_cert_cookbook'] then
59+ node.override['openldap']['nss-ldapd']['tls_cacertfile'] \
60+ = node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"]
61+end
62+
63+case node[:platform_family]
64+ when 'debian'
65+ %w{
66+ libnss-ldapd
67+ nscd
68+ }.each {|pkg|
69+ package pkg do
70+ action :install
71+ end
72+ }
73+
74+ service 'nslcd' do
75+ action [:enable]
76+ supports :status => true, :restart => true, :reload => false
77+ end
78+
79+ resources(:service => 'nscd') rescue service 'nscd' do
80+ action [:enable]
81+ supports :status => true, :restart => true, :reload => false
82+ end
83+
84+ template '/etc/nslcd.conf' do
85+ source 'etc/nslcd.conf'
86+ owner 'root'
87+ group 'nslcd'
88+ mode '0640'
89+ variables({'nslcd_conf_keys' => nslcd_conf_keys})
90+ notifies :restart, 'service[nslcd]'
91+ notifies :restart, 'service[nscd]'
92+ end
93+ when 'rhel'
94+ package 'nss-pam-ldapd' do
95+ action :install
96+ end
97+
98+ service 'nslcd' do
99+ action [:enable]
100+ supports :status => true, :restart => true, :reload => true
101+ end
102+
103+ resources(:service => 'nscd') rescue service 'nscd' do
104+ action [:enable]
105+ supports :status => true, :restart => true, :reload => true
106+ end
107+
108+ template '/etc/nslcd.conf' do
109+ source 'etc/nslcd.conf'
110+ owner 'root'
111+ group 'root'
112+ mode '0600'
113+ variables({'nslcd_conf_keys' => nslcd_conf_keys})
114+ notifies :restart, 'service[nslcd]'
115+ notifies :restart, 'service[nscd]'
116+ end
117+end
118+
119+ruby_block 'configuring_nameservices' do
120+ block do
121+ conf_file = '/etc/nsswitch.conf'
122+ nameservices = node['openldap']['ldap_lookup_nameservices']
123+ if !nameservices.nil? && !nameservices.empty? then
124+ open(conf_file, 'r+') {|file|
125+ file.flock(File::LOCK_EX)
126+ is_modified = false
127+ buf = ''
128+ file.each {|line|
129+ if line =~ /^(\w+):\s+(.*)$/ then
130+ if nameservices.include?($1) && !$2.include?('ldap')
131+ line.chomp! << " ldap\n"
132+ is_modified = true
133+ end
134+ end
135+ buf << line
136+ }
137+ if is_modified then
138+ print "\nnew #{conf_file}: [#{buf}]"
139+ file.rewind
140+ file.puts buf
141+ file.truncate(file.tell)
142+ end
143+ }
144+ end
145+ end
146+ action :run
147+ notifies :restart, 'service[nscd]'
148+end
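Review bot: the `configuring_nameservices` ruby_block restarts nscd on every converge. A ruby_block always reports itself as updated regardless of the `is_modified` flag, so `notifies :restart, 'service[nscd]'` fires each run; add a `not_if` guard that returns true when every entry of `ldap_lookup_nameservices` already has `ldap` on its nsswitch.conf line. Inside the block, `line.chomp! << " ldap\n"` raises NoMethodError when the matching line is the last line of the file without a trailing newline, because `chomp!` returns nil when it changes nothing; use `line = line.chomp + " ldap\n"`. The `print "\nnew #{conf_file}: ..."` debug output belongs in `Chef::Log.info`. Finally, `bindpw` is on `nslcd_conf_keys`, so a bind password arrives as a node attribute and its diff is printed in the chef-client log and run report whenever /etc/nslcd.conf changes; set `sensitive true` on both template resources and take the password from an encrypted data bag rather than a plain attribute. The 0640 root:nslcd (Debian) and 0600 root:root (rhel) modes are right for a file that may hold that password.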
--- /dev/null
+++ b/cookbooks/openldap-grid/recipes/server.rb
@@ -0,0 +1,103 @@
1+#
2+# Cookbook Name:: openldap-grid
3+# Recipe:: server
4+#
5+# Copyright 2016, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+case node[:platform_family]
21+ when 'debian'
22+ [
23+ 'slapd',
24+ 'ldap-utils',
25+ 'ssl-cert',
26+ ].each {|pkg|
27+ resources(:package => pkg) rescue package pkg do
28+ action :install
29+ end
30+ }
31+
32+ # for SSL server key access
33+ group 'ssl-cert' do
34+ action :modify
35+ members 'openldap'
36+ append true
37+ end
38+
39+ template "/etc/default/slapd" do
40+ source "etc/default/slapd"
41+ owner 'root'
42+ group 'root'
43+ mode '0644'
44+ end
45+ when 'rhel'
46+ [
47+ 'openldap-servers',
48+ 'openldap-clients',
49+ ].each {|pkg|
50+ resources(:package => pkg) rescue package pkg do
51+ action :install
52+ end
53+ }
54+
55+ # for SSL server key access
56+ if node['openldap']['with_ssl_cert_cookbook'] \
57+ && node['ssl_cert']['rhel']['key_access_group'] != 'root' then
58+ group node['ssl_cert']['rhel']['key_access_group'] do
59+ action :modify
60+ members 'ldap'
61+ append true
62+ end
63+ end
64+
65+ template "/etc/sysconfig/ldap" do
66+ source "etc/sysconfig/ldap"
67+ owner 'root'
68+ group 'root'
69+ mode '0644'
70+ end
71+end
72+
73+# deploy ldif file for TLS settings.
74+if node['openldap']['with_ssl_cert_cookbook'] then
75+ [
76+ '00_olc-add-ldaps.ldif',
77+ '00_olc-mod-ldaps.ldif',
78+ ].each {|ldif|
79+ template "/etc/ldap/#{ldif}" do
80+ source "etc/ldap/#{ldif}"
81+ owner 'root'
82+ group 'root'
83+ mode '0644'
84+ end
85+ }
86+end
87+
88+service 'slapd' do
89+ #action [:enable, :start]
90+ action [:enable]
91+ supports :status => true, :restart => true, :reload => false
92+end
93+
94+log <<-EOM
95+Note:
96+You must setup OpenLDAP configurations in the first installation:
97+ [Debian]
98+ $ sudo sudo dpkg-reconfigure -plow slapd
99+ [CentOS]
100+ edit /etc/openldap/slap.d configurations
101+ $ sudo service slapd restart
102+EOM
103+
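Review bot: the TLS ldif block after the platform `case` writes `"/etc/ldap/#{ldif}"` on every platform, but on the rhel branch the configuration directory is /etc/openldap (the recipe's own /etc/sysconfig/ldap template and the log message's `/etc/openldap/slap.d` show this), and a Chef `template` does not create missing parent directories, so the run fails on CentOS whenever `with_ssl_cert_cookbook` is true. Choose the directory per platform family as the rest of the recipe does. The log message has `sudo sudo` and `slap.d` (should be `slapd.d`), and it should also tell the operator to apply the deployed ldif (`sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f ...`) before switching `['openldap']['server']['ldaps']` on, because slapd refuses to start with an `ldaps:///` listener until a certificate and key are configured in cn=config.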
--- /dev/null
+++ b/cookbooks/openldap-grid/spec/recipes/client_spec.rb
@@ -0,0 +1,61 @@
1+#
2+# Cookbook Name:: openldap
3+# Recipe Spec:: client_spec
4+#
5+# Copyright 2015, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+require_relative '../spec_helper'
21+
22+describe 'openldap::client' do
23+ let(:chef_run_on_debian) {
24+ ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
25+ node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
26+ node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
27+ }.converge(described_recipe)
28+ }
29+
30+ it 'installs ldap-utils package on debian family.' do
31+ expect(chef_run_on_debian).to install_package('ldap-utils')
32+ end
33+
34+ it 'renders /etc/ldap/ldap.conf on debian family.' do
35+ expected = expect(chef_run_on_debian)
36+ expected.to render_file('/etc/ldap/ldap.conf').
37+ with_content(%r|^URI\s+ldap://ldap\.example\.com$|)
38+ expected.to render_file('/etc/ldap/ldap.conf').
39+ with_content(%r|^BASE\s+dc=example,dc=com$|)
40+ end
41+
42+ let(:chef_run_on_rhel) {
43+ ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
44+ node.set['openldap']['client']['URI'] = 'ldap://ldap.example.com'
45+ node.set['openldap']['client']['BASE'] = 'dc=example,dc=com'
46+ }.converge(described_recipe)
47+ }
48+
49+ it 'installs openldap-clients on rhel family.' do
50+ expect(chef_run_on_rhel).to install_package('openldap-clients')
51+ end
52+
53+ it 'renders /etc/openldap/ldap.conf on rhel family.' do
54+ expected = expect(chef_run_on_rhel)
55+ expected.to render_file('/etc/openldap/ldap.conf').
56+ with_content(%r|^URI\s+ldap://ldap\.example\.com$|)
57+ expected.to render_file('/etc/openldap/ldap.conf').
58+ with_content(%r|^BASE\s+dc=example,dc=com$|)
59+ end
60+end
61+
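Review bot: `describe 'openldap::client'` still names the old cookbook, so `described_recipe` resolves to `openldap::client`, which no longer exists after the rename to openldap-grid, and every example in this file is stale. Change it to `describe 'openldap-grid::client'` and update the `Cookbook Name::` header. Consider a third runner with `with_ssl_cert_cookbook` true and a `ca_name` set, asserting that the rendered `TLS_CACERT` line points at the ssl_cert path, since that override is the security-relevant branch of the recipe.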
--- /dev/null
+++ b/cookbooks/openldap-grid/spec/recipes/nss-ldapd_spec.rb
@@ -0,0 +1,101 @@
1+#
2+# Cookbook Name:: openldap
3+# Recipe Spec:: nss-ldapd_spec
4+#
5+# Copyright 2015, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+require_relative '../spec_helper'
21+
22+describe 'openldap::nss-ldapd' do
23+ let(:chef_run_on_debian) {
24+ ChefSpec::SoloRunner.new(platform: 'debian', version: '7.6') {|node|
25+ node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
26+ node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
27+ }.converge(described_recipe)
28+ }
29+
30+ it 'installs libnss-ldapd and nscd packages on debian family.' do
31+ expected = expect(chef_run_on_debian)
32+ expected.to install_package('libnss-ldapd')
33+ expected.to enable_service('nslcd')
34+ expected.to install_package('nscd')
35+ expected.to enable_service('nscd')
36+ end
37+
38+ it 'renders /etc/nslcd.conf on debian family.' do
39+ expected = expect(chef_run_on_debian)
40+ expected.to render_file('/etc/nslcd.conf').
41+ with_content(%r|^base\s+dc=example,dc=net$|)
42+ expected.to_not render_file('/etc/nslcd.conf').
43+ with_content(%r|^invalid_key\s+value$|)
44+ end
45+
46+ it 'notifies nslcd and nscd service\'s restart after rendering on debian family.' do
47+ expected = expect(chef_run_on_debian.template('/etc/nslcd.conf'))
48+ expected.to notify('service[nslcd]').to(:restart).delayed
49+ expected.to notify('service[nscd]').to(:restart).delayed
50+ end
51+
52+ it 'creates ruby_block on debian family.' do
53+ expected = expect(chef_run_on_debian)
54+ expected.to run_ruby_block('configuring_nameservices')
55+ end
56+
57+ it 'notifies nscd service\'s restart after creating ruby_block on debian family.' do
58+ expected = expect(chef_run_on_debian.ruby_block('configuring_nameservices'))
59+ expected.to notify('service[nscd]').to(:restart).delayed
60+ end
61+
62+ let(:chef_run_on_rhel) {
63+ ChefSpec::SoloRunner.new(platform: 'centos', version: '7.0') {|node|
64+ node.set['openldap']['nss-ldapd']['base'] = 'dc=example,dc=net'
65+ node.set['openldap']['nss-ldapd']['invalid_key'] = 'value'
66+ }.converge(described_recipe)
67+ }
68+
69+ it 'installs nss-pam-ldapd on rhel family.' do
70+ expected = expect(chef_run_on_rhel)
71+ expected.to install_package('nss-pam-ldapd')
72+ expected.to enable_service('nslcd')
73+ expected.to enable_service('nscd')
74+ end
75+
76+ it 'renders /etc/nslcd.conf on rhel family.' do
77+ expected = expect(chef_run_on_rhel)
78+ expected.to create_template('/etc/nslcd.conf').with(mode: '0600')
79+ expected.to render_file('/etc/nslcd.conf').
80+ with_content(%r|^base\s+dc=example,dc=net$|)
81+ expected.to_not render_file('/etc/nslcd.conf').
82+ with_content(%r|^invalid_key\s+value$|)
83+ end
84+
85+ it 'notifies nslcd and nscd service\'s restart after rendering on rhel family.' do
86+ expected = expect(chef_run_on_rhel.template('/etc/nslcd.conf'))
87+ expected.to notify('service[nslcd]').to(:restart).delayed
88+ expected.to notify('service[nscd]').to(:restart).delayed
89+ end
90+
91+ it 'creates ruby_block on rhel family.' do
92+ expected = expect(chef_run_on_rhel)
93+ expected.to run_ruby_block('configuring_nameservices')
94+ end
95+
96+ it 'notifies nscd service\'s restart after creating ruby_block on rhel family.' do
97+ expected = expect(chef_run_on_rhel.ruby_block('configuring_nameservices'))
98+ expected.to notify('service[nscd]').to(:restart).delayed
99+ end
100+end
101+
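Review bot: same rename problem as client_spec.rb: `describe 'openldap::nss-ldapd'` must become `'openldap-grid::nss-ldapd'` or `described_recipe` points at a cookbook that no longer exists. The rhel example asserts `mode: '0600'` on /etc/nslcd.conf; add the matching assertion on debian (`mode: '0640'`, `group: 'nslcd'`) so a regression that makes a file able to hold `bindpw` world-readable is caught on both families.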
--- /dev/null
+++ b/cookbooks/openldap-grid/spec/spec_helper.rb
@@ -0,0 +1,46 @@
1+#
2+# Cookbook Name:: openldap
3+# Recipe Spec:: spec_helper
4+#
5+# Copyright 2015, whitestar
6+#
7+# Licensed under the Apache License, Version 2.0 (the "License");
8+# you may not use this file except in compliance with the License.
9+# You may obtain a copy of the License at
10+#
11+# http://www.apache.org/licenses/LICENSE-2.0
12+#
13+# Unless required by applicable law or agreed to in writing, software
14+# distributed under the License is distributed on an "AS IS" BASIS,
15+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16+# See the License for the specific language governing permissions and
17+# limitations under the License.
18+#
19+
20+# Added by ChefSpec
21+require 'chefspec'
22+
23+# Uncomment to use ChefSpec's Berkshelf extension
24+#require 'chefspec/berkshelf'
25+
26+ChefSpec::Coverage.start!
27+
28+RSpec.configure do |config|
29+ # Specify the path for Chef Solo to find cookbooks
30+ #config.cookbook_path = "#{File.dirname(__FILE__)}/../../cookbooks"
31+
32+ # Specify the path for Chef Solo to find roles
33+ # config.role_path = '/var/roles'
34+
35+ # Specify the Chef log_level (default: :warn)
36+ # config.log_level = :debug
37+
38+ # Specify the path to a local JSON file with Ohai data
39+ # config.path = 'ohai.json'
40+
41+ # Specify the operating platform to mock Ohai data from
42+ # config.platform = 'ubuntu'
43+
44+ # Specify the operating version to mock Ohai data from
45+ # config.version = '12.04'
46+end
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/centos/etc/nslcd.conf
@@ -0,0 +1,142 @@
1+# This is the configuration file for the LDAP nameservice
2+# switch library's nslcd daemon. It configures the mapping
3+# between NSS names (see /etc/nsswitch.conf) and LDAP
4+# information in the directory.
5+# See the manual page nslcd.conf(5) for more information.
6+
7+# The uri pointing to the LDAP server to use for name lookups.
8+# Multiple entries may be specified. The address that is used
9+# here should be resolvable without using LDAP (obviously).
10+#uri ldap://127.0.0.1/
11+#uri ldaps://127.0.0.1/
12+#uri ldapi://%2fvar%2frun%2fldapi_sock/
13+# Note: %2f encodes the '/' used as directory separator
14+# uri ldap://127.0.0.1/
15+
16+# The LDAP version to use (defaults to 3
17+# if supported by client library)
18+#ldap_version 3
19+
20+# The distinguished name of the search base.
21+# base dc=example,dc=com
22+
23+# The distinguished name to bind to the server with.
24+# Optional: default is to bind anonymously.
25+#binddn cn=proxyuser,dc=example,dc=com
26+
27+# The credentials to bind with.
28+# Optional: default is no credentials.
29+# Note that if you set a bindpw you should check the permissions of this file.
30+#bindpw secret
31+
32+# The distinguished name to perform password modifications by root by.
33+#rootpwmoddn cn=admin,dc=example,dc=com
34+
35+# The default search scope.
36+#scope sub
37+#scope one
38+#scope base
39+
40+# Customize certain database lookups.
41+#base group ou=Groups,dc=example,dc=com
42+#base passwd ou=People,dc=example,dc=com
43+#base shadow ou=People,dc=example,dc=com
44+#scope group onelevel
45+#scope hosts sub
46+
47+# Bind/connect timelimit.
48+#bind_timelimit 30
49+
50+# Search timelimit.
51+#timelimit 30
52+
53+# Idle timelimit. nslcd will close connections if the
54+# server has not been contacted for the number of seconds.
55+#idle_timelimit 3600
56+
57+# Use StartTLS without verifying the server certificate.
58+#ssl start_tls
59+#tls_reqcert never
60+
61+# CA certificates for server certificate verification
62+#tls_cacertdir /etc/ssl/certs
63+#tls_cacertfile /etc/ssl/ca.cert
64+
65+# Seed the PRNG if /dev/urandom is not provided
66+#tls_randfile /var/run/egd-pool
67+
68+# SSL cipher suite
69+# See man ciphers for syntax
70+#tls_ciphers TLSv1
71+
72+# Client certificate and key
73+# Use these, if your server requires client authentication.
74+#tls_cert
75+#tls_key
76+
77+# NDS mappings
78+#map group uniqueMember member
79+
80+# Mappings for Services for UNIX 3.5
81+#filter passwd (objectClass=User)
82+#map passwd uid msSFU30Name
83+#map passwd userPassword msSFU30Password
84+#map passwd homeDirectory msSFU30HomeDirectory
85+#map passwd homeDirectory msSFUHomeDirectory
86+#filter shadow (objectClass=User)
87+#map shadow uid msSFU30Name
88+#map shadow userPassword msSFU30Password
89+#filter group (objectClass=Group)
90+#map group uniqueMember msSFU30PosixMember
91+
92+# Mappings for Services for UNIX 2.0
93+#filter passwd (objectClass=User)
94+#map passwd uid msSFUName
95+#map passwd userPassword msSFUPassword
96+#map passwd homeDirectory msSFUHomeDirectory
97+#map passwd gecos msSFUName
98+#filter shadow (objectClass=User)
99+#map shadow uid msSFUName
100+#map shadow userPassword msSFUPassword
101+#map shadow shadowLastChange pwdLastSet
102+#filter group (objectClass=Group)
103+#map group uniqueMember posixMember
104+
105+# Mappings for Active Directory
106+#pagesize 1000
107+#referrals off
108+#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
109+#map passwd uid sAMAccountName
110+#map passwd homeDirectory unixHomeDirectory
111+#map passwd gecos displayName
112+#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
113+#map shadow uid sAMAccountName
114+#map shadow shadowLastChange pwdLastSet
115+#filter group (objectClass=group)
116+#map group uniqueMember member
117+
118+# Mappings for AIX SecureWay
119+#filter passwd (objectClass=aixAccount)
120+#map passwd uid userName
121+#map passwd userPassword passwordChar
122+#map passwd uidNumber uid
123+#map passwd gidNumber gid
124+#filter group (objectClass=aixAccessGroup)
125+#map group cn groupName
126+#map group uniqueMember member
127+#map group gidNumber gid
128+uid nslcd
129+gid ldap
130+# This comment prevents repeated auto-migration of settings.
131+#uri ldap://127.0.0.1/
132+#base dc=example,dc=com
133+
134+<%
135+node['openldap']['nss-ldapd'].each do |key, value|
136+ if @nslcd_conf_keys.include?(key) && !value.nil? && !value.empty? then
137+-%>
138+<%= key %> <%= value %>
139+<%
140+ end
141+end
142+-%>
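Review bot: the filter `!value.nil? && !value.empty?` assumes every attribute value is a String; `Integer#empty?` does not exist, so `threads`, `pagesize`, `timelimit` or `idle_timelimit` given as integers abort the render with NoMethodError. Compare with `value.to_s.empty?` instead. The one-value-per-key attribute hash also cannot express the repeated `base`, `scope`, `filter` and `map` directives that nslcd.conf(5) allows per database (the commented examples above show `base group ...` and `base passwd ...`); accept an Array value and emit one line per element. Minor: `uid nslcd` / `gid ldap` are hard-coded at the bottom while `uid`/`gid` are commented out of the key list; that is fine for nss-pam-ldapd's default account but should be stated in the README.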
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/centos/etc/openldap/ldap.conf
@@ -0,0 +1,23 @@
1+#
2+# LDAP Defaults
3+#
4+
5+# See ldap.conf(5) for details
6+# This file should be world readable but not world writable.
7+
8+#BASE dc=example,dc=com
9+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
10+
11+#SIZELIMIT 12
12+#TIMELIMIT 15
13+#DEREF never
14+
15+<%
16+node['openldap']['client'].each do |key, value|
17+ if @ldap_conf_keys.include?(key) && !value.nil? && !value.empty? then
18+-%>
19+<%= key %> <%= value %>
20+<%
21+ end
22+end
23+-%>
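Review bot: same `value.empty?` filter as the nslcd.conf template, so `SIZELIMIT`, `TIMELIMIT`, `NETWORK_TIMEOUT` or `PORT` passed as integers crash the render; use `value.to_s.empty?`. The header comment requires the file to be world-readable, which matches the 0644 mode in the client recipe; keep it that way, this file carries no credentials.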
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/centos/etc/sysconfig/ldap
@@ -0,0 +1,41 @@
1+# Options of slapd (see man slapd)
2+#SLAPD_OPTIONS=
3+
4+# At least one of SLAPD_LDAP, SLAPD_LDAPI and SLAPD_LDAPS must be set to 'yes'!
5+#
6+# Run slapd with -h "... ldap:/// ..."
7+# yes/no, default: yes
8+SLAPD_LDAP=yes
9+
10+# Run slapd with -h "... ldapi:/// ..."
11+# yes/no, default: yes
12+SLAPD_LDAPI=yes
13+
14+# Run slapd with -h "... ldaps:/// ..."
15+# yes/no, default: no
16+<%
17+ldaps = 'no'
18+if node['openldap']['server']['ldaps'] == true then
19+ ldaps = 'yes'
20+end
21+-%>
22+SLAPD_LDAPS=<%= ldaps %>
23+
24+# Run slapd with -h "... $SLAPD_URLS ..."
25+# This option could be used instead of previous three ones, but:
26+# - it doesn't overwrite settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
27+# - it isn't overwritten by settings of $SLAPD_LDAP, $SLAPD_LDAPS and $SLAPD_LDAPI options
28+# example: SLAPD_URLS="ldapi:///var/lib/ldap_root/ldapi ldapi:/// ldaps:///"
29+# default: empty
30+#SLAPD_URLS=""
31+
32+# Maximum allowed time to wait for slapd shutdown on 'service ldap stop' (in seconds)
33+#SLAPD_SHUTDOWN_TIMEOUT=3
34+
35+# Parameters to ulimit, use to change system limits for slapd
36+#SLAPD_ULIMIT_SETTINGS=""
37+
38+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
39+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
40+<% end -%>
41+
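Review bot: on EL7, the platform the specs target (`centos`, `7.0`), slapd.service reads /etc/sysconfig/slapd, not /etc/sysconfig/ldap, and builds its listeners from `SLAPD_URLS`; the `SLAPD_LDAP`/`SLAPD_LDAPI`/`SLAPD_LDAPS` switches rendered here are honoured only by the EL6 init script. On CentOS 7 this template therefore silently leaves ldaps disabled even when `['openldap']['server']['ldaps']` is true. Render /etc/sysconfig/slapd with `SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"` for rhel 7, keyed on `node['platform_version']`, and keep this file for rhel 6.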
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/default/etc/default/slapd
@@ -0,0 +1,54 @@
1+# Default location of the slapd.conf file or slapd.d cn=config directory. If
2+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
3+# /etc/ldap/slapd.conf).
4+SLAPD_CONF=
5+
6+# System account to run the slapd server under. If empty the server
7+# will run as root.
8+SLAPD_USER="openldap"
9+
10+# System group to run the slapd server under. If empty the server will
11+# run in the primary group of its user.
12+SLAPD_GROUP="openldap"
13+
14+# Path to the pid file of the slapd server. If not set the init.d script
15+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
16+# default)
17+SLAPD_PIDFILE=
18+
19+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
20+# service requests on TCP-port 636 (ldaps) and requests via unix
21+# sockets.
22+# Example usage:
23+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
24+<%
25+services = 'ldap:/// ldapi:///'
26+if node['openldap']['server']['ldaps'] == true then
27+ services = "#{services} ldaps:///"
28+end
29+-%>
30+SLAPD_SERVICES="<%= services %>"
31+
32+# If SLAPD_NO_START is set, the init script will not start or restart
33+# slapd (but stop will still work). Uncomment this if you are
34+# starting slapd via some other means or if you don't want slapd normally
35+# started at boot.
36+#SLAPD_NO_START=1
37+
38+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
39+# the init script will not start or restart slapd (but stop will still
40+# work). Use this for temporarily disabling startup of slapd (when doing
41+# maintenance, for example, or through a configuration management system)
42+# when you don't want to edit a configuration file.
43+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
44+
45+# For Kerberos authentication (via SASL), slapd by default uses the system
46+# keytab file (/etc/krb5.keytab). To use a different keytab file,
47+# uncomment this line and change the path.
48+#export KRB5_KTNAME=/etc/krb5.keytab
49+<% if !node['openldap']['server']['KRB5_KTNAME'].nil? then -%>
50+export KRB5_KTNAME=<%= node['openldap']['server']['KRB5_KTNAME'] %>
51+<% end -%>
52+
53+# Additional options to pass to slapd
54+SLAPD_OPTIONS=""
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/default/etc/ldap/00_olc-add-ldaps.ldif
@@ -0,0 +1,10 @@
1+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-add-ldaps.ldif
2+dn: cn=config
3+add: olcTLSCACertificateFile
4+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
5+-
6+add: olcTLSCertificateKeyFile
7+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
8+-
9+add: olcTLSCertificateFile
10+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
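Review bot: this record has no `changetype: modify` line while the companion `00_olc-mod-ldaps.ldif` does; `ldapmodify` without `-a` treats it as a modify anyway, but stating it keeps the two files consistent and avoids a surprise if the file is ever fed to `ldapadd`. Also, `olcTLSCertificateKeyFile` points at the ssl_cert key path, and slapd runs as `openldap` per the `/etc/default/slapd` template in this change; that key file must be readable by that user and by nobody else, otherwise cn=config accepts the change but slapd cannot initialise TLS.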
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/default/etc/ldap/00_olc-mod-ldaps.ldif
@@ -0,0 +1,11 @@
1+# $ sudo ldapmodify -QY EXTERNAL -H ldapi:/// -f 00_olc-mod-ldaps.ldif
2+dn: cn=config
3+changetype: modify
4+replace: olcTLSCACertificateFile
5+olcTLSCACertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['ca_name']}_cert_path"] %>
6+-
7+replace: olcTLSCertificateKeyFile
8+olcTLSCertificateKeyFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_key_path"] %>
9+-
10+replace: olcTLSCertificateFile
11+olcTLSCertificateFile: <%= node['ssl_cert']["#{node['openldap']['ssl_cert']['common_name'].gsub('.', '_')}_cert_path"] %>
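Review bot: `replace` creates the attribute when it does not exist yet, so this file alone covers both the first application and later updates; the `00_olc-add-ldaps.ldif` variant, which fails once the attributes are already present, is redundant, and keeping only the replace version gives the recipe one idempotent step instead of a first-run/subsequent-run split. Note in the README which of the two the recipe actually applies.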
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/default/etc/ldap/ldap.conf
@@ -0,0 +1,23 @@
1+#
2+# LDAP Defaults
3+#
4+
5+# See ldap.conf(5) for details
6+# This file should be world readable but not world writable.
7+
8+#BASE dc=example,dc=com
9+#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
10+
11+#SIZELIMIT 12
12+#TIMELIMIT 15
13+#DEREF never
14+
15+<%
16+node['openldap']['client'].each do |key, value|
17+ if @ldap_conf_keys.include?(key) && !value.nil? && !value.empty? then
18+-%>
19+<%= key %> <%= value %>
20+<%
21+ end
22+end
23+-%>
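Review bot: `!value.empty?` in the filter raises NoMethodError when an attribute value is not a String, e.g. `SIZELIMIT` or `TIMELIMIT` set to an Integer rather than a quoted value; `!value.to_s.empty?` handles both. The `@ldap_conf_keys.include?(key)` allowlist is the right approach, since it stops arbitrary keys under `node['openldap']['client']` from being rendered as ldap.conf directives; make sure the recipe that passes `ldap_conf_keys` lists only real ldap.conf(5) options.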
--- /dev/null
+++ b/cookbooks/openldap-grid/templates/default/etc/nslcd.conf
@@ -0,0 +1,40 @@
1+# /etc/nslcd.conf
2+# nslcd configuration file. See nslcd.conf(5)
3+# for details.
4+
5+# The user and group nslcd should run as.
6+uid nslcd
7+gid nslcd
8+
9+# The location at which the LDAP server(s) should be reachable.
10+#uri ldap://127.0.0.1/
11+
12+# The search base that will be used for all queries.
13+#base dc=example,dc=net/
14+
15+# The LDAP protocol version to use.
16+#ldap_version 3
17+
18+# The DN to bind with for normal lookups.
19+#binddn cn=annonymous,dc=example,dc=net
20+#bindpw secret
21+
22+# The DN used for password modifications by root.
23+#rootpwmoddn cn=admin,dc=example,dc=com
24+
25+# SSL options
26+#ssl off
27+#tls_reqcert never
28+
29+# The search scope.
30+#scope sub
31+
32+<%
33+node['openldap']['nss-ldapd'].each do |key, value|
34+ if @nslcd_conf_keys.include?(key) && !value.nil? && !value.empty? then
35+-%>
36+<%= key %> <%= value %>
37+<%
38+ end
39+end
40+-%>
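Review bot: same `value.empty?` issue as in the ldap.conf template; use `value.to_s.empty?`. More important, any `bindpw` set under `node['openldap']['nss-ldapd']` is rendered into this file in clear by the loop, so the template resource that writes `/etc/nslcd.conf` must set restrictive ownership and mode (the Debian package ships it as root:nslcd 0640); that should be visible in this change or called out in the README.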
--- a/cookbooks/openldap/CHANGELOG.md
+++ b/cookbooks/openldap/CHANGELOG.md
@@ -1,5 +1,9 @@
11 # CHANGELOG for openldap
22
3+0.2.0
4+-----
5+- The final release. This cookbook is deprecated.
6+
37 0.1.2
48 -----
59 - add ['openldap']['server']['ldaps'] attribute.
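Review bot: the new 0.2.0 entry says only "The final release. This cookbook is deprecated."; name the replacement (`openldap-grid`) here as the README change does, so readers of the changelog know where to migrate.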
--- a/cookbooks/openldap/README.md
+++ b/cookbooks/openldap/README.md
@@ -1,6 +1,8 @@
11 openldap Cookbook
22 =================
33
4+**DEPRECATED**: All features were ported to the `openldap-grid` cookbook.
5+
46 This cookbook sets up OpenLDAP client, server and nss-ldapd.
57
68 Requirements
@@ -52,7 +54,7 @@ Just include `openldap::recipe` in your node's `run_list`:
5254
5355 #### with ssl_cert cookbook
5456
55-If node['openldap']['with_ssl_cert_cookbook'] is true, node['openldap']['client']['TLS_CACERT'] and node['openldap']['nss-ldapd']['tls_cacertfile'] are overridden by the file path based on ['openldap']['ssl_cert']['ca_name'] attribute.
57+If `node['openldap']['with_ssl_cert_cookbook']` is `true`, `node['openldap']['client']['TLS_CACERT']` and `node['openldap']['nss-ldapd']['tls_cacertfile']` are overridden by the file path based on `['openldap']['ssl_cert']['ca_name']` attribute.
5658
5759 License and Authors
5860 -------------------
--- a/cookbooks/openldap/metadata.rb
+++ b/cookbooks/openldap/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email ''
44 license 'Apache 2.0'
55 description 'Installs/Configures openldap'
66 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7-version '0.1.2'
7+version '0.2.0'
88
99 depends 'ssl_cert', '>= 0.1.5'
1010
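Review bot: only `version` changes in this hunk; the unchanged `description 'Installs/Configures openldap'` still presents the cookbook as current, so consider adding the deprecation notice there too, since that string is what cookbook listings show.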