Puppet Class: aixldap

Defined in:
manifests/init.pp

Summary

Setup AD LDAP Authentication on AIX

Overview

aixldap

Configures an AIX system to authenticate against Active Directory over LDAP: installs the IBM LDAP client (idsldap) packages, writes ldap.cfg and the user/group attribute maps, and manages the secldapclntd service.

Params

NOTE: defaults are provided by module-level hieradata; only the parameters marked REQUIRED must be supplied by the caller.

Examples:

include aixldap

Parameters:

  • base_dn (String)

    REQUIRED LDAP Base DN, such as dc=domain,dc=com

  • bind_dn (String)

    REQUIRED LDAP Bind User DN: the account used to connect to and search the LDAP directory.

  • bind_password (String)

    REQUIRED LDAP Bind User Password: the password for the bind_dn account.

  • bind_password_crypted (String)

    REQUIRED Encrypted form of bind_password (for ldap.cfg). Generate it with secldapclntd -e "password" on an AIX system with the LDAP client packages installed. It should look like: {DESv2}1AB38EC278 C2D186844D0501788FCBD (NOTE: spaces can occur at random positions in the output; keep them verbatim)

  • ldapservers (String)

    REQUIRED Comma-separated list of LDAP directory servers

  • pkg_src_path (String)

    Local path on the agent machine where the installp packages are located. NOTE: ensure the idsldap* packages match the system's oslevel, or the install may downgrade your TL. (Default: /tmp/ldap)

  • enable_ldap (Boolean)

    Whether or not to activate LDAP configuration (can be used for testing). (Default: true)

  • service_ensure (Enum['running','stopped'])

    secldapclntd service status (Default: running)

  • service_enable (Boolean)

    Whether or not to start the secldapclntd service at boot time.

  • use_ssl (Enum['yes','SSL','TLS','NONE','no'])

    SSL parameter, written to ldap.cfg and passed to mksecldap. NOTE: if this is anything other than 'no' or 'NONE', you must also specify ssl_ca_cert_content or ssl_ca_cert_source so the CA certificate can be added to the KDB file.

  • ssl_ca_cert_label (String)

    KDB label for the SSL CA certificate (Default: adldap)

  • ssl_ca_cert_file (String)

    Filename of the SSL CA Certificate, which will be added as a trusted CA to the KDB file. (Default: /usr/lib/security/adldap.crt)

  • ssl_ca_cert_content (Optional[String])

    Raw text (PEM) content of the SSL CA certificate; useful for placing the certificate in hiera. NOTE: REQUIRED IF use_ssl is yes, SSL or TLS (@see ssl_ca_cert_source)

  • ssl_ca_cert_source (Optional[String])

    Puppet File source for the CA certificate file. NOTE: REQUIRED IF use_ssl is yes, SSL or TLS (@see ssl_ca_cert_content)

  • user_map_file (String)

    Filename of user attribute map (Default: /etc/security/ldap/sfur2user.map)

  • user_map_content (Optional[String])

    Raw text content of the user attribute map; useful for placing the content in hiera. (@see user_map_source)

  • user_map_source (Optional[String])

    Puppet File source for user attribute map (@see user_map_content)

  • group_map_file (String)

    Filename of group attribute map (Default: /etc/security/ldap/sfur2group.map)

  • group_map_content (Optional[String])

    Raw text content of the group attribute map; useful for placing the content in hiera. (@see group_map_source)

  • group_map_source (Optional[String])

    Puppet File source for group attribute map (@see group_map_content)

  • ldap_cfg_file (String)

    Filename for the ldap.cfg file (Default: /etc/security/ldap/ldap.cfg)

  • ldap_cfg_options (Optional[Hash])

    Hash of options for the ldap.cfg file. This is a good place for additional options that are not handled directly by this module. These options are merged in hieradata and included in ldap.cfg. Default:

      aixldap::ldap_cfg_options:
        serverschematype: sfur2
        searchmode: ALL
        ldapport: 389
        ldapsslport: 636
        userclasses: user,person,organizationalperson
        groupclasses: group

  • auth_type (Enum['unix_auth','ldap_auth'])

    Authentication type, passed to mksecldap and written to ldap.cfg (Default: unix_auth)

  • default_loc (String)

    Default entry location, written to ldap.cfg and passed to mksecldap (Default: ldap)

  • domain (String)

    Domain name (Default: the system's domain name)

  • kerb_realm (Optional[String])

    Kerberos realm to authenticate with (Default: the system's domain name, uppercased)

  • kdb_file (String)

    Filename of the SSL KDB file. (Default: /usr/lib/security/adldap.crt)

  • kdb_password (Optional[String])

    Password that "protects" the KDB file (Default: ChangeMe!12345; this default is published with the module, so override it)

  • kdb_password_crypted (Optional[String])

    Encrypted KDB password (for ldap.cfg). Generate it with secldapclntd -e "password" on an AIX system. (Default: {DESv2}B264CA89603640B735E5EFA3EA4D68789D1F7F57F0 BC7E1)

  • netsvc_hosts (Optional[String])

    Override the hosts line in /etc/netsvc.conf, which controls the gethostbyname lookup order. The default 'local, bind' removes nis_ldap from the order, which saves 10-15 seconds at login. @see www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.files/netsvc.conf.htm
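A worked environment-level hieradata file that supplies the REQUIRED parameters above and overrides the published KDB password, added here as an example and not part of the module. The DNs, hostnames and certificate body are constructed placeholders; the ENC[PKCS7,...] values assume the hiera-eyaml backend is configured, and the lookup_options entry is only needed if the module does not already declare a merge strategy for ldap_cfg_options.

```yaml
# Environment hieradata for aixldap (added example; constructed values).
# Each aixldap::* key maps onto the class parameter of the same name.
---
aixldap::base_dn: 'dc=example,dc=com'
aixldap::bind_dn: 'cn=aixbind,ou=ServiceAccounts,dc=example,dc=com'
aixldap::ldapservers: 'dc1.example.com,dc2.example.com'

# Keep the clear-text bind password encrypted at rest (hiera-eyaml assumed).
aixldap::bind_password: ENC[PKCS7,<eyaml ciphertext of the bind password>]
# Output of: secldapclntd -e "<bind password>" run on an AIX host with the
# LDAP client installed. Keep the {DESv2} prefix and any spaces verbatim.
aixldap::bind_password_crypted: '{DESv2}<secldapclntd -e output>'

# TLS to AD: any use_ssl value other than 'no'/'NONE' needs the CA cert.
aixldap::use_ssl: 'TLS'
aixldap::ssl_ca_cert_content: |
  -----BEGIN CERTIFICATE-----
  <PEM body of the AD issuing CA certificate>
  -----END CERTIFICATE-----

# Replace the module's published default KDB password (ChangeMe!12345)
# and its secldapclntd -e form.
aixldap::kdb_password: ENC[PKCS7,<eyaml ciphertext of the KDB password>]
aixldap::kdb_password_crypted: '{DESv2}<secldapclntd -e output>'

# Bind to AD as the user instead of comparing a hash retrieved from LDAP.
aixldap::auth_type: 'ldap_auth'
# Drop nis_ldap from the gethostbyname order (see netsvc_hosts above).
aixldap::netsvc_hosts: 'local, bind'

# Extra ldap.cfg keys, merged with the module defaults listed under
# ldap_cfg_options (serverschematype, searchmode, ports, classes).
aixldap::ldap_cfg_options:
  searchmode: 'OS'
lookup_options:
  aixldap::ldap_cfg_options:
    merge: 'deep'
```

With this data in place the class is declared exactly as the Examples section shows, with include aixldap.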

# File 'manifests/init.pp', line 69

class aixldap (
  String $base_dn,
  String $bind_dn,
  String $bind_password,
  String $bind_password_crypted,
  String $ldapservers,
  String $pkg_src_path,
  Boolean $enable_ldap, # hiera
  Enum['running','stopped'] $service_ensure, # hiera
  Boolean $service_enable, # hiera
  String $ssl_ca_cert_label, # hiera
  String $ssl_ca_cert_file, # hiera
  Optional[String] $ssl_ca_cert_content,
  Optional[String] $ssl_ca_cert_source,
  String $user_map_file, # hiera
  Optional[String] $user_map_content,
  Optional[String] $user_map_source,
  String $group_map_file, # hiera
  Optional[String] $group_map_content,
  Optional[String] $group_map_source,
  String $ldap_cfg_file, # hiera
  Optional[Hash] $ldap_cfg_options, # hiera
  Enum['unix_auth','ldap_auth'] $auth_type, # hiera
  String $default_loc, # hiera
  String $domain, # hiera
  String $kdb_file, # hiera
  Optional[String] $kdb_password, # hiera
  Optional[String] $kdb_password_crypted, # hiera
  Optional[String] $kerb_realm, # hiera
  Enum['yes','SSL','TLS','NONE','no'] $use_ssl, # hiera
  Optional[String] $netsvc_hosts, # hiera
) {

  # Ensure Kerberos Realm is uppercase, default to "domain"
  $kerb_realm_real = upcase(pick($kerb_realm, $facts['networking']['domain']))

  # Ensure Local users authenticate locally
  # NOTE: root and virtuser will be handled elsewhere
  $local_users = split($facts['aix_local_users'], ' ')
  $local_users.each |$user| {
    if !defined(User[$user]) {
      user { $user:
        ensure         => 'present',
        ia_load_module => 'files',
        attributes     => [
          'SYSTEM=compat',
          'registry=files',
        ],
      }
    }
  }

  # Basic safety check - Ensure we are on AIX
  if $facts['osfamily'] != 'AIX' {
    fail('This module is only supported on AIX!')
  }

  # Default Path
  Exec {
    path => '/usr/bin:/usr/sbin',
  }

  # Install Packages
  include aixldap::install

  # Configure
  include aixldap::configure

  # Service
  include aixldap::service

  Class['aixldap::install'] -> Class['aixldap::configure']

}