X-Git-Url: https://pwan.org/git/?p=hgr.git;a=blobdiff_plain;f=manifests%2Fslapd.pp;fp=manifests%2Fslapd.pp;h=b60eda8e142977e1b6f5100e0597793408cd7cfb;hp=0000000000000000000000000000000000000000;hb=cb5a94b9d4662bcb79cc59e23c9d3f1bbdb31cc5;hpb=8e287a49e4932a8a9b7b20b4372225a9d5ea5bd9
diff --git a/manifests/slapd.pp b/manifests/slapd.pp
new file mode 100644
index 0000000..b60eda8
--- /dev/null
+++ b/manifests/slapd.pp
@@ -0,0 +1,55 @@
+class hgr::slapd {
+
+ # first define a admin password for LDAP
+
+ package {
+ "slapd" : ensure => installed;
+ "ldapscripts" : ensure => installed;
+ }
+
+ service {
+ "slapd":
+ ensure => running,
+ enable => true,
+ require => [Package["slapd"],File["/etc/default/slapd"]];
+ }
+
+ file {
+ "/etc/default/slapd":
+ ensure => present,
+ source => "puppet:///modules/hgr/slapd/slapd.default",
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ require => Package["slapd"];
+
+ "/etc/ldap/slapd.d/tls-config.ldif":
+ ensure => present,
+ contents => template("hgr/slapd/tls-config.ldif.erb"),
+ owner => "root",
+ group => "root",
+ mode => "0644",
+ require => Package["slapd"];
+ }
+
+ exec {
+ "tls-config.ldif":
+ command => "/usr/bin/ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/tls-config.ldif",
+ unless => "/bin/grep olcTLS 'cn=config.ldif'",
+ logoutput => true,
+ refreshonly => true,
+ subscribe => File["/etc/ldap/slapd.d/tls-config.ldif"],
+ timeout => 5,
+ require => [Service["slapd"],File["/etc/ldap/slapd.d/tls-config.ldif"]];
+ }
+
+ # add openldap to the ssl-cert group
+ # (usermod -a -G ssl-cert openldap)
+ # unless 'groups openldap | grep ssl-cert'
+
+ # Need to ensure /etc/ssl/private is group-readable
+
+ # Need to open 636 on /etc/iptables/rules.v4
+
+
+}
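Review bot: The second file resource in the hunk uses `contents => template("hgr/slapd/tls-config.ldif.erb")`, but Puppet's file type takes `content`, so the manifest fails to compile until that line reads `content => template("hgr/slapd/tls-config.ldif.erb"),`. The exec's idempotency guard `unless => "/bin/grep olcTLS 'cn=config.ldif'"` greps a relative path with no `cwd` set, so it will not find the config database and ldapmodify re-runs on every refresh of the ldif file; it presumably should point at the cn=config.ldif under /etc/ldap/slapd.d, e.g. `unless => "/bin/grep -q olcTLS /etc/ldap/slapd.d/cn=config.ldif",`. The trailing comments leave the ssl-cert group membership and the /etc/ssl/private permissions unimplemented, so the TLS settings pushed by this exec may be applied before slapd can read its key material; a comment on the exec naming that dependency would help the next maintainer. The tls-config.ldif file is installed 0644 and world-readable, which is only appropriate if the template holds nothing more sensitive than certificate and key paths.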