diff --git a/.fixtures.yml b/.fixtures.yml
index eaa8bfd9..5103c76f 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,9 +1,6 @@
 ---
 fixtures:
 repositories:
- augeas_core: https://github.com/puppetlabs/puppetlabs-augeas_core.git
- augeasproviders_core: https://github.com/voxpupuli/puppet-augeasproviders_core.git
- augeasproviders_shellvar: https://github.com/voxpupuli/puppet-augeasproviders_shellvar.git
 epel: https://github.com/voxpupuli/puppet-epel.git
 facts: https://github.com/puppetlabs/puppetlabs-facts.git
 provision: https://github.com/puppetlabs/provision.git
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 91ffce43..b6661244 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -1,225 +1,7 @@
 # See README.md for details.
 class openldap::client::config {
- $base = $openldap::client::base ? {
- undef => undef,
- 'absent' => 'rm BASE',
- default => "set BASE ${openldap::client::base}",
- }
- $bind_policy = $openldap::client::bind_policy ? {
- undef => undef,
- 'absent' => 'rm BIND_POLICY',
- default => "set BIND_POLICY ${openldap::client::bind_policy}",
- }
- $bind_timelimit = $openldap::client::bind_timelimit ? {
- undef => undef,
- 'absent' => 'rm BIND_TIMELIMIT',
- default => "set BIND_TIMELIMIT ${openldap::client::bind_timelimit}",
- }
- $binddn = $openldap::client::binddn ? {
- undef => undef,
- 'absent' => 'rm BINDDN',
- default => "set BINDDN ${openldap::client::binddn}",
- }
- $bindpw = $openldap::client::bindpw ? {
- undef => undef,
- 'absent' => 'rm BINDPW',
- default => "set BINDPW ${openldap::client::bindpw}",
- }
- $ldap_version = $openldap::client::ldap_version ? {
- undef => undef,
- 'absent' => 'rm LDAP_VERSION',
- default => "set LDAP_VERSION ${openldap::client::ldap_version}",
- }
- $network_timeout = $openldap::client::network_timeout ? {
- undef => undef,
- 'absent' => 'rm NETWORK_TIMEOUT',
- default => "set NETWORK_TIMEOUT ${openldap::client::network_timeout}",
- }
- $scope = $openldap::client::scope ? {
- undef => undef,
- 'absent' => 'rm SCOPE',
- default => "set SCOPE ${openldap::client::scope}",
- }
- $ssl = $openldap::client::ssl ? {
- undef => undef,
- 'absent' => 'rm SSL',
- default => "set SSL ${openldap::client::ssl}",
- }
- $suffix = $openldap::client::suffix ? {
- undef => undef,
- 'absent' => 'rm SUFFIX',
- default => "set SUFFIX ${openldap::client::suffix}",
- }
- $timelimit = $openldap::client::timelimit ? {
- undef => undef,
- 'absent' => 'rm TIMELIMIT',
- default => "set TIMELIMIT ${openldap::client::timelimit}",
- }
- $timeout = $openldap::client::timeout ? {
- undef => undef,
- 'absent' => 'rm TIMEOUT',
- default => "set TIMEOUT ${openldap::client::timeout}",
- }
- $_uri = $openldap::client::uri ? {
- undef => undef,
- default => join(flatten([$openldap::client::uri]), ' '),
- }
- $uri = $_uri ? {
- undef => undef,
- 'absent' => 'rm URI',
- default => "set URI '${_uri}'",
- }
- $nss_base_group = $openldap::client::nss_base_group ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_GROUP',
- default => "set NSS_BASE_GROUP ${openldap::client::nss_base_group}",
- }
- $nss_base_hosts = $openldap::client::nss_base_hosts ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_HOSTS',
- default => "set NSS_BASE_HOSTS ${openldap::client::nss_base_hosts}",
- }
- $nss_base_passwd = $openldap::client::nss_base_passwd ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_PASSWD',
- default => "set NSS_BASE_PASSWD ${openldap::client::nss_base_passwd}",
- }
- $nss_base_shadow = $openldap::client::nss_base_shadow ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_SHADOW',
- default => "set NSS_BASE_SHADOW ${openldap::client::nss_base_shadow}",
- }
- $nss_initgroups_ignoreusers = $openldap::client::nss_initgroups_ignoreusers ? {
- undef => undef,
- default => "set NSS_INITGROUPS_IGNOREUSERS ${openldap::client::nss_initgroups_ignoreusers}",
- }
- $pam_filter = $openldap::client::pam_filter ? {
- undef => undef,
- 'absent' => 'rm PAM_FILTER',
- default => "set PAM_FILTER ${openldap::client::pam_filter}",
- }
- $pam_login_attribute = $openldap::client::pam_login_attribute ? {
- undef => undef,
- 'absent' => 'rm PAM_LOGIN_ATTRIBUTE',
- default => "set PAM_LOGIN_ATTRIBUTE ${openldap::client::pam_login_attribute}",
- }
- $pam_member_attribute = $openldap::client::pam_member_attribute ? {
- undef => undef,
- 'absent' => 'rm PAM_MEMBER_ATTRIBUTE',
- default => "set PAM_MEMBER_ATTRIBUTE ${openldap::client::pam_member_attribute}",
- }
- $pam_password = $openldap::client::pam_password ? {
- undef => undef,
- 'absent' => 'rm PAM_PASSWORD',
- default => "set PAM_PASSWORD ${openldap::client::pam_password}",
- }
- $tls_checkpeer = $openldap::client::tls_checkpeer ? {
- undef => undef,
- 'absent' => 'rm TLS_CHECKPEER',
- default => "set TLS_CHECKPEER ${openldap::client::tls_checkpeer}",
- }
- $tls_cacert = $openldap::client::tls_cacert ? {
- undef => undef,
- 'absent' => 'rm TLS_CACERT',
- default => "set TLS_CACERT ${openldap::client::tls_cacert}",
- }
- $tls_cacertdir = $openldap::client::tls_cacertdir ? {
- undef => undef,
- 'absent' => 'rm TLS_CACERTDIR',
- default => "set TLS_CACERTDIR ${openldap::client::tls_cacertdir}",
- }
- $tls_reqcert = $openldap::client::tls_reqcert ? {
- undef => undef,
- 'absent' => 'rm TLS_REQCERT',
- default => "set TLS_REQCERT ${openldap::client::tls_reqcert}",
- }
- $tls_moznss_compatibility = $openldap::client::tls_moznss_compatibility ? {
- undef => undef,
- 'absent' => 'rm TLS_MOZNSS_COMPATIBILITY',
- default => "set TLS_MOZNSS_COMPATIBILITY ${openldap::client::tls_moznss_compatibility}",
- }
- $sasl_mech = $openldap::client::sasl_mech ? {
- undef => undef,
- default => "set SASL_MECH ${openldap::client::sasl_mech}",
- }
- $sasl_realm = $openldap::client::sasl_realm ? {
- undef => undef,
- default => "set SASL_REALM ${openldap::client::sasl_realm}",
- }
- $sasl_authcid = $openldap::client::sasl_authcid ? {
- undef => undef,
- default => "set SASL_AUTHCID ${openldap::client::sasl_authcid}",
- }
- $_sasl_secprops = $openldap::client::sasl_secprops ? {
- undef => undef,
- default => join(flatten([$openldap::client::sasl_secprops]), ','),
- }
- $sasl_secprops = $_sasl_secprops ? {
- undef => undef,
- default => "set SASL_SECPROPS ${_sasl_secprops}",
- }
- $sasl_nocanon = $openldap::client::sasl_nocanon ? {
- undef => undef,
- default => "set SASL_NOCANON ${openldap::client::sasl_nocanon}",
- }
- $gssapi_sign = $openldap::client::gssapi_sign ? {
- undef => undef,
- default => "set GSSAPI_SIGN ${openldap::client::gssapi_sign}",
- }
- $gssapi_encrypt = $openldap::client::gssapi_encrypt ? {
- undef => undef,
- default => "set GSSAPI_ENCRYPT ${openldap::client::gssapi_encrypt}",
- }
- $gssapi_allow_remote_principal = $openldap::client::gssapi_allow_remote_principal ? {
- undef => undef,
- default => "set GSSAPI_ALLOW_REMOTE_PRINCIPAL ${openldap::client::gssapi_allow_remote_principal}",
- }
- $sudoers_base = $openldap::client::sudoers_base ? {
- undef => undef,
- 'absent' => 'rm SUDOERS_BASE',
- default => "set SUDOERS_BASE ${openldap::client::sudoers_base}",
- }
- $changes = delete_undef_values([
- $base,
- $bind_policy,
- $bind_timelimit,
- $binddn,
- $bindpw,
- $ldap_version,
- $network_timeout,
- $scope,
- $ssl,
- $suffix,
- $timelimit,
- $timeout,
- $uri,
- $nss_base_group,
- $nss_base_hosts,
- $nss_base_passwd,
- $nss_base_shadow,
- $nss_initgroups_ignoreusers,
- $pam_filter,
- $pam_login_attribute,
- $pam_member_attribute,
- $pam_password,
- $tls_checkpeer,
- $tls_cacert,
- $tls_cacertdir,
- $tls_reqcert,
- $tls_moznss_compatibility,
- $sasl_mech,
- $sasl_realm,
- $sasl_authcid,
- $sasl_secprops,
- $sasl_nocanon,
- $gssapi_sign,
- $gssapi_encrypt,
- $gssapi_allow_remote_principal,
- $sudoers_base,
- ])
- augeas { 'ldap.conf':
- incl => $openldap::client::file,
- lens => 'Spacevars.lns',
- changes => $changes,
+ file { $openldap::client::file:
+ ensure => file,
+ content => epp('openldap/ldap.conf.epp'),
 }
 }
diff --git a/metadata.json b/metadata.json
index 5d42f7cb..10fcd538 100644
--- a/metadata.json
+++ b/metadata.json
@@ -12,18 +12,6 @@
 "name": "puppetlabs/stdlib",
 "version_requirement": ">= 4.13.1 < 10.0.0"
 },
- {
- "name": "puppetlabs/augeas_core",
- "version_requirement": ">= 1.0.0 < 2.0.0"
- },
- {
- "name": "puppet/augeasproviders_core",
- "version_requirement": ">= 2.0.0 < 5.0.0"
- },
- {
- "name": "puppet/augeasproviders_shellvar",
- "version_requirement": ">= 2.0.0 < 7.0.0"
- },
 {
 "name": "puppet/systemd",
 "version_requirement": ">= 3.0.0 < 10.0.0"
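Review bot: The new `file` resource writes `bindpw` into ldap.conf through the template but sets no `show_diff`, so whenever the content changes the agent log and the report carry a full diff of the file, password included; the augeas `changes` list exposed the value before as well, but a whole-file diff is far more likely to end up in a report processor or log pipeline. Add `show_diff => false,` next to `content`, either unconditionally or only when `$openldap::client::bindpw` is set. Moving from in-place augeas edits to a full template is also a behaviour change worth a line in the README or changelog: any directive in an existing ldap.conf that is not a module parameter is dropped on the next run, and `'absent'` no longer means anything different from leaving a parameter unset. The class body closes on the hunk's last context line.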
diff --git a/spec/classes/openldap_client_config_spec.rb b/spec/classes/openldap_client_config_spec.rb
index 942721f4..4516dfe0 100644
--- a/spec/classes/openldap_client_config_spec.rb
+++ b/spec/classes/openldap_client_config_spec.rb
@@ -9,798 +9,137 @@ facts end - context 'with no parameters' do - let :pre_condition do - "class {'openldap::client':}" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - end - - context 'with base set' do - let :pre_condition do - "class {'openldap::client': base => 'dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BASE dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BASE dc=example,dc=com']) - } - end - end - - context 'with base set to absent' do - let :pre_condition do - "class {'openldap::client': base => 'absent', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['rm BASE']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['rm BASE']) - } - end - end - - context 'with bind_policy set' do - let :pre_condition do - "class {'openldap::client': bind_policy => 'soft', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BIND_POLICY soft']) - } - when 
'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BIND_POLICY soft']) - } - end - end - - context 'with bind_timelimit set' do - let :pre_condition do - "class {'openldap::client': bind_timelimit => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BIND_TIMELIMIT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BIND_TIMELIMIT 10']) - } - end - end - - context 'with binddn set' do - let :pre_condition do - "class {'openldap::client': binddn => 'cn=admin,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BINDDN cn=admin,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BINDDN cn=admin,dc=example,dc=com']) - } - end - end - - context 'with bindpw set' do - let :pre_condition do - "class {'openldap::client': bindpw => 'secret', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BINDPW secret']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: 
'/etc/openldap/ldap.conf', - changes: ['set BINDPW secret']) - } - end - end - - context 'with ldap_version set' do - let :pre_condition do - "class {'openldap::client': ldap_version => '3', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set LDAP_VERSION 3']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set LDAP_VERSION 3']) - } - end - end - - context 'with network_timeout set' do - let :pre_condition do - "class {'openldap::client': network_timeout => '1', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NETWORK_TIMEOUT 1']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NETWORK_TIMEOUT 1']) - } - end - end - - context 'with scope set' do - let :pre_condition do - "class {'openldap::client': scope => 'one', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SCOPE one']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SCOPE one']) - } - end - end - - context 'with ssl set' do - let :pre_condition do - "class 
{'openldap::client': ssl => 'on', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SSL on']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SSL on']) - } - end - end - - context 'with suffix set' do - let :pre_condition do - "class {'openldap::client': suffix => 'dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SUFFIX dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SUFFIX dc=example,dc=com']) - } - end - end - - context 'with timelimit set' do - let :pre_condition do - "class {'openldap::client': timelimit => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TIMELIMIT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TIMELIMIT 10']) - } - end - end - - context 'with timeout set' do - let :pre_condition do - "class {'openldap::client': timeout => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - 
it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TIMEOUT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TIMEOUT 10']) - } - end - end - - context 'with uri set' do - let :pre_condition do - "class {'openldap::client': uri => 'ldap://ldap.example.com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ["set URI 'ldap://ldap.example.com'"]) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ["set URI 'ldap://ldap.example.com'"]) - } - end - end - - context 'with multiple uri set' do - let :pre_condition do - "class {'openldap::client': uri => ['ldap://ldap1.example.com', 'ldap://ldap2.example.com'] }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ["set URI 'ldap://ldap1.example.com ldap://ldap2.example.com'"]) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ["set URI 'ldap://ldap1.example.com ldap://ldap2.example.com'"]) - } - end - end - - context 'with nss_base_group set' do - let :pre_condition do - "class {'openldap::client': nss_base_group => 'ou=group,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to 
contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_GROUP ou=group,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_GROUP ou=group,dc=example,dc=com']) - } - end - end - - context 'with nss_base_hosts set' do - let :pre_condition do - "class {'openldap::client': nss_base_hosts => 'ou=hosts,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_HOSTS ou=hosts,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_HOSTS ou=hosts,dc=example,dc=com']) - } - end - end - - context 'with nss_base_passwd set' do - let :pre_condition do - "class {'openldap::client': nss_base_passwd => 'ou=passwd,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_PASSWD ou=passwd,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_PASSWD ou=passwd,dc=example,dc=com']) - } - end - end - - context 'with nss_base_shadow set' do - let :pre_condition do - "class {'openldap::client': nss_base_shadow => 
'ou=shadow,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_SHADOW ou=shadow,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_SHADOW ou=shadow,dc=example,dc=com']) - } - end - end - - context 'with nss_initgroups_ignoreusers set' do - let :pre_condition do - "class {'openldap::client': nss_initgroups_ignoreusers => 'ovahi,backup,games', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with({ - incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games'], - }) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with({ - incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games'], - }) - } - end - end - - context 'with pam_filter set' do - let :pre_condition do - "class {'openldap::client': pam_filter => 'type=FILTER', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_FILTER type=FILTER']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_FILTER type=FILTER']) - } - end - end - - context 'with 
pam_login_attribute set' do - let :pre_condition do - "class {'openldap::client': pam_login_attribute => 'uid', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_LOGIN_ATTRIBUTE uid']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_LOGIN_ATTRIBUTE uid']) - } - end - end - - context 'with pam_member_attribute set' do - let :pre_condition do - "class {'openldap::client': pam_member_attribute => 'memberUid', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_MEMBER_ATTRIBUTE memberUid']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_MEMBER_ATTRIBUTE memberUid']) - } - end - end - - context 'with pam_password set' do - let :pre_condition do - "class {'openldap::client': pam_password => 'md5', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_PASSWORD md5']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_PASSWORD md5']) - } - end - end - - context 'with a valid tls_cacert set' do - let :pre_condition do - 
"class {'openldap::client': tls_cacert => '/etc/ssl/certs/ca-certificates.crt', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CACERT /etc/ssl/certs/ca-certificates.crt']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CACERT /etc/ssl/certs/ca-certificates.crt']) - } - end - end - - context 'with a valid tls_cacertdir set' do - let :pre_condition do - "class {'openldap::client': tls_cacertdir => '/etc/ssl/certs/', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CACERTDIR /etc/ssl/certs/']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CACERTDIR /etc/ssl/certs/']) - } - end - end - - context 'with tls_checkpeer set' do - let :pre_condition do - "class {'openldap::client': tls_checkpeer => 'no', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CHECKPEER no']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CHECKPEER no']) - } - end - end - - context 'with tls_reqcert set' do - let :pre_condition do - "class {'openldap::client': tls_reqcert => 
'never', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_REQCERT never']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_REQCERT never']) - } - end - end - - context 'with a valid tls_moznss_compatibility set' do - let :pre_condition do - "class {'openldap::client': tls_moznss_compatibility => 'true', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_MOZNSS_COMPATIBILITY true']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_MOZNSS_COMPATIBILITY true']) - } - end - end - - context 'with tls_moznss_compatibility being removed' do - let :pre_condition do - "class {'openldap::client': tls_moznss_compatibility => 'absent', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['rm TLS_MOZNSS_COMPATIBILITY']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['rm TLS_MOZNSS_COMPATIBILITY']) - } - end - end - - context 'with sasl options set' do - let :pre_condition do - "class {'openldap::client': - sasl_mech => 'gssapi', - 
sasl_realm => 'TEST.REALM',
- sasl_authcid => 'dn:uid=test,cn=mech,cn=authzid',
- sasl_secprops => ['noplain','noactive'],
- sasl_nocanon => true,
- }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set SASL_MECH gssapi',
- 'set SASL_REALM TEST.REALM',
- 'set SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid',
- 'set SASL_SECPROPS noplain,noactive',
- 'set SASL_NOCANON true'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set SASL_MECH gssapi',
- 'set SASL_REALM TEST.REALM',
- 'set SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid',
- 'set SASL_SECPROPS noplain,noactive',
- 'set SASL_NOCANON true'])
- }
- end
- end
-
- context 'with gssapi options set' do
- let :pre_condition do
- "class {'openldap::client':
- gssapi_sign => false,
- gssapi_encrypt => true,
- gssapi_allow_remote_principal => 'on'
- }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set GSSAPI_SIGN false',
- 'set GSSAPI_ENCRYPT true',
- 'set GSSAPI_ALLOW_REMOTE_PRINCIPAL on'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set GSSAPI_SIGN false',
- 'set GSSAPI_ENCRYPT true',
- 'set GSSAPI_ALLOW_REMOTE_PRINCIPAL on'])
- }
- end
- end
-
- context 'with sudoers_base set' do
- let :pre_condition do
- "class {'openldap::client': sudoers_base => 'ou=sudoers,dc=example,dc=com', }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set SUDOERS_BASE ou=sudoers,dc=example,dc=com'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set SUDOERS_BASE ou=sudoers,dc=example,dc=com'])
- }
- end
+ let(:ldap_conf_path) do
+ case facts[:os]['family']
+ when 'Debian'
+ '/etc/ldap/ldap.conf'
+ when 'FreeBSD'
+ '/usr/local/etc/openldap/ldap.conf'
+ when 'RedHat', 'Suse'
+ '/etc/openldap/ldap.conf'
+ end
+ end
+
+ context 'with no parameters set' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ LDAP_CONF
+ end
+
+ context 'with all parameters set' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ base => 'dc=example,dc=com',
+ bind_policy => 'soft',
+ bind_timelimit => '10',
+ binddn => 'cn=admin,dc=example,dc=com',
+ bindpw => 'secret',
+ ldap_version => '3',
+ network_timeout => '1',
+ scope => 'one',
+ ssl => 'on',
+ suffix => 'dc=example,dc=com',
+ timelimit => '10',
+ timeout => '10',
+ uri => 'ldap://ldap.example.com',
+ nss_base_group => 'ou=group,dc=example,dc=com',
+ nss_base_hosts => 'ou=hosts,dc=example,dc=com',
+ nss_base_passwd => 'ou=passwd,dc=example,dc=com',
+ nss_base_shadow => 'ou=shadow,dc=example,dc=com',
+ nss_initgroups_ignoreusers => 'ovahi,backup,games',
+ pam_filter => 'type=FILTER',
+ pam_login_attribute => 'uid',
+ pam_member_attribute => 'memberUid',
+ pam_password => 'md5',
+ tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
+ tls_cacertdir => '/etc/ssl/certs/',
+ tls_checkpeer => 'no',
+ tls_reqcert => 'never',
+ tls_moznss_compatibility => 'true',
+ sasl_mech => 'gssapi',
+ sasl_realm => 'TEST.REALM',
+ sasl_authcid => 'dn:uid=test,cn=mech,cn=authzid',
+ sasl_secprops => ['noplain','noactive'],
+ sasl_nocanon => true,
+ gssapi_sign => false,
+ gssapi_encrypt => true,
+ gssapi_allow_remote_principal => 'on',
+ sudoers_base => 'ou=sudoers,dc=example,dc=com',
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ BASE dc=example,dc=com
+ BIND_POLICY soft
+ BIND_TIMELIMIT 10
+ BINDDN cn=admin,dc=example,dc=com
+ BINDPW secret
+ LDAP_VERSION 3
+ NETWORK_TIMEOUT 1
+ SCOPE one
+ SSL on
+ SUFFIX dc=example,dc=com
+ TIMELIMIT 10
+ TIMEOUT 10
+ URI ldap://ldap.example.com
+ NSS_BASE_GROUP ou=group,dc=example,dc=com
+ NSS_BASE_HOSTS ou=hosts,dc=example,dc=com
+ NSS_BASE_PASSWD ou=passwd,dc=example,dc=com
+ NSS_BASE_SHADOW ou=shadow,dc=example,dc=com
+ NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games
+ PAM_FILTER type=FILTER
+ PAM_LOGIN_ATTRIBUTE uid
+ PAM_MEMBER_ATTRIBUTE memberUid
+ PAM_PASSWORD md5
+ TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+ TLS_CACERTDIR /etc/ssl/certs/
+ TLS_CHECKPEER no
+ TLS_REQCERT never
+ TLS_MOZNSS_COMPATIBILITY true
+ SASL_MECH gssapi
+ SASL_REALM TEST.REALM
+ SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid
+ SASL_SECPROPS noplain,noactive
+ SASL_NOCANON true
+ GSSAPI_SIGN false
+ GSSAPI_ENCRYPT true
+ GSSAPI_ALLOW_REMOTE_PRINCIPAL on
+ SUDOERS_BASE ou=sudoers,dc=example,dc=com
+ LDAP_CONF
+ end
+
+ context 'with multiple uri' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ uri => ['ldap://ldap1.example.com', 'ldap://ldap2.example.com'],
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ URI ldap://ldap1.example.com ldap://ldap2.example.com
+ LDAP_CONF
 end
 end
 end
diff --git a/templates/ldap.conf.epp b/templates/ldap.conf.epp
new file mode 100644
index 00000000..07f3d1ca
--- /dev/null
+++ b/templates/ldap.conf.epp
@@ -0,0 +1,59 @@
+# This file is managed by Puppet
+
+<%- [
+ 'base',
+ 'bind_policy',
+ 'bind_timelimit',
+ 'binddn',
+ 'bindpw',
+ 'ldap_version',
+ 'network_timeout',
+ 'scope',
+ 'ssl',
+ 'suffix',
+ 'timelimit',
+ 'timeout',
+ 'uri',
+
+ 'nss_base_group',
+ 'nss_base_hosts',
+ 'nss_base_passwd',
+ 'nss_base_shadow',
+ 'nss_initgroups_ignoreusers',
+
+ 'pam_filter',
+ 'pam_login_attribute',
+ 'pam_member_attribute',
+ 'pam_password',
+
+ 'tls_cacert',
+ 'tls_cacertdir',
+ 'tls_checkpeer',
+ 'tls_reqcert',
+ 'tls_moznss_compatibility',
+
+ 'sasl_mech',
+ 'sasl_realm',
+ 'sasl_authcid',
+ 'sasl_secprops',
+ 'sasl_nocanon',
+
+ 'gssapi_sign',
+ 'gssapi_encrypt',
+ 'gssapi_allow_remote_principal',
+
+ 'sudoers_base',
+].each |$setting| { -%>
+ <%- $value = getvar("openldap::client::${setting}") -%>
+ <%- if $value !~ Undef and $value != 'absent' { -%>
+ <%- if $value =~ Array { -%>
+ <%- if $setting == 'sasl_secprops' { -%>
+<%= $setting.upcase %> <%= $value.join(',') %>
+ <%- } else { -%>
+<%= $setting.upcase %> <%= $value.join(' ') %>
+ <%- } -%>
+ <%- } else { -%>
+<%= $setting.upcase %> <%= $value %>
+ <%- } -%>
+ <%- } -%>
+<%- } -%>
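Review bot: `bindpw` is emitted in clear text by the generic `<%= $setting.upcase %> <%= $value %>` branch (the spec pins `BINDPW secret` in the rendered file), and the mode of the `file` resource that writes this template is not visible in this diff; ldap.conf is conventionally world-readable because NSS lookups run as unprivileged users, so a bind password placed here is readable by every local account. This is not a regression — the removed augeas path did `set BINDPW` into the same file — but the template is the natural place to say so, e.g. above the settings list: `# NOTE: bindpw is written in clear text; ldap.conf is normally 0644 for NSS, so prefer a dedicated root-only secret file where the client supports it, or tighten the file mode when bindpw is set`. A smaller point: every value is interpolated unescaped, so a value containing a newline would inject further directives; these are operator-supplied class parameters, so if they are not already typed, a single-line constraint such as `Pattern[/\A[^\r\n]*\z/]` on the string parameters (outside this hunk) would close that without touching the template. If `bindpw` is ever declared as `Sensitive`, this branch would render the redacted placeholder rather than the secret, which is worth a spec case.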
