From 862fb063e47336964651f5a7438ac0daa5e7d421 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romain=20Tarti=C3=A8re?=
Date: Tue, 9 Dec 2025 08:42:35 -1000
Subject: [PATCH] Strip module dependency on Augeas

Instead of managing each setting with one augeas resource, only manage a single file resource with a template. Similarly when testing, instead of testing each setting in isolation, test the whole generated configuration file. Testing the augeas invocations gave no clue about the validity of the generated configuration file, and it greatly helps with performance as running the client configuration test suite took 1 minute 8.82 seconds to run 2248 examples, and now take less than 6 seconds to run 163 examples with a better coverage on my development manchine with:
```
bundle exec rspec spec/classes/openldap_client_config_spec.rb
```
---
 .fixtures.yml | 3 -
 manifests/client/config.pp | 224 +----
 metadata.json | 12 -
 spec/classes/openldap_client_config_spec.rb | 923 +++-----------------
 templates/ldap.conf.epp | 59 ++
 5 files changed, 193 insertions(+), 1028 deletions(-)
 create mode 100644 templates/ldap.conf.epp
diff --git a/.fixtures.yml b/.fixtures.yml
index eaa8bfd9..5103c76f 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,9 +1,6 @@
 ---
 fixtures:
 repositories:
- augeas_core: https://github.com/puppetlabs/puppetlabs-augeas_core.git
- augeasproviders_core: https://github.com/voxpupuli/puppet-augeasproviders_core.git
- augeasproviders_shellvar: https://github.com/voxpupuli/puppet-augeasproviders_shellvar.git
 epel: https://github.com/voxpupuli/puppet-epel.git
 facts: https://github.com/puppetlabs/puppetlabs-facts.git
 provision: https://github.com/puppetlabs/provision.git
diff --git a/manifests/client/config.pp b/manifests/client/config.pp
index 91ffce43..b6661244 100644
--- a/manifests/client/config.pp
+++ b/manifests/client/config.pp
@@ -1,225 +1,7 @@
 # See README.md for details.
 class openldap::client::config {
- $base = $openldap::client::base ? {
- undef => undef,
- 'absent' => 'rm BASE',
- default => "set BASE ${openldap::client::base}",
- }
- $bind_policy = $openldap::client::bind_policy ? {
- undef => undef,
- 'absent' => 'rm BIND_POLICY',
- default => "set BIND_POLICY ${openldap::client::bind_policy}",
- }
- $bind_timelimit = $openldap::client::bind_timelimit ? {
- undef => undef,
- 'absent' => 'rm BIND_TIMELIMIT',
- default => "set BIND_TIMELIMIT ${openldap::client::bind_timelimit}",
- }
- $binddn = $openldap::client::binddn ? {
- undef => undef,
- 'absent' => 'rm BINDDN',
- default => "set BINDDN ${openldap::client::binddn}",
- }
- $bindpw = $openldap::client::bindpw ? {
- undef => undef,
- 'absent' => 'rm BINDPW',
- default => "set BINDPW ${openldap::client::bindpw}",
- }
- $ldap_version = $openldap::client::ldap_version ? {
- undef => undef,
- 'absent' => 'rm LDAP_VERSION',
- default => "set LDAP_VERSION ${openldap::client::ldap_version}",
- }
- $network_timeout = $openldap::client::network_timeout ? {
- undef => undef,
- 'absent' => 'rm NETWORK_TIMEOUT',
- default => "set NETWORK_TIMEOUT ${openldap::client::network_timeout}",
- }
- $scope = $openldap::client::scope ? {
- undef => undef,
- 'absent' => 'rm SCOPE',
- default => "set SCOPE ${openldap::client::scope}",
- }
- $ssl = $openldap::client::ssl ? {
- undef => undef,
- 'absent' => 'rm SSL',
- default => "set SSL ${openldap::client::ssl}",
- }
- $suffix = $openldap::client::suffix ? {
- undef => undef,
- 'absent' => 'rm SUFFIX',
- default => "set SUFFIX ${openldap::client::suffix}",
- }
- $timelimit = $openldap::client::timelimit ? {
- undef => undef,
- 'absent' => 'rm TIMELIMIT',
- default => "set TIMELIMIT ${openldap::client::timelimit}",
- }
- $timeout = $openldap::client::timeout ? {
- undef => undef,
- 'absent' => 'rm TIMEOUT',
- default => "set TIMEOUT ${openldap::client::timeout}",
- }
- $_uri = $openldap::client::uri ? {
- undef => undef,
- default => join(flatten([$openldap::client::uri]), ' '),
- }
- $uri = $_uri ? {
- undef => undef,
- 'absent' => 'rm URI',
- default => "set URI '${_uri}'",
- }
- $nss_base_group = $openldap::client::nss_base_group ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_GROUP',
- default => "set NSS_BASE_GROUP ${openldap::client::nss_base_group}",
- }
- $nss_base_hosts = $openldap::client::nss_base_hosts ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_HOSTS',
- default => "set NSS_BASE_HOSTS ${openldap::client::nss_base_hosts}",
- }
- $nss_base_passwd = $openldap::client::nss_base_passwd ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_PASSWD',
- default => "set NSS_BASE_PASSWD ${openldap::client::nss_base_passwd}",
- }
- $nss_base_shadow = $openldap::client::nss_base_shadow ? {
- undef => undef,
- 'absent' => 'rm NSS_BASE_SHADOW',
- default => "set NSS_BASE_SHADOW ${openldap::client::nss_base_shadow}",
- }
- $nss_initgroups_ignoreusers = $openldap::client::nss_initgroups_ignoreusers ? {
- undef => undef,
- default => "set NSS_INITGROUPS_IGNOREUSERS ${openldap::client::nss_initgroups_ignoreusers}",
- }
- $pam_filter = $openldap::client::pam_filter ? {
- undef => undef,
- 'absent' => 'rm PAM_FILTER',
- default => "set PAM_FILTER ${openldap::client::pam_filter}",
- }
- $pam_login_attribute = $openldap::client::pam_login_attribute ? {
- undef => undef,
- 'absent' => 'rm PAM_LOGIN_ATTRIBUTE',
- default => "set PAM_LOGIN_ATTRIBUTE ${openldap::client::pam_login_attribute}",
- }
- $pam_member_attribute = $openldap::client::pam_member_attribute ? {
- undef => undef,
- 'absent' => 'rm PAM_MEMBER_ATTRIBUTE',
- default => "set PAM_MEMBER_ATTRIBUTE ${openldap::client::pam_member_attribute}",
- }
- $pam_password = $openldap::client::pam_password ? {
- undef => undef,
- 'absent' => 'rm PAM_PASSWORD',
- default => "set PAM_PASSWORD ${openldap::client::pam_password}",
- }
- $tls_checkpeer = $openldap::client::tls_checkpeer ? {
- undef => undef,
- 'absent' => 'rm TLS_CHECKPEER',
- default => "set TLS_CHECKPEER ${openldap::client::tls_checkpeer}",
- }
- $tls_cacert = $openldap::client::tls_cacert ? {
- undef => undef,
- 'absent' => 'rm TLS_CACERT',
- default => "set TLS_CACERT ${openldap::client::tls_cacert}",
- }
- $tls_cacertdir = $openldap::client::tls_cacertdir ? {
- undef => undef,
- 'absent' => 'rm TLS_CACERTDIR',
- default => "set TLS_CACERTDIR ${openldap::client::tls_cacertdir}",
- }
- $tls_reqcert = $openldap::client::tls_reqcert ? {
- undef => undef,
- 'absent' => 'rm TLS_REQCERT',
- default => "set TLS_REQCERT ${openldap::client::tls_reqcert}",
- }
- $tls_moznss_compatibility = $openldap::client::tls_moznss_compatibility ? {
- undef => undef,
- 'absent' => 'rm TLS_MOZNSS_COMPATIBILITY',
- default => "set TLS_MOZNSS_COMPATIBILITY ${openldap::client::tls_moznss_compatibility}",
- }
- $sasl_mech = $openldap::client::sasl_mech ? {
- undef => undef,
- default => "set SASL_MECH ${openldap::client::sasl_mech}",
- }
- $sasl_realm = $openldap::client::sasl_realm ? {
- undef => undef,
- default => "set SASL_REALM ${openldap::client::sasl_realm}",
- }
- $sasl_authcid = $openldap::client::sasl_authcid ? {
- undef => undef,
- default => "set SASL_AUTHCID ${openldap::client::sasl_authcid}",
- }
- $_sasl_secprops = $openldap::client::sasl_secprops ? {
- undef => undef,
- default => join(flatten([$openldap::client::sasl_secprops]), ','),
- }
- $sasl_secprops = $_sasl_secprops ? {
- undef => undef,
- default => "set SASL_SECPROPS ${_sasl_secprops}",
- }
- $sasl_nocanon = $openldap::client::sasl_nocanon ? {
- undef => undef,
- default => "set SASL_NOCANON ${openldap::client::sasl_nocanon}",
- }
- $gssapi_sign = $openldap::client::gssapi_sign ? {
- undef => undef,
- default => "set GSSAPI_SIGN ${openldap::client::gssapi_sign}",
- }
- $gssapi_encrypt = $openldap::client::gssapi_encrypt ? {
- undef => undef,
- default => "set GSSAPI_ENCRYPT ${openldap::client::gssapi_encrypt}",
- }
- $gssapi_allow_remote_principal = $openldap::client::gssapi_allow_remote_principal ? {
- undef => undef,
- default => "set GSSAPI_ALLOW_REMOTE_PRINCIPAL ${openldap::client::gssapi_allow_remote_principal}",
- }
- $sudoers_base = $openldap::client::sudoers_base ? {
- undef => undef,
- 'absent' => 'rm SUDOERS_BASE',
- default => "set SUDOERS_BASE ${openldap::client::sudoers_base}",
- }
- $changes = delete_undef_values([
- $base,
- $bind_policy,
- $bind_timelimit,
- $binddn,
- $bindpw,
- $ldap_version,
- $network_timeout,
- $scope,
- $ssl,
- $suffix,
- $timelimit,
- $timeout,
- $uri,
- $nss_base_group,
- $nss_base_hosts,
- $nss_base_passwd,
- $nss_base_shadow,
- $nss_initgroups_ignoreusers,
- $pam_filter,
- $pam_login_attribute,
- $pam_member_attribute,
- $pam_password,
- $tls_checkpeer,
- $tls_cacert,
- $tls_cacertdir,
- $tls_reqcert,
- $tls_moznss_compatibility,
- $sasl_mech,
- $sasl_realm,
- $sasl_authcid,
- $sasl_secprops,
- $sasl_nocanon,
- $gssapi_sign,
- $gssapi_encrypt,
- $gssapi_allow_remote_principal,
- $sudoers_base,
- ])
- augeas { 'ldap.conf':
- incl => $openldap::client::file,
- lens => 'Spacevars.lns',
- changes => $changes,
+ file { $openldap::client::file:
+ ensure => file,
+ content => epp('openldap/ldap.conf.epp'),
 }
 }
diff --git a/metadata.json b/metadata.json
index 5d42f7cb..10fcd538 100644
--- a/metadata.json
+++ b/metadata.json
@@ -12,18 +12,6 @@
 "name": "puppetlabs/stdlib",
 "version_requirement": ">= 4.13.1 < 10.0.0"
 },
- {
- "name": "puppetlabs/augeas_core",
- "version_requirement": ">= 1.0.0 < 2.0.0"
- },
- {
- "name": "puppet/augeasproviders_core",
- "version_requirement": ">= 2.0.0 < 5.0.0"
- },
- {
- "name": "puppet/augeasproviders_shellvar",
- "version_requirement": ">= 2.0.0 < 7.0.0"
- },
 {
 "name": "puppet/systemd",
 "version_requirement": ">= 3.0.0 < 10.0.0"
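Review bot: `content` now carries the raw `BINDPW` value and the new `file` resource leaves `show_diff` at its default, so on every content change the cleartext bind password is printed in the agent log and kept in the report; add `show_diff => $openldap::client::bindpw =~ Undef,` next to `content` so the diff is suppressed whenever a password is configured. The resource also manages no `owner`, `group` or `mode`, so an existing ldap.conf keeps whatever bits it has while a freshly created one gets the agent's default; since libldap needs the file world-readable anyway, an explicit `owner => 'root'` and `mode => '0644'` makes that intent deliberate instead of umask-dependent. Finally, `content` replaces the whole file, so any directive the distribution shipped in it (a vendor `TLS_CACERT` line, for instance) disappears unless the matching class parameter is set; that is a behaviour change from the augeas in-place edit and deserves a README/changelog note.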
diff --git a/spec/classes/openldap_client_config_spec.rb b/spec/classes/openldap_client_config_spec.rb
index 942721f4..4516dfe0 100644
--- a/spec/classes/openldap_client_config_spec.rb
+++ b/spec/classes/openldap_client_config_spec.rb
@@ -9,798 +9,137 @@ facts end - context 'with no parameters' do - let :pre_condition do - "class {'openldap::client':}" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - end - - context 'with base set' do - let :pre_condition do - "class {'openldap::client': base => 'dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BASE dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BASE dc=example,dc=com']) - } - end - end - - context 'with base set to absent' do - let :pre_condition do - "class {'openldap::client': base => 'absent', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['rm BASE']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['rm BASE']) - } - end - end - - context 'with bind_policy set' do - let :pre_condition do - "class {'openldap::client': bind_policy => 'soft', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BIND_POLICY soft']) - } - when 
'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BIND_POLICY soft']) - } - end - end - - context 'with bind_timelimit set' do - let :pre_condition do - "class {'openldap::client': bind_timelimit => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BIND_TIMELIMIT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BIND_TIMELIMIT 10']) - } - end - end - - context 'with binddn set' do - let :pre_condition do - "class {'openldap::client': binddn => 'cn=admin,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BINDDN cn=admin,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set BINDDN cn=admin,dc=example,dc=com']) - } - end - end - - context 'with bindpw set' do - let :pre_condition do - "class {'openldap::client': bindpw => 'secret', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set BINDPW secret']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: 
'/etc/openldap/ldap.conf', - changes: ['set BINDPW secret']) - } - end - end - - context 'with ldap_version set' do - let :pre_condition do - "class {'openldap::client': ldap_version => '3', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set LDAP_VERSION 3']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set LDAP_VERSION 3']) - } - end - end - - context 'with network_timeout set' do - let :pre_condition do - "class {'openldap::client': network_timeout => '1', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NETWORK_TIMEOUT 1']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NETWORK_TIMEOUT 1']) - } - end - end - - context 'with scope set' do - let :pre_condition do - "class {'openldap::client': scope => 'one', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SCOPE one']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SCOPE one']) - } - end - end - - context 'with ssl set' do - let :pre_condition do - "class 
{'openldap::client': ssl => 'on', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SSL on']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SSL on']) - } - end - end - - context 'with suffix set' do - let :pre_condition do - "class {'openldap::client': suffix => 'dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set SUFFIX dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set SUFFIX dc=example,dc=com']) - } - end - end - - context 'with timelimit set' do - let :pre_condition do - "class {'openldap::client': timelimit => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TIMELIMIT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TIMELIMIT 10']) - } - end - end - - context 'with timeout set' do - let :pre_condition do - "class {'openldap::client': timeout => '10', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - 
it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TIMEOUT 10']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TIMEOUT 10']) - } - end - end - - context 'with uri set' do - let :pre_condition do - "class {'openldap::client': uri => 'ldap://ldap.example.com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ["set URI 'ldap://ldap.example.com'"]) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ["set URI 'ldap://ldap.example.com'"]) - } - end - end - - context 'with multiple uri set' do - let :pre_condition do - "class {'openldap::client': uri => ['ldap://ldap1.example.com', 'ldap://ldap2.example.com'] }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ["set URI 'ldap://ldap1.example.com ldap://ldap2.example.com'"]) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ["set URI 'ldap://ldap1.example.com ldap://ldap2.example.com'"]) - } - end - end - - context 'with nss_base_group set' do - let :pre_condition do - "class {'openldap::client': nss_base_group => 'ou=group,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to 
contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_GROUP ou=group,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_GROUP ou=group,dc=example,dc=com']) - } - end - end - - context 'with nss_base_hosts set' do - let :pre_condition do - "class {'openldap::client': nss_base_hosts => 'ou=hosts,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_HOSTS ou=hosts,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_HOSTS ou=hosts,dc=example,dc=com']) - } - end - end - - context 'with nss_base_passwd set' do - let :pre_condition do - "class {'openldap::client': nss_base_passwd => 'ou=passwd,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_PASSWD ou=passwd,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_PASSWD ou=passwd,dc=example,dc=com']) - } - end - end - - context 'with nss_base_shadow set' do - let :pre_condition do - "class {'openldap::client': nss_base_shadow => 
'ou=shadow,dc=example,dc=com', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_BASE_SHADOW ou=shadow,dc=example,dc=com']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_BASE_SHADOW ou=shadow,dc=example,dc=com']) - } - end - end - - context 'with nss_initgroups_ignoreusers set' do - let :pre_condition do - "class {'openldap::client': nss_initgroups_ignoreusers => 'ovahi,backup,games', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with({ - incl: '/etc/ldap/ldap.conf', - changes: ['set NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games'], - }) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with({ - incl: '/etc/openldap/ldap.conf', - changes: ['set NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games'], - }) - } - end - end - - context 'with pam_filter set' do - let :pre_condition do - "class {'openldap::client': pam_filter => 'type=FILTER', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_FILTER type=FILTER']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_FILTER type=FILTER']) - } - end - end - - context 'with 
pam_login_attribute set' do - let :pre_condition do - "class {'openldap::client': pam_login_attribute => 'uid', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_LOGIN_ATTRIBUTE uid']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_LOGIN_ATTRIBUTE uid']) - } - end - end - - context 'with pam_member_attribute set' do - let :pre_condition do - "class {'openldap::client': pam_member_attribute => 'memberUid', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_MEMBER_ATTRIBUTE memberUid']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_MEMBER_ATTRIBUTE memberUid']) - } - end - end - - context 'with pam_password set' do - let :pre_condition do - "class {'openldap::client': pam_password => 'md5', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set PAM_PASSWORD md5']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set PAM_PASSWORD md5']) - } - end - end - - context 'with a valid tls_cacert set' do - let :pre_condition do - 
"class {'openldap::client': tls_cacert => '/etc/ssl/certs/ca-certificates.crt', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CACERT /etc/ssl/certs/ca-certificates.crt']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CACERT /etc/ssl/certs/ca-certificates.crt']) - } - end - end - - context 'with a valid tls_cacertdir set' do - let :pre_condition do - "class {'openldap::client': tls_cacertdir => '/etc/ssl/certs/', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CACERTDIR /etc/ssl/certs/']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CACERTDIR /etc/ssl/certs/']) - } - end - end - - context 'with tls_checkpeer set' do - let :pre_condition do - "class {'openldap::client': tls_checkpeer => 'no', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_CHECKPEER no']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_CHECKPEER no']) - } - end - end - - context 'with tls_reqcert set' do - let :pre_condition do - "class {'openldap::client': tls_reqcert => 
'never', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_REQCERT never']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_REQCERT never']) - } - end - end - - context 'with a valid tls_moznss_compatibility set' do - let :pre_condition do - "class {'openldap::client': tls_moznss_compatibility => 'true', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['set TLS_MOZNSS_COMPATIBILITY true']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['set TLS_MOZNSS_COMPATIBILITY true']) - } - end - end - - context 'with tls_moznss_compatibility being removed' do - let :pre_condition do - "class {'openldap::client': tls_moznss_compatibility => 'absent', }" - end - - it { is_expected.to compile.with_all_deps } - it { is_expected.to contain_class('openldap::client::config') } - it { is_expected.to contain_augeas('ldap.conf') } - - case facts[:os]['family'] - when 'Debian' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf', - changes: ['rm TLS_MOZNSS_COMPATIBILITY']) - } - when 'RedHat' - it { - is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf', - changes: ['rm TLS_MOZNSS_COMPATIBILITY']) - } - end - end - - context 'with sasl options set' do - let :pre_condition do - "class {'openldap::client': - sasl_mech => 'gssapi', - 
sasl_realm => 'TEST.REALM',
- sasl_authcid => 'dn:uid=test,cn=mech,cn=authzid',
- sasl_secprops => ['noplain','noactive'],
- sasl_nocanon => true,
- }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set SASL_MECH gssapi',
- 'set SASL_REALM TEST.REALM',
- 'set SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid',
- 'set SASL_SECPROPS noplain,noactive',
- 'set SASL_NOCANON true'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set SASL_MECH gssapi',
- 'set SASL_REALM TEST.REALM',
- 'set SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid',
- 'set SASL_SECPROPS noplain,noactive',
- 'set SASL_NOCANON true'])
- }
- end
- end
-
- context 'with gssapi options set' do
- let :pre_condition do
- "class {'openldap::client':
- gssapi_sign => false,
- gssapi_encrypt => true,
- gssapi_allow_remote_principal => 'on'
- }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set GSSAPI_SIGN false',
- 'set GSSAPI_ENCRYPT true',
- 'set GSSAPI_ALLOW_REMOTE_PRINCIPAL on'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set GSSAPI_SIGN false',
- 'set GSSAPI_ENCRYPT true',
- 'set GSSAPI_ALLOW_REMOTE_PRINCIPAL on'])
- }
- end
- end
-
- context 'with sudoers_base set' do
- let :pre_condition do
- "class {'openldap::client': sudoers_base => 'ou=sudoers,dc=example,dc=com', }"
- end
-
- it { is_expected.to compile.with_all_deps }
- it { is_expected.to contain_class('openldap::client::config') }
- it { is_expected.to contain_augeas('ldap.conf') }
-
- case facts[:os]['family']
- when 'Debian'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/ldap/ldap.conf',
- changes: ['set SUDOERS_BASE ou=sudoers,dc=example,dc=com'])
- }
- when 'RedHat'
- it {
- is_expected.to contain_augeas('ldap.conf').with(incl: '/etc/openldap/ldap.conf',
- changes: ['set SUDOERS_BASE ou=sudoers,dc=example,dc=com'])
- }
- end
+ let(:ldap_conf_path) do
+ case facts[:os]['family']
+ when 'Debian'
+ '/etc/ldap/ldap.conf'
+ when 'FreeBSD'
+ '/usr/local/etc/openldap/ldap.conf'
+ when 'RedHat', 'Suse'
+ '/etc/openldap/ldap.conf'
+ end
+ end
+
+ context 'with no parameters set' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ LDAP_CONF
+ end
+
+ context 'with all parameters set' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ base => 'dc=example,dc=com',
+ bind_policy => 'soft',
+ bind_timelimit => '10',
+ binddn => 'cn=admin,dc=example,dc=com',
+ bindpw => 'secret',
+ ldap_version => '3',
+ network_timeout => '1',
+ scope => 'one',
+ ssl => 'on',
+ suffix => 'dc=example,dc=com',
+ timelimit => '10',
+ timeout => '10',
+ uri => 'ldap://ldap.example.com',
+ nss_base_group => 'ou=group,dc=example,dc=com',
+ nss_base_hosts => 'ou=hosts,dc=example,dc=com',
+ nss_base_passwd => 'ou=passwd,dc=example,dc=com',
+ nss_base_shadow => 'ou=shadow,dc=example,dc=com',
+ nss_initgroups_ignoreusers => 'ovahi,backup,games',
+ pam_filter => 'type=FILTER',
+ pam_login_attribute => 'uid',
+ pam_member_attribute => 'memberUid',
+ pam_password => 'md5',
+ tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
+ tls_cacertdir => '/etc/ssl/certs/',
+ tls_checkpeer => 'no',
+ tls_reqcert => 'never',
+ tls_moznss_compatibility => 'true',
+ sasl_mech => 'gssapi',
+ sasl_realm => 'TEST.REALM',
+ sasl_authcid => 'dn:uid=test,cn=mech,cn=authzid',
+ sasl_secprops => ['noplain','noactive'],
+ sasl_nocanon => true,
+ gssapi_sign => false,
+ gssapi_encrypt => true,
+ gssapi_allow_remote_principal => 'on',
+ sudoers_base => 'ou=sudoers,dc=example,dc=com',
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ BASE dc=example,dc=com
+ BIND_POLICY soft
+ BIND_TIMELIMIT 10
+ BINDDN cn=admin,dc=example,dc=com
+ BINDPW secret
+ LDAP_VERSION 3
+ NETWORK_TIMEOUT 1
+ SCOPE one
+ SSL on
+ SUFFIX dc=example,dc=com
+ TIMELIMIT 10
+ TIMEOUT 10
+ URI ldap://ldap.example.com
+ NSS_BASE_GROUP ou=group,dc=example,dc=com
+ NSS_BASE_HOSTS ou=hosts,dc=example,dc=com
+ NSS_BASE_PASSWD ou=passwd,dc=example,dc=com
+ NSS_BASE_SHADOW ou=shadow,dc=example,dc=com
+ NSS_INITGROUPS_IGNOREUSERS ovahi,backup,games
+ PAM_FILTER type=FILTER
+ PAM_LOGIN_ATTRIBUTE uid
+ PAM_MEMBER_ATTRIBUTE memberUid
+ PAM_PASSWORD md5
+ TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+ TLS_CACERTDIR /etc/ssl/certs/
+ TLS_CHECKPEER no
+ TLS_REQCERT never
+ TLS_MOZNSS_COMPATIBILITY true
+ SASL_MECH gssapi
+ SASL_REALM TEST.REALM
+ SASL_AUTHCID dn:uid=test,cn=mech,cn=authzid
+ SASL_SECPROPS noplain,noactive
+ SASL_NOCANON true
+ GSSAPI_SIGN false
+ GSSAPI_ENCRYPT true
+ GSSAPI_ALLOW_REMOTE_PRINCIPAL on
+ SUDOERS_BASE ou=sudoers,dc=example,dc=com
+ LDAP_CONF
+ end
+
+ context 'with multiple uri' do
+ let :pre_condition do
+ <<~PP
+ class { 'openldap::client':
+ uri => ['ldap://ldap1.example.com', 'ldap://ldap2.example.com'],
+ }
+ PP
+ end
+
+ it { is_expected.to compile.with_all_deps }
+ it { is_expected.to contain_class('openldap::client::config') }
+ it { is_expected.to contain_file(ldap_conf_path).with(content: <<~LDAP_CONF) }
+ # This file is managed by Puppet
+
+ URI ldap://ldap1.example.com ldap://ldap2.example.com
+ LDAP_CONF
 end
 end
 end
diff --git a/templates/ldap.conf.epp b/templates/ldap.conf.epp
new file mode 100644
index 00000000..07f3d1ca
--- /dev/null
+++ b/templates/ldap.conf.epp
@@ -0,0 +1,59 @@
+# This file is managed by Puppet
+
+<%- [
+ 'base',
+ 'bind_policy',
+ 'bind_timelimit',
+ 'binddn',
+ 'bindpw',
+ 'ldap_version',
+ 'network_timeout',
+ 'scope',
+ 'ssl',
+ 'suffix',
+ 'timelimit',
+ 'timeout',
+ 'uri',
+
+ 'nss_base_group',
+ 'nss_base_hosts',
+ 'nss_base_passwd',
+ 'nss_base_shadow',
+ 'nss_initgroups_ignoreusers',
+
+ 'pam_filter',
+ 'pam_login_attribute',
+ 'pam_member_attribute',
+ 'pam_password',
+
+ 'tls_cacert',
+ 'tls_cacertdir',
+ 'tls_checkpeer',
+ 'tls_reqcert',
+ 'tls_moznss_compatibility',
+
+ 'sasl_mech',
+ 'sasl_realm',
+ 'sasl_authcid',
+ 'sasl_secprops',
+ 'sasl_nocanon',
+
+ 'gssapi_sign',
+ 'gssapi_encrypt',
+ 'gssapi_allow_remote_principal',
+
+ 'sudoers_base',
+].each |$setting| { -%>
+ <%- $value = getvar("openldap::client::${setting}") -%>
+ <%- if $value !~ Undef and $value != 'absent' { -%>
+ <%- if $value =~ Array { -%>
+ <%- if $setting == 'sasl_secprops' { -%>
+<%= $setting.upcase %> <%= $value.join(',') %>
+ <%- } else { -%>
+<%= $setting.upcase %> <%= $value.join(' ') %>
+ <%- } -%>
+ <%- } else { -%>
+<%= $setting.upcase %> <%= $value %>
+ <%- } -%>
+ <%- } -%>
+<%- } -%>
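Review bot: Every setting is written verbatim through `<%= $value %>` and `<%= $value.join(' ') %>`, so the template relies entirely on the `openldap::client` parameter types (not visible in this diff) to keep a value from carrying a newline, which in a line-oriented ldap.conf would become an additional directive; a cheap guard inside the loop is `<%- if "${value}" =~ /\n/ { fail("openldap::client::${setting} must not contain a newline") } -%>`. The rendered content also carries `BINDPW` in clear, so the `file` resource that consumes this template (outside this chunk) should wrap its `content` in `Sensitive` or set `show_diff => false` whenever `bindpw` is set, otherwise the agent's content diff logs the password each time the file changes. The `sasl_secprops` branch duplicates the output line only to change the separator; `<%- $sep = $setting ? { 'sasl_secprops' => ',', default => ' ' } -%>` followed by a single `<%= $setting.upcase %> <%= $value.join($sep) %>` expresses the same rule without the nested `if`. A header comment such as `<%# A setting is skipped when its class parameter is undef or the literal 'absent'; SASL_SECPROPS is the only comma-separated list, every other list is space-separated. -%>` would spare the next reader a trip back to the removed augeas code.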
