1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
# @summary Concourse LDAP authentication
# Most attributes maps directly to concourse's options, but with
# `CONCOURSE_LDAP_` prefixed.
#
# @param host
# LDAP host to bind to, e.x. ldap.example.com
# @param bind_dn
# Distinguished name used when binding to the ldap server.
# e.x. `cn=read-only-admin,dc=example,dc=com`
# @param bind_pw
# Password used when binding to the ldap server.
# @param user_search_base_dn
# Base distinguished name when searching for user, together with
# `user_search_username` creates the query:
# `${user_search_username}=%,${user_search_base_dn}`.
#
# Should be something along the lines of `cn=users,dc=example,dc=com`.
# @param user_search_username
# See `user_search_base_dn`.
#
# Should probably be `uid` or `cn`.
# @param display_name
# Fancy name to display for this authentication method.
# @param user_search_filter
# LDAP filter to limit which users are queried
# @param user_search_id_attr
# LDAP attribute used to specify the users id
# @param user_search_email_attr
# LDAP attribute used to specify the users email address
# @param user_search_name_attr
# LDAP attribute used to specify the users name.
# @param ca_cert
# Path to a CA CERT used when connecting to the LDAP server.
# Probably mutually exclusive with `insecure_no_ssl`.
# @param insecure_no_ssl
# Allow unencrypted connections to the ldap server.
# @param group_search_base_dn
# Base for LDAP search for groups. If this is set then LDAP groups
# are mapped to teams in Concourse.
#
# e.x. `cn=group,dc=example,dc=com`
# @param group_search_name_attr
# LDAP attribute to use as key when searching for groups under
# `group_search_base_dn`.
# @param group_search_user_attr
# LDAP attribute used to get the "name" of a given user.
# Should match with what is used in `group_search_group_attr`.
# @param group_search_group_attr
# LDAP attribute used to determine which users are part of which group.
# Should match with what is used in `group_search_user_attr`
# @param group_search_filter
# LDAP filter to limit which users are returned when searching
# for who is part of which group
# @param main_team_user
# @param main_team_group
# @param ensure
class concourse::auth::ldap (
String $host,
String $bind_dn,
Variant[String, Sensitive[String]] $bind_pw,
String $user_search_base_dn,
String $user_search_username = 'uid',
Optional[String] $display_name = undef,
Optional[String] $user_search_filter = undef,
Optional[String] $user_search_id_attr = undef,
Optional[String] $user_search_email_attr = undef,
Optional[String] $user_search_name_attr = undef,
Optional[Stdlib::Absolutepath] $ca_cert = undef,
Boolean $insecure_no_ssl = false,
Optional[String] $group_search_base_dn = undef,
String $group_search_name_attr = 'ou',
String $group_search_user_attr = 'uid',
String $group_search_group_attr = 'members',
Optional[String] $group_search_filter = undef,
Optional[Array[String]] $main_team_user = undef,
Optional[Array[String]] $main_team_group = undef,
Enum['absent', 'present'] $ensure = 'present',
) {
$env_file = "${concourse::web::conf_dir}/auth-ldap"
$environment = {
'CONCOURSE_LDAP_HOST' => $host,
'CONCOURSE_LDAP_BIND_DN' => $bind_dn,
'CONCOURSE_LDAP_BIND_PW' => $bind_pw,
'CONCOURSE_LDAP_USER_SEARCH_BASE_DN' => $user_search_base_dn,
'CONCOURSE_LDAP_USER_SEARCH_USERNAME' => $user_search_username,
'CONCOURSE_LDAP_DISPLAY_NAME' => $display_name,
'CONCOURSE_LDAP_USER_SEARCH_FILTER' => $user_search_filter,
'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR' => $user_search_id_attr,
'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR' => $user_search_email_attr,
'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR' => $user_search_name_attr,
'CONCOURSE_LDAP_CA_CERT' => $ca_cert,
'CONCOURSE_LDAP_INSECURE_NO_SSL' => $insecure_no_ssl,
'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN' => $group_search_base_dn,
'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR' => $group_search_name_attr,
'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR' => $group_search_user_attr,
'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
'CONCOURSE_LDAP_GROUP_SEARCH_FILTER' => $group_search_filter,
'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER' => $main_team_user ? {
Array => $main_team_user.join(','),
default => undef,
},
'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP' => $main_team_group ? {
Array => $main_team_user.join(','),
default => undef,
},
}
file { $env_file:
ensure => $ensure,
content => epp("${module_name}/env.epp", { 'entries' => $environment }),
# To not show new password
show_diff => false,
mode => '0600',
}
$dropin_content = @("EOF")
[Service]
EnvironmentFile=${env_file}
| EOF
systemd::dropin_file { 'concourse-ldap-auth.conf':
ensure => $ensure,
unit => $concourse::web::service_unit,
content => $dropin_content,
}
}
|