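# @summary Concourse LDAP authentication
#
# Renders the `CONCOURSE_LDAP_*` environment for the concourse web service
# into an EnvironmentFile and wires that file into the service unit through
# a systemd drop-in. Most attributes map directly to concourse's options,
# but with `CONCOURSE_LDAP_` prefixed.
#
# @param host LDAP server to connect to (CONCOURSE_LDAP_HOST).
# @param bind_dn DN concourse binds as to search for users and groups.
# @param bind_pw Password for `bind_dn`. May be passed as `Sensitive` so it
#   is redacted in catalogs, reports and logs. The env.epp template is then
#   responsible for unwrapping it when rendering — a Sensitive value that is
#   interpolated as-is renders as "Sensitive [value redacted]", not the
#   password. NOTE(review): confirm env.epp unwraps Sensitive values.
# @param user_search_base_dn Base DN for user searches.
# @param user_search_username Attribute matched against the login name.
# @param display_name Name shown for this auth method on the login page.
# @param user_search_filter Extra LDAP filter applied to user searches.
# @param user_search_id_attr Attribute used as the user id.
# @param user_search_email_attr Attribute used as the user's email.
# @param user_search_name_attr Attribute used as the user's display name.
# @param ca_cert Path to a CA certificate bundle used to verify the server.
# @param insecure_no_ssl Disable TLS towards the LDAP server. Only for
#   isolated test setups: with this set, the bind password and every user's
#   credentials cross the network in clear text.
# @param group_search_base_dn Base DN for group searches; unset disables
#   group lookups.
# @param group_search_name_attr Attribute holding the group name.
# @param group_search_user_attr User attribute matched against group members.
# @param group_search_group_attr Group attribute listing its members.
# @param group_search_filter Extra LDAP filter applied to group searches.
# @param main_team_user LDAP users granted membership of the main team.
#   Joined with ',' for CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER.
# @param main_team_group LDAP groups granted membership of the main team.
#   Joined with ',' for CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP.
# @param ensure Whether the env file and drop-in are present or absent.
class concourse::auth::ldap (
  String $host,
  String $bind_dn,
  Variant[String, Sensitive[String]] $bind_pw,
  String $user_search_base_dn,
  String $user_search_username = 'uid',
  Optional[String] $display_name = undef,
  Optional[String] $user_search_filter = undef,
  Optional[String] $user_search_id_attr = undef,
  Optional[String] $user_search_email_attr = undef,
  Optional[String] $user_search_name_attr = undef,
  Optional[Stdlib::Absolutepath] $ca_cert = undef,
  Boolean $insecure_no_ssl = false,
  Optional[String] $group_search_base_dn = undef,
  String $group_search_name_attr = 'ou',
  String $group_search_user_attr = 'uid',
  String $group_search_group_attr = 'members',
  Optional[String] $group_search_filter = undef,
  # Optional without a default would still make the parameter mandatory;
  # both lists are genuinely optional.
  Optional[Array[String]] $main_team_user = undef,
  Optional[Array[String]] $main_team_group = undef,

  Enum['absent', 'present'] $ensure = 'present',
) {
  $env_file = "${concourse::web::conf_dir}/auth-ldap"

  # Concourse expects comma separated lists for the main team membership.
  # Leave the variable undef when no list was given so the template can
  # skip the option entirely.
  $main_team_user_list = $main_team_user ? {
    Array   => $main_team_user.join(','),
    default => undef,
  }
  $main_team_group_list = $main_team_group ? {
    Array   => $main_team_group.join(','),
    default => undef,
  }

  $environment = {
    'CONCOURSE_LDAP_HOST'                    => $host,
    'CONCOURSE_LDAP_BIND_DN'                 => $bind_dn,
    'CONCOURSE_LDAP_BIND_PW'                 => $bind_pw,
    'CONCOURSE_LDAP_USER_SEARCH_BASE_DN'     => $user_search_base_dn,
    'CONCOURSE_LDAP_USER_SEARCH_USERNAME'    => $user_search_username,
    'CONCOURSE_LDAP_DISPLAY_NAME'            => $display_name,
    'CONCOURSE_LDAP_USER_SEARCH_FILTER'      => $user_search_filter,
    'CONCOURSE_LDAP_USER_SEARCH_ID_ATTR'     => $user_search_id_attr,
    'CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR'  => $user_search_email_attr,
    'CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR'   => $user_search_name_attr,
    'CONCOURSE_LDAP_CA_CERT'                 => $ca_cert,
    'CONCOURSE_LDAP_INSECURE_NO_SSL'         => $insecure_no_ssl,
    'CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN'    => $group_search_base_dn,
    'CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR'  => $group_search_name_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR'  => $group_search_user_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR' => $group_search_group_attr,
    'CONCOURSE_LDAP_GROUP_SEARCH_FILTER'     => $group_search_filter,
    'CONCOURSE_LDAP_MAIN_TEAM_LDAP_USER'     => $main_team_user_list,
    # Was previously built from $main_team_user, silently granting the main
    # team to the user list instead of the configured groups.
    'CONCOURSE_LDAP_MAIN_TEAM_LDAP_GROUP'    => $main_team_group_list,
  }

  file { $env_file:
    ensure    => $ensure,
    # The rendered file contains the bind password; wrapping the content in
    # Sensitive keeps it out of the catalog and agent reports in clear text.
    content   => Sensitive(epp("${module_name}/env.epp", $environment)),
    # To not show the password in diffs
    show_diff => false,
    # systemd reads the EnvironmentFile as root; nobody else needs it.
    mode      => '0600',
  }

  systemd::manage_dropin { 'concourse-ldap-auth':
    ensure        => $ensure,
    unit          => $concourse::web::service,
    service_entry => {
      'EnvironmentFile' => $env_file,
    },
  }
}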