From a02332f46086050f903ea52bc72378583f404ac2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Tue, 20 Jun 2023 19:39:08 +0200
Subject: Major work.

---
 files/head.php | 12 ++++
 files/tail.php | 1 +
 manifests/auto_number/search.pp | 32 ++++++++++
 manifests/auto_number/uidpool.pp | 13 ++++
 manifests/init.pp | 68 +++++++++++++++++++-
 metadata.json | 4 ++
 templates/auto_number/search.epp | 29 +++++++++
 templates/auto_number/uidpool.epp | 11 ++++
 templates/config.php.epp | 128 +++++++++----------------------------
 9 files changed, 199 insertions(+), 99 deletions(-)
 create mode 100644 files/head.php
 create mode 100644 files/tail.php
 create mode 100644 manifests/auto_number/search.pp
 create mode 100644 manifests/auto_number/uidpool.pp
 create mode 100644 templates/auto_number/search.epp
 create mode 100644 templates/auto_number/uidpool.epp

diff --git a/files/head.php b/files/head.php
new file mode 100644
index 0000000..1644b01
--- /dev/null
+++ b/files/head.php
@@ -0,0 +1,12 @@
+
diff --git a/manifests/auto_number/search.pp b/manifests/auto_number/search.pp
new file mode 100644
index 0000000..2bb5ce8
--- /dev/null
+++ b/manifests/auto_number/search.pp
@@ -0,0 +1,32 @@
+# @summary Enable automatic uid and gid numbers by searching.
+#
+# @param search_base
+# ou=People,dc=example,dc=com
+#
+# @param uid
+# Minimum value for user id when searching for next available.
+#
+# @param gid
+# Minimum value for group id when searching for next available.
+#
+# @param dn
+# If you set this, then phpldapadmin will bind to LDAP with this user ID when
+# searching for the uidnumber. The idea is, this user id would have full
+# (readonly) access to uidnumber in your ldap directory (the logged in user
+# may not), so that you can be guaranteed to get a unique uidnumber for your
+# directory.
+# @param pass
+# The password for the dn above.
+class phpldapadmin::auto_number::search (
+ String $search_base,
+ Integer $uid = 10000,
+ Integer $gid = 10000,
+ Optional[String] $dn = undef,
+ Optional[Variant[String, Sensitive[String]]] $pass = undef,
+) {
+ concat::fragment { 'phpLDAPadmin Auto Number':
+ content => epp("${module_name}/auto_number/search.epp"),
+ target => $phpldapadmin::config_file,
+ order => $phpldapadmin::base_config_order + 10,
+ }
+}
diff --git a/manifests/auto_number/uidpool.pp b/manifests/auto_number/uidpool.pp
new file mode 100644
index 0000000..813afd0
--- /dev/null
+++ b/manifests/auto_number/uidpool.pp
@@ -0,0 +1,13 @@
+# @summary Enable automatic uid and gid number through a pool.
+#
+# It's unclear if this module works. the documentation mentions a
+# pre-defined uid pool, but no information about how to set it up.
+#
+class phpldapadmin::auto_number::uidpool (
+) {
+ concat::fragment { 'phpLDAPadmin Auto Number':
+ content => epp("${module_name}/auto_number/uidpool.epp"),
+ target => $phpldapadmin::config_file,
+ order => $phpldapadmin::base_config_order + 10,
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index b8be630..736ed79 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
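Review bot: Both `phpldapadmin::auto_number::search` and `phpldapadmin::auto_number::uidpool` read `$phpldapadmin::config_file` and `$phpldapadmin::base_config_order` without ensuring the `phpldapadmin` class has been evaluated first, so including either class before `phpldapadmin` yields undef for `target` and the fragment fails to compile; add `include phpldapadmin` as the first statement of each class body. The two classes also declare the same fragment title `'phpLDAPadmin Auto Number'`, which gives a duplicate-declaration error if both are included — presumably intentional since the mechanisms are mutually exclusive, but the `@summary` of each should say so. In `search.pp`, the `@param search_base` doc gives only an example value; `#   Base DN searched for existing uidNumber/gidNumber values, e.g. ou=People,dc=example,dc=com` would make the purpose explicit.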
@@ -1,19 +1,52 @@
 # @summary Configures PHPLDAPAdmin
 # @param servername
 # Pretty name for the server
+#
+# Only used if `$ldap_servers` is unset.
 # @param server_uri
 # Address of ldap server to connect to
+# /* Examples:
+# 'ldap.example.com',
+# 'ldaps://ldap.example.com/',
+# 'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
+# (Unix socket at /usr/local/var/run/ldap) */
+#
+# Only used if `$ldap_servers` is unset.
 # @param port
 # Port of ldap server to connect to
+#
+# Only used if `$ldap_servers` is unset.
 # @param debug_mode
 # @param tmpdir
 # @param timezone
 # @param friendly_attrs
 # @param auth_type
+# @param blowfish_secret
+# phpLDAPadmin can encrypt the content of sensitive cookies if you
+# set this to a big random string.
+# @param base_dn
+# Optional list of base DNs of the ldap server. If left blank
+# then phpLDAPadmin auto-detect it for you
+# @param bind_dn_template
+# If login_attr was set to 'dn', it is possible to specify a template string to
+# build the DN from. Use '%s' where user input should be inserted. A user may
+# still enter the complete DN. In this case the template will not be used.
+#
+# Example: "cn=%s,ou=people,dc=example,dc=com"
+# @param config_file
+# Path to the configuration file.
+# TODO manage the symlink from the webroot to the configuration file.
+# @param ldap_servers
+# List of configured ldap servers. Defaults to a single server
+# consisting of $server_uri, $servername, and $port.
+#
+# @param open_tree
+# @param base_config_order
 class phpldapadmin (
 String $servername = 'My LDAP Server',
 String $server_uri = '127.0.0.1',
- Integer[0, 65535] $port = 389,
+ Optional[Integer[0, 65535]] $port = undef,
+ String $config_file = '/etc/webapps/phpldapadmin/config.php',
 Boolean $debug_mode = false,
 String $tmpdir = '/tmp',
 Optional[String] $timezone = undef,
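Review bot: `# @param open_tree` and `# @param base_config_order` are added without a description, and the three "Only used if `$ldap_servers` is unset" sentences are misleading because `$ldap_servers` always has a default built from `$servername`, `$server_uri` and `$port` — those values are only used through that default. Suggested text: `#   Whether phpLDAPadmin initially opens the first level of each tree.` for `open_tree`, `#   Concat order of the base configuration fragment; the auto_number fragments are placed relative to it.` for `base_config_order`, and `#   Only used through the default value of $ldap_servers.` in place of the three "unset" lines. The `$blowfish_secret` doc could also state that the value is written in clear into `$config_file`, since that is where it ends up.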
@@ -26,9 +59,24 @@ class phpldapadmin (
 'userPassword' => 'Password',
 },
 Enum['cookie', 'session', 'http', 'config', 'sasl', 'sasl_external'] $auth_type = 'session',
+ Array[Struct[{
+ name => Optional[String],
+ host => String,
+ port => Optional[Stdlib::Port],
+ }]] $ldap_servers = [{
+ name => $servername,
+ host => $server_uri,
+ port => $port,
+ }],
+ Optional[Sensitive[String]] $blowfish_secret = undef,
+ Optional[Array[String]] $base_dn = undef,
+ Optional[String] $bind_dn_template = undef,
+ Boolean $open_tree = false,
+ Integer $base_config_order = 10,
 ) {
 ensure_packages(['phpldapadmin'])
+ # TODO
 # /etc/php7/php.ini
 # extension=ldap
 # exteniosn
@@ -38,7 +86,23 @@ class phpldapadmin (
 ensure => directory,
 }
- file { '/etc/webapps/phpldapadmin/config.php':
+ concat { $config_file:
+ order => 'numeric',
+ }
+
+ concat::fragment { 'phpLDAPadmin header':
+ order => 0,
+ source => "puppet:///modules/${module_name}/head.php",
+ }
+
+ concat::fragment { 'phpLDAPadmin trailer':
+ order => 99,
+ source => "puppet:///modules/${module_name}/tail.php",
+ }
+
+ concat::fragment { 'Base phpLDAPadmin configuration':
 content => epp("${module_name}/config.php.epp"),
+ target => $config_file,
+ order => $base_config_order,
 }
 }
diff --git a/metadata.json b/metadata.json
index 2c21089..0e5bb6f 100644
--- a/metadata.json
+++ b/metadata.json
@@ -9,6 +9,10 @@
 {
 "name": "puppetlabs/stdlib",
 "version_requirement": ">= 8.1.0 < 9.0.0"
+ },
+ {
+ "name": "puppetlabs/concat",
+ "version_requirement": ">= 8.0.0 < 9.0.0"
 }
 ],
 "operatingsystem_support": [
diff --git a/templates/auto_number/search.epp b/templates/auto_number/search.epp
new file mode 100644
index 0000000..5817c76
--- /dev/null
+++ b/templates/auto_number/search.epp
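Review bot: The `'phpLDAPadmin header'` and `'phpLDAPadmin trailer'` fragments in the second init.pp hunk have no `target`, which `concat::fragment` requires, so the catalog fails to compile; add `target => $config_file,` to both, as the `'Base phpLDAPadmin configuration'` fragment already does. The `concat { $config_file: }` resource sets no `owner`, `group` or `mode`, yet the assembled file now carries `$blowfish_secret` (and, when `phpldapadmin::auto_number::search` is used, an LDAP bind password), so it should not be world-readable — `mode => '0640'` with the web server's group as `group` is the usual shape; the old `file` resource it replaces did not set a mode either, so this is a pre-existing gap the rewrite is a good moment to close. Since `$blowfish_secret` is `Sensitive`, the fragment content should probably be wrapped as `Sensitive(epp(...))` as well so the rendered secret does not appear in reports and logs.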
@@ -0,0 +1,29 @@
+/* This feature allows phpLDAPadmin to automatically determine the next
+ available uidNumber for a new entry. */
+$servers->setValue('auto_number','enable',true);
+
+/* The mechanism to use when finding the next available uidNumber. Two possible
+ values: 'uidpool' or 'search'.
+ The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
+ blindly lookup the next available uidNumber. The 'search' mechanism searches
+ for entries with a uidNumber value and finds the first available uidNumber
+ (slower). */
+$servers->setValue('auto_number', 'mechanism', 'search');
+
+/* The DN of the search base when the 'search' mechanism is used above. */
+
+$servers->setValue('auto_number','search_base','<%= $phpldapadmin::auto_number::search::search_base %>');
+
+/* The minimum number to use when searching for the next available number
+ (only when 'search' is used for auto_number. */
+$servers->setValue('auto_number','min',array(
+ 'uidNumber' => <%= $phpldapadmin::auto_number::search::uid %>,
+ 'gidNumber' => <%= $phpldapadmin::auto_number::serach::gid %>));
+
+<% if $phpldapadmin::auto_number::search::dn { %>
+$servers->setValue('auto_number', 'dn', '<%= $phpldapadmin::auto_number::search::dn %>');
+<% } %>
+
+<% if $phpldapadmin::auto_number::search::pass { %>
+$servers->setValue('auto_number', 'pass', '<%= $phpldapadmin::auto_number::search::pass %>');
+<% } %>
diff --git a/templates/auto_number/uidpool.epp b/templates/auto_number/uidpool.epp
new file mode 100644
index 0000000..7d608bb
--- /dev/null
+++ b/templates/auto_number/uidpool.epp
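Review bot: `$phpldapadmin::auto_number::serach::gid` on the `'gidNumber'` line is a typo for `search`, so the template either fails under strict variables or renders `'gidNumber' => ,`, which is invalid PHP; change it to `'gidNumber' => <%= $phpldapadmin::auto_number::search::gid %>));`. The `pass` line interpolates a value that `search.pp` allows to be `Sensitive[String]`, and EPP renders such a value as the literal text `Sensitive [value redacted]`, so a password given as `Sensitive` never reaches phpLDAPadmin — interpolate `$phpldapadmin::auto_number::search::pass.unwrap` (handling the plain-String case, or narrow the parameter type to `Sensitive[String]` only). `search_base`, `dn` and `pass` are all dropped into single-quoted PHP strings unescaped, so a value containing `'` or `\` breaks the generated file; escaping those two characters with `regsubst` before interpolation would make the template robust.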
@@ -0,0 +1,11 @@
+/* This feature allows phpLDAPadmin to automatically determine the next
+ available uidNumber for a new entry. */
+$servers->setValue('auto_number','enable',true);
+
+/* The mechanism to use when finding the next available uidNumber. Two possible
+ values: 'uidpool' or 'search'.
+ The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to
+ blindly lookup the next available uidNumber. The 'search' mechanism searches
+ for entries with a uidNumber value and finds the first available uidNumber
+ (slower). */
+$servers->setValue('auto_number','mechanism','uidpool');
diff --git a/templates/config.php.epp b/templates/config.php.epp
index fe09a00..2031945 100644
--- a/templates/config.php.epp
+++ b/templates/config.php.epp
@@ -1,36 +1,3 @@
-custom variable to do so.
- * For example, the default for defining the language in config_default.php
- *
- * $this->default->appearance['language'] = array(
- * 'desc'=>'Language',
- * 'default'=>'auto');
- *
- * to override this, use $config->custom->appearance['language'] = 'en_EN';
- *
- * This file is also used to configure your LDAP server connections.
- *
- * You must specify at least one LDAP server there. You may add
- * as many as you like. You can also specify your language, and
- * many other options.
- *
- * NOTE: Commented out values in this file prefixed by //, represent the
- * defaults that have been defined in config_default.php.
- * Commented out values prefixed by #, dont reflect their default value, you can
- * check config_default.php if you want to see what the default is.
- *
- * DONT change config_default.php, you changes will be lost by the next release
- * of PLA. Instead change this file - as it will NOT be replaced by a new
- * version of phpLDAPadmin.
- */
-
 /*********************************************
 * Useful important configuration overrides *
 *********************************************/
@@ -42,9 +9,11 @@ $config->custom->debug['syslog'] = true; $config->custom->debug['file'] = '/tmp/pla_debug.log'; <%- } -%> -/* phpLDAPadmin can encrypt the content of sensitive cookies if you set this - to a big random string. */ -// $config->custom->session['blowfish'] = null; +$config->custom->session['blowfish'] = <% if $phpldapadmin::blowfish_secret { -%> +"<%= $phpldapadmin::blowfish_secret %>" +<%- } else { -%> +null +<%- } -%>; /* If your auth_type is http, you can override your HTTP Authentication Realm. */ // $config->custom->session['http_realm'] = sprintf('%s %s',app_name(),'login'); @@ -259,7 +228,7 @@ $config->custom->appearance['friendly_attrs'] = array( *********************************************/ /* Add "modify group members" link to the attribute. */ -// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser'); +$config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser'); /* Configure filter for member search. This only applies to "modify group members" feature */ // $config->custom->modify_member['filter'] = '(objectclass=Person)'; @@ -268,9 +237,9 @@ $config->custom->appearance['friendly_attrs'] = array( // $config->custom->modify_member['attr'] = 'dn'; /* For Posix attributes */ -// $config->custom->modify_member['posixattr'] = 'uid'; -// $config->custom->modify_member['posixfilter'] = '(uid=*)'; -// $config->custom->modify_member['posixgroupattr'] = 'memberUid'; +$config->custom->modify_member['posixattr'] = 'uid'; +$config->custom->modify_member['posixfilter'] = '(uid=*)'; +$config->custom->modify_member['posixgroupattr'] = 'memberUid'; /********************************************* * Support for attrs display order * 
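Review bot: The new blowfish line emits `"<%= $phpldapadmin::blowfish_secret %>"`, but init.pp declares `$blowfish_secret` as `Sensitive[String]`, so the template writes the literal text `Sensitive [value redacted]` as the cookie key rather than the secret; use `"<%= $phpldapadmin::blowfish_secret.unwrap %>"` instead. The value also lands inside a double-quoted PHP string, where `$`, `\` and `"` in a random secret are interpreted by PHP, so a single-quoted string with `'` and `\` escaped is the safer form. The two `modify_member` hunks below turn previously commented-out defaults into unconditional settings; that is a behaviour change for existing users of the module that the one-line commit message does not mention.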
@@ -301,28 +270,26 @@ $config->custom->appearance['friendly_attrs'] = array( $servers = new Datastore(); -/* $servers->NewServer('ldap_pla') must be called before each new LDAP server - declaration. */ +<%- $phpldapadmin::ldap_servers.each |$server| { -%> $servers->newServer('ldap_pla'); + <%- if $server['name'] { -%> + $servers->setValue('server','name','<%= $server['name'] %>'); + <%- } -%> + $servers->setValue('server','host','<%= $server['server'] %>'); + <%- if $server['port'] { -%> + $servers->setValue('server','name','<%= $server['port'] %>'); + <%- } -%> +<%- } -%> -/* A convenient name that will appear in the tree viewer and throughout - phpLDAPadmin to identify this LDAP server to users. */ -$servers->setValue('server','name','<%= $phpldapadmin::servername %>'); - -/* Examples: - 'ldap.example.com', - 'ldaps://ldap.example.com/', - 'ldapi://%2fusr%local%2fvar%2frun%2fldapi' - (Unix socket at /usr/local/var/run/ldap) */ -$servers->setValue('server','host','<%= $phpldapadmin::server_uri %>'); -/* The port your LDAP server listens on (no quotes). 389 is standard. */ -$servers->setValue('server','port',<%= $phpldapadmin::port %>); +<% unless $phpldapadmin::base_dn =~ Undef { -%> +$servers->setValue('server','base',array( + <%- $phpldapadmin::base_dn.each |$dn| { -%> + '<%= $dn %>', + <%- } -%> +)); +<% } -%> -/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin - auto-detect it for you. */ -// TODO -// $servers->setValue('server','base',array('')); /* Five options for auth_type: 1. 'cookie': you will login via a web form, and a client-side cookie will 
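Review bot: The server loop reads `$server['server']`, but the `$ldap_servers` struct in init.pp defines the key as `host`, so every server is rendered with an empty host; and the port branch calls `setValue('server','name',...)`, which overwrites the display name with the port number and never configures the port. Change the two lines to `$servers->setValue('server','host','<%= $server['host'] %>');` and `$servers->setValue('server','port',<%= $server['port'] %>);` (the port is numeric, and the removed line wrote it unquoted). The `<%- if $server['port'] { -%>` guard is also false for port 0, which `Stdlib::Port` admits — harmless, but `=~ Undef` matches the style used for `$base_dn` just below.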
@@ -450,11 +417,9 @@ $servers->setValue('login','auth_type','<%= $phpldapadmin::auth_type %>'); setup. */ // $servers->setValue('login','class',array()); -/* If login_attr was set to 'dn', it is possible to specify a template string to - build the DN from. Use '%s' where user input should be inserted. A user may - still enter the complete DN. In this case the template will not be used. */ -// $servers->setValue('login','bind_dn_template',null); -# $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com'); +<% if $phpldapadmin::bind_dn_template { -%> +$servers->setValue('login','bind_dn_template', '<%= $phpldapadmin::bind_dn_template %>'); +<% } %> /* If you specified something different from 'dn', for example 'uid', as the login_attr above, you can optionally specify here to fall back to 
@@ -474,40 +439,11 @@ $servers->setValue('login','auth_type','<%= $phpldapadmin::auth_type %>'); // $servers->setValue('appearance','show_create',true); /* Set to true if you would like to initially open the first level of each tree. */ -// $servers->setValue('appearance','open_tree',false); +$servers->setValue('appearance','open_tree',<%= $phpldapadmin::open_tree %>); /* Set to true to display authorization ID in place of login dn (PHP 7.2+) */ // $servers->setValue('appearance','show_authz',false); -/* This feature allows phpLDAPadmin to automatically determine the next - available uidNumber for a new entry. */ -// $servers->setValue('auto_number','enable',true); - -/* The mechanism to use when finding the next available uidNumber. Two possible - values: 'uidpool' or 'search'. - The 'uidpool' mechanism uses an existing uidPool entry in your LDAP server to - blindly lookup the next available uidNumber. The 'search' mechanism searches - for entries with a uidNumber value and finds the first available uidNumber - (slower). */ -// $servers->setValue('auto_number','mechanism','search'); - -/* The DN of the search base when the 'search' mechanism is used above. */ -# $servers->setValue('auto_number','search_base','ou=People,dc=example,dc=com'); - -/* The minimum number to use when searching for the next available number - (only when 'search' is used for auto_number. */ -// $servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500)); - -/* If you set this, then phpldapadmin will bind to LDAP with this user ID when - searching for the uidnumber. The idea is, this user id would have full - (readonly) access to uidnumber in your ldap directory (the logged in user - may not), so that you can be guaranteed to get a unique uidnumber for your - directory. */ -// $servers->setValue('auto_number','dn',null); - -/* The password for the dn above. */ -// $servers->setValue('auto_number','pass',null); - /* Enable anonymous bind login. 
*/ // $servers->setValue('login','anon_bind',true); @@ -644,7 +580,5 @@ $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID' $config->custom->session['reCAPTCHA-enable'] = false; -$config->custom->session['reCAPTCHA-key-site'] = ''; -$config->custom->session['reCAPTCHA-key-server'] = ''; - -?> +$config->custom->session['reCAPTCHA-key-site'] = 'put-here-key-site'; +$config->custom->session['reCAPTCHA-key-server'] = 'put-here-key-server'; -- cgit v1.2.3
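Review bot: The reCAPTCHA keys are replaced by the hard-coded placeholders `'put-here-key-site'` and `'put-here-key-server'`, which cannot be set through the module and leave a fake credential string in every generated config; they should become class parameters (the server key as `Optional[Sensitive[String]]`, unwrapped in the template) defaulting to the previous empty strings, and the lines could stay as `$config->custom->session['reCAPTCHA-key-site'] = '';` until that exists. The removal of the closing `?>` presumably moves it into `files/tail.php`, whose content is not visible in this patch; if tail.php is only `?>`, a trailing newline after it would leak into the HTTP response, so leaving the tag out entirely is the safer choice.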