Permalink
Browse files

Prototyping out the desired interface.

  Now that all the the pieces have been discovered that need to occur to
  make a functional apacheds implementation the module is to be rewriten
  to accomplish a cleaner interface for one to interact with.

  Prototype and brainstorm all the needed classes and type/providers to
  be written.
  • Loading branch information...
1 parent 09bde4b commit 8129eace687583f98c20487d27f941303907b8f6 @ody ody committed May 17, 2012
Showing with 175 additions and 129 deletions.
  1. +66 −128 manifests/init.pp
  2. +1 −1 tests/init.pp
  3. +75 −0 tests/puppetlabs/master.pp
  4. +33 −0 tests/puppetlabs/slave.pp
View
@@ -1,154 +1,92 @@
-# == Class: apacheds
-#
-# Full description of class apacheds here.
-#
-# === Parameters
-#
-# Document parameters here.
-#
-# [*sample_parameter*]
-# Explanation of what this parameter affects and what it defaults to.
-# e.g. "Specify one or more upstream ntp servers as an array."
-#
-# === Variables
-#
-# Here you should define a list of variables that this module would require.
-#
-# [*sample_variable*]
-# Explanation of how this variable affects the funtion of this class and if it
-# has a default. e.g. "The parameter enc_ntp_servers must be set by the
-# External Node Classifier as a comma separated list of hostnames." (Note,
-# global variables should not be used in preference to class parameters as of
-# Puppet 2.6.)
-#
-# === Examples
-#
-# class { apacheds:
-# servers => [ 'pool.ntp.org', 'ntp.local.company.com' ]
-# }
-#
-# === Authors
-#
-# Author Name <author@domain.com>
-#
-# === Copyright
-#
-# Copyright 2011 Your name here, unless otherwise noted.
-#
+# What I want the interface to this module to actually look like.
class apacheds(
- $rootpw = 'foobar',
- $server = 'ldap-module.vm.vmware',
- $port = '10389',
- $version = '2.0.0-M6'
+ $rootpw = hiera('apacheds::rootpw'),
+ $master_host = hiera('apacheds::master_host'),
+ $port = '10389',
+ $ssl_port = '10636',
+ $parition_dn = hiera('apacheds::partition_dn'),
+ $jks_pw = hiera('apacheds::jks_pw'),
+ $version,
+ $master
) {
class { 'java': distribution => 'jre' }
package { 'apacheds':
ensure => $version,
+ before => File['/etc/apacheds'],
require => Class['java'],
}
- Exec { logoutput => on_failure }
+ File { mode => '0644', owner => 'apacheds', group => 'root', }
- # Config file needs to me managed in some for or another to be able to add
- # our partition and turn on SSL. Production module will use java_ks for
- # certificates and a more thoroughly templatized config...unless it get a
- # little crazy and write something to generalize the management of xml files...
- file { 'server_config':
- path => "/var/lib/apacheds-${version}/default/conf/server.xml",
- ensure => present,
- content => template("${module_name}/server_xml.erb"),
- mode => '0644',
- owner => 'apacheds',
- group => 'apacheds',
- notify => Service['apacheds'],
- require => Package['apacheds'],
+ file { '/etc/apacheds':
+ ensure => directory,
}
- # The service exits as up before the LDAP backend it full up. Giving it a
- # little extra time to come up...Yet another reason for a type to do the LDIF
- # modifications, clean retries.
- service { 'apacheds':
- name => "apacheds-${version}-default",
- ensure => running,
- enable => true,
- restart => "/etc/init.d/apacheds-${version}-default restart && sleep 5",
- require => Package['apacheds'],
- }
-
- # All our templates that need to be loaded into our new LDAP server. None
- # are actually currently "templates"...The template function just works best
- # when interacting with Exec resources.
- $rootpw_ldif = template("${module_name}/rootpw_ldif.erb")
- $schema_ldif = template("${module_name}/schemas_ldif.erb")
- $pl_context_ldif = template("${module_name}/pl_context_ldif.erb")
- $ou_ldif = template("${module_name}/ou_ldif.erb")
- $entries_ldif = template("${module_name}/entries_ldif.erb")
- $initial_subentry_ldif = template("${module_name}/initial_subentry_ldif.erb")
- $self_access_ldif = template("${module_name}/self_access_ldif.erb")
- $dir_managers_ldif = template("${module_name}/dir_managers_ldif.erb")
-
- # Now to change the default password. Have to wait a little while for the
- # password to expire from the cache so we can do the later operations.
- exec { 'update password':
- command => "echo '${rootpw_ldif}' | ldapmodify -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w secret && sleep 5",
- onlyif => "ldapsearch -ZZ -D uid=admin,ou=system -LLL -H ldap://${server}:${port} -x -w secret -b ou=system ou=system",
- path => [ '/bin', '/usr/bin' ],
- require => Service['apacheds'],
+ file { '/etc/apacheds/certs':
+ ensure => directory,
+ mode => '0750',
+ before => Java_ks[$::fqdn],
}
- # Turn on specific schemas for doing posix account management.
- exec { 'turn on schemas':
- command => "echo '${schema_ldif}' | ldapmodify -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- onlyif => "ldapsearch -ZZ -LLL -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw} -b ou=schema cn=nis m-disabled | grep TRUE",
- path => [ '/bin', '/usr/bin' ],
- require => Exec['update password'],
+ java_ks { 'ca':
+ ensure => latest,
+ password => $jks_pw,
+ certificate => "/etc/apacheds/certs/${::fqdn}.pem",
+ pirvate_key => "/etc/apacheds/certs/${::fqdn}.key",
+ target => "/var/lib/${version}/default/apacheds.jks",
+ before => Class['apacheds::config'],
+ require => Package['apacheds'],
}
- # Adds the base context for our dc=puppetlabs,dc=net parition.
- exec { 'add context':
- command => "echo '${pl_context_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- onlyif => "test `ldapsearch -ZZ -D uid=admin,ou=system -LLL -H ldap://${server}:${port} -x -w ${rootpw} -b dc=puppetlabs,dc=net '(ObjectClass=*)' dc=puppetlabs,dc=net | wc -l` = 0",
- path => [ '/bin', '/usr/bin' ],
- require => Exec['update password'],
+ java_ks { $::fqdn:
+ ensure => latest,
+ password => $jks_pw,
+ certificate => '/etc/apacheds/certs/ca.pem',
+ target => "/var/lib/${version}/default/apacheds.jks",
+ trustcacerts => true,
+ before => Class['apacheds::config'],
+ require => Package['apacheds'],
}
- # Add a set of precanned organizational units that work well for us.
- exec { 'add ou':
- command => "echo '${ou_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- unless => "test `ldapsearch -D uid=admin,ou=system -ZZ -H ldap://${server}:${port} -w ${rootpw} -x -b dc=puppetlabs,dc=net -LLL '(|(ou=people)(ou=group)(ou=autofs))' ou | grep ou: | wc -l` = 3",
- path => [ '/bin', '/usr/bin' ],
- require => Exec[[ 'add context', 'turn on schemas' ] ],
- }
+ if $master {
- # Adds a few default entries that people can use at templates for creating
- # new users, groups, or automounts.
- exec { 'add entries':
- command => "echo '${entries_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- unless => "test `ldapsearch -D uid=admin,ou=system -ZZ -H ldap://${server}:${port} -w ${rootpw} -x -b dc=puppetlabs,dc=net -LLL uid=zero uid | grep uid: | wc -l` = 1",
- path => [ '/bin', '/usr/bin' ],
- require => Exec[ [ 'add ou', 'turn on schemas' ] ],
- }
+ # Master config
+ class { 'apacheds::config':
+ master => true, # Would be default
+ port => $port,
+ ssl_port => $ssl_port,
+ use_ldaps => true,
+ jks => 'apacheds.jks',
+ jks_pw => $jks_pw,
+ partition_dn => $parition_dn,
+ allow_hashed_pw => true, # Would be default
+ version => $version, # Yes this sucks but I don't want to repackage it.
+ require => Package['apacheds'],
+ }
- exec { 'intial subentry and aci':
- command => "echo '${initial_subentry_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- unless => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry | grep 'cn: puppetlabsACISubentry'",
- path => [ '/bin', '/usr/bin' ],
- require => Exec['add context'],
- }
+ } else {
- exec { 'self access':
- command => "echo '${self_access_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- unless => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry prescriptiveACI | grep allowSelfAccessAndModification",
- path => [ '/bin', '/usr/bin' ],
- require => Exec['intial subentry and aci'],
+ # Slave config
+ class { 'apacheds::config':
+ master => false,
+ master_host => $master_host,
+ port => $port,
+ ssl_port => $ssl_port,
+ use_ldaps => true,
+ jks => 'apacheds.jks',
+ partition_dn => $parition_dn,
+ allow_hashed_pw => true,
+ version => $version, # Yes this sucks but I don't want to repackage it.
+ require => Package['apacheds'],
+ }
}
- exec { 'directory managers':
- command => "echo '${dir_managers_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
- unless => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry prescriptiveACI | grep directoryManagerFullAccessACI",
- path => [ '/bin', '/usr/bin' ],
- require => Exec['intial subentry and aci'],
+ service { 'apacheds':
+ name => "apacheds-${version}-default",
+ ensure => running,
+ enable => true,
+ subscribe => [ Package['apacheds'], Class['apacheds::config'], ],
}
}
View
@@ -1 +1 @@
-include apacheds
+class { 'apacheds': master => true' }
@@ -0,0 +1,75 @@
+# What I want the interface to this module to actually look like.
+class service::ldap::master(
+ $admin_dn = 'uid=admin,ou=system',
+ $admin_default_pw = 'secret',
+ $admin_pw = hiera('service::ldap::admin_pw'),
+ $server = $apacheds::master,
+ $port = $apacheds::port,
+ $directory_managers = hiera('service::ldap::directory_managers'),
+) {
+
+ class { 'apacheds': master => true, version => '2.0.0-M6' }
+
+ Ads_entry {
+ admin_dn => $admin_dn,
+ admin_pw => $admin_pw,
+ admin_default_pw => $admin_default_pw,
+ server => $server,
+ port => $port,
+ }
+
+ ads_entry { 'uid=admin':
+ ensure => present,
+ attributes => { 'userPassword' => $admin_pw },
+ require => Class['apacheds'],
+ }
+
+ ads_entry { 'dc=puppetlabs,dc=net':
+ ensure => present,
+ objectclass => [ 'dcObject', 'top', 'organization', 'administrativeRole' ],
+ attributes => { 'o' => 'Puppet Labs', 'administrativeRole' => 'accessControlSpecificArea' },
+ require => Ads_entry['uid=admin'],
+ }
+
+ ads_entry { 'ou=people':
+ ensure => present,
+ base => 'dc=puppetlabs,dc=net',
+ objectclass => [ 'dcObject', 'top', 'organizationalUnit' ],
+ attributes => { 'ou' => 'people', },
+ require => Ads_entry['dc=puppetlabs,dc=net'],
+ }
+
+ ads_entry { 'ou=group':
+ ensure => present,
+ base => 'dc=puppetlabs,dc=net',
+ objectclass => [ 'top', 'organizationalUnit' ],
+ attributes => { 'ou' => 'group', },
+ require => Ads_entry['dc=puppetlabs,dc=net'],
+ }
+
+ ads_entry { 'ou=automount':
+ ensure => present,
+ base => 'dc=puppetlabs,dc=net',
+ objectclass => [ 'top', 'organizationalUnit' ],
+ attributes => { 'ou' => 'automount', },
+ require => Ads_entry['dc=puppetlabs,dc=net'],
+ }
+
+ $dir_manager = template("${module_name}/dir_managers_ldif.erb")
+ $default_all_users = template("${module_name}/default_all_users_ldif.erb")
+ $self_access = template("${module_name}/self_acces_ldif.erb")
+
+ ads_entry { 'cn=puppetlabsACISubentry':
+ ensure => present,
+ base => 'dc=puppetlabs,dc=net',
+ objectclass => [ 'accessControlSubentry', 'top', 'subentry' ],
+ attributes => {
+ 'cn' => 'puppetlabsACISubentry',
+ 'prescriptiveACI' => $dir_managers,
+ 'prescriptiveACI' => $default_all_users,
+ 'prescriptiveACI' => $self_access,
+ },
+ require => Ads_entry['dc=puppetlabs,dc=net'],
+ }
+}
+
@@ -0,0 +1,33 @@
+# What I want the interface to this module to actually look like.
+
+class service::ldap::slave(
+ $admin_dn = 'uid=admin,ou=system',
+ $admin_default_pw = 'secret',
+ $admin_pw = hiera('service::ldap::admin_pw'),
+ $server = $apacheds::master,
+ $port = $apacheds::port
+) {
+
+ class { 'apacheds': master => false, version => '2.0.0-M6' }
+
+ Ads_entry {
+ admin_dn => $admin_dn,
+ admin_pw => $admin_pw,
+ admin_default_pw => $admin_default_pw,
+ server => $server,
+ port => $port,
+ }
+
+ ads_entry { 'uid=admin':
+ ensure => present,
+ attributes => { 'userPassword' => $admin_pw },
+ require => Class['apacheds'],
+ }
+
+ ads_entry { 'dc=puppetlabs,dc=net':
+ ensure => present,
+ objectclass => [ 'dcObject', 'top', 'organization', 'administrativeRole' ],
+ attributes => { 'o' => 'Puppet Labs', 'administrativeRole' => 'accessControlSpecificArea' },
+ require => Ads_entry['uid=admin'],
+ }
+}

0 comments on commit 8129eac

Please sign in to comment.