Prototyping out the desired interface.

Now that all the the pieces have been discovered that need to occur to make a functional apacheds implementation the module is to be rewriten to accomplish a cleaner interface for one to interact with. Prototype and brainstorm all the needed classes and type/providers to be written.
puppetlabs-toy-chest · Jun 13, 2012 · 8129eac · 8129eac
1 parent 09bde4b
commit 8129eac
Show file tree

Hide file tree

Showing 4 changed files with 175 additions and 129 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -1,154 +1,92 @@
-# == Class: apacheds
-#
-# Full description of class apacheds here.
-#
-# === Parameters
-#
-# Document parameters here.
-#
-# [*sample_parameter*]
-#   Explanation of what this parameter affects and what it defaults to.
-#   e.g. "Specify one or more upstream ntp servers as an array."
-#
-# === Variables
-#
-# Here you should define a list of variables that this module would require.
-#
-# [*sample_variable*]
-#   Explanation of how this variable affects the funtion of this class and if it
-#   has a default. e.g. "The parameter enc_ntp_servers must be set by the
-#   External Node Classifier as a comma separated list of hostnames." (Note,
-#   global variables should not be used in preference to class parameters  as of
-#   Puppet 2.6.)
-#
-# === Examples
-#
-#  class { apacheds:
-#    servers => [ 'pool.ntp.org', 'ntp.local.company.com' ]
-#  }
-#
-# === Authors
-#
-# Author Name <author@domain.com>
-#
-# === Copyright
-#
-# Copyright 2011 Your name here, unless otherwise noted.
-#
+# What I want the interface to this module to actually look like.
 class apacheds(
-  $rootpw = 'foobar',
-  $server = 'ldap-module.vm.vmware',
-  $port   = '10389',
-  $version = '2.0.0-M6'
+  $rootpw      = hiera('apacheds::rootpw'),
+  $master_host = hiera('apacheds::master_host'),
+  $port        = '10389',
+  $ssl_port    = '10636',
+  $parition_dn = hiera('apacheds::partition_dn'),
+  $jks_pw      = hiera('apacheds::jks_pw'),
+  $version,
+  $master
 ) {
 
   class { 'java': distribution => 'jre' }
 
   package { 'apacheds':
     ensure  => $version,
+    before  => File['/etc/apacheds'],
     require => Class['java'],
   }
 
-  Exec { logoutput => on_failure }
+  File { mode => '0644', owner => 'apacheds', group => 'root', }
 
-  # Config file needs to me managed in some for or another to be able to add
-  # our partition and turn on SSL.  Production module will use java_ks for
-  # certificates and a more thoroughly templatized config...unless it get a
-  # little crazy and write something to generalize the management of xml files...
-  file { 'server_config':
-    path    => "/var/lib/apacheds-${version}/default/conf/server.xml",
-    ensure  => present,
-    content => template("${module_name}/server_xml.erb"),
-    mode    => '0644',
-    owner   => 'apacheds',
-    group   => 'apacheds',
-    notify  => Service['apacheds'],
-    require => Package['apacheds'],
+  file { '/etc/apacheds':
+    ensure => directory,
   }
 
-  # The service exits as up before the LDAP backend it full up.  Giving it a
-  # little extra time to come up...Yet another reason for a type to do the LDIF
-  # modifications, clean retries.
-  service { 'apacheds':
-    name    => "apacheds-${version}-default",
-    ensure  => running,
-    enable  => true,
-    restart => "/etc/init.d/apacheds-${version}-default restart && sleep 5",
-    require => Package['apacheds'],
-  }
-
-  # All our templates that need to be loaded into our new LDAP server.  None
-  # are actually currently "templates"...The template function just works best
-  # when interacting with Exec resources.
-  $rootpw_ldif = template("${module_name}/rootpw_ldif.erb")
-  $schema_ldif = template("${module_name}/schemas_ldif.erb")
-  $pl_context_ldif = template("${module_name}/pl_context_ldif.erb")
-  $ou_ldif = template("${module_name}/ou_ldif.erb")
-  $entries_ldif = template("${module_name}/entries_ldif.erb")
-  $initial_subentry_ldif = template("${module_name}/initial_subentry_ldif.erb")
-  $self_access_ldif = template("${module_name}/self_access_ldif.erb")
-  $dir_managers_ldif = template("${module_name}/dir_managers_ldif.erb")
-
-  # Now to change the default password.  Have to wait a little while for the
-  # password to expire from the cache so we can do the later operations.
-  exec { 'update password':
-    command => "echo '${rootpw_ldif}' | ldapmodify -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w secret && sleep 5",
-    onlyif  => "ldapsearch -ZZ -D uid=admin,ou=system -LLL -H ldap://${server}:${port} -x -w secret -b ou=system ou=system",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Service['apacheds'],
+  file { '/etc/apacheds/certs':
+    ensure => directory,
+    mode   => '0750',
+    before => Java_ks[$::fqdn],
   }
 
-  # Turn on specific schemas for doing posix account management.
-  exec { 'turn on schemas':
-    command => "echo '${schema_ldif}' | ldapmodify -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    onlyif  => "ldapsearch -ZZ -LLL -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw} -b ou=schema cn=nis m-disabled | grep TRUE",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec['update password'],
+  java_ks { 'ca':
+    ensure      => latest,
+    password    => $jks_pw,
+    certificate => "/etc/apacheds/certs/${::fqdn}.pem",
+    pirvate_key => "/etc/apacheds/certs/${::fqdn}.key",
+    target      => "/var/lib/${version}/default/apacheds.jks",
+    before      => Class['apacheds::config'],
+    require     => Package['apacheds'],
   }
 
-  # Adds the base context for our dc=puppetlabs,dc=net parition.
-  exec { 'add context':
-    command => "echo '${pl_context_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    onlyif  => "test `ldapsearch -ZZ -D uid=admin,ou=system -LLL -H ldap://${server}:${port} -x -w ${rootpw} -b dc=puppetlabs,dc=net '(ObjectClass=*)' dc=puppetlabs,dc=net | wc -l` = 0",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec['update password'],
+  java_ks { $::fqdn:
+    ensure       => latest,
+    password     => $jks_pw,
+    certificate  => '/etc/apacheds/certs/ca.pem',
+    target       => "/var/lib/${version}/default/apacheds.jks",
+    trustcacerts => true,
+    before       => Class['apacheds::config'],
+    require      => Package['apacheds'],
   }
 
-  # Add a set of precanned organizational units that work well for us.
-  exec { 'add ou':
-    command => "echo '${ou_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    unless  => "test `ldapsearch -D uid=admin,ou=system -ZZ -H ldap://${server}:${port} -w ${rootpw} -x -b dc=puppetlabs,dc=net -LLL '(|(ou=people)(ou=group)(ou=autofs))' ou | grep ou: | wc -l` = 3",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec[[ 'add context', 'turn on schemas' ] ],
-  }
+  if $master {
 
-  # Adds a few default entries that people can use at templates for creating
-  # new users, groups, or automounts.
-  exec { 'add entries':
-    command => "echo '${entries_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    unless  => "test `ldapsearch -D uid=admin,ou=system -ZZ -H ldap://${server}:${port} -w ${rootpw} -x -b dc=puppetlabs,dc=net -LLL uid=zero uid | grep uid: | wc -l` = 1",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec[ [ 'add ou', 'turn on schemas' ] ],
-  }
+    # Master config
+    class { 'apacheds::config':
+      master          => true,  # Would be default
+      port            => $port,
+      ssl_port        => $ssl_port,
+      use_ldaps       => true,
+      jks             => 'apacheds.jks',
+      jks_pw          => $jks_pw,
+      partition_dn    => $parition_dn,
+      allow_hashed_pw => true,  # Would be default
+      version         => $version, # Yes this sucks but I don't want to repackage it.
+      require         => Package['apacheds'],
+    }
 
-  exec { 'intial subentry and aci':
-    command => "echo '${initial_subentry_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    unless  => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry | grep 'cn: puppetlabsACISubentry'",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec['add context'],
-  }
+  } else {
 
-  exec { 'self access':
-    command => "echo '${self_access_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    unless  => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry prescriptiveACI | grep allowSelfAccessAndModification",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec['intial subentry and aci'],
+    # Slave config
+    class { 'apacheds::config':
+      master          => false,
+      master_host     => $master_host,
+      port            => $port,
+      ssl_port        => $ssl_port,
+      use_ldaps       => true,
+      jks             => 'apacheds.jks',
+      partition_dn    => $parition_dn,
+      allow_hashed_pw => true,
+      version         => $version, # Yes this sucks but I don't want to repackage it.
+      require         => Package['apacheds'],
+    }
   }
 
-  exec { 'directory managers':
-    command => "echo '${dir_managers_ldif}' | ldapadd -ZZ -D uid=admin,ou=system -H ldap://${server}:${port} -x -w ${rootpw}",
-    unless  => "ldapsearch -ZZ -H ldap://${server}:${port} -D uid=admin,ou=system -w ${rootpw} -x -b dc=puppetlabs,dc=net -E subentries=true -LLL cn=puppetlabsACISubentry prescriptiveACI | grep directoryManagerFullAccessACI",
-    path    => [ '/bin', '/usr/bin' ],
-    require => Exec['intial subentry and aci'],
+  service { 'apacheds':
+    name      => "apacheds-${version}-default",
+    ensure    => running,
+    enable    => true,
+    subscribe => [ Package['apacheds'], Class['apacheds::config'], ],
   }
 }
diff --git a/tests/init.pp b/tests/init.pp
@@ -1 +1 @@
-include apacheds
+class { 'apacheds': master => true' }
diff --git a/tests/puppetlabs/master.pp b/tests/puppetlabs/master.pp
@@ -0,0 +1,75 @@
+# What I want the interface to this module to actually look like.
+class service::ldap::master(
+  $admin_dn           = 'uid=admin,ou=system',
+  $admin_default_pw   = 'secret',
+  $admin_pw           = hiera('service::ldap::admin_pw'),
+  $server             = $apacheds::master,
+  $port               = $apacheds::port,
+  $directory_managers = hiera('service::ldap::directory_managers'),
+) {
+
+  class { 'apacheds': master => true, version => '2.0.0-M6' }
+
+  Ads_entry {
+    admin_dn         => $admin_dn,
+    admin_pw         => $admin_pw,
+    admin_default_pw => $admin_default_pw,
+    server           => $server,
+    port             => $port,
+  }
+
+  ads_entry { 'uid=admin':
+    ensure     => present,
+    attributes => { 'userPassword' => $admin_pw },
+    require    => Class['apacheds'],
+  }
+
+  ads_entry { 'dc=puppetlabs,dc=net':
+    ensure       => present,
+    objectclass  => [ 'dcObject', 'top', 'organization', 'administrativeRole' ],
+    attributes   => { 'o' => 'Puppet Labs', 'administrativeRole' => 'accessControlSpecificArea' },
+    require      => Ads_entry['uid=admin'],
+  }
+
+  ads_entry { 'ou=people':
+    ensure       => present,
+    base         => 'dc=puppetlabs,dc=net',
+    objectclass  => [ 'dcObject', 'top', 'organizationalUnit' ],
+    attributes   => { 'ou' => 'people',  },
+    require      => Ads_entry['dc=puppetlabs,dc=net'],
+  }
+
+  ads_entry { 'ou=group':
+    ensure       => present,
+    base         => 'dc=puppetlabs,dc=net',
+    objectclass  => [ 'top', 'organizationalUnit' ],
+    attributes   => { 'ou' => 'group', },
+    require      => Ads_entry['dc=puppetlabs,dc=net'],
+  }
+
+  ads_entry { 'ou=automount':
+    ensure       => present,
+    base         => 'dc=puppetlabs,dc=net',
+    objectclass  => [ 'top', 'organizationalUnit' ],
+    attributes   => { 'ou' => 'automount', },
+    require      => Ads_entry['dc=puppetlabs,dc=net'],
+  }
+
+  $dir_manager = template("${module_name}/dir_managers_ldif.erb")
+  $default_all_users = template("${module_name}/default_all_users_ldif.erb")
+  $self_access = template("${module_name}/self_acces_ldif.erb")
+
+  ads_entry { 'cn=puppetlabsACISubentry':
+    ensure      => present,
+    base        => 'dc=puppetlabs,dc=net',
+    objectclass => [ 'accessControlSubentry', 'top', 'subentry' ],
+    attributes  => {
+      'cn'              => 'puppetlabsACISubentry',
+      'prescriptiveACI' => $dir_managers,
+      'prescriptiveACI' => $default_all_users,
+      'prescriptiveACI' => $self_access,
+    },
+    require      => Ads_entry['dc=puppetlabs,dc=net'],
+  }
+}
+
diff --git a/tests/puppetlabs/slave.pp b/tests/puppetlabs/slave.pp
@@ -0,0 +1,33 @@
+# What I want the interface to this module to actually look like.
+
+class service::ldap::slave(
+  $admin_dn         = 'uid=admin,ou=system',
+  $admin_default_pw = 'secret',
+  $admin_pw         = hiera('service::ldap::admin_pw'),
+  $server           = $apacheds::master,
+  $port             = $apacheds::port
+) {
+
+  class { 'apacheds': master => false, version => '2.0.0-M6' }
+
+  Ads_entry {
+    admin_dn         => $admin_dn,
+    admin_pw         => $admin_pw,
+    admin_default_pw => $admin_default_pw,
+    server           => $server,
+    port             => $port,
+  }
+
+  ads_entry { 'uid=admin':
+    ensure     => present,
+    attributes => { 'userPassword' => $admin_pw },
+    require    => Class['apacheds'],
+  }
+
+  ads_entry { 'dc=puppetlabs,dc=net':
+    ensure      => present,
+    objectclass => [ 'dcObject', 'top', 'organization', 'administrativeRole' ],
+    attributes  => { 'o' => 'Puppet Labs', 'administrativeRole' => 'accessControlSpecificArea' },
+    require     => Ads_entry['uid=admin'],
+  }
+}