add some mod_ldap SSL-related directives, and populate README.md with…

… new LDAP things
sous-chefs · Nov 16, 2015 · 0706422 · 0706422
1 parent db5bb6e
commit 0706422
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -99,6 +99,11 @@ Example: `default['nagios']['conf']['cfg_dir'] = [ '/etc/nagios/conf.d' , '/usr/
 * `node['nagios']['ldap_bind_password']` - bind password used with the DN provided for searching ldap.
 * `node['nagios']['ldap_url']` - ldap url and search parameters.
 * `node['nagios']['ldap_authoritative']` - accepts "on" or "off". controls other authentication modules from authenticating the user if this one fails.
+* `node['nagios']['ldap_group_attribute']` - Set the Apache AuthLDAPGroupAttribute directive to a non-default value.
+* `node['nagios']['ldap_group_attribute_is_dn']` - accepts "on" or "off". Set the Apache AuthLDAPGroupAttributeIsDN directive. Apache's default behavior is currently "on."
+* `node['nagios']['ldap_verify_cert']` - accepts "on" or "off". Set the Apache mod_ldap LDAPVerifyServerCert directive. Apache's default behavior is currently "on."
+* `node['nagios']['ldap_trusted_mode']` - Set the Apache mod_ldap LDAPTrustedMode directive.
+* `node['nagios']['ldap_trusted_global_cert']` - Set the Apache mod_ldap LDAPTrustedGlobalCert directive.
 * `node['nagios']['users_databag']` - the databag containing users to search for. defaults to users
 * `node['nagios']['users_databag_group']` - users databag group considered Nagios admins.  defaults to sysadmin
 * `node['nagios']['services_databag']` - the databag containing services to search for. defaults to nagios_services

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -167,6 +167,9 @@
 default['nagios']['ldap_authoritative'] = nil
 default['nagios']['ldap_group_attribute'] = nil
 default['nagios']['ldap_group_attribute_is_dn'] = nil
+default['nagios']['ldap_verify_cert'] = nil
+default['nagios']['ldap_trusted_mode'] = nil
+default['nagios']['ldap_trusted_global_cert'] = nil
 
 default['nagios']['templates'] = Mash.new
 

diff --git a/templates/default/apache2.conf.erb b/templates/default/apache2.conf.erb
@@ -1,5 +1,9 @@
 # Autogenerated by Chef.
 
+<% unless node['nagios']['ldap_verify_cert'].nil? %>ldap_verify_cert <%= node['nagios']['ldap_verify_cert'] %><% end %>
+<% unless node['nagios']['ldap_trusted_mode'].nil? -%>LDAPTrustedMode "<%= node['nagios']['ldap_trusted_mode'] %>" <% end -%>
+<% unless node['nagios']['ldap_trusted_global_cert'].nil? -%>LDAPTrustedGlobalCert "<%= node['nagios']['ldap_trusted_global_cert'] %>" <% end -%>
+
 <VirtualHost *:<%= node['nagios']['http_port'] %>>
   ServerAdmin     <%= node['nagios']['sysadmin_email'] %>
 <% if @nagios_url %>
@@ -64,12 +68,12 @@
     AuthName "Nagios Server"
     AuthType Basic
     AuthBasicProvider ldap
-    <% unless node['nagios']['ldap_group_attribute_is_dn'] or node['nagios']['ldap_group_attribute_is_dn'].nil? -%>AuthLDAPGroupAttributeIsDN Off <% end -%>
+    <% unless node['nagios']['ldap_group_attribute_is_dn'].nil? %>AuthLDAPGroupAttributeIsDN <%= node['nagios']['ldap_authoritative'] %><% end %>
     <% unless node['nagios']['ldap_group_attribute'].nil? -%>AuthLDAPGroupAttribute "<%= node['nagios']['ldap_group_attribute'] %>" <% end -%>
     <% unless node['nagios']['ldap_bind_dn'].nil? -%>AuthLDAPBindDN "<%= node['nagios']['ldap_bind_dn'] %>" <% end -%>
     <% unless node['nagios']['ldap_bind_password'].nil? -%>AuthLDAPBindPassword "<%= node['nagios']['ldap_bind_password'] %>"<% end -%>
     AuthLDAPURL "<%= node['nagios']['ldap_url'] %>"
-    <% if node['apache']['version'] < "2.4" %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
+    <% if node['apache']['version'] < "2.4" and !node['nagios']['ldap_authoritative'].nil? %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
     require <%= node['nagios']['server_auth_require'] %>
   </Location>
 <% else -%>