From 0706422d5529a1b289199c5172a0e9479d6bf3d2 Mon Sep 17 00:00:00 2001
From: John Stange
Date: Mon, 16 Nov 2015 10:53:49 -0500
Subject: [PATCH] add some mod_ldap SSL-related directives, and populate README.md with new LDAP things
---
 README.md | 5 +++++
 attributes/default.rb | 3 +++
 templates/default/apache2.conf.erb | 8 ++++++--
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index efa332c87..19dc45bb5 100644
--- a/README.md
+++ b/README.md
@@ -99,6 +99,11 @@ Example: `default['nagios']['conf']['cfg_dir'] = [ '/etc/nagios/conf.d' , '/usr/
 * `node['nagios']['ldap_bind_password']` - bind password used with the DN provided for searching ldap.
 * `node['nagios']['ldap_url']` - ldap url and search parameters.
 * `node['nagios']['ldap_authoritative']` - accepts "on" or "off". controls other authentication modules from authenticating the user if this one fails.
+* `node['nagios']['ldap_group_attribute']` - Set the Apache AuthLDAPGroupAttribute directive to a non-default value.
+* `node['nagios']['ldap_group_attribute_is_dn']` - accepts "on" or "off". Set the Apache AuthLDAPGroupAttributeIsDN directive. Apache's default behavior is currently "on."
+* `node['nagios']['ldap_verify_cert']` - accepts "on" or "off". Set the Apache mod_ldap LDAPVerifyServerCert directive. Apache's default behavior is currently "on."
+* `node['nagios']['ldap_trusted_mode']` - Set the Apache mod_ldap LDAPTrustedMode directive.
+* `node['nagios']['ldap_trusted_global_cert']` - Set the Apache mod_ldap LDAPTrustedGlobalCert directive.
 * `node['nagios']['users_databag']` - the databag containing users to search for. defaults to users
 * `node['nagios']['users_databag_group']` - users databag group considered Nagios admins. defaults to sysadmin
 * `node['nagios']['services_databag']` - the databag containing services to search for. defaults to nagios_services
diff --git a/attributes/default.rb b/attributes/default.rb
index 244bbcb33..ac5f4dd26 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -167,6 +167,9 @@ default['nagios']['ldap_authoritative'] = nil
 default['nagios']['ldap_group_attribute'] = nil
 default['nagios']['ldap_group_attribute_is_dn'] = nil
+default['nagios']['ldap_verify_cert'] = nil
+default['nagios']['ldap_trusted_mode'] = nil
+default['nagios']['ldap_trusted_global_cert'] = nil
 default['nagios']['templates'] = Mash.new
diff --git a/templates/default/apache2.conf.erb b/templates/default/apache2.conf.erb
index e4684d999..49c05a081 100644
--- a/templates/default/apache2.conf.erb
+++ b/templates/default/apache2.conf.erb
@@ -1,5 +1,9 @@
 # Autogenerated by Chef.
+<% unless node['nagios']['ldap_verify_cert'].nil? %>ldap_verify_cert <%= node['nagios']['ldap_verify_cert'] %><% end %>
+<% unless node['nagios']['ldap_trusted_mode'].nil? -%>LDAPTrustedMode "<%= node['nagios']['ldap_trusted_mode'] %>" <% end -%>
+<% unless node['nagios']['ldap_trusted_global_cert'].nil? -%>LDAPTrustedGlobalCert "<%= node['nagios']['ldap_trusted_global_cert'] %>" <% end -%>
+ >
 ServerAdmin <%= node['nagios']['sysadmin_email'] %>
 <% if @nagios_url %>
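Review bot: The first added line of the apache2.conf.erb hunk emits the attribute name `ldap_verify_cert` instead of the Apache directive, so whenever the attribute is non-nil the generated config contains an unknown directive and Apache fails its config check; it should read `<% unless node['nagios']['ldap_verify_cert'].nil? -%>LDAPVerifyServerCert <%= node['nagios']['ldap_verify_cert'] %><% end -%>`, matching the README entry this commit adds. Because this directive is the switch that disables certificate verification of the LDAP server connection, the README line for `ldap_verify_cert` should also state that "off" makes Apache accept any server certificate and so removes the protection against a spoofed directory. On the LDAPTrustedGlobalCert line, wrapping the whole value in double quotes likely hands Apache a single argument where the directive expects a certificate type and a path, so either drop the quotes or split the value into two attributes. The first added line also uses untrimmed `%>` tags while the other two use `-%>`, which leaves a stray blank line in the output when the attribute is unset.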
@@ -64,12 +68,12 @@ AuthName "Nagios Server"
 AuthType Basic
 AuthBasicProvider ldap
- <% unless node['nagios']['ldap_group_attribute_is_dn'] or node['nagios']['ldap_group_attribute_is_dn'].nil? -%>AuthLDAPGroupAttributeIsDN Off <% end -%>
+ <% unless node['nagios']['ldap_group_attribute_is_dn'].nil? %>AuthLDAPGroupAttributeIsDN <%= node['nagios']['ldap_authoritative'] %><% end %>
 <% unless node['nagios']['ldap_group_attribute'].nil? -%>AuthLDAPGroupAttribute "<%= node['nagios']['ldap_group_attribute'] %>" <% end -%>
 <% unless node['nagios']['ldap_bind_dn'].nil? -%>AuthLDAPBindDN "<%= node['nagios']['ldap_bind_dn'] %>" <% end -%>
 <% unless node['nagios']['ldap_bind_password'].nil? -%>AuthLDAPBindPassword "<%= node['nagios']['ldap_bind_password'] %>"<% end -%>
 AuthLDAPURL "<%= node['nagios']['ldap_url'] %>"
- <% if node['apache']['version'] < "2.4" %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
+ <% if node['apache']['version'] < "2.4" and !node['nagios']['ldap_authoritative'].nil? %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
 require <%= node['nagios']['server_auth_require'] %>
 <% else -%>
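Review bot: The replacement AuthLDAPGroupAttributeIsDN line interpolates `node['nagios']['ldap_authoritative']` rather than `node['nagios']['ldap_group_attribute_is_dn']`, so the directive silently takes the authoritative flag's value, which changes how group membership is matched for authorization, and when that attribute is nil it is emitted with no argument at all, which Apache rejects. The line should be `<% unless node['nagios']['ldap_group_attribute_is_dn'].nil? -%>AuthLDAPGroupAttributeIsDN <%= node['nagios']['ldap_group_attribute_is_dn'] %><% end -%>`. The removed line used `-%>` to trim the trailing newline while the new one uses `%>`, leaving a blank line in the output whenever the attribute is unset. On the AuthzLDAPAuthoritative line, `and` works inside this `if` but `&&` is the conventional spelling for a boolean condition and avoids precedence surprises if the expression is later reused in an assignment. The `<% if ... %>` branch that selects LDAP authentication begins before this hunk, and the trailing `<% else -%>` is its counterpart.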