LDAP Client NSSwitch recipe
End Result
A client with LDAP tools and access to users/groups via nsswitch.
Implementation
This was developed for Ubuntu servers but should also work with Debian.
It uses the following files:
- ldap.$hostname.conf: config for the ldap-utils programs (ldapsearch, etc.); defines the search base
- libnss-ldap.preseed: debconf preseed for the libnss-ldap package
- libnss-ldap.conf: config for libnss-ldap
- libnss-ldap.secret: root DN password for libnss-ldap (readable by root only)
- nsswitch.conf: the complete copy of what your clients' nsswitch.conf should be
class ldap-client {
    # command-line LDAP tools (ldapsearch, ldapmodify, ...)
    package { "ldap-utils":
        ensure => installed,
    }

    file { "etc-ldap-dir":
        path   => "/etc/ldap",
        ensure => directory,
        owner  => root, group => root, mode => 755,
    }

    # per-host ldap.conf: search base and server for the ldap-utils programs
    file { "ldap-conf":
        path    => "/etc/ldap/ldap.conf",
        owner   => root, group => root, mode => 444,
        source  => "puppet://puppet/files/ldap.${hostname}.conf",
        require => File["etc-ldap-dir"],
    }

    # debconf answers so libnss-ldap installs non-interactively
    file { "libnss-ldap-preseed":
        path   => "/var/cache/debconf/libnss-ldap.preseed",
        owner  => root, group => root, mode => 400,
        source => "puppet://puppet/files/libnss-ldap.preseed",
    }

    package { "libnss-ldap":
        ensure       => installed,
        responsefile => "/var/cache/debconf/libnss-ldap.preseed",
        require      => File["libnss-ldap-preseed"],
    }

    file { "libnss-ldap-conf":
        path    => "/etc/libnss-ldap.conf",
        owner   => root, group => root, mode => 444,
        require => Package["libnss-ldap"],
        source  => "puppet://puppet/files/libnss-ldap.conf",
    }

    # root DN password: root-only, never world-readable
    file { "libnss-ldap-secret":
        path    => "/etc/libnss-ldap.secret",
        owner   => root, group => root, mode => 400,
        require => Package["libnss-ldap"],
        source  => "puppet://puppet/files/libnss-ldap.secret",
    }

    # only switch nsswitch.conf over once the nss_ldap module is installed,
    # otherwise name lookups point at a module that does not exist yet
    file { "nsswitch-conf":
        path    => "/etc/nsswitch.conf",
        owner   => root, group => root, mode => 444,
        require => Package["libnss-ldap"],
        source  => "puppet://puppet/files/nsswitch.conf",
    }
}
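As an added post-apply check (example code written for this page, not part of the original recipe), the POSIX shell functions below verify two properties of a client built with the class above: the root DN password file is root-owned and mode 0400, and nsswitch.conf lists a local source (files or compat) before ldap for passwd/group/shadow, so local accounts still resolve when the directory is unreachable. They assume GNU stat (as on Ubuntu/Debian) and default to the paths the recipe manages; the paths and expected owner are parameters.

```shell
#!/bin/sh
# Added example, not part of the original recipe. Assumes GNU stat and the
# recipe's file paths; both checks take the path as an optional argument.
set -f   # no globbing: nsswitch actions such as [NOTFOUND=return] contain glob chars

# The libnss-ldap secret holds the root DN password: it must be 0400 and owned
# by root. $1 = path (default /etc/libnss-ldap.secret), $2 = owner (default root).
check_secret_perms() {
    f="${1:-/etc/libnss-ldap.secret}"
    want_owner="${2:-root}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    [ "$mode" = "400" ] || { echo "$f: mode $mode, want 400"; return 1; }
    [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, want $want_owner"; return 1; }
}

# nsswitch.conf must name a local source (files or compat) before ldap for the
# account databases, so root and other local users resolve when LDAP is down.
# $1 = path (default /etc/nsswitch.conf). Reports every offending database.
check_nsswitch_order() {
    f="${1:-/etc/nsswitch.conf}"
    rc=0
    for db in passwd group shadow; do
        # sources listed for this database (first match, comment lines ignored)
        srcs=$(awk -v db="$db:" '$1 == db { $1 = ""; print; exit }' "$f")
        set -- $srcs          # word-split the sources into $1, $2, ...
        case " $srcs " in
            *" ldap "*) ;;
            *) echo "$db: ldap not listed"; rc=1; continue ;;
        esac
        case "${1:-}" in
            files|compat) ;;
            *) echo "$db: '${1:-}' precedes local files; put files/compat first"; rc=1 ;;
        esac
    done
    return $rc
}

# Run both checks against the live system:  sh thisfile --run
if [ "${1:-}" = "--run" ]; then
    check_secret_perms && check_nsswitch_order
fi
```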
Discussion
The preseeding isn't really necessary since the configs are managed. However, due to a faulty pre/postinst script I was having trouble installing the package without it.
Possible improvements:
- PAM integration
- Less hardcoding