Defined Type: bsdauth::ldap::class

Defined in:
manifests/ldap/class.pp

Overview

Define an LDAP login class.

Examples:

Declaring an LDAP login class

include ::bsdauth
include ::bsdauth::ldap
::bsdauth::ldap::class { 'ldap':
  base_dn => 'dc=example,dc=com',
  servers => [
    {
      hostname => '192.0.2.1',
    },
  ],
}

Parameters:

  • base_dn (Bodgitlib::LDAP::DN)

    The base DN from which to perform all LDAP queries.

  • servers (Array[BSDAuth::LDAP::Server, 1])

    A list of LDAP servers to use.

  • attributes (Array[String]) (defaults to: [ 'tc=default', ])

    A list of additional capabilities to append to the class definition. They are placed after the generated x-ldap-* capabilities and the server entries, so with the default value tc=default remains the last capability of the class.

  • bind_dn (Optional[Bodgitlib::LDAP::DN]) (defaults to: undef)

    The Distinguished Name to use to bind to the LDAP servers.

  • bind_pw (Optional[String]) (defaults to: undef)

    The password to use when binding to the LDAP servers. It is written verbatim into login.conf as the x-ldap-bindpw capability, i.e. in cleartext, so restrict read access to that file and treat the resulting catalog and agent reports as sensitive.

  • group_dn (Optional[Bodgitlib::LDAP::DN]) (defaults to: undef)

    The base DN from which to perform group LDAP queries, if different from base_dn.

  • group_filter (Optional[Bodgitlib::LDAP::Filter]) (defaults to: undef)

    The LDAP search filter to use when testing for group membership.

  • group_scope (Optional[Bodgitlib::LDAP::Scope]) (defaults to: undef)

    The LDAP search scope to use for group queries; emitted as the x-ldap-gscope capability when set.

  • keep_credentials (Optional[Boolean]) (defaults to: undef)

    When set to true, adds the x-ldap-refkeepcreds capability to the class; undef and false add nothing.
  • login_class (String) (defaults to: $title)

    The name of the login class.

  • order (Variant[String, Integer[0]]) (defaults to: '10')

    The order of the class within login.conf.

  • referrals (Optional[Boolean]) (defaults to: undef)

    When explicitly set to false, adds the x-ldap-noreferrals capability to the class; undef and true add nothing.
  • styles (Array[String, 1]) (defaults to: [ '-ldap', ])

    The authentication styles to use.

  • timeout (Optional[Integer[0, 300]]) (defaults to: undef)

    A value in the range 0–300, emitted as the x-ldap-timeout capability when set.

  • tls_cacert_dir (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Absolute path of a CA certificate directory; emitted as the x-ldap-cacertdir capability when set.

  • tls_cacert_file (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Absolute path of a CA certificate file; emitted as the x-ldap-cacert capability when set.

  • tls_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Absolute path of a certificate file; emitted as the x-ldap-usercert capability when set.

  • tls_key (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Absolute path of a private key file; emitted as the x-ldap-userkey capability when set. Only the path is written to login.conf, so the key file's own permissions are what protect it.
  • user_filter (Optional[Bodgitlib::LDAP::Filter]) (defaults to: undef)

    The LDAP search filter to use when searching for users.

  • user_scope (Optional[Bodgitlib::LDAP::Scope]) (defaults to: undef)

    The LDAP search scope to use for user queries; emitted as the x-ldap-uscope capability when set.

See Also:

Since:

  • 2.0.0



# File 'manifests/ldap/class.pp', line 43

define bsdauth::ldap::class (
  Bodgitlib::LDAP::DN               $base_dn,
  Array[BSDAuth::LDAP::Server, 1]   $servers,
  Array[String]                     $attributes       = [
    'tc=default',
  ],
  Optional[Bodgitlib::LDAP::DN]     $bind_dn          = undef,
  Optional[String]                  $bind_pw          = undef,
  Optional[Bodgitlib::LDAP::DN]     $group_dn         = undef,
  Optional[Bodgitlib::LDAP::Filter] $group_filter     = undef,
  Optional[Bodgitlib::LDAP::Scope]  $group_scope      = undef,
  Optional[Boolean]                 $keep_credentials = undef,
  String                            $login_class      = $title,
  Variant[String, Integer[0]]       $order            = '10',
  Optional[Boolean]                 $referrals        = undef,
  Array[String, 1]                  $styles           = [
    '-ldap',
  ],
  Optional[Integer[0, 300]]         $timeout          = undef,
  Optional[Stdlib::Absolutepath]    $tls_cacert_dir   = undef,
  Optional[Stdlib::Absolutepath]    $tls_cacert_file  = undef,
  Optional[Stdlib::Absolutepath]    $tls_cert         = undef,
  Optional[Stdlib::Absolutepath]    $tls_key          = undef,
  Optional[Bodgitlib::LDAP::Filter] $user_filter      = undef,
  Optional[Bodgitlib::LDAP::Scope]  $user_scope       = undef,
) {

  # Declares one login.conf class for LDAP-backed authentication. The
  # capability list is assembled in a fixed order -- key=value x-ldap-*
  # capabilities, then bare boolean switches, then the expanded server
  # entries, then the caller's extra $attributes -- and handed to
  # bsdauth::class, which owns the actual login.conf entry.

  unless defined(Class['::bsdauth::ldap']) {
    fail('You must include the bsdauth::ldap base class before using any bsdauth::ldap defined resources')
  }

  # Server hashes are expanded by the module's own function; whatever it
  # returns is spliced into the capability list unchanged.
  $_server_caps = bsdauth::flatten_servers($servers)

  # key=value capabilities. Unset parameters are dropped before joining, so
  # only explicitly configured keys reach login.conf. Hash order is
  # preserved by join_keys_to_values and therefore is the order written out.
  # NOTE(review): $bind_pw is a plain String and is emitted verbatim as
  # x-ldap-bindpw, i.e. the bind password sits in cleartext in login.conf;
  # wrapping it in Sensitive would need bsdauth::class to unwrap it -- confirm
  # before changing the type.
  $_keyed = delete_undef_values({
    'auth'               => join($styles, ','),
    'x-ldap-basedn'      => $base_dn,
    'x-ldap-binddn'      => $bind_dn,
    'x-ldap-bindpw'      => $bind_pw,
    'x-ldap-cacertdir'   => $tls_cacert_dir,
    'x-ldap-cacert'      => $tls_cacert_file,
    'x-ldap-groupdn'     => $group_dn,
    'x-ldap-groupfilter' => $group_filter,
    'x-ldap-gscope'      => $group_scope,
    'x-ldap-filter'      => $user_filter,
    'x-ldap-timeout'     => $timeout,
    'x-ldap-uscope'      => $user_scope,
    'x-ldap-usercert'    => $tls_cert,
    'x-ldap-userkey'     => $tls_key,
  })
  $_keyed_caps = join_keys_to_values($_keyed, '=')

  # Boolean switches become bare capability names; undef means "not emitted".
  # Only an explicit false disables referrals, and only an explicit true
  # keeps credentials across referrals.
  $_no_referrals = $referrals ? {
    false   => 'x-ldap-noreferrals',
    default => undef,
  }
  $_keep_creds = $keep_credentials ? {
    true    => 'x-ldap-refkeepcreds',
    default => undef,
  }
  $_flag_caps = delete_undef_values([$_no_referrals, $_keep_creds])

  # $attributes goes last so a trailing 'tc=default' stays at the end.
  $_capabilities = flatten([$_keyed_caps, $_flag_caps, $_server_caps, $attributes])

  ::bsdauth::class { $login_class:
    capabilities => $_capabilities,
    order        => $order,
  }
}