Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jetty combined ldap #98

Merged
merged 1 commit into from
Sep 11, 2015
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 26 additions & 1 deletion manifests/config.pp
Original file line number Diff line number Diff line change
Expand Up @@ -44,8 +44,20 @@

ensure_resource('file', $properties_dir, {'ensure' => 'directory', 'owner' => $user, 'group' => $group} )

#
# Checking if we need to deploy realm file
# ugly, I know. Fix it if you know better way to do that
#
if 'file' in $auth_types {

$_deploy_realm = true
}
if 'ldap_shared' in $auth_types {
$_deploy_realm = true
}
if 'active_directory_shared' in $auth_types {
$_deploy_realm = true
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do all of these conditions have to be met for it to become true?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@igalic sorry, I'm afraid I don't understand your question. We need to deploy realm file when "file" or/and "ldap_shared" or/and "active_directory_shared" in use . In case of "shared" approach, we still use realm file for authorization procedure.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's exactly what i was asking, @rooty0.

i was just trying to think of a more puppety way of structuring that logic.

if $_deploy_realm {
file { "${properties_dir}/realm.properties":
owner => $user,
group => $group,
Expand All @@ -54,16 +66,29 @@
require => File[$properties_dir],
notify => Service[$service_name],
}
}

if 'file' in $auth_types {
$active_directory_auth_flag = 'sufficient'
$ldap_auth_flag = 'sufficient'
}
elsif 'active_directory' in $auth_types {
$active_directory_auth_flag = 'required'
$ldap_auth_flag = 'sufficient'
$ldap_login_module = 'JettyCachingLdapLoginModule'
}
elsif 'active_directory_shared' in $auth_types {
$active_directory_auth_flag = 'requisite'
$ldap_auth_flag = 'sufficient'
$ldap_login_module = 'JettyCombinedLdapLoginModule'
}
elsif 'ldap_shared' in $auth_types {
$ldap_auth_flag = 'requisite'
$ldap_login_module = 'JettyCombinedLdapLoginModule'
}
else {
$ldap_auth_flag = 'required'
$ldap_login_module = 'JettyCachingLdapLoginModule'
}

file { "${properties_dir}/jaas-auth.conf":
Expand Down
1 change: 1 addition & 0 deletions manifests/params.pp
Original file line number Diff line number Diff line change
Expand Up @@ -205,6 +205,7 @@
}
}


$mail_config = {}

$security_config = {
Expand Down
16 changes: 15 additions & 1 deletion templates/_auth_ad.erb
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule <%= @active_directory_auth_flag %>
com.dtolabs.rundeck.jetty.jaas.<%= @ldap_login_module %> <%= @active_directory_auth_flag %>
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
providerUrl="ldap://<%= @auth_config['active_directory']['server'] %>:<%= @auth_config['active_directory']['port'] %>"
Expand All @@ -25,4 +25,18 @@ com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule <%= @active_directory
<%- end -%>
cacheDurationMillis="300000"
reportStatistics="true"
<%- if @ldap_login_module == 'JettyCombinedLdapLoginModule' -%>
ignoreRoles="true"
storePass="true"
clearPass="true"
useFirstPass="false"
tryFirstPass="false"
<%- end -%>
nestedGroups="<%= @auth_config['active_directory']['nested_groups'] %>";

<%- if @ldap_login_module == 'JettyCombinedLdapLoginModule' -%>
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
debug="true"
useFirstPass="true"
file="<%= @auth_config['file']['file'] %>";
<%- end -%>
16 changes: 15 additions & 1 deletion templates/_auth_ldap.erb
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule <%= @ldap_auth_flag %>
com.dtolabs.rundeck.jetty.jaas.<%= @ldap_login_module %> <%= @ldap_auth_flag %>
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
<%-
Expand Down Expand Up @@ -36,4 +36,18 @@ provider_url = if @auth_config['ldap']['url']
<%- end -%>
cacheDurationMillis="300000"
reportStatistics="true"
<%- if @ldap_login_module == 'JettyCombinedLdapLoginModule' -%>
ignoreRoles="true"
storePass="true"
clearPass="true"
useFirstPass="false"
tryFirstPass="false"
<%- end -%>
nestedGroups="<%= @auth_config['ldap']['nested_groups'] %>";

<%- if @ldap_login_module == 'JettyCombinedLdapLoginModule' -%>
org.rundeck.jaas.jetty.JettyRolePropertyFileLoginModule required
debug="true"
useFirstPass="true"
file="<%= @auth_config['file']['file'] %>";
<%- end -%>
4 changes: 2 additions & 2 deletions templates/jaas-auth.conf.erb
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,9 @@ authentication {

<%- @auth_types.each do |type|
case type
when 'ldap' -%>
when 'ldap', 'ldap_shared' -%>
<%= scope.function_template(['rundeck/_auth_ldap.erb']) %>
<%- when 'active_directory' -%>
<%- when 'active_directory', 'active_directory_shared' -%>
<%= scope.function_template(['rundeck/_auth_ad.erb']) %>
<%- when 'pam' -%>
<%= scope.function_template(['rundeck/_auth_pam.erb']) %>
Expand Down
2 changes: 1 addition & 1 deletion templates/realm.properties.erb
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
<%- if @auth_config['file']['auth_users'] -%>
<%- if @auth_config['file']['auth_users'].kind_of?(Array) -%>
<%- @auth_config['file']['auth_users'].each do |x| -%>
<%= x['username'] -%>:<%= x['password'] -%>
<%= x['username'] -%>:<%= x.fetch('password', '-') -%>
<%- if x['roles'] -%>
<%- x['roles'].each do |v| -%>,<%= v -%><%- end %>
<%- end -%>
Expand Down