Merge pull request #171 from fasrc/ldap_mapping_support

ldap mapping support

manifests/init.pp

@@ -334,6 +334,12 @@
             $oned_ldap_user_field           = $one::params::oned_ldap_user_field,
             $oned_ldap_group_field          = $one::params::oned_ldap_group_field,
             $oned_ldap_user_group_field     = $one::params::oned_ldap_user_group_field,
+            $oned_ldap_mapping_generate     = $one::params::oned_ldap_mapping_generate,
+            $oned_ldap_mapping_timeout      = $one::params::oned_ldap_mapping_timeout,
+            $oned_ldap_mapping_filename     = $one::params::oned_ldap_mapping_filename,
+            $oned_ldap_mappings             = $one::params::oned_ldap_mappings,
+            $oned_ldap_mapping_key          = $one::params::oned_ldap_mapping_key,
+            $oned_ldap_mapping_default      = $one::params::oned_ldap_mapping_default,
             $one_repo_enable                = $one::params::one_repo_enable,
             $ssh_priv_key_param             = $one::params::ssh_priv_key_param,
             $ssh_pub_key                    = $one::params::ssh_pub_key,

manifests/oned/sunstone/ldap.pp

@@ -17,7 +17,9 @@
 # http://www.apache.org/licenses/LICENSE-2.0.html
 #
 class one::oned::sunstone::ldap (
-  $oned_sunstone_ldap_pkg = $one::oned_sunstone_ldap_pkg
+  $oned_sunstone_ldap_pkg = $one::oned_sunstone_ldap_pkg,
+  $oned_ldap_mappings = $one::oned_ldap_mappings,
+  $oned_ldap_mapping_filename = $one::oned_ldap_mapping_filename,
 ) {
   package { $oned_sunstone_ldap_pkg:
     ensure => 'latest',
@@ -36,4 +38,14 @@
     content => template('one/ldap_auth.conf.erb'),
     notify  => Service['opennebula'],
   }
+  if $oned_ldap_mappings != undef {
+    validate_hash($oned_ldap_mappings)
+    file { "/var/lib/one/${oned_ldap_mapping_filename}":
+      ensure  => file,
+      owner   => 'oneadmin',
+      group   => 'oneadmin',
+      mode    => '0644',
+      content => template('one/ldap_mappings.yaml.erb'),
+    }
+  }
 }

manifests/params.pp

@@ -41,6 +41,13 @@
   $oned_ldap_group_field = hiera('one::oned::ldap_group_field', 'undef')
   # $oned_ldap_user_group_field: default to dn, can be set to the user field that is in the group group_field
   $oned_ldap_user_group_field = hiera('one::oned::ldap_user_group_field','undef')
+  # ldap mapping options
+  $oned_ldap_mapping_generate = hiera('one::oned::ldap_mapping_generate','undef')
+  $oned_ldap_mapping_timeout = hiera('one::oned::ldap_mapping_timeout','undef')
+  $oned_ldap_mapping_filename = hiera('one::oned::ldap_mapping_filename',"${::hostname}.yaml")
+  $oned_ldap_mapping_key = hiera('one::oned::ldap_mapping_key','undef')
+  $oned_ldap_mapping_default = hiera('one::oned::ldap_mapping_default','undef')
+  $oned_ldap_mappings = hiera('one::oned::ldap_mappings',undef)
   # should we enable opennebula repos?
   $one_repo_enable = hiera('one::enable_opennebula_repo', 'true' )
   # Which version

templates/ldap_auth.conf.erb

@@ -62,6 +62,36 @@ server 1:
     :user_group_field: '<%= scope.lookupvar('one::oned_ldap_user_group_field') %>'
 <% end -%>
 
+    # Generate mapping file from group template info
+    #:mapping_generate: true
+<% if scope.lookupvar('one::oned_ldap_mapping_generate') != 'undef' -%>
+    :mapping_generate: <%= scope.lookupvar('one::oned_ldap_mapping_generate') %>
+<% end -%>
+
+    # Seconds a mapping file remain untouched until the next regeneration
+    #:mapping_timeout: 300
+<% if scope.lookupvar('one::oned_ldap_mapping_timeout') != 'undef' -%>
+    :mapping_timeout: <%= scope.lookupvar('one::oned_ldap_mapping_timeout') %>
+<% end -%>
+
+    # Name of the mapping file in OpenNebula var diretory
+    #:mapping_filename: server1.yaml
+<% if scope.lookupvar('one::oned_ldap_mapping_filename') != 'undef' -%>
+    :mapping_filename: <%= scope.lookupvar('one::oned_ldap_mapping_filename') %>
+<% end -%>
+
+    # Key from the OpenNebula template to map to an AD group
+    #:mapping_key: GROUP_DN
+<% if scope.lookupvar('one::oned_ldap_mapping_key') != 'undef' -%>
+    :mapping_key: <%= scope.lookupvar('one::oned_ldap_mapping_key') %>
+<% end -%>
+
+    # Default group ID used for users in an AD group not mapped
+    #:mapping_default: 1
+<% if scope.lookupvar('one::oned_ldap_mapping_default') != 'undef' -%>
+    :mapping_default: <%= scope.lookupvar('one::oned_ldap_mapping_default') %>
+<% end -%>
+
 
 # this example server wont be called as it is not in the :order list
 server 2:

templates/ldap_mappings.yaml.erb

@@ -0,0 +1,6 @@
+<%
+# The gsub below is required because of a bug in puppet:
+# https://tickets.puppetlabs.com/browse/PUP-3120
+# Basically it indents the yaml which breaks the whole doc.
+%>
+<%= @oned_ldap_mappings.to_yaml.gsub(/^\s{2}/, '') %>