Grid環境構築用のChefリポジトリです。
Révision | 18f518eaa0375ef5e000156286bffe6e37ff1a0c (tree) |
---|---|
l'heure | 2017-01-01 22:41:48 |
Auteur | whitestar <whitestar@gaea...> |
Commiter | whitestar |
adds the samba-grid::smbldap-tools recipe.
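--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # samba-grid CHANGELOG
 
+0.1.1
+-----
+- adds the `samba-grid::smbldap-tools` recipe.
+- updates documents.
+
 0.1.0
 -----
 - Initial release of samba-grid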
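--- a/README.md
+++ b/README.md
@@ -5,6 +5,18 @@ This cookbook sets up a Samba server.
 
 ## Contents
 
+- [Requirements](#requirements)
+  - [platforms](#platforms)
+  - [packages](#packages)
+- [Attributes](#attributes)
+- [Usage](#usage)
+  - [Recipes](#recipes)
+    - [samba-grid::default](#samba-griddefault)
+    - [samba-grid::server](#samba-gridserver)
+    - [samba-grid::smbldap-tools](#samba-gridsmbldap-tools)
+  - [Role Examples](#role-examples)
+  - [Password management by the Chef Vault](#password-management-by-the-chef-vault)
+- [License and Authors](#license-and-authors)
 
 ## Requirements
 
@@ -25,6 +37,17 @@ This cookbook sets up a Samba server.
 |`['samba-grid']['smb.conf']['homes']`|Hash|`[homes]` section configurations in the `smb.conf`.|`{}`|
 |`['samba-grid']['smb.conf']['printers']`|Hash|`[printers]` section configurations in the `smb.conf`.|`{}`|
 |`['samba-grid']['smb.conf']['printD']`|Hash|`[print$]` section configurations in the `smb.conf`.|`{}`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['SID']`|String|Required.|`''`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['sambaDomain']`|String||`'DOMSMB'`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['slaveLDAP']`|String||`'ldap://ldap.example.com/'`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['masterLDAP']`|String||`'ldap://ldap.example.com/'`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['ldapTLS']`|String||`'1'`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['suffix']`|String||`'dc=example,dc=com'`|
+|`['samba-grid']['smbldap-tools']['smbldap.conf']['mailDomain']`|String||`'example.com'`|
+|`['samba-grid']['smbldap-tools']['smbldap_bind.conf']['slaveDN']`|String||`'cn=Manager,dc=example,dc=com'`|
+|`['samba-grid']['smbldap-tools']['smbldap_bind.conf']['slavePw_vault_item']`|String|See the following _Password management by the Chef Vault_|`{}`|
+|`['samba-grid']['smbldap-tools']['smbldap_bind.conf']['masterDN']`|String||`'cn=Manager,dc=example,dc=com'`|
+|`['samba-grid']['smbldap-tools']['smbldap_bind.conf']['masterPw_vault_item']`|String|See the following _Password management by the Chef Vault_|`{}`|
 
 ## Usage
 
@@ -38,6 +61,10 @@ This recipe does nothing.
 
 This recipe installs Samba server.
 
+#### samba-grid::smbldap-tools
+
+This recipe installs the smbldap-tools.
+
 ### Role Examples
 
 - `roles/samba.rb`
@@ -104,8 +131,51 @@ override_attributes(
 )
 ```
 
-License and Authors
--------------------
+### Password management by the Chef Vault
+
+- Generate a password JSON file.
+
+```bash
+$ ruby -rjson -e 'puts JSON.generate({"password" => File.read("masterPw.txt")})' \
+> > ~/tmp/masterPw.txt.json
+```
+
+- Create a Chef Vault item.
+
+```bash
+$ knife vault create smbldap_bind_pws masterPw --json ~/tmp/masterPw.txt.json
+
+$ knife vault show smbldap_bind_pws masterPw -F json
+```
+
+- Grant read permission to the server.
+
+```bash
+$ knife vault update smbldap_bind_pws masterPw -S 'name:ldap*.grid.example.com'
+```
+
+- Set attributes.
+
+```ruby
+override_attributes(
+  'samba-grid' => {
+    'smbldap-tools' => {
+      'smbldap_bind.conf' => {
+        'masterDN' => 'cn=Manager,dc=example,dc=com',
+        'masterPw_vault_item' => {
+          'vault' => 'smbldap_bind_pws',
+          'name' => 'masterPw',
+          'env_context' => false,
+          'key' => 'password',
+        },
+      },
+    },
+  },
+)
+```
+
+## License and Authors
+
 - Author:: whitestar at osdn.jp
 
 ```text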
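--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -35,5 +35,36 @@ default['samba-grid']['smb.conf'] = {
   # Share Definitions
   # ...
 }
-default['samba-grid']['smbldap.conf'] = {
+default['samba-grid']['smbldap-tools']['smbldap.conf'] = {
+  'SID' => '',
+  'sambaDomain' => 'DOMSMB',
+  'slaveLDAP' => 'ldap://ldap.example.com/',
+  'masterLDAP' => 'ldap://ldap.example.com/',
+  'ldapTLS' => '1',
+  'suffix' => 'dc=example,dc=com',
+  'mailDomain' => 'example.com',
+}
+default['samba-grid']['smbldap-tools']['smbldap_bind.conf'] = {
+  'slaveDN' => 'cn=Manager,dc=example,dc=com',
+  'slavePw_vault_item' => {
+=begin
+    'vault' => 'smbldap_bind_pws',
+    'name' => 'slavePw',
+    # single password or nested hash password path delimited by slash
+    'env_context' => false,
+    'key' => 'password', # real hash path: "/password"
+    # or nested hash password path delimited by slash
+    #'env_context' => true,
+    #'key' => 'hash/path/to/password', # real hash path: "/#{node.chef_environment}/hash/path/to/password"
+=end
+  },
+  'masterDN' => 'cn=Manager,dc=example,dc=com',
+  'masterPw_vault_item' => {
+=begin
+    #'vault' => 'smbldap_bind_pws',
+    #'name' => 'masterPw',
+    #'env_context' => false,
+    #'key' => 'password',
+=end
+  },
 }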
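Review bot: Both `slavePw_vault_item` and `masterPw_vault_item` default to an empty hash with their example contents hidden inside `=begin`/`=end`, and nothing in the attribute file says they are mandatory, although they are the only source of the `cn=Manager` bind password the recipe writes to disk. A one-line comment above each, `# REQUIRED: point this at a Chef Vault item (see README, "Password management by the Chef Vault")`, would make that explicit. The `=begin`/`=end` pairs sit at column 0 inside a hash literal, which is legal Ruby but easy to misread, and the `masterPw` block already `#`-comments every line inside it as well, so plain `#` comments throughout would be more consistent. `'SID' => ''` is rendered as `SID=""` by the template; whether smbldap-tools treats an empty string as "not defined" and falls back to `net getlocalsid` is not visible here and deserves a note next to the attribute.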
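--- a/metadata.rb
+++ b/metadata.rb
@@ -5,10 +5,12 @@ maintainer_email ''
 license 'Apache 2.0'
 description 'Installs/Configures Samba'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.0'
+version '0.1.1'
 source_url 'http://scm.osdn.jp/gitroot/metasearch/grid-chef-repo.git'
 issues_url 'https://osdn.jp/projects/metasearch/ticket'
 
 %w( debian ubuntu ).each do |os|
   supports os
 end
+
+depends 'chef_utils', '>= 0.8.0'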
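Review bot: `depends 'chef_utils', '>= 0.8.0'` has no upper bound, so any future major release of that cookbook — which the new recipe relies on for `ChefUtils::Helper` and, apparently, `chef_gem_package` — will be resolved in and can break the recipe or change how the chef-vault gem is fetched. A pessimistic constraint, `depends 'chef_utils', '~> 0.8'`, keeps dependency resolution reproducible; the version bump itself is fine.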
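--- /dev/null
+++ b/recipes/smbldap-tools.rb
@@ -0,0 +1,71 @@
+#
+# Cookbook Name:: samba-grid
+# Recipe:: smbldap-tools
+#
+# Copyright 2016, whitestar
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+::Chef::Recipe.send(:include, ChefUtils::Helper)
+
+chef_gem_package('chef-vault')
+
+%w(
+  smbldap-tools
+).each {|pkg|
+  resources(package: pkg) rescue package pkg do
+    action :install
+  end
+}
+
+template '/etc/smbldap-tools/smbldap.conf' do
+  source 'etc/smbldap-tools/smbldap.conf'
+  owner 'root'
+  group 'root'
+  mode '0644'
+end
+
+bind_conf = node['samba-grid']['smbldap-tools']['smbldap_bind.conf']
+pws = {
+  'slave' => 'secret',
+  'master' => 'secret',
+}
+
+require 'chef-vault'
+pws.each_key {|role|
+  item_conf = bind_conf["#{role}Pw_vault_item"]
+  next if item_conf.empty?
+
+  secret = ChefVault::Item.load(item_conf['vault'], item_conf['name'])
+  if item_conf.key?('env_context') && item_conf['env_context'] == true
+    secret = secret[node.chef_environment]
+  end
+  if !item_conf['key'].nil? && !item_conf['key'].empty?
+    item_conf['key'].split('/').each {|elm|
+      secret = secret[elm]
+    }
+  end
+  pws[role] = secret
+}
+
+template '/etc/smbldap-tools/smbldap_bind.conf' do
+  source 'etc/smbldap-tools/smbldap_bind.conf'
+  owner 'root'
+  group 'root'
+  mode '0600'
+  variables(
+    pws: pws
+  )
+  sensitive true
+end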
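Review bot: `pws` seeds both bind passwords with the literal `'secret'` and `next if item_conf.empty?` keeps that value whenever a `*Pw_vault_item` attribute is left at its empty default (which is what the attribute file in this commit ships), so a node with no vault configured still converges and gets a syntactically valid `/etc/smbldap-tools/smbldap_bind.conf` carrying a well-known password for `cn=Manager`. It would be safer to start from `nil` and fail the run when the vault item is missing or when walking `item_conf['key']` ends in `nil` — today a mistyped key path silently writes `masterPw=""`. The loaded value is interpolated verbatim by the template, so a vault value that carries a trailing newline (which the README's `File.read("masterPw.txt")` example produces unless `chomp`ed) corrupts the file; the recipe or README should say the stored value must be bare. `chef_gem_package('chef-vault')` appears to install the gem unpinned at compile time; if it resolves from rubygems, pin a version so converges are reproducible. The 0600 mode and `sensitive true` on the bind-conf template are the right choices and should stay.

```ruby
bind_conf = node['samba-grid']['smbldap-tools']['smbldap_bind.conf']
# No placeholder: an unconfigured vault item must abort the run rather than
# write a well-known password into smbldap_bind.conf.
pws = {
  'slave' => nil,
  'master' => nil,
}

require 'chef-vault'
pws.each_key {|role|
  item_conf = bind_conf["#{role}Pw_vault_item"]
  if item_conf.nil? || item_conf.empty?
    raise "node['samba-grid']['smbldap-tools']['smbldap_bind.conf']['#{role}Pw_vault_item'] must be set."
  end

  # … unchanged: ChefVault::Item.load, env_context and key-path walk …

  if secret.nil? || secret.to_s.empty?
    raise "#{role}Pw: no value at key '#{item_conf['key']}' in vault item #{item_conf['vault']}/#{item_conf['name']}."
  end
  pws[role] = secret
}
# … unchanged: smbldap_bind.conf template resource …
```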
@@ -0,0 +1,224 @@ | ||
1 | +<% | |
2 | +conf = node['samba-grid']['smbldap-tools']['smbldap.conf'] | |
3 | +-%> | |
4 | +# $Id: smbldap.conf 139 2012-08-07 11:11:37Z fumiyas $ | |
5 | +# | |
6 | +# smbldap-tools.conf : Q & D configuration file for smbldap-tools | |
7 | + | |
8 | +# This code was developped by IDEALX (http://IDEALX.org/) and | |
9 | +# contributors (their names can be found in the CONTRIBUTORS file). | |
10 | +# | |
11 | +# Copyright (C) 2001-2002 IDEALX | |
12 | +# | |
13 | +# This program is free software; you can redistribute it and/or | |
14 | +# modify it under the terms of the GNU General Public License | |
15 | +# as published by the Free Software Foundation; either version 2 | |
16 | +# of the License, or (at your option) any later version. | |
17 | +# | |
18 | +# This program is distributed in the hope that it will be useful, | |
19 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
20 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
21 | +# GNU General Public License for more details. | |
22 | +# | |
23 | +# You should have received a copy of the GNU General Public License | |
24 | +# along with this program; if not, write to the Free Software | |
25 | +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | |
26 | +# USA. | |
27 | + | |
28 | +# Purpose : | |
29 | +# . be the configuration file for all smbldap-tools scripts | |
30 | + | |
31 | +############################################################################## | |
32 | +# | |
33 | +# General Configuration | |
34 | +# | |
35 | +############################################################################## | |
36 | + | |
37 | +# Put your own SID. To obtain this number do: "net getlocalsid". | |
38 | +# If not defined, parameter is taking from "net getlocalsid" return | |
39 | +SID="<%= conf['SID'] %>" | |
40 | + | |
41 | +# Domain name the Samba server is in charged. | |
42 | +# If not defined, parameter is taking from smb.conf configuration file | |
43 | +# Ex: sambaDomain="IDEALX-NT" | |
44 | +sambaDomain="<%= conf['sambaDomain'] %>" | |
45 | + | |
46 | +############################################################################## | |
47 | +# | |
48 | +# LDAP Configuration | |
49 | +# | |
50 | +############################################################################## | |
51 | + | |
52 | +# Notes: to use to dual ldap servers backend for Samba, you must patch | |
53 | +# Samba with the dual-head patch from IDEALX. If not using this patch | |
54 | +# just use the same server for slaveLDAP and masterLDAP. | |
55 | +# Those two servers declarations can also be used when you have | |
56 | +# . one master LDAP server where all writing operations must be done | |
57 | +# . one slave LDAP server where all reading operations must be done | |
58 | +# (typically a replication directory) | |
59 | + | |
60 | +# Slave LDAP server URI | |
61 | +# Ex: slaveLDAP=ldap://slave.ldap.example.com/ | |
62 | +# If not defined, parameter is set to "ldap://127.0.0.1/" | |
63 | +slaveLDAP="<%= conf['slaveLDAP'] %>" | |
64 | + | |
65 | +# Master LDAP server URI: needed for write operations | |
66 | +# Ex: masterLDAP=ldap://master.ldap.example.com/ | |
67 | +# If not defined, parameter is set to "ldap://127.0.0.1/" | |
68 | +masterLDAP="<%= conf['masterLDAP'] %>" | |
69 | + | |
70 | +# Use TLS for LDAP | |
71 | +# If set to 1, this option will use start_tls for connection | |
72 | +# (you must also used the LDAP URI "ldap://...", not "ldaps://...") | |
73 | +# If not defined, parameter is set to "0" | |
74 | +ldapTLS="<%= conf['ldapTLS'] %>" | |
75 | + | |
76 | +# How to verify the server's certificate (none, optional or require) | |
77 | +# see "man Net::LDAP" in start_tls section for more details | |
78 | +verify="require" | |
79 | + | |
80 | +# CA certificate | |
81 | +# see "man Net::LDAP" in start_tls section for more details | |
82 | +cafile="/etc/smbldap-tools/ca.pem" | |
83 | + | |
84 | +# certificate to use to connect to the ldap server | |
85 | +# see "man Net::LDAP" in start_tls section for more details | |
86 | +clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem" | |
87 | + | |
88 | +# key certificate to use to connect to the ldap server | |
89 | +# see "man Net::LDAP" in start_tls section for more details | |
90 | +clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key" | |
91 | + | |
92 | +# LDAP Suffix | |
93 | +# Ex: suffix=dc=IDEALX,dc=ORG | |
94 | +suffix="<%= conf['suffix'] %>" | |
95 | + | |
96 | +# Where are stored Users | |
97 | +# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" | |
98 | +# Warning: if 'suffix' is not set here, you must set the full dn for usersdn | |
99 | +usersdn="ou=Users,${suffix}" | |
100 | + | |
101 | +# Where are stored Computers | |
102 | +# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" | |
103 | +# Warning: if 'suffix' is not set here, you must set the full dn for computersdn | |
104 | +computersdn="ou=Computers,${suffix}" | |
105 | + | |
106 | +# Where are stored Groups | |
107 | +# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" | |
108 | +# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn | |
109 | +groupsdn="ou=Groups,${suffix}" | |
110 | + | |
111 | +# Where are stored Idmap entries (used if samba is a domain member server) | |
112 | +# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG" | |
113 | +# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn | |
114 | +idmapdn="ou=Idmap,${suffix}" | |
115 | + | |
116 | +# Where to store next uidNumber and gidNumber available for new users and groups | |
117 | +# If not defined, entries are stored in sambaDomainName object. | |
118 | +# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" | |
119 | +# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" | |
120 | +sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" | |
121 | + | |
122 | +# Default scope Used | |
123 | +scope="sub" | |
124 | + | |
125 | +# Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) | |
126 | +# If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation. | |
127 | +password_hash="SSHA" | |
128 | + | |
129 | +# if password_hash is set to CRYPT, you may set a salt format. | |
130 | +# default is "%s", but many systems will generate MD5 hashed | |
131 | +# passwords if you use "$1$%.8s". This parameter is optional! | |
132 | +password_crypt_salt_format="%s" | |
133 | + | |
134 | +############################################################################## | |
135 | +# | |
136 | +# Unix Accounts Configuration | |
137 | +# | |
138 | +############################################################################## | |
139 | + | |
140 | +# Login defs | |
141 | +# Default Login Shell | |
142 | +# Ex: userLoginShell="/bin/bash" | |
143 | +userLoginShell="/bin/bash" | |
144 | + | |
145 | +# Home directory | |
146 | +# Ex: userHome="/home/%U" | |
147 | +userHome="/home/%U" | |
148 | + | |
149 | +# Default mode used for user homeDirectory | |
150 | +userHomeDirectoryMode="700" | |
151 | + | |
152 | +# Gecos | |
153 | +userGecos="System User" | |
154 | + | |
155 | +# Default User (POSIX and Samba) GID | |
156 | +defaultUserGid="513" | |
157 | + | |
158 | +# Default Computer (Samba) GID | |
159 | +defaultComputerGid="515" | |
160 | + | |
161 | +# Skel dir | |
162 | +skeletonDir="/etc/skel" | |
163 | + | |
164 | +# Treat shadowAccount object or not | |
165 | +shadowAccount="1" | |
166 | + | |
167 | +# Default password validation time (time in days) Comment the next line if | |
168 | +# you don't want password to be enable for defaultMaxPasswordAge days (be | |
169 | +# careful to the sambaPwdMustChange attribute's value) | |
170 | +defaultMaxPasswordAge="45" | |
171 | + | |
172 | +############################################################################## | |
173 | +# | |
174 | +# SAMBA Configuration | |
175 | +# | |
176 | +############################################################################## | |
177 | + | |
178 | +# The UNC path to home drives location (%U username substitution) | |
179 | +# Just set it to a null string if you want to use the smb.conf 'logon home' | |
180 | +# directive and/or disable roaming profiles | |
181 | +# Ex: userSmbHome="\\PDC-SMB3\%U" | |
182 | +userSmbHome="\\PDC-SRV\%U" | |
183 | + | |
184 | +# The UNC path to profiles locations (%U username substitution) | |
185 | +# Just set it to a null string if you want to use the smb.conf 'logon path' | |
186 | +# directive and/or disable roaming profiles | |
187 | +# Ex: userProfile="\\PDC-SMB3\profiles\%U" | |
188 | +userProfile="\\PDC-SRV\profiles\%U" | |
189 | + | |
190 | +# The default Home Drive Letter mapping | |
191 | +# (will be automatically mapped at logon time if home directory exist) | |
192 | +# Ex: userHomeDrive="H:" | |
193 | +userHomeDrive="H:" | |
194 | + | |
195 | +# The default user netlogon script name (%U username substitution) | |
196 | +# if not used, will be automatically username.cmd | |
197 | +# make sure script file is edited under dos | |
198 | +# Ex: userScript="startup.cmd" # make sure script file is edited under dos | |
199 | +userScript="logon.bat" | |
200 | + | |
201 | +# Domain appended to the users "mail"-attribute | |
202 | +# when smbldap-useradd -M is used | |
203 | +# Ex: mailDomain="idealx.com" | |
204 | +mailDomain="<%= conf['mailDomain'] %>" | |
205 | + | |
206 | +############################################################################## | |
207 | +# | |
208 | +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) | |
209 | +# | |
210 | +############################################################################## | |
211 | + | |
212 | +# Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but | |
213 | +# prefer Crypt::SmbHash library | |
214 | +with_smbpasswd="0" | |
215 | +smbpasswd="/usr/bin/smbpasswd" | |
216 | + | |
217 | +# Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf) | |
218 | +# but prefer Crypt:: libraries | |
219 | +with_slappasswd="0" | |
220 | +slappasswd="/usr/sbin/slappasswd" | |
221 | + | |
222 | +# comment out the following line to get rid of the default banner | |
223 | +# no_banner="1" | |
224 | + |
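Review bot: `verify="require"`, `cafile`, `clientcert` and `clientkey` are hard-coded (`/etc/smbldap-tools/ca.pem`, `smbldap-tools.example.com.pem`/`.key`) while every other LDAP setting is read from `conf`; with `ldapTLS` defaulting to `1` the tools will attempt STARTTLS with mandatory certificate verification against a CA file that the recipe in this commit never deploys, and an operator cannot change those paths without forking the template. Exposing them as attributes (`cafile="<%= conf['cafile'] %>"` and so on), or at least adding `# NOTE: the recipe does not install these files; provision them before running smbldap-* commands` above `cafile`, would close that gap — keeping `verify="require"` as the default is the right call. `password_hash="SSHA"` is likewise fixed; the template's own comment notes that `exop` delegates hashing to the server (RFC 3062) so the directory's password policy chooses the algorithm, which, if the LDAP server supports it, is worth making configurable too.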
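--- /dev/null
+++ b/templates/default/etc/smbldap-tools/smbldap_bind.conf
@@ -0,0 +1,16 @@
+<%
+conf = node['samba-grid']['smbldap-tools']['smbldap_bind.conf']
+-%>
+# $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $
+#
+############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="<%= conf['slaveDN'] %>"
+slavePw="<%= @pws['slave'] %>"
+masterDN="<%= conf['masterDN'] %>"
+masterPw="<%= @pws['master'] %>"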
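Review bot: The credentials are interpolated unescaped into double-quoted values (`slavePw="<%= @pws['slave'] %>"`), so a vault password containing `"`, a backslash or a trailing newline changes the structure of the line; how the smbldap-tools config parser handles such characters is not visible here, so either the recipe should reject them or the template should state `# NOTE: passwords are written verbatim; values must not contain '"' or newlines`. The recipe deploys this file with mode 0600 and `sensitive true`, which is appropriate for the `cn=Manager` bind password; a first-line header such as `# Managed by Chef (samba-grid::smbldap-tools) - contains LDAP bind credentials` would tell operators the file is both generated and secret.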
@@ -0,0 +1,224 @@ | ||
1 | +<% | |
2 | +conf = node['samba-grid']['smbldap-tools']['smbldap.conf'] | |
3 | +-%> | |
4 | +# $Id: smbldap.conf 139 2012-08-07 11:11:37Z fumiyas $ | |
5 | +# | |
6 | +# smbldap-tools.conf : Q & D configuration file for smbldap-tools | |
7 | + | |
8 | +# This code was developped by IDEALX (http://IDEALX.org/) and | |
9 | +# contributors (their names can be found in the CONTRIBUTORS file). | |
10 | +# | |
11 | +# Copyright (C) 2001-2002 IDEALX | |
12 | +# | |
13 | +# This program is free software; you can redistribute it and/or | |
14 | +# modify it under the terms of the GNU General Public License | |
15 | +# as published by the Free Software Foundation; either version 2 | |
16 | +# of the License, or (at your option) any later version. | |
17 | +# | |
18 | +# This program is distributed in the hope that it will be useful, | |
19 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
20 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
21 | +# GNU General Public License for more details. | |
22 | +# | |
23 | +# You should have received a copy of the GNU General Public License | |
24 | +# along with this program; if not, write to the Free Software | |
25 | +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, | |
26 | +# USA. | |
27 | + | |
28 | +# Purpose : | |
29 | +# . be the configuration file for all smbldap-tools scripts | |
30 | + | |
31 | +############################################################################## | |
32 | +# | |
33 | +# General Configuration | |
34 | +# | |
35 | +############################################################################## | |
36 | + | |
37 | +# Put your own SID. To obtain this number do: "net getlocalsid". | |
38 | +# If not defined, parameter is taking from "net getlocalsid" return | |
39 | +SID="<%= conf['SID'] %>" | |
40 | + | |
41 | +# Domain name the Samba server is in charged. | |
42 | +# If not defined, parameter is taking from smb.conf configuration file | |
43 | +# Ex: sambaDomain="IDEALX-NT" | |
44 | +sambaDomain="<%= conf['sambaDomain'] %>" | |
45 | + | |
46 | +############################################################################## | |
47 | +# | |
48 | +# LDAP Configuration | |
49 | +# | |
50 | +############################################################################## | |
51 | + | |
52 | +# Notes: to use to dual ldap servers backend for Samba, you must patch | |
53 | +# Samba with the dual-head patch from IDEALX. If not using this patch | |
54 | +# just use the same server for slaveLDAP and masterLDAP. | |
55 | +# Those two servers declarations can also be used when you have | |
56 | +# . one master LDAP server where all writing operations must be done | |
57 | +# . one slave LDAP server where all reading operations must be done | |
58 | +# (typically a replication directory) | |
59 | + | |
60 | +# Slave LDAP server URI | |
61 | +# Ex: slaveLDAP=ldap://slave.ldap.example.com/ | |
62 | +# If not defined, parameter is set to "ldap://127.0.0.1/" | |
63 | +slaveLDAP="<%= conf['slaveLDAP'] %>" | |
64 | + | |
65 | +# Master LDAP server URI: needed for write operations | |
66 | +# Ex: masterLDAP=ldap://master.ldap.example.com/ | |
67 | +# If not defined, parameter is set to "ldap://127.0.0.1/" | |
68 | +masterLDAP="<%= conf['masterLDAP'] %>" | |
69 | + | |
70 | +# Use TLS for LDAP | |
71 | +# If set to 1, this option will use start_tls for connection | |
72 | +# (you must also used the LDAP URI "ldap://...", not "ldaps://...") | |
73 | +# If not defined, parameter is set to "0" | |
74 | +ldapTLS="<%= conf['ldapTLS'] %>" | |
75 | + | |
76 | +# How to verify the server's certificate (none, optional or require) | |
77 | +# see "man Net::LDAP" in start_tls section for more details | |
78 | +verify="require" | |
79 | + | |
80 | +# CA certificate | |
81 | +# see "man Net::LDAP" in start_tls section for more details | |
82 | +cafile="/etc/smbldap-tools/ca.pem" | |
83 | + | |
84 | +# certificate to use to connect to the ldap server | |
85 | +# see "man Net::LDAP" in start_tls section for more details | |
86 | +clientcert="/etc/smbldap-tools/smbldap-tools.example.com.pem" | |
87 | + | |
88 | +# key certificate to use to connect to the ldap server | |
89 | +# see "man Net::LDAP" in start_tls section for more details | |
90 | +clientkey="/etc/smbldap-tools/smbldap-tools.example.com.key" | |
91 | + | |
92 | +# LDAP Suffix | |
93 | +# Ex: suffix=dc=IDEALX,dc=ORG | |
94 | +suffix="<%= conf['suffix'] %>" | |
95 | + | |
96 | +# Where are stored Users | |
97 | +# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" | |
98 | +# Warning: if 'suffix' is not set here, you must set the full dn for usersdn | |
99 | +usersdn="ou=Users,${suffix}" | |
100 | + | |
101 | +# Where are stored Computers | |
102 | +# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" | |
103 | +# Warning: if 'suffix' is not set here, you must set the full dn for computersdn | |
104 | +computersdn="ou=Computers,${suffix}" | |
105 | + | |
106 | +# Where are stored Groups | |
107 | +# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" | |
108 | +# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn | |
109 | +groupsdn="ou=Groups,${suffix}" | |
110 | + | |
111 | +# Where are stored Idmap entries (used if samba is a domain member server) | |
112 | +# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG" | |
113 | +# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn | |
114 | +idmapdn="ou=Idmap,${suffix}" | |
115 | + | |
116 | +# Where to store next uidNumber and gidNumber available for new users and groups | |
117 | +# If not defined, entries are stored in sambaDomainName object. | |
118 | +# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" | |
119 | +# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" | |
120 | +sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" | |
121 | + | |
122 | +# Default scope Used | |
123 | +scope="sub" | |
124 | + | |
125 | +# Unix password hash scheme (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) | |
126 | +# If set to "exop", use LDAPv3 Password Modify (RFC 3062) extended operation. | |
127 | +password_hash="SSHA" | |
128 | + | |
129 | +# if password_hash is set to CRYPT, you may set a salt format. | |
130 | +# default is "%s", but many systems will generate MD5 hashed | |
131 | +# passwords if you use "$1$%.8s". This parameter is optional! | |
132 | +password_crypt_salt_format="%s" | |
133 | + | |
134 | +############################################################################## | |
135 | +# | |
136 | +# Unix Accounts Configuration | |
137 | +# | |
138 | +############################################################################## | |
139 | + | |
140 | +# Login defs | |
141 | +# Default Login Shell | |
142 | +# Ex: userLoginShell="/bin/bash" | |
143 | +userLoginShell="/bin/bash" | |
144 | + | |
145 | +# Home directory | |
146 | +# Ex: userHome="/home/%U" | |
147 | +userHome="/home/%U" | |
148 | + | |
149 | +# Default mode used for user homeDirectory | |
150 | +userHomeDirectoryMode="700" | |
151 | + | |
152 | +# Gecos | |
153 | +userGecos="System User" | |
154 | + | |
155 | +# Default User (POSIX and Samba) GID | |
156 | +defaultUserGid="513" | |
157 | + | |
158 | +# Default Computer (Samba) GID | |
159 | +defaultComputerGid="515" | |
160 | + | |
161 | +# Skel dir | |
162 | +skeletonDir="/etc/skel" | |
163 | + | |
164 | +# Treat shadowAccount object or not | |
165 | +shadowAccount="1" | |
166 | + | |
167 | +# Default password validation time (time in days) Comment the next line if | |
168 | +# you don't want password to be enable for defaultMaxPasswordAge days (be | |
169 | +# careful to the sambaPwdMustChange attribute's value) | |
170 | +defaultMaxPasswordAge="45" | |
171 | + | |
172 | +############################################################################## | |
173 | +# | |
174 | +# SAMBA Configuration | |
175 | +# | |
176 | +############################################################################## | |
177 | + | |
178 | +# The UNC path to home drives location (%U username substitution) | |
179 | +# Just set it to a null string if you want to use the smb.conf 'logon home' | |
180 | +# directive and/or disable roaming profiles | |
181 | +# Ex: userSmbHome="\\PDC-SMB3\%U" | |
182 | +userSmbHome="\\PDC-SRV\%U" | |
183 | + | |
184 | +# The UNC path to profiles locations (%U username substitution) | |
185 | +# Just set it to a null string if you want to use the smb.conf 'logon path' | |
186 | +# directive and/or disable roaming profiles | |
187 | +# Ex: userProfile="\\PDC-SMB3\profiles\%U" | |
188 | +userProfile="\\PDC-SRV\profiles\%U" | |
189 | + | |
190 | +# The default Home Drive Letter mapping | |
191 | +# (will be automatically mapped at logon time if home directory exist) | |
192 | +# Ex: userHomeDrive="H:" | |
193 | +userHomeDrive="H:" | |
194 | + | |
195 | +# The default user netlogon script name (%U username substitution) | |
196 | +# if not used, will be automatically username.cmd | |
197 | +# make sure script file is edited under dos | |
198 | +# Ex: userScript="startup.cmd" # make sure script file is edited under dos | |
199 | +userScript="logon.bat" | |
200 | + | |
201 | +# Domain appended to the users "mail"-attribute | |
202 | +# when smbldap-useradd -M is used | |
203 | +# Ex: mailDomain="idealx.com" | |
204 | +mailDomain="<%= conf['mailDomain'] %>" | |
205 | + | |
206 | +############################################################################## | |
207 | +# | |
208 | +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) | |
209 | +# | |
210 | +############################################################################## | |
211 | + | |
212 | +# Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but | |
213 | +# prefer Crypt::SmbHash library | |
214 | +with_smbpasswd="0" | |
215 | +smbpasswd="/usr/bin/smbpasswd" | |
216 | + | |
217 | +# Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf) | |
218 | +# but prefer Crypt:: libraries | |
219 | +with_slappasswd="0" | |
220 | +slappasswd="/usr/sbin/slappasswd" | |
221 | + | |
222 | +# comment out the following line to get rid of the default banner | |
223 | +# no_banner="1" | |
224 | + |
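Review bot: This `smbldap.conf` template is identical line for line to the one that appears earlier in the same commit, including the hard-coded `verify`/`cafile`/`clientcert`/`clientkey` paths and the fixed `password_hash="SSHA"`. If these are two real files rather than the page rendering one file twice, the copies will drift the next time one is edited; collapsing them into a single template, or adding a header comment explaining why a second copy exists, would prevent that.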
@@ -0,0 +1,16 @@ | ||
1 | +<% | |
2 | +conf = node['samba-grid']['smbldap-tools']['smbldap_bind.conf'] | |
3 | +-%> | |
4 | +# $Id: smbldap_bind.conf 35 2011-02-23 09:07:36Z fumiyas $ | |
5 | +# | |
6 | +############################ | |
7 | +# Credential Configuration # | |
8 | +############################ | |
9 | +# Notes: you can specify two differents configuration if you use a | |
10 | +# master ldap for writing access and a slave ldap server for reading access | |
11 | +# By default, we will use the same DN (so it will work for standard Samba | |
12 | +# release) | |
13 | +slaveDN="<%= conf['slaveDN'] %>" | |
14 | +slavePw="<%= @pws['slave'] %>" | |
15 | +masterDN="<%= conf['masterDN'] %>" | |
16 | +masterPw="<%= @pws['master'] %>" |
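Review bot: This `smbldap_bind.conf` template duplicates the earlier one in the same commit byte for byte, credential lines included (`slavePw="<%= @pws['slave'] %>"`, `masterPw="<%= @pws['master'] %>"`). If it is a genuinely separate file, a header comment stating which platform or directory it serves, or merging it with the other copy, would keep the two from diverging — a file holding bind passwords is a poor place for an unexplained duplicate.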