LDAP Client NSSwitch recipe

End Result

A client with LDAP tools and access to users/groups via nsswitch.

Implementation

This was developed for Ubuntu servers but should also work with Debian.

It uses the following files:

  • ldap.$hostname.conf: config for the ldap-utils programs (ldapsearch, etc.); defines the search base
  • libnss-ldap.preseed: debconf preseed for the libnss-ldap package
  • libnss-ldap.conf: config for libnss-ldap
  • libnss-ldap.secret: root DN bind password for libnss-ldap (keep it root-owned and mode 0400)
  • nsswitch.conf: a complete copy of the nsswitch.conf your clients should have

    # Installs the LDAP client tools and makes users/groups resolvable through libnss-ldap.
    # Hyphens are not allowed in class names since Puppet 3, so the original name
    # ldap-client is written ldap_client here.
    class ldap_client {

      package { 'ldap-utils':
        ensure => installed,
      }

      file { 'etc-ldap-dir':
        path   => '/etc/ldap',
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
      }

      # Config for the ldap-utils programs, one file per host, served by the
      # puppet fileserver (the original used the legacy $hostname fact).
      file { 'ldap-conf':
        path    => '/etc/ldap/ldap.conf',
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        source  => "puppet://puppet/files/ldap.${facts['networking']['hostname']}.conf",
        require => File['etc-ldap-dir'],
      }

      # debconf answers so the package installs non-interactively
      file { 'libnss-ldap-preseed':
        path   => '/var/cache/debconf/libnss-ldap.preseed',
        owner  => 'root',
        group  => 'root',
        mode   => '0400',
        source => 'puppet://puppet/files/libnss-ldap.preseed',
      }

      package { 'libnss-ldap':
        ensure       => installed,
        responsefile => '/var/cache/debconf/libnss-ldap.preseed',
        require      => File['libnss-ldap-preseed'],
      }

      file { 'libnss-ldap-conf':
        path    => '/etc/libnss-ldap.conf',
        mode    => '0444',
        source  => 'puppet://puppet/files/libnss-ldap.conf',
        require => Package['libnss-ldap'],
      }

      # Holds the root DN bind password: root-owned and readable by root only.
      file { 'libnss-ldap-secret':
        path    => '/etc/libnss-ldap.secret',
        owner   => 'root',
        group   => 'root',
        mode    => '0400',
        source  => 'puppet://puppet/files/libnss-ldap.secret',
        require => Package['libnss-ldap'],
      }

      file { 'nsswitch-conf':
        path   => '/etc/nsswitch.conf',
        source => 'puppet://puppet/files/nsswitch.conf',
      }
    }

Discussion

The preseeding isn’t really necessary since the configs are managed. However, due to a faulty pre/postinst script I was having trouble installing the package without it.

Possible improvements:

  • PAM integration
  • Less hardcoding

For what it’s worth, Augeas 0.7.4 added a lens for nsswitch.conf. Also, the spacevars (space-separated variables) lens seems to work well with libnss-ldap.conf once you add /etc/libnss-ldap.conf to that lens' file filter; otherwise Augeas ignores the file.
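Since the class above only copies files into place, it is worth checking that what landed on a client actually does what the recipe intends. This is an added example, not part of the original recipe: it parses a staged nsswitch.conf and a libnss-ldap.conf in the space-separated layout the spacevars lens handles, and reports when passwd/group do not consult ldap after files, when the base or server is missing, when the connection is unencrypted, or when the secret file is readable by others. The sample configuration is constructed; the base, server name and bind DN are assumptions.

```python
import re
import stat

NSS_ACTION = re.compile(r"\[[^\]]*\]")  # action clauses such as [NOTFOUND=return]

def parse_nsswitch(text):
    """Map each database to its ordered source list, dropping [action] clauses."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            db, _, rest = line.partition(":")
            dbs[db.strip()] = NSS_ACTION.sub(" ", rest).split()
    return dbs

def parse_spacevars(text):
    """Parse 'key value' lines (libnss-ldap.conf layout); a repeated key overrides."""
    conf = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if parts:
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(nsswitch_text, ldapconf_text, secret_mode):
    """Return findings (empty list = client matches the recipe's intent).
    secret_mode is the st_mode of /etc/libnss-ldap.secret, e.g. os.stat(p).st_mode."""
    findings = []
    dbs = parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group"):
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            findings.append(f"nsswitch: '{db}' never consults ldap")
        elif sources[0] != "files":  # local root must resolve even if the directory is down
            findings.append(f"nsswitch: '{db}' should list files before ldap")
    conf = parse_spacevars(ldapconf_text)
    if "base" not in conf:
        findings.append("libnss-ldap.conf: no search base")
    server = conf.get("uri") or conf.get("host")
    if not server:
        findings.append("libnss-ldap.conf: no uri or host")
    elif not (server.startswith("ldaps://") or conf.get("ssl") in ("on", "start_tls")):
        findings.append("libnss-ldap.conf: bind password and lookups travel unencrypted")
    if "rootbinddn" in conf and stat.S_IMODE(secret_mode) & 0o077:
        findings.append("libnss-ldap.secret: readable by group or other")
    return findings

# Constructed sample of what the recipe deploys; base, server and bind DN are assumptions.
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: files\nhosts: files [NOTFOUND=return] dns\n"
SAMPLE_LDAP_CONF = "base dc=example,dc=com\nuri ldaps://ldap.example.com/\nrootbinddn cn=admin,dc=example,dc=com\n"
```

Run it against the real files with `audit(open('/etc/nsswitch.conf').read(), open('/etc/libnss-ldap.conf').read(), os.stat('/etc/libnss-ldap.secret').st_mode)` after a Puppet run; an empty list is the expected result.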