Adding ldap providers for the user and group type.

These providers use posixAccount and posixGroup.

This is a collapsed merge, fwiw.

7 files changed, 677 insertions, 0 deletions

diff --git a/lib/puppet/provider/group/ldap.rb b/lib/puppet/provider/group/ldap.rb
new file mode 100644
index 000000000..632358ff1
--- /dev/null
+++ b/lib/puppet/provider/group/ldap.rb
@@ -0,0 +1,37 @@
+require 'puppet/provider/ldap'
+
+Puppet::Type.type(:group).provide :ldap, :parent => Puppet::Provider::Ldap do
+    desc "Group management via ``ldap``.  This provider requires that you
+        have valid values for all of the ldap-related settings,
+        including ``ldapbase``.  You will also almost definitely need settings
+        for ``ldapuser`` and ``ldappassword``, so that your clients can write
+        to ldap.
+        
+        Note that this provider will automatically generate a GID for you if
+        you do not specify one, but it is a potentially expensive operation,
+        as it iterates across all existing groups to pick the appropriate next
+        one."
+
+    confine :true => Puppet.features.ldap?
+
+    # We're mapping 'members' here because we want to make it
+    # easy for the ldap user provider to manage groups.  This
+    # way it can just use the 'update' method in the group manager,
+    # whereas otherwise it would need to replicate that code.
+    manages(:posixGroup).at("ou=Groups").and.maps :name => :cn, :gid => :gidNumber, :members => :memberUid
+
+    # Find the next gid after the current largest gid.
+    provider = self
+    manager.generates(:gidNumber).with do 
+        largest = 0
+        provider.manager.search.each do |hash|
+            next unless value = hash[:gid]
+            num = value[0].to_i
+            if num > largest
+                largest = num
+            end
+        end
+        largest + 1
+    end
+
+end
diff --git a/lib/puppet/provider/ldap.rb b/lib/puppet/provider/ldap.rb
new file mode 100644
index 000000000..76834f94d
--- /dev/null
+++ b/lib/puppet/provider/ldap.rb
@@ -0,0 +1,137 @@
+require 'puppet/provider'
+
+# The base class for LDAP providers.
+class Puppet::Provider::Ldap < Puppet::Provider
+    require 'puppet/util/ldap/manager'
+
+    class << self
+        attr_reader :manager
+    end
+
+    # Look up all instances at our location.  Yay.
+    def self.instances
+        return [] unless list = manager.search
+
+        list.collect { |entry| new(entry) }
+    end
+
+    # Specify the ldap manager for this provider, which is
+    # used to figure out how we actually interact with ldap.
+    def self.manages(*args)
+        @manager = Puppet::Util::Ldap::Manager.new
+        @manager.manages(*args)
+
+        # Set up our getter/setter methods.
+        mk_resource_methods
+        return @manager
+    end
+
+    # Query all of our resources from ldap.
+    def self.prefetch(resources)
+        resources.each do |name, resource|
+            if result = manager.find(name)
+                result[:ensure] = :present
+                resource.provider = new(result)
+            else
+                resource.provider = new(:ensure => :absent)
+            end
+        end
+    end
+
+    attr_reader :ldap_properties
+
+    def manager
+        self.class.manager
+    end
+
+    def create
+        @property_hash[:ensure] = :present
+        self.class.resource_type.validproperties.each do |property|
+            if val = resource.should(property)
+                @property_hash[property] = val
+            end
+        end
+    end
+
+    def delete
+        @property_hash[:ensure] = :absent
+    end
+
+    def exists?
+        @property_hash[:ensure] != :absent
+    end
+
+    # Apply our changes to ldap, yo.
+    def flush
+        # Just call the manager's update() method.
+        @property_hash.delete(:groups)
+        @ldap_properties.delete(:groups)
+        manager.update(name, ldap_properties, properties)
+        @property_hash.clear
+        @ldap_properties.clear
+    end
+
+    def initialize(*args)
+        raise(Puppet::DevError, "No LDAP Configuration defined for %s" % self.class) unless self.class.manager
+        raise(Puppet::DevError, "Invalid LDAP Configuration defined for %s" % self.class) unless self.class.manager.valid?
+        super
+
+        @property_hash = @property_hash.inject({}) do |result, ary|
+            param, values = ary
+
+            # Skip any attributes we don't manage.
+            next result unless self.class.resource_type.validattr?(param)
+
+            paramclass = self.class.resource_type.attrclass(param)
+
+            unless values.is_a?(Array)
+                result[param] = values
+                next result
+            end
+
+            # Only use the first value if the attribute class doesn't manage
+            # arrays of values.
+            if paramclass.superclass == Puppet::Parameter or paramclass.array_matching == :first
+                result[param] = values[0]
+            else
+                result[param] = values
+            end
+            result
+        end
+
+        # Make a duplicate, so that we have a copy for comparison 
+        # at the end.
+        @ldap_properties = @property_hash.dup
+    end
+
+    # Return the current state of ldap.
+    def ldap_properties
+        @ldap_properties.dup
+    end
+
+    # Return (and look up if necessary) the desired state.
+    def properties
+        if @property_hash.empty?
+            @property_hash = query || {:ensure => :absent}
+            if @property_hash.empty?
+                @property_hash[:ensure] = :absent
+            end
+        end
+        @property_hash.dup
+    end
+
+    # Collect the current attributes from ldap.  Returns
+    # the results, but also stores the attributes locally,
+    # so we have something to compare against when we update.
+    # LAK:NOTE This is normally not used, because we rely on prefetching.
+    def query
+        # Use the module function.
+        unless attributes = manager.find(name)
+            @ldap_properties = {}
+            return nil
+        end
+
+        @ldap_properties = attributes
+        return @ldap_properties.dup
+    end
+end
diff --git a/lib/puppet/provider/user/ldap.rb b/lib/puppet/provider/user/ldap.rb
new file mode 100644
index 000000000..ba91a871e
--- /dev/null
+++ b/lib/puppet/provider/user/ldap.rb
@@ -0,0 +1,115 @@
+require 'puppet/provider/ldap'
+
+Puppet::Type.type(:user).provide :ldap, :parent => Puppet::Provider::Ldap do
+    desc "User management via ``ldap``.  This provider requires that you
+        have valid values for all of the ldap-related settings,
+        including ``ldapbase``.  You will also almost definitely need settings
+        for ``ldapuser`` and ``ldappassword``, so that your clients can write
+        to ldap.
+        
+        Note that this provider will automatically generate a UID for you if
+        you do not specify one, but it is a potentially expensive operation,
+        as it iterates across all existing users to pick the appropriate next
+        one."
+
+    confine :true => Puppet.features.ldap?
+
+    manages(:posixAccount, :person).at("ou=People").named_by(:uid).and.maps :name => :uid,
+        :password => :userPassword,
+        :comment => :cn,
+        :uid => :uidNumber,
+        :gid => :gidNumber,
+        :home => :homeDirectory,
+        :shell => :loginShell
+
+    # Use the last field of a space-separated array as
+    # the sn.  LDAP requires a surname, for some stupid reason.
+    manager.generates(:sn).from(:cn).with do |cn|
+        x = 1
+        cn[0].split(/\s+/)[-1]
+    end
+
+    # Find the next uid after the current largest uid.
+    provider = self
+    manager.generates(:uidNumber).with do 
+        largest = 0
+        provider.manager.search.each do |hash|
+            next unless value = hash[:uid]
+            num = value[0].to_i
+            if num > largest
+                largest = num
+            end
+        end
+        largest + 1
+    end
+
+    # Find all groups this user is a member of in ldap.
+    def groups
+        # We want to cache the current result, so we know if we
+        # have to remove old values.
+        unless @property_hash[:groups]
+            unless result = group_manager.search("memberUid=%s" % name)
+                return @property_hash[:groups] = :absent
+            end
+
+            return @property_hash[:groups] = result.collect { |r| r[:name] }.join(",")
+        end
+        return @property_hash[:groups]
+    end
+
+    # Manage the list of groups this user is a member of.
+    def groups=(values)
+        should = values.split(",")
+
+        if groups() == :absent
+            is = []
+        else
+            is = groups().split(",")
+        end
+
+        modes = {}
+        [is, should].flatten.uniq.each do |group|
+            # Skip it when they're in both
+            next if is.include?(group) and should.include?(group)
+
+            # We're adding a group.
+            modes[group] = :add and next unless is.include?(group)
+
+            # We're removing a group.
+            modes[group] = :remove and next unless should.include?(group)
+        end
+
+        modes.each do |group, form|
+            self.fail "Could not find ldap group %s" % group unless ldap_group = group_manager.find(group)
+
+            current = ldap_group[:members]
+
+            if form == :add
+                if current.is_a?(Array) and ! current.empty?
+                    new = current + [name]
+                else
+                    new = [name]
+                end
+            else
+                new = current - [name]
+                new = :absent if new.empty?
+            end
+
+            group_manager.update(group, {:ensure => :present, :members => current}, {:ensure => :present, :members => new})
+        end
+    end
+
+    private
+
+    def group_manager
+        Puppet::Type.type(:group).provider(:ldap).manager
+    end
+
+    def group_properties(values)
+        if values.empty? or values == :absent
+            {:ensure => :present}
+        else
+            {:ensure => :present, :members => values}
+        end
+    end
+end
diff --git a/lib/puppet/util/ldap.rb b/lib/puppet/util/ldap.rb
new file mode 100644
index 000000000..33f01f789
--- /dev/null
+++ b/lib/puppet/util/ldap.rb
@@ -0,0 +1,5 @@
+#
+#  Created by Luke Kanies on 2008-3-23.
+#  Copyright (c) 2008. All rights reserved.
+module Puppet::Util::Ldap
+end
diff --git a/lib/puppet/util/ldap/connection.rb b/lib/puppet/util/ldap/connection.rb
new file mode 100644
index 000000000..abcc07ecb
--- /dev/null
+++ b/lib/puppet/util/ldap/connection.rb
@@ -0,0 +1,57 @@
+#
+#  Created by Luke Kanies on 2008-3-23.
+#  Copyright (c) 2008. All rights reserved.
+require 'puppet/util/ldap'
+
+class Puppet::Util::Ldap::Connection
+    attr_accessor :host, :port, :user, :password, :reset, :ssl
+
+    attr_reader :connection
+
+    def close
+        connection.unbind if connection.bound?
+    end
+
+    def initialize(host, port, options = {})
+        raise Puppet::Error, "Could not set up LDAP Connection: Missing ruby/ldap libraries" unless Puppet.features.ldap?
+
+        @host, @port = host, port
+
+        options.each do |param, value|
+            begin
+                send(param.to_s + "=", value)
+            rescue
+                raise ArgumentError, "LDAP connections do not support %s parameters" % param
+            end
+        end
+    end
+
+    # Create a per-connection unique name.
+    def name
+        [host, port, user, password, ssl].collect { |p| p.to_s }.join("/")
+    end
+
+    # Should we reset the connection?
+    def reset?
+        reset
+    end
+
+    # Start our ldap connection.
+    def start
+        begin
+            case ssl
+            when :tls:
+                @connection = LDAP::SSLConn.new(host, port, true)
+            when true:
+                @connection = LDAP::SSLConn.new(host, port)
+            else
+                @connection = LDAP::Conn.new(host, port)
+            end
+            @connection.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+            @connection.set_option(LDAP::LDAP_OPT_REFERRALS, LDAP::LDAP_OPT_ON)
+            @connection.simple_bind(user, password)
+        rescue => detail
+            raise Puppet::Error, "Could not connect to LDAP: %s" % detail
+        end
+    end
+end
diff --git a/lib/puppet/util/ldap/generator.rb b/lib/puppet/util/ldap/generator.rb
new file mode 100644
index 000000000..2a868b0d9
--- /dev/null
+++ b/lib/puppet/util/ldap/generator.rb
@@ -0,0 +1,45 @@
+#
+#  Created by Luke Kanies on 2008-3-28.
+#  Copyright (c) 2008. All rights reserved.
+require 'puppet/util/ldap'
+
+class Puppet::Util::Ldap::Generator
+    # Declare the attribute we'll use to generate the value.
+    def from(source)
+        @source = source
+        return self
+    end
+
+    # Actually do the generation.
+    def generate(value = nil)
+        if value.nil?
+            @generator.call
+        else
+            @generator.call(value)
+        end
+    end
+
+    # Initialize our generator with the name of the parameter
+    # being generated.
+    def initialize(name)
+        @name = name
+    end
+
+    def name
+        @name.to_s
+    end
+
+    def source
+        if defined?(@source) and @source
+            @source.to_s
+        else
+            nil
+        end
+    end
+
+    # Provide the code that does the generation.
+    def with(&block)
+        @generator = block
+        return self
+    end
+end
diff --git a/lib/puppet/util/ldap/manager.rb b/lib/puppet/util/ldap/manager.rb
new file mode 100644
index 000000000..9761fc753
--- /dev/null
+++ b/lib/puppet/util/ldap/manager.rb
@@ -0,0 +1,281 @@
+require 'puppet/util/ldap'
+require 'puppet/util/ldap/connection'
+require 'puppet/util/ldap/generator'
+
+# The configuration class for LDAP providers, plus
+# connection handling for actually interacting with ldap.
+class Puppet::Util::Ldap::Manager
+    attr_reader :objectclasses, :puppet2ldap, :location, :rdn
+
+    # A null-op that just returns the config.
+    def and
+        return self
+    end
+
+    # Set the offset from the search base and return the config.
+    def at(location)
+        @location = location
+        return self
+    end
+
+    # The basic search base.
+    def base
+        [location, Puppet[:ldapbase]].join(",")
+    end
+
+    # Convert the name to a dn, then pass the args along to
+    # our connection.
+    def create(name, attributes)
+        attributes = attributes.dup
+
+        # Add the objectclasses
+        attributes["objectClass"] = objectclasses.collect { |o| o.to_s }
+        attributes["objectClass"] << "top" unless attributes["objectClass"].include?("top")
+
+        attributes[rdn.to_s] = [name]
+
+        # Generate any new values we might need.
+        generate(attributes)
+
+        # And create our resource.
+        connect { |conn| conn.add dn(name), attributes }
+    end
+
+    # Open, yield, and close the connection.  Cannot be left
+    # open, at this point.
+    def connect
+        raise ArgumentError, "You must pass a block to #connect" unless block_given?
+
+        unless defined?(@connection) and @connection
+            if Puppet[:ldaptls]
+                ssl = :tls
+            elsif Puppet[:ldapssl]
+                ssl = true
+            else
+                ssl = false
+            end
+            options = {:ssl => ssl}
+            if user = Puppet[:ldapuser] and user != ""
+                options[:user] = user
+            end
+            if password = Puppet[:ldappassword] and password != ""
+                options[:password] = password
+            end
+            @connection = Puppet::Util::Ldap::Connection.new(Puppet[:ldapserver], Puppet[:ldapport], options)
+        end
+        @connection.start
+        begin
+            yield @connection.connection
+        ensure
+            @connection.close
+        end
+        return nil
+    end
+
+    # Convert the name to a dn, then pass the args along to
+    # our connection.
+    def delete(name)
+        connect { |connection| connection.delete dn(name) }
+    end
+
+    # Calculate the dn for a given resource.
+    def dn(name)
+        ["#{rdn.to_s}=%s" % name, base].join(",")
+    end
+
+    # Convert an ldap-style entry hash to a provider-style hash.
+    def entry2provider(entry)
+        raise ArgumentError, "Could not get dn from ldap entry" unless entry["dn"]
+
+        # DN is always a single-entry array.  Strip off the bits before the
+        # first comma, then the bits after the remaining equal sign.  This is the
+        # name.
+        name = entry["dn"].dup.pop.split(",").shift.split("=").pop
+
+        result = {:name => name}
+
+        @ldap2puppet.each do |ldap, puppet|
+            result[puppet] = entry[ldap.to_s] || :absent
+        end
+
+        result
+    end
+
+    # Create our normal search filter.
+    def filter
+        return "objectclass=%s" % objectclasses[0] if objectclasses.length == 1
+        return "(&(objectclass=" + objectclasses.join(")(objectclass=") + "))"
+    end
+
+    # Find the associated entry for a resource.  Returns a hash, minus
+    # 'dn', or nil if the entry cannot be found.
+    def find(name)
+        result = nil
+        connect do |conn|
+            begin
+                conn.search2(dn(name), 0, "objectclass=*") do |result|
+                    # Convert to puppet-appropriate attributes
+                    return entry2provider(result)
+                end
+            rescue => detail
+                return nil
+            end
+        end
+    end
+
+    # Declare a new attribute generator.
+    def generates(parameter)
+        @generators << Puppet::Util::Ldap::Generator.new(parameter)
+        @generators[-1]
+    end
+
+    # Generate any extra values we need to make the ldap entry work.
+    def generate(values)
+        return unless @generators.length > 0
+
+        @generators.each do |generator|
+            # Don't override any values that might exist.
+            next if values[generator.name]
+
+            if generator.source
+                unless value = values[generator.source]
+                    raise ArgumentError, "%s must be defined to generate %s" % [generator.source, generator.name]
+                end
+                result = generator.generate(value)
+            else
+                result = generator.generate
+            end
+
+            result = [result] unless result.is_a?(Array)
+            result = result.collect { |r| r.to_s }
+
+            values[generator.name] = result
+        end
+    end
+
+    def initialize
+        @rdn = :cn
+        @generators = []
+    end
+
+    # Specify what classes this provider models.
+    def manages(*classes)
+        @objectclasses = classes
+        return self
+    end
+
+    # Specify the attribute map.  Assumes the keys are the puppet
+    # attributes, and the values are the ldap attributes, and creates a map
+    # for each direction.
+    def maps(attributes)
+        # The map with the puppet attributes as the keys
+        @puppet2ldap = attributes
+
+        # and the ldap attributes as the keys.
+        @ldap2puppet = attributes.inject({}) { |map, ary| map[ary[1]] = ary[0]; map }
+
+        return self
+    end
+
+    # Return the ldap name for a puppet attribute.
+    def ldap_name(attribute)
+        @puppet2ldap[attribute].to_s
+    end
+
+    # Convert the name to a dn, then pass the args along to
+    # our connection.
+    def modify(name, mods)
+        connect { |connection| connection.modify dn(name), mods }
+    end
+
+    # Specify the rdn that we use to build up our dn.
+    def named_by(attribute)
+        @rdn = attribute
+        self
+    end
+
+    # Return the puppet name for an ldap attribute.
+    def puppet_name(attribute)
+        @ldap2puppet[attribute]
+    end
+
+    # Search for all entries at our base.  A potentially expensive search.
+    def search(sfilter = nil)
+        sfilter ||= filter()
+
+        result = []
+        connect do |conn|
+            conn.search2(base, 1, sfilter) do |entry|
+                result << entry2provider(entry)
+            end
+        end
+        return nil if result.empty?
+        return result
+    end
+
+    # Update the ldap entry with the desired state.
+    def update(name, is, should)
+        if should[:ensure] == :absent
+            Puppet.info "Removing %s from ldap" % dn(name)
+            delete(name)
+            return
+        end
+
+        # We're creating a new entry
+        if is.empty? or is[:ensure] == :absent
+            Puppet.info "Creating %s in ldap" % dn(name)
+            # Remove any :absent params and :ensure, then convert the names to ldap names.
+            attrs = ldap_convert(should)
+            create(name, attrs)
+            return
+        end
+
+        # We're modifying an existing entry.  Yuck.
+
+        mods = []
+        # For each attribute we're deleting that is present, create a
+        # modify instance for deletion.
+        [is.keys, should.keys].flatten.uniq.each do |property|
+            # They're equal, so do nothing.
+            next if is[property] == should[property]
+
+            attributes = ldap_convert(should)
+
+            prop_name = ldap_name(property).to_s
+
+            # We're creating it.
+            if is[property] == :absent or is[property].nil?
+                mods << LDAP::Mod.new(LDAP::LDAP_MOD_ADD, prop_name, attributes[prop_name])
+                next
+            end
+
+            # We're deleting it
+            if should[property] == :absent or should[property].nil?
+                mods << LDAP::Mod.new(LDAP::LDAP_MOD_DELETE, prop_name, [])
+                next
+            end
+
+            # We're replacing an existing value
+            mods << LDAP::Mod.new(LDAP::LDAP_MOD_REPLACE, prop_name, attributes[prop_name])
+        end
+
+        modify(name, mods)
+    end
+
+    # Is this a complete ldap configuration?
+    def valid?
+        location and objectclasses and ! objectclasses.empty? and puppet2ldap
+    end
+
+    private
+
+    # Convert a hash of attributes to ldap-like forms.  This mostly means
+    # getting rid of :ensure and making sure everything's an array of strings.
+    def ldap_convert(attributes)
+        attributes.reject { |param, value| value == :absent or param == :ensure }.inject({}) do |result, ary|
+            value = (ary[1].is_a?(Array) ? ary[1] : [ary[1]]).collect { |v| v.to_s }
+            result[ldap_name(ary[0])] = value
+            result
+        end
+    end
+end