
Add possibility to set auth_backend to ldap

next to the already existing possibilities db and external. If auth_backend is set
to ldap, an ldap resource and an ldap authentication configuration are generated.

Also support for ldap encryption is added.
Stefan Kleindl 8 years ago
parent
commit
5a786c6d49
5 changed files with 151 additions and 39 deletions
  1. 21 0
      manifests/config.pp
  2. 15 7
      manifests/config/resource_ldap.pp
  3. 56 0
      manifests/init.pp
  4. 41 31
      manifests/params.pp
  5. 18 1
      spec/classes/icingaweb2_spec.rb

+ 21 - 0
manifests/config.pp

@@ -78,6 +78,16 @@ class icingaweb2::config (
         auth_section  => 'icingaweb2',
       }
     }
+    'ldap': {
+      icingaweb2::config::authentication_ldap { 'LDAP Authentication':
+        auth_section        => 'icingaweb2',
+        auth_resource       => 'ldap',
+        user_class          => $::icingaweb2::auth_ldap_user_class,
+        user_name_attribute => $::icingaweb2::auth_ldap_user_name_attribute,
+        filter              => $::icingaweb2::auth_ldap_filter,
+        base_dn             => $::icingaweb2::auth_ldap_base_dn,
+      }
+    }
     default: {}
   }
 
@@ -139,6 +149,17 @@ class icingaweb2::config (
     resource_password => $::icingaweb2::ido_db_pass,
   }
 
+  if $::icingaweb2::auth_backend == 'ldap' {
+    icingaweb2::config::resource_ldap { 'ldap':
+      resource_host       => $::icingaweb2::ldap_host,
+      resource_bind_dn    => $::icingaweb2::ldap_bind_dn,
+      resource_bind_pw    => $::icingaweb2::ldap_bind_pw,
+      resource_port       => $::icingaweb2::ldap_port,
+      resource_root_dn    => $::icingaweb2::ldap_root_dn,
+      resource_encryption => $::icingaweb2::ldap_encryption,
+    }
+  }
+
   # Configure roles.ini
   icingaweb2::config::roles { 'Admins':
     role_users       => $::icingaweb2::admin_users,
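Review bot: The `auth_resource => 'ldap'` literal in the first hunk and the `resource_ldap { 'ldap': … }` title in the second hunk must stay identical, but nothing in the code ties them together; a reader changing one will not see the other. I would add a comment above the `'ldap':` case branch, `# auth_resource must match the title of the resource_ldap definition below`, and mirror it above the `if` that creates the resource. The enclosing class icingaweb2::config starts and ends outside both hunks.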

+ 15 - 7
manifests/config/resource_ldap.pp

@@ -1,12 +1,13 @@
 # Define for setting IcingaWeb2 LDAP Resource
 #
 define icingaweb2::config::resource_ldap (
-  $resource_bind_dn = undef,
-  $resource_bind_pw = undef,
-  $resource_host    = undef,
-  $resource_name    = $title,
-  $resource_port    = undef,
-  $resource_root_dn = undef,
+  $resource_bind_dn    = undef,
+  $resource_bind_pw    = undef,
+  $resource_host       = undef,
+  $resource_name       = $title,
+  $resource_port       = undef,
+  $resource_root_dn    = undef,
+  $resource_encryption = undef,
 ) {
   Ini_Setting {
     ensure  => present,
@@ -49,5 +50,12 @@ define icingaweb2::config::resource_ldap (
     setting => 'bind_pw',
     value   => "\"${resource_bind_pw}\"",
   }
-}
 
+  if $::icingaweb2::ldap_encryption {
+    ini_setting { "icingaweb2 resources ${title} encryption":
+      section => $resource_name,
+      setting => 'encryption',
+      value   => "\"${resource_encryption}\"",
+    }
+  }
+}
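Review bot: The new encryption block is gated on the class variable `$::icingaweb2::ldap_encryption` instead of the define's own `$resource_encryption` parameter, so the define no longer stands on its own: a caller that passes `resource_encryption` without the class parameter set gets no `encryption` setting, and a caller that sets the class parameter but passes a different value writes whichever value it received. The guard should read `if $resource_encryption {` so the written value and the condition agree. Since an unset value silently yields an unencrypted bind with `bind_pw`, a short doc line on the parameter, `# $resource_encryption: 'starttls' or 'ldaps'; undef leaves the connection unencrypted`, would make the default visible to users of the define.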

+ 56 - 0
manifests/init.pp

@@ -9,6 +9,18 @@
 # $auth_backend::
 #                         Default:
 #
+# $auth_ldap_base_dn::    LDAP base dn.
+#                         Default: undef
+#
+# $auth_ldap_filter::     LDAP authentication filter.
+#                         Default: undef
+#
+# $auth_ldap_user_class:: LDAP authentication user class.
+#                         Default: inetOrgPerson
+#
+# $auth_ldap_user_name_attribute:: LDAP authentication user name attribute.
+#                         Default: uid
+#
 # $auth_resource::
 #                         Default:
 #
@@ -67,6 +79,25 @@
 #                         Options: git, package
 #                         Default: git.
 #
+# $ldap_bind_dn::         LDAP bind dn
+#                         Default: undef
+#
+# $ldap_bind_pw::         LDAP bind pw
+#                         Default: undef
+#
+# $ldap_encryption::      LDAP encryption method
+#                         Allowed values are "starttls" and "ldaps".
+#                         Default: undef
+#
+# $ldap_host::            LDAP hostname
+#                         Default: undef
+#
+# $ldap_port::            LDAP bind port
+#                         Default: 389
+#
+# $ldap_root_dn::         LDAP root dn
+#                         Default: undef
+#
 # $log_application::
 #                         Default:
 #
@@ -175,6 +206,10 @@ class icingaweb2 (
   $admin_permissions                 = $::icingaweb2::params::admin_permissions,
   $admin_users                       = $::icingaweb2::params::admin_users,
   $auth_backend                      = $::icingaweb2::params::auth_backend,
+  $auth_ldap_base_dn                 = $::icingaweb2::params::auth_base_dn,
+  $auth_ldap_filter                  = $::icingaweb2::params::auth_ldap_filter,
+  $auth_ldap_user_class              = $::icingaweb2::params::auth_ldap_user_class,
+  $auth_ldap_user_name_attribute     = $::icingaweb2::params::auth_ldap_user_name_attribute,
   $auth_resource                     = $::icingaweb2::params::auth_resource,
   $config_dir                        = $::icingaweb2::params::config_dir,
   $config_dir_mode                   = $::icingaweb2::params::config_dir_mode,
@@ -193,6 +228,12 @@ class icingaweb2 (
   $ido_db_user                       = $::icingaweb2::params::ido_db_user,
   $ido_type                          = $::icingaweb2::params::ido_type,
   $install_method                    = $::icingaweb2::params::install_method,
+  $ldap_bind_dn                      = $::icingaweb2::params::ldap_bind_dn,
+  $ldap_bind_pw                      = $::icingaweb2::params::ldap_bind_pw,
+  $ldap_encryption                   = $::icingaweb2::params::ldap_encryption,
+  $ldap_host                         = $::icingaweb2::params::ldap_host,
+  $ldap_port                         = $::icingaweb2::params::ldap_port,
+  $ldap_root_dn                      = $::icingaweb2::params::ldap_root_dn,
   $log_application                   = $::icingaweb2::params::log_application,
   $log_level                         = $::icingaweb2::params::log_level,
   $log_method                        = $::icingaweb2::params::log_method,
@@ -266,6 +307,21 @@ class icingaweb2 (
   validate_string($template_resources)
   validate_string($template_roles)
 
+  if $::icingaweb2::auth_backend == 'ldap' {
+    validate_integer($ldap_port)
+    validate_string($auth_ldap_base_dn)
+    validate_string($auth_ldap_filter)
+    validate_string($auth_ldap_user_class)
+    validate_string($auth_ldap_user_name_attribute)
+    validate_string($ldap_host)
+    validate_string($ldap_bind_dn)
+    validate_string($ldap_bind_pw)
+    validate_string($ldap_root_dn)
+    if $::icingaweb2::ldap_encryption {
+      validate_re( $ldap_encryption, '^(ldaps|starttls)$', "\$ldap_encryption must be either 'ldaps' or 'starttls', got '${ldap_encryption}'")
+    }
+  }
+
   if $::icingaweb2::manage_apache_vhost {
     validate_string($template_apache)
   }
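Review bot: The default for `$auth_ldap_base_dn` in the parameter list references `$::icingaweb2::params::auth_base_dn`, but params.pp in this commit defines `$auth_ldap_base_dn`, so the parameter resolves to undef (or fails under strict variable checking) and the base dn is never passed to the authentication backend; it should be `$auth_ldap_base_dn = $::icingaweb2::params::auth_ldap_base_dn,`. In the validation hunk, `validate_string` accepts undef, so leaving `$ldap_host`, `$ldap_bind_dn` or `$auth_ldap_base_dn` unset passes validation and only fails at LDAP connection time; if those are required for the ldap backend, an explicit check such as `if $ldap_host == undef { fail('ldap_host is required when auth_backend is ldap') }` would surface the misconfiguration at catalog compile. Inside the class the conditions could also use the local `$auth_backend` and `$ldap_encryption` rather than the fully qualified `$::icingaweb2::…` form used elsewhere in the same block only for the parameter list. The enclosing class icingaweb2 starts and ends outside these hunks.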

+ 41 - 31
manifests/params.pp

@@ -10,37 +10,47 @@ class icingaweb2::params {
   $manage_user         = true
 
   # Template variables
-  $admin_permissions = '*'
-  $admin_users       = 'icingaadmin'
-  $auth_backend      = 'db'
-  $auth_resource     = 'icingaweb_db'
-  $ido_db            = 'mysql'
-  $ido_db_host       = 'localhost'
-  $ido_db_name       = 'icingaweb2'
-  $ido_db_pass       = 'icingaweb2'
-  $ido_db_port       = '3306'
-  $ido_db_user       = 'icingaweb2'
-  $ido_type          = 'db'
-  $log_application   = 'icingaweb2'
-  $log_level         = 'ERROR'
-  $log_method        = 'syslog'
-  $log_resource      = 'icingaweb_db'
-  $log_store         = 'db'
-  $pkg_repo_version  = 'release'
-  $template_auth     = 'icingaweb2/authentication.ini.erb'
-  $template_config   = 'icingaweb2/config.ini.erb'
-  $template_resources='icingaweb2/resources.ini.erb'
-  $template_roles    = 'icingaweb2/roles.ini.erb'
-  $template_apache   = 'icingaweb2/apache2.conf.erb'
-  $web_db            = 'mysql'
-  $web_db_host       = 'localhost'
-  $web_db_name       = 'icingaweb2'
-  $web_db_pass       = 'icingaweb2'
-  $web_db_port       = '3306'
-  $web_db_prefix     = 'icingaweb2_'
-  $web_db_user       = 'icingaweb2'
-  $web_type          = 'db'
-  $initialize        = false
+  $admin_permissions             = '*'
+  $admin_users                   = 'icingaadmin'
+  $auth_backend                  = 'db'
+  $auth_ldap_base_dn             = undef
+  $auth_ldap_filter              = undef
+  $auth_ldap_user_class          = 'inetOrgPerson'
+  $auth_ldap_user_name_attribute = 'uid'
+  $auth_resource                 = 'icingaweb_db'
+  $ido_db                        = 'mysql'
+  $ido_db_host                   = 'localhost'
+  $ido_db_name                   = 'icingaweb2'
+  $ido_db_pass                   = 'icingaweb2'
+  $ido_db_port                   = '3306'
+  $ido_db_user                   = 'icingaweb2'
+  $ido_type                      = 'db'
+  $ldap_bind_dn                  = undef
+  $ldap_bind_pw                  = undef
+  $ldap_encryption               = undef
+  $ldap_host                     = undef
+  $ldap_port                     = '389'
+  $ldap_root_dn                  = undef
+  $log_application               = 'icingaweb2'
+  $log_level                     = 'ERROR'
+  $log_method                    = 'syslog'
+  $log_resource                  = 'icingaweb_db'
+  $log_store                     = 'db'
+  $pkg_repo_version              = 'release'
+  $template_auth                 = 'icingaweb2/authentication.ini.erb'
+  $template_config               = 'icingaweb2/config.ini.erb'
+  $template_resources            ='icingaweb2/resources.ini.erb'
+  $template_roles                = 'icingaweb2/roles.ini.erb'
+  $template_apache               = 'icingaweb2/apache2.conf.erb'
+  $web_db                        = 'mysql'
+  $web_db_host                   = 'localhost'
+  $web_db_name                   = 'icingaweb2'
+  $web_db_pass                   = 'icingaweb2'
+  $web_db_port                   = '3306'
+  $web_db_prefix                 = 'icingaweb2_'
+  $web_db_user                   = 'icingaweb2'
+  $web_type                      = 'db'
+  $initialize                    = false
 
   case $::osfamily {
     'RedHat': {
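Review bot: The realigned line `$template_resources            ='icingaweb2/resources.ini.erb'` still carries the original missing space after `=`; since the whole block was re-touched for alignment this is the moment to write `$template_resources            = 'icingaweb2/resources.ini.erb'`. The new `$ldap_port = '389'` is a string while init.pp validates it with `validate_integer`, which accepts integer-like strings, so it works, but matching the convention of the surrounding `'3306'` entries is worth a short comment if a future change switches to typed parameters. The enclosing class icingaweb2::params continues past the hunk.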

+ 18 - 1
spec/classes/icingaweb2_spec.rb

@@ -63,7 +63,24 @@ describe 'icingaweb2', :type => :class do
   end
 
   describe 'with parameter: auth_backend' do
-    pending
+    context 'auth_backend => db' do
+      let (:params) { { :auth_backend => 'db' } }
+      it {
+        should contain_icingaweb2__config__authentication_database('Local Database Authentication').with('auth_section' => 'icingaweb2')
+      }
+    end
+    context 'auth_backend => external' do
+      let (:params) { { :auth_backend => 'external' } }
+      it {
+        should contain_icingaweb2__config__authentication_external('External Authentication').with('auth_section' => 'icingaweb2')
+      }
+    end
+    context 'auth_backend => ldap' do
+      let (:params) { { :auth_backend => 'ldap' } }
+      it {
+        should contain_icingaweb2__config__authentication_ldap('LDAP Authentication').with('auth_section' => 'icingaweb2')
+      }
+    end
   end
 
   describe 'with parameter: auth_resource' do
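Review bot: The `auth_backend => ldap` context only asserts the authentication definition and never checks that the LDAP resource the commit adds in config.pp is created, so the wiring between the two literals is untested; adding `should contain_icingaweb2__config__resource_ldap('ldap')` to that `it` block would cover it. The new `validate_re` on `ldap_encryption` is also uncovered: a context with `:ldap_encryption => 'plain'` expecting `expect { should compile }.to raise_error(/ldaps|starttls/)` would pin the rejection of unsupported values. As a style point, the new `let (:params)` lines put a space before the parenthesis, unlike the usual `let(:params)`.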