Make LDAP client-side TLS authentication optional (#137)

sabo · op-ct · web-flow · commit 51c94f8d874e · 2024-11-18T13:30:48.000-06:00
* Make SSSD client-side TLS authentication optional

* Add test for client_tls parameter

---------

Co-authored-by: op-ct &lt;chris.tessmer@onyxpoint.com&gt;
diff --git a/manifests/provider/ldap.pp b/manifests/provider/ldap.pp
@@ -36,6 +36,9 @@
 # @param strip_128_bit_ciphers
 #   **DEPRECATED** - EL6-only - Will be removed in a future release
 #
+# @param client_tls
+#   Set to false to disable setting up client-side TLS
+#
 # @param debug_level
 # @param debug_timestamps
 # @param debug_microseconds
@@ -341,7 +344,8 @@
   Optional[Integer[0]]                  $ldap_idmap_range_size             = undef,
   Optional[String[1]]                   $ldap_idmap_default_domain_sid     = undef,
   Optional[String[1]]                   $ldap_idmap_default_domain         = undef,
-  Boolean                               $ldap_idmap_autorid_compat         = false
+  Boolean                               $ldap_idmap_autorid_compat         = false,
+  Boolean                               $client_tls                        = true,
 ) {
   include $module_name
 
@@ -354,19 +358,19 @@
 
   if $app_pki_ca_dir {
     $ldap_tls_cacertdir = $app_pki_ca_dir
-  } else {
+  } elsif $client_tls {
     $ldap_tls_cacertdir = "${sssd::app_pki_dir}/cacerts"
   }
 
   if $app_pki_key {
     $ldap_tls_key = $app_pki_key
-  } else {
+  } elsif $client_tls {
     $ldap_tls_key = "${sssd::app_pki_dir}/private/${$facts['networking']['fqdn']}.pem"
   }
 
   if $app_pki_cert {
     $ldap_tls_cert = $app_pki_cert
-  } else {
+  } elsif $client_tls {
     $ldap_tls_cert = "${sssd::app_pki_dir}/public/${$facts['networking']['fqdn']}.pub"
   }
 
diff --git a/spec/defines/provider/ldap_spec.rb b/spec/defines/provider/ldap_spec.rb
@@ -167,6 +167,18 @@
         }
       end
 
+      context 'with client_tls set to false' do
+        let(:params) {{ :client_tls => false }}
+
+        it { is_expected.to compile.with_all_deps }
+        it {
+          is_expected.to create_sssd__config__entry("puppet_provider_#{title}_ldap")
+            .without_content(%r(ldap_tls_cacertdir))
+            .without_content(%r(ldap_tls_key))
+            .without_content(%r(ldap_tls_cert))
+        }
+      end
+
       # This set of parameters exercises the logic in the code but is NOT at all
       # realistic!
       context 'with other optional parameters set' do
