From ecc764b14da60f459443ee6a255fef9f83e4c616 Mon Sep 17 00:00:00 2001
From: "Z. Cliffe Schreuders"
Date: Mon, 2 Feb 2026 14:13:11 +0000
Subject: [PATCH] Add LDAP packages and server configuration
- Introduced `ldap_packages` module for installing LDAP client utilities and integration packages.
- Added `ldap_server` module for installing and configuring OpenLDAP server with phpLDAPadmin.
- Updated scenario configuration to include LDAP packages and server utilities.
- Created metadata files for both modules to describe their functionality and requirements.
---
.../ldap_packages/ldap_packages.pp | 1 +
.../ldap_packages/manifests/install.pp | 21 +++++++
.../ldap_packages/secgen_metadata.xml | 17 +++++
.../authentication/ldap_server/ldap_server.pp | 1 +
.../ldap_server/manifests/init.pp | 13 ++++
.../ldap_server/manifests/install.pp | 63 +++++++++++++++++++
.../ldap_server/secgen_metadata.xml | 43 +++++++++++++
scenarios/labs/systems_security/3_ss_conf.xml | 17 +++++
8 files changed, 176 insertions(+)
create mode 100644 modules/utilities/unix/authentication/ldap_packages/ldap_packages.pp
create mode 100644 modules/utilities/unix/authentication/ldap_packages/manifests/install.pp
create mode 100644 modules/utilities/unix/authentication/ldap_packages/secgen_metadata.xml
create mode 100644 modules/utilities/unix/authentication/ldap_server/ldap_server.pp
create mode 100644 modules/utilities/unix/authentication/ldap_server/manifests/init.pp
create mode 100644 modules/utilities/unix/authentication/ldap_server/manifests/install.pp
create mode 100644 modules/utilities/unix/authentication/ldap_server/secgen_metadata.xml
diff --git a/modules/utilities/unix/authentication/ldap_packages/ldap_packages.pp b/modules/utilities/unix/authentication/ldap_packages/ldap_packages.pp
new file mode 100644
index 000000000..05b6b6647
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_packages/ldap_packages.pp
@@ -0,0 +1 @@
+include ldap_packages::install
diff --git a/modules/utilities/unix/authentication/ldap_packages/manifests/install.pp b/modules/utilities/unix/authentication/ldap_packages/manifests/install.pp
new file mode 100644
index 000000000..82cd292b8
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_packages/manifests/install.pp
@@ -0,0 +1,21 @@
+class ldap_packages::install {
+ # LDAP Client Utilities
+ # Provides command-line tools for interacting with LDAP directories
+ ensure_packages(['ldap-utils'])
+
+ # NSS and PAM LDAP Integration
+ # Enables system authentication and name service lookups via LDAP
+ ensure_packages(['libnss-ldap', 'libpam-ldap'])
+
+ # NSS LDAP Daemon
+ # Daemon that performs LDAP queries for NSS and PAM
+ ensure_packages(['nslcd'])
+
+ # Name Service Cache Daemon
+ # Caches name service lookups to improve performance
+ ensure_packages(['nscd'])
+
+ # System Security Services Daemon
+ # Provides access to identity and authentication remote resource providers
+ ensure_packages(['sssd'])
+}
diff --git a/modules/utilities/unix/authentication/ldap_packages/secgen_metadata.xml b/modules/utilities/unix/authentication/ldap_packages/secgen_metadata.xml
new file mode 100644
index 000000000..d7aa785e3
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_packages/secgen_metadata.xml
@@ -0,0 +1,17 @@
+ + + + LDAP Packages + Z. Cliffe Schreuders + Apache v2 + Installs LDAP client utilities, server, and authentication integration packages + + authentication_configuration + linux + + + update + +
diff --git a/modules/utilities/unix/authentication/ldap_server/ldap_server.pp b/modules/utilities/unix/authentication/ldap_server/ldap_server.pp
new file mode 100644
index 000000000..b233a5d14
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_server/ldap_server.pp
@@ -0,0 +1 @@
+require ldap_server::init
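Review bot: `ldap_packages::install` pulls in two different LDAP integration stacks side by side — the PADL `libnss-ldap`/`libpam-ldap` modules, `nslcd` (the daemon half of nss-pam-ldapd, whose own NSS/PAM modules are not installed here and, as far as I recall, conflict with the PADL ones on Debian) and `sssd` — and configures none of them, so after this class runs nothing on the host actually resolves or authenticates against a directory; `sssd` also ships its own cache and its documentation advises against running `nscd` for passwd/group lookups alongside it. If the module is only meant to stage tooling for the lab, the comments above `libnss-ldap`/`libpam-ldap` and `nslcd` overstate what happens, and I would replace `# Enables system authentication and name service lookups via LDAP` with `# NSS/PAM LDAP modules only; nothing is wired to a directory until the NSS, PAM and daemon configuration is written` and say the same above `nslcd`. If a working client is the intent, pick one stack (`sssd` on its own is the usual choice), manage its configuration, and drop the others. The five `ensure_packages` calls could also be collapsed into one call with the full list.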
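Review bot: The description text `Installs LDAP client utilities, server, and authentication integration packages` claims this module installs a server, but `ldap_packages::install` installs only client utilities and NSS/PAM/SSSD packages; the server is the separate `ldap_server` module. Changing it to `Installs LDAP client utilities and NSS/PAM/SSSD authentication integration packages` keeps the metadata accurate for scenario authors choosing between the two modules. The XML markup is stripped in this view, so I am reading the text content only.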
diff --git a/modules/utilities/unix/authentication/ldap_server/manifests/init.pp b/modules/utilities/unix/authentication/ldap_server/manifests/init.pp
new file mode 100644
index 000000000..5077dcfde
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_server/manifests/init.pp
@@ -0,0 +1,13 @@
+class ldap_server::init {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+
+ $domain = $secgen_parameters['domain'][0]
+ $organization = $secgen_parameters['organization'][0]
+ $admin_password = $secgen_parameters['admin_password'][0]
+
+ class { 'ldap_server::install':
+ domain => $domain,
+ organization => $organization,
+ admin_password => $admin_password,
+ }
+}
diff --git a/modules/utilities/unix/authentication/ldap_server/manifests/install.pp b/modules/utilities/unix/authentication/ldap_server/manifests/install.pp
new file mode 100644
index 000000000..e16d6dea5
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_server/manifests/install.pp
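Review bot: `$admin_password` is handed to `ldap_server::install` as a plain String, so it sits unredacted in the compiled catalog and in any agent report or debug output that prints that class resource, and `install.pp` then interpolates it into an `exec` command that Puppet echoes in full if the exec fails. Wrapping it at the hand-off — `admin_password => Sensitive($admin_password),` with a matching `Sensitive[String] $admin_password` parameter on the receiving class — keeps it redacted in catalogs and reports (the `Sensitive` type exists from Puppet 4.6; I have not checked which version the SecGen base images run). The lookups `$secgen_parameters['admin_password'][0]` fail with a generic undef-indexing error when a scenario omits an input, so a `fail()` naming the missing input would be a friendlier guard. The class is complete within this hunk.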
@@ -0,0 +1,63 @@
+class ldap_server::install (
+ String $domain = 'example.com',
+ String $organization = 'Example Organization',
+ String $admin_password = 'temp123',
+) {
+ # Pre-seed debconf values to make slapd installation non-interactive
+ # This prevents prompts during package installation
+ exec { 'preseed-slapd':
+ command => "/bin/echo \"slapd slapd/internal/generated_adminpw password ${admin_password}\" | debconf-set-selections && \
+ /bin/echo \"slapd slapd/internal/adminpw password ${admin_password}\" | debconf-set-selections && \
+ /bin/echo \"slapd slapd/password2 password ${admin_password}\" | debconf-set-selections && \
+ /bin/echo \"slapd slapd/password1 password ${admin_password}\" | debconf-set-selections && \
+ /bin/echo \"slapd slapd/domain string ${domain}\" | debconf-set-selections && \
+ /bin/echo \"slapd shared/organization string ${organization}\" | debconf-set-selections && \
+ /bin/echo 'slapd slapd/backend string MDB' | debconf-set-selections && \
+ /bin/echo 'slapd slapd/purge_database boolean true' | debconf-set-selections && \
+ /bin/echo 'slapd slapd/move_old_database boolean true' | debconf-set-selections && \
+ /bin/echo 'slapd slapd/allow_ldap_v2 boolean false' | debconf-set-selections && \
+ /bin/echo 'slapd slapd/no_configuration boolean false' | debconf-set-selections",
+ unless => '/usr/bin/dpkg -l | grep -q "^ii slapd"',
+ path => ['/bin', '/usr/bin'],
+ } ->
+ # OpenLDAP Server and Utilities
+ # Standalone LDAP daemon for serving directory information
+ package { 'slapd':
+ ensure => installed,
+ } ->
+ # Ensure slapd service is running
+ service { 'slapd':
+ ensure => running,
+ enable => true,
+ }
+
+ # LDAP command-line utilities for server management
+ # Provides ldapsearch, ldapadd, ldapmodify, ldapdelete, etc.
+ ensure_packages(['ldap-utils'])
+
+ # phpLDAPadmin - Web-based LDAP administration interface
+ # Provides a GUI for managing LDAP directory via Apache
+ # This will automatically pull in php, php-ldap, php-xml, and libapache2-mod-php
+ package { 'phpldapadmin':
+ ensure => installed,
+ }
+ ->
+ # Enable PHP module in Apache (version-agnostic)
+ # Uses find to locate the installed PHP module and enables it
+ exec { 'enable-php-module':
+ command => '/bin/sh -c "/usr/bin/find /etc/apache2/mods-available -name php*.load -exec basename {} .load \; | /usr/bin/head -1 | /usr/bin/xargs /usr/sbin/a2enmod"',
+ path => ['/bin', '/usr/bin', '/usr/sbin'],
+ }
+ ->
+ # Enable phpldapadmin Apache configuration
+ exec { 'enable-phpldapadmin-conf':
+ command => '/usr/sbin/a2enconf phpldapadmin',
+ path => ['/bin', '/usr/bin', '/usr/sbin'],
+ }
+ ->
+ # Restart Apache to apply configuration changes
+ exec { 'restart-apache2-for-phpldapadmin':
+ command => '/usr/sbin/service apache2 restart',
+ path => ['/bin', '/usr/bin', '/usr/sbin'],
+ }
+}
diff --git a/modules/utilities/unix/authentication/ldap_server/secgen_metadata.xml b/modules/utilities/unix/authentication/ldap_server/secgen_metadata.xml
new file mode 100644
index 000000000..a18fa75f2
--- /dev/null
+++ b/modules/utilities/unix/authentication/ldap_server/secgen_metadata.xml
@@ -0,0 +1,43 @@
+ + + + LDAP Server + Z. Cliffe Schreuders + Apache v2 + Installs and configures OpenLDAP server (slapd) with phpLDAPadmin web interface and non-interactive setup + + authentication_server + linux + + domain + organization + admin_password + + + example.com + + + + Example Organization + + + + + + + + update + + + .*apache.*compatible.* + + + + + + .*bases/(?!debian_bookworm).* + + +
diff --git a/scenarios/labs/systems_security/3_ss_conf.xml b/scenarios/labs/systems_security/3_ss_conf.xml
index 818f1eaad..eb1e99d6f 100644
--- a/scenarios/labs/systems_security/3_ss_conf.xml
+++ b/scenarios/labs/systems_security/3_ss_conf.xml
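Review bot: In `preseed-slapd`, `$admin_password`, `$domain` and `$organization` are interpolated unescaped inside a double-quoted `/bin/sh` command, so a value containing `"`, `$`, a backtick or `\` either breaks the command or is expanded by the shell, and the password is readable by every local user in `ps` while the exec runs and is printed in Puppet's output if the exec fails. The guard `unless => '/usr/bin/dpkg -l | grep -q "^ii slapd"'` also looks wrong: `dpkg -l` pads the status column so the package name follows two spaces, in which case the pattern never matches and the preseed (password on the command line) is re-run on every agent run. Writing the answers through a root-only `file` resource and feeding that to `debconf-set-selections`, with `dpkg-query -s` as the guard, addresses both; debconf keeps the password in its own root-only database after the install anyway, so a 0600 file under /root does not widen the exposure. Separately, `restart-apache2-for-phpldapadmin` has neither `refreshonly` nor a guard, so Apache is restarted on every run — it should be `refreshonly => true,` subscribed to the two enable execs, which in turn need `creates`/`unless` guards so they only fire once, as in the rewrite below.
```puppet
class ldap_server::install (
  String $domain = 'example.com',
  String $organization = 'Example Organization',
  String $admin_password = 'temp123',
) {
  # debconf answers for a non-interactive slapd install. They go through a
  # root-only file instead of a shell command line so the password is not
  # visible in ps or in the exec's logged command, and so that shell
  # metacharacters in the scenario inputs are never interpreted.
  $preseed_lines = [
    "slapd slapd/internal/generated_adminpw password ${admin_password}",
    "slapd slapd/internal/adminpw password ${admin_password}",
    "slapd slapd/password2 password ${admin_password}",
    "slapd slapd/password1 password ${admin_password}",
    "slapd slapd/domain string ${domain}",
    "slapd shared/organization string ${organization}",
    'slapd slapd/backend string MDB',
    'slapd slapd/purge_database boolean true',
    'slapd slapd/move_old_database boolean true',
    'slapd slapd/allow_ldap_v2 boolean false',
    'slapd slapd/no_configuration boolean false',
  ]

  file { '/root/.slapd.preseed':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    content => join($preseed_lines, "\n"),
  }
  -> exec { 'preseed-slapd':
    command => '/usr/bin/debconf-set-selections /root/.slapd.preseed',
    # dpkg-query exits non-zero for an unknown package; the grep narrows it
    # to a fully installed one so the preseed is not re-applied every run.
    unless  => '/usr/bin/dpkg-query -s slapd | /bin/grep -q "^Status: install ok installed"',
    path    => ['/bin', '/usr/bin'],
  }
  -> package { 'slapd':
    ensure => installed,
  }
  -> service { 'slapd':
    ensure => running,
    enable => true,
  }

  # … unchanged: ldap-utils and the phpldapadmin package …
  -> exec { 'enable-php-module':
    # … unchanged: command => find/a2enmod pipeline …
    # a2enmod is idempotent, but skipping it keeps the refresh below quiet.
    unless  => '/bin/sh -c "ls /etc/apache2/mods-enabled/php*.load >/dev/null 2>&1"',
    path    => ['/bin', '/usr/bin', '/usr/sbin'],
  }
  -> exec { 'enable-phpldapadmin-conf':
    command => '/usr/sbin/a2enconf phpldapadmin',
    creates => '/etc/apache2/conf-enabled/phpldapadmin.conf',
    path    => ['/bin', '/usr/bin', '/usr/sbin'],
  }
  # Restart Apache only when one of the enable steps above changed something.
  exec { 'restart-apache2-for-phpldapadmin':
    command     => '/usr/sbin/service apache2 restart',
    path        => ['/bin', '/usr/bin', '/usr/sbin'],
    refreshonly => true,
    subscribe   => Exec['enable-php-module', 'enable-phpldapadmin-conf'],
  }
}
```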
@@ -69,6 +69,7 @@ + @@ -173,6 +174,7 @@ + @@ -218,6 +220,21 @@ + + + + + + + safetynet.local + + + SAFETYNET + + + tiaspbiqe2r + +
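Review bot: The value `tiaspbiqe2r` in the last hunk reads like the `admin_password` input for the new `ldap_server` module (the XML tags are stripped in this view, so the enclosing element is not visible); if so, every VM built from this scenario shares the same directory administrator password, and it is the value that `preseed-slapd` places on a shell command line. Supplying it from a generator so each build differs, or at least a comment beside it stating that a fixed lab credential is intended, would make the choice explicit. The first two hunks each add a single line whose content is not visible here, so I have nothing to raise on them.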