From 904c6c9574a5304a0504d9853dc1dc5ac7746d79 Mon Sep 17 00:00:00 2001 From: fernando Date: Fri, 14 Dec 2018 13:40:12 +0100 Subject: [PATCH] Fixed vdc-windows_ad to Windows 2016 --- manifests/conf_forest.pp | 117 +++++++++++---------- manifests/group.pp | 12 +-- manifests/groupmembers.pp | 14 +-- manifests/init.pp | 173 ++++++++++++++++---------------- manifests/install.pp | 81 ++++++++------- manifests/organisationalunit.pp | 18 ++-- manifests/user.pp | 30 +++--- manifests/users.pp | 2 +- 8 files changed, 232 insertions(+), 215 deletions(-) diff --git a/manifests/conf_forest.pp b/manifests/conf_forest.pp index c15a664..69eabdd 100644 --- a/manifests/conf_forest.pp +++ b/manifests/conf_forest.pp @@ -22,7 +22,7 @@ # logpath => 'c:\\windows\\ntds', # sysvolpath => 'c:\\windows\\sysvol', # dsrmpassword => $dsrmpassword, -# installdns => 'yes', +# installdns => 'true', # localadminpassword => 'password', # force => true, # forceremoval => true, @@ -31,7 +31,7 @@ # } # # === Authors -# +# # Jerome RIVIERE (www.jerome-riviere.re) # # === Copyright 
@@ -40,89 +40,88 @@
 #
 class windows_ad::conf_forest (
 #install parameters
- $ensure = $ensure,
- $domainname = $domainname,
- $netbiosdomainname = $netbiosdomainname,
- $domainlevel = $domainlevel,
- $forestlevel = $forestlevel,
- $globalcatalog = $globalcatalog,
- $databasepath = $databasepath,
- $logpath = $logpath,
- $sysvolpath = $sysvolpath,
- $dsrmpassword = $dsrmpassword,
- $installdns = $installdns,
- $kernel_ver = $kernel_ver,
- $timeout = 0,
- $configureflag = $configureflag,
+ Enum['present', 'absent'] $ensure = $ensure,
+ String $domainname = $domainname,
+ String $netbiosdomainname = $netbiosdomainname,
+ Integer[4,6] $domainlevel = $domainlevel,
+ Integer[4,6] $forestlevel = $forestlevel,
+ String $globalcatalog = $globalcatalog,
+ String $databasepath = $databasepath,
+ String $logpath = $logpath,
+ String $sysvolpath = $sysvolpath,
+ String $dsrmpassword = $dsrmpassword,
+ Boolean $installdns = $installdns,
+ String $kernel_ver = $kernel_ver,
+ Integer $timeout = 0,
+ Boolean $configureflag = $configureflag,
 #removal parameters
- $localadminpassword = $localadminpassword, #admin password required for removal
- $force = $force,
- $forceremoval = $forceremoval,
- $uninstalldnsrole = $uninstalldnsrole,
- $demoteoperationmasterrole = $demoteoperationmasterrole,
+ String $localadminpassword = $localadminpassword, #admin password required for removal
+ Boolean $force = $force,
+ Boolean $forceremoval = $forceremoval,
+ String $uninstalldnsrole = $uninstalldnsrole,
+ Boolean $demoteoperationmasterrole = $demoteoperationmasterrole,
 ){
- validate_bool($configureflag)
 if ($configureflag == true){
- if $force { $forcebool = 'true' } else { $forcebool = 'false' }
- if $forceremoval { $forceboolremoval = 'true' } else { $forceboolremoval = 'false' }
- if $demoteoperationmasterrole { $demoteoperationmasterrolebool = 'true' } else { $demoteoperationmasterrolebool = 'false' }
+ if $force { $forcebool = true } else { $forcebool = false }
+ if $forceremoval { $forceboolremoval = true } else { $forceboolremoval = false }
+ if $demoteoperationmasterrole { $demoteoperationmasterrolebool = true } else { $demoteoperationmasterrolebool = false }
 # If the operating is server 2012 then run the appropriate powershell commands if not revert back to the cmd commands
 if ($ensure == 'present') {
- if ($kernel_ver =~ /^6\.2|^6\.3/) {
- if ($installdns == 'yes'){
+ if ($kernel_ver =~ /^6\.1/) {
+ # Deploy Server 2008 R2 Active Directory
+ exec { 'Config ADDS 2008':
+ command => "cmd.exe /c dcpromo /unattend /InstallDNS:yes /confirmGC:${globalcatalog} /NewDomain:forest /NewDomainDNSName:${domainname} /domainLevel:${domainlevel} /forestLevel:${forestlevel} /ReplicaOrNewDomain:domain /databasePath:${databasepath} /logPath:${logpath} /sysvolPath:${sysvolpath} /SafeModeAdminPassword:${dsrmpassword}", # lint:ignore:140chars
+ path => 'C:\windows\sysnative',
+ unless => "sc \\\\${::fqdn} query ntds",
+ timeout => $timeout,
+ }
+ }else{
+ $command = "Import-Module ADDSDeployment; Install-ADDSForest -Force -DomainName ${domainname} -DomainMode ${domainlevel} -DomainNetbiosName ${netbiosdomainname} -ForestMode ${forestlevel} -DatabasePath ${databasepath} -LogPath ${logpath} -SysvolPath ${sysvolpath} -NoRebootOnCompletion -SafeModeAdministratorPassword (convertto-securestring '${dsrmpassword}' -asplaintext -force)" # lint:ignore:140chars
+ if ($installdns == true){
 # Deploy Server 2012 Active Directory
 exec { 'Config ADDS':
- command => "Import-Module ADDSDeployment; Install-ADDSForest -Force -DomainName ${domainname} -DomainMode ${domainlevel} -DomainNetbiosName ${netbiosdomainname} -ForestMode ${forestlevel} -DatabasePath ${databasepath} -LogPath ${logpath} -SysvolPath ${sysvolpath} -NoRebootOnCompletion -SafeModeAdministratorPassword (convertto-securestring '${dsrmpassword}' -asplaintext -force) -InstallDns",
- provider => powershell,
- onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq \'${domainname}\'){exit 1}",
- timeout => $timeout,
+ command => "${command} -InstallDns",
+ provider => powershell,
+ onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq \'${domainname}\'){exit 1}",
+ timeout => $timeout,
 }
- }
- else{
+ }else{
 # Deploy Server 2012 Active Directory Without DNS
 exec { 'Config ADDS':
- command => "Import-Module ADDSDeployment; Install-ADDSForest -Force -DomainName ${domainname} -DomainMode ${domainlevel} -DomainNetbiosName ${netbiosdomainname} -ForestMode ${forestlevel} -DatabasePath ${databasepath} -LogPath ${logpath} -SysvolPath ${sysvolpath} -NoRebootOnCompletion -SafeModeAdministratorPassword (convertto-securestring '${dsrmpassword}' -asplaintext -force)",
- provider => powershell,
- onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq \'${domainname}\'){exit 1}",
- timeout => $timeout,
+ command => $command,
+ provider => powershell,
+ onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq \'${domainname}\'){exit 1}",
+ timeout => $timeout,
 }
 }
- }else {
- # Deploy Server 2008 R2 Active Directory
- exec { 'Config ADDS 2008':
- command => "cmd.exe /c dcpromo /unattend /InstallDNS:yes /confirmGC:${globalcatalog} /NewDomain:forest /NewDomainDNSName:${domainname} /domainLevel:${domainlevel} /forestLevel:${forestlevel} /ReplicaOrNewDomain:domain /databasePath:${databasepath} /logPath:${logpath} /sysvolPath:${sysvolpath} /SafeModeAdminPassword:${dsrmpassword}",
+ }
+ }else{ #uninstall AD
+ if ($kernel_ver =~ /^6\.1/) {
+ # uninstall Server 2008 R2 Active Directory -> not tested
+ exec { 'Uninstall ADDS 2008':
+ command => 'cmd.exe /c dcpromo /forceremoval',
 path => 'C:\windows\sysnative',
 unless => "sc \\\\${::fqdn} query ntds",
 timeout => $timeout,
 }
- }
- }else{ #uninstall AD
- if ($kernel_ver =~ /^6\.2|^6\.3/) {
+ }else{
 if($localadminpassword != ''){
 exec { 'Uninstall ADDS':
- command => "Import-Module ADDSDeployment;Uninstall-ADDSDomainController -LocalAdministratorPassword (ConvertTo-SecureString \'${localadminpassword}\' -asplaintext -force) -Force:$${forcebool} -ForceRemoval:$${forceboolremoval} -DemoteOperationMasterRole:$${demoteoperationmasterrolebool} -SkipPreChecks",
- provider => powershell,
- onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq 'WORKGROUP'){exit 1}",
- timeout => $timeout,
+ command => "Import-Module ADDSDeployment;Uninstall-ADDSDomainController -LocalAdministratorPassword (ConvertTo-SecureString \'${localadminpassword}\' -asplaintext -force) -Force:$${forcebool} -ForceRemoval:$${forceboolremoval} -DemoteOperationMasterRole:$${demoteoperationmasterrolebool} -SkipPreChecks", # lint:ignore:140chars
+ provider => powershell,
+ onlyif => "if((gwmi WIN32_ComputerSystem).Domain -eq 'WORKGROUP'){exit 1}",
+ timeout => $timeout,
 }
 if($uninstalldnsrole == 'yes'){
 exec { 'Uninstall DNS Role':
- command => "Import-Module ServerManager; Remove-WindowsFeature DNS -Restart",
- onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature DNS | ?{\$_.Installed -match \'true\'}).count -eq 0) { exit 1 }",
- provider => powershell,
+ command => 'Import-Module ServerManager; Remove-WindowsFeature DNS -Restart',
+ onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature DNS | ?{\$_.Installed -match \'true\'}).count -eq 0) { exit 1 }", # lint:ignore:140chars
+ provider => powershell,
 }
 }
 }
- }else{
- # uninstall Server 2008 R2 Active Directory -> not tested
- exec { 'Uninstall ADDS 2008':
- command => "cmd.exe /c dcpromo /forceremoval",
- path => 'C:\windows\sysnative',
- unless => "sc \\\\${::fqdn} query ntds",
- timeout => $timeout,
- }
 }
 }
 }
diff --git a/manifests/group.pp b/manifests/group.pp
index 5a43136..bbb9d0a 100644
--- a/manifests/group.pp
+++ b/manifests/group.pp
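Review bot: `String $localadminpassword` and `String $dsrmpassword` reject undef, yet `init.pp` in this same patch declares both `Optional[String] … = undef` and passes them straight through; a caller that leaves `localadminpassword` unset on the `present` path (the inline comment says it is only needed for removal) passes undef, the parameter falls back to its default expression `$localadminpassword`, and the catalog fails with a type mismatch (or an unknown-variable error under `strict_variables`) before the forest is ever built. I would declare `Optional[String] $localadminpassword = undef` and `Optional[String] $dsrmpassword = undef` here and guard the removal branch with `if $localadminpassword =~ String[1] {` instead of `if($localadminpassword != ''){`, which is also true for undef. Both secrets are still interpolated in clear text into exec `command` strings, which Puppet reproduces in agent logs and reports on failure or in debug runs; now that the parameters are typed, `Sensitive[String]` unwrapped at the point of use is the cheap improvement (exec can redact a `Sensitive` command on newer Puppet, to be confirmed against the target version). The comment `# If the operating is server 2012 then run the appropriate powershell commands if not revert back to the cmd commands` describes the old branch order; `# kernel 6.1 (2008 R2) uses dcpromo, 2012/2012 R2/2016 use the ADDSDeployment module` matches the new one. The class's closing brace lies after the hunk.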
@@ -57,15 +57,15 @@ if($ensure == 'present'){ exec { "Add Group - ${groupname}": - command => "import-module activedirectory;New-ADGroup -Description '${description}' -DisplayName '${displayname}' -Name '${groupname}' -GroupCategory '${groupcategory}' -GroupScope '${groupscope}' -Path '${path}'", - onlyif => "\$groupname = \"${groupname}\";\$path = \"${path}\";\$oustring = \"CN=\$groupname,\$path\"; if([adsi]::Exists(\"LDAP://\$oustring\")){exit 1}", - provider => powershell, + command => "import-module activedirectory;New-ADGroup -Description '${description}' -DisplayName '${displayname}' -Name '${groupname}' -GroupCategory '${groupcategory}' -GroupScope '${groupscope}' -Path '${path}'", + onlyif => "\$groupname = \"${groupname}\";\$path = \"${path}\";\$oustring = \"CN=\$groupname,\$path\"; if([adsi]::Exists(\"LDAP://\$oustring\")){exit 1}", + provider => powershell, } }else{ exec { "Remove Group - ${groupname}": - command => "import-module activedirectory;Remove-ADGroup -identity '${groupname}' -confirm:$${confirmdeletion}", - onlyif => "\$groupname = \"${groupname}\";\$path = \"${path}\";\$oustring = \"CN=\$groupname,\$path\"; if([adsi]::Exists(\"LDAP://\$oustring\")){}else{exit 1}", - provider => powershell, + command => "import-module activedirectory;Remove-ADGroup -identity '${groupname}' -confirm:$${confirmdeletion}", + onlyif => "\$groupname = \"${groupname}\";\$path = \"${path}\";\$oustring = \"CN=\$groupname,\$path\"; if([adsi]::Exists(\"LDAP://\$oustring\")){}else{exit 1}", + provider => powershell, } } } diff --git a/manifests/groupmembers.pp b/manifests/groupmembers.pp index 52dd2de..a06d58f 100644 --- a/manifests/groupmembers.pp +++ b/manifests/groupmembers.pp 
@@ -48,15 +48,15 @@ if($ensure == 'present'){ exec { "Add Group Member - ${name}": - command => "import-module activedirectory;\$values='${members}';\$split=\$values.split(',');foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value;}catch{\$user = \$null};if(\$user -ne \$null){Add-ADGroupMember '${groupname}' -Member \$value}}", - onlyif => "import-module activedirectory;\$member=\$null;\$values='${members}';\$split=\$values.split(',');try{\$group = get-adgroup '${groupname}';}catch{\$group = \$null;};foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value}catch{\$user = \$null};if(\$group -ne \$null){if(\$user -ne \$null){foreach(\$allmember in Get-ADGroupMember '${groupname}'){\$one = \$value.tolower() -replace '\"','';if(\$one -eq \$allmember.SamAccountName.tolower()){if(\$member -eq \$null){\$member='\"'+\$allmember.SamAccountName+'\"';}else{\$member+=',\"'+\$allmember.SamAccountName+'\"';}}}if('${members}' -eq \$member){exit 1}}else{if('${members}' -match \$member){exit 1}}}else{exit 1}}", - provider => powershell, + command => "import-module activedirectory;\$values='${members}';\$split=\$values.split(',');foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value;}catch{\$user = \$null};if(\$user -ne \$null){Add-ADGroupMember '${groupname}' -Member \$value}}", + onlyif => "import-module activedirectory;\$member=\$null;\$values='${members}';\$split=\$values.split(',');try{\$group = get-adgroup '${groupname}';}catch{\$group = \$null;};foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value}catch{\$user = \$null};if(\$group -ne \$null){if(\$user -ne \$null){foreach(\$allmember in Get-ADGroupMember '${groupname}'){\$one = \$value.tolower() -replace '\"','';if(\$one -eq \$allmember.SamAccountName.tolower()){if(\$member -eq 
\$null){\$member='\"'+\$allmember.SamAccountName+'\"';}else{\$member+=',\"'+\$allmember.SamAccountName+'\"';}}}if('${members}' -eq \$member){exit 1}}else{if('${members}' -match \$member){exit 1}}}else{exit 1}}", + provider => powershell, } }else{ exec { "Remove Group Member - ${name}": - command => "import-module activedirectory;\$values='${members}';\$split=\$values.split(',');foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value}catch{\$user = \$null};if(\$user -ne \$null){Remove-ADGroupMember '${groupname}' -Member \$value -Confirm:\$False}}", - onlyif => "import-module activedirectory;\$member=\$null;\$values=${members};\$split=\$values.split(',');try{\$group = get-adgroup '${groupname}';}catch{\$group = \$null;};foreach(\$value in \$split){if((\$group -ne \$null) -and ((Get-ADGroupMember -Identity ${groupname}) -ne \$null)){foreach(\$allmember in Get-ADGroupMember '${groupname}'){\$one = \$value.tolower();if(\$one -eq \$allmember.SamAccountName.tolower()){if(\$member-eq\$null){\$member='\"'+\$allmember.SamAccountName+'\"';}else{\$member+=',\"'+\$allmember.SamAccountName+'\"';}}};if('${members}' -cmatch \$member){}else{exit 1}}else{exit 1}}", - provider => powershell, + command => "import-module activedirectory;\$values='${members}';\$split=\$values.split(',');foreach(\$value in \$split){try{\$value = \$value.Replace('\"','');\$user = Get-ADUser \$value}catch{\$user = \$null};if(\$user -ne \$null){Remove-ADGroupMember '${groupname}' -Member \$value -Confirm:\$False}}", + onlyif => "import-module activedirectory;\$member=\$null;\$values=${members};\$split=\$values.split(',');try{\$group = get-adgroup '${groupname}';}catch{\$group = \$null;};foreach(\$value in \$split){if((\$group -ne \$null) -and ((Get-ADGroupMember -Identity ${groupname}) -ne \$null)){foreach(\$allmember in Get-ADGroupMember '${groupname}'){\$one = \$value.tolower();if(\$one -eq 
\$allmember.SamAccountName.tolower()){if(\$member-eq\$null){\$member='\"'+\$allmember.SamAccountName+'\"';}else{\$member+=',\"'+\$allmember.SamAccountName+'\"';}}};if('${members}' -cmatch \$member){}else{exit 1}}else{exit 1}}", + provider => powershell, } } -} \ No newline at end of file +} diff --git a/manifests/init.pp b/manifests/init.pp index 2d3fd07..05f8cab 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -1,5 +1,5 @@ # -# Help can be found in readme.rd for a global help +# Help can be found in readme.md for a global help # # === Authors # 
@@ -10,67 +10,79 @@
 # Copyright 2014 Jerome RIVIERE.
 #
 class windows_ad (
- ### part install AD
- $install = 'present',
- $installmanagementtools = true,
- $installsubfeatures = false,
- $restart = false,
- $installflag = true, # Flag to bypass the install of AD if desired
-
- ### Part Configure AD - Global
- $configure = 'present',
- $domain = 'forest',
- $domainname = undef, # FQDN
- $netbiosdomainname = undef, # FQDN
- $configureflag = true, # Flag to bypass the configuration of AD if desired
+ #######################
+ ### part install AD ###
+ #######################
+ # when present install process will be set. if already install nothing done
+ # when absent uninstall will be launch
+ Enum['present', 'absent']$install = 'present',
+ Boolean $installmanagementtools = true,
+ Boolean $installsubfeatures = false,
+ Boolean $restart = false,
+ Boolean $installflag = true, # Flag to bypass the install of AD if desired
+
+ ##################################
+ ### Part Configure AD - Global ###
+ ##################################
+ # when present configure process will be done. if already configure nothing done
+ # absent don't do anything right now
+ Enum['present', 'absent']$configure = 'present',
+ String $domain = 'forest',
+ Optional[String] $domainname = undef, # FQDN
+ Optional[String] $netbiosdomainname = undef, # FQDN
+ Boolean $configureflag = true, # Flag to bypass the configuration of AD if desired
 #level AD
- $domainlevel = '6', # Domain level {4 - Server 2008 R2 | 5 - Server 2012 | 6 - Server 2012 R2}
- $forestlevel = '6', # Domain level {4 - Server 2008 R2 | 5 - Server 2012 | 6 - Server 2012 R2}
+ Integer[4,6] $domainlevel = 6, # Domain level {4 - Server 2008 R2 | 5 - Server 2012 | 6 - Server 2012 R2}
+ Integer[4,6] $forestlevel = 6, # Domain level {4 - Server 2008 R2 | 5 - Server 2012 | 6 - Server 2012 R2}
- $installdns = 'yes', # Add DNS Server Role
- $globalcatalog = 'yes', # Add Global Catalog functionality
- $kernel_ver = $::kernelversion,
+ Variant[Enum['true','false'],Boolean] $installdns = true, # Add DNS Server Role
+ String $globalcatalog = 'yes', # Add Global Catalog functionality
+ String $kernel_ver = $::kernelversion,
 # Installation Directories
- $databasepath = 'c:\\windows\\ntds', # Active Directory database path
- $logpath = 'c:\\windows\\ntds', # Active Directory log path
- $sysvolpath = 'c:\\windows\\sysvol', # Active Directory sysvol path
-
- $dsrmpassword = undef,
+ # TODO Probar Absolutepath, es del módulo stdlib
+ String $databasepath = 'c:\\windows\\ntds', # Active Directory database path
+ String $logpath = 'c:\\windows\\ntds', # Active Directory log path
+ String $sysvolpath = 'c:\\windows\\sysvol', # Active Directory sysvol path
- ### Part Configure AD - Forest
+ Optional[String] $dsrmpassword = undef,
+ ##################################
+ ### Part Configure AD - Forest ###
+ ##################################
 #uninstall forest
- $localadminpassword = undef,
- $force = true,
- $forceremoval = true,
- $uninstalldnsrole = 'yes',
- $demoteoperationmasterrole = true,
-
- ### Part Configure AD - Other
- $secure_string_pwd = undef,
- $installtype = und
ef, # New domain or replica of existing domain {replica | domain}
- $domaintype = undef, # Type of domain {Tree | Child | Forest} (New domain tree in an existing forest, child domain, or new forest)
- $sitename = undef, # Site Name
-
- ### Define Hiera hashes
- $groups = undef,
- $groups_hiera_merge = true,
- $users = undef,
- $users_hiera_merge = true,
- $usersingroup = undef,
- $usersingroup_hiera_merge = true,
+ Optional[String] $localadminpassword = undef,
+ Boolean $force = true,
+ Boolean $forceremoval = true,
+ String $uninstalldnsrole = 'yes',
+ Boolean $demoteoperationmasterrole = true,
+
+ #################################
+ ### Part Configure AD - Other ###
+ #################################
+ Optional[String] $secure_string_pwd = undef,
+ Optional[String] $installtype = undef, # New domain or replica of existing domain {replica | domain}
+ Optional[String] $domaintype = undef, # lint:ignore:140chars # Type of domain {Tree | Child | Forest} (New domain tree in an existing forest, child domain, or new forest)
+ Optional[String] $sitename = undef, # Site Name
+
+ ### Define Hiera hashes ###
+ Optional[Hash] $groups = undef,
+ Boolean $groups_hiera_merge = true,
+ Optional[Hash] $users = undef,
+ Boolean $users_hiera_merge = true,
+ Optional[Hash] $usersingroup = undef,
+ Boolean $usersingroup_hiera_merge = true,
 ) {
- # when present install process will be set. if already install nothing done
- # when absent uninstall will be launch
- validate_re($install, '^(present|absent)$', 'valid values for install are \'present\' or \'absent\'')
- # when present configure process will be done. if already configure nothing done
- # absent don't do anything right now
- validate_re($configure, '^(present|absent)$', 'valid values for configure are \'present\' or \'absent\'')
- validate_bool($configureflag)
- validate_bool($installflag)
-
+
+ $install_dns = $installdns ? { 'true' => true,
+ true => true,
+ 'false' => false,
+ false => false,
+ default => fail("Los valores introducidos en hiera son incorrectos. Valor introducido: ${installdns}"),
+ }
+
 class{'windows_ad::install':
 ensure => $install,
 installmanagementtools => $installmanagementtools,
@@ -90,7 +102,7 @@
 logpath => $logpath,
 sysvolpath => $sysvolpath,
 dsrmpassword => $dsrmpassword,
- installdns => $installdns,
+ installdns => $install_dns,
 kernel_ver => $kernel_ver,
 localadminpassword => $localadminpassword,
 force => $force,
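Review bot: `Integer[4,6] $domainlevel` and `$forestlevel` cannot express the Windows Server 2016 functional level, which `Install-ADDSForest` numbers as 7 (`WinThreshold`), so a commit titled for 2016 still caps new forests at the 2012 R2 level; widen both to `Integer[4,7]`, extend the comment to `# {4 - 2008 R2 | 5 - 2012 | 6 - 2012 R2 | 7 - 2016}`, and move the matching `Integer[4,6]` bound in conf_forest.pp with it. The `fail()` text in the `$install_dns` selector and `# TODO Probar Absolutepath, es del módulo stdlib` are Spanish in an otherwise English module; `fail("windows_ad::installdns must be true or false, got '${installdns}'")` and `# TODO: try Stdlib::Absolutepath for the three path parameters` keep the catalog error readable for every operator. That `default` arm is unreachable once `Variant[Enum['true','false'],Boolean]` is enforced, which is fine as belt and braces but deserves a one-line comment saying so. `$dsrmpassword` (the DSRM recovery password) and `$localadminpassword` are declared `Optional[String]`; `Optional[Sensitive[String]]` would keep them out of catalog diffs and reports, provided the Puppet version in use supports `Sensitive` (4.6 or later).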
@@ -100,67 +112,60 @@
 configureflag => $configureflag,
 }
 if($installflag or $configureflag){
- if($install == 'present'){
- anchor{'windows_ad::begin':} -> Class['windows_ad::install'] -> Class['windows_ad::conf_forest'] -> anchor{'windows_ad::end':} -> Windows_ad::Organisationalunit <| |> -> Windows_ad::Group <| |> -> Windows_ad::User <| |> -> Windows_ad::Groupmembers <| |>
+ if($install == present){
+ anchor{'windows_ad::begin':}
+ -> Class['windows_ad::install']
+ -> Class['windows_ad::conf_forest']
+ -> anchor{'windows_ad::end':}
+ -> Windows_ad::Organisationalunit <| |>
+ -> Windows_ad::Group <| |>
+ -> Windows_ad::User <| |>
+ -> Windows_ad::Groupmembers <| |>
 }else{
 if($configure == present){
 fail('You can\'t desactivate the Role ADDS without uninstall ADDSControllerDomain first')
 }else{
- anchor{'windows_ad::begin':} -> Class['windows_ad::conf_forest'] -> Class['windows_ad::install'] -> anchor{'windows_ad::end':}
+ anchor{'windows_ad::begin':}
+ -> Class['windows_ad::conf_forest']
+ -> Class['windows_ad::install']
+ -> anchor{'windows_ad::end':}
 }
 }
 }else{
- anchor{'windows_ad::begin':} -> Windows_ad::Organisationalunit <| |> -> Windows_ad::Group <| |> -> Windows_ad::User <| |> -> Windows_ad::Groupmembers <| |> -> anchor{'windows_ad::end':}
- }
-
- if type_of($groups_hiera_merge) <= String {
- $groups_hiera_merge_real = str2bool($groups_hiera_merge)
- } else {
- $groups_hiera_merge_real = $groups_hiera_merge
+ anchor{'windows_ad::begin':}
+ -> Windows_ad::Organisationalunit <| |>
+ -> Windows_ad::Group <| |>
+ -> Windows_ad::User <| |>
+ -> Windows_ad::Groupmembers <| |>
+ -> anchor{'windows_ad::end':}
 }
- validate_bool($groups_hiera_merge_real)
 if $groups != undef {
- if $groups_hiera_merge_real == true {
+ if $groups_hiera_merge == true {
 $groups_real = hiera_hash('windows_ad::groups')
 } else {
 $groups_real = $groups
 }
- validate_hash($groups_real)
 create_resources('windows_ad::group',$groups_real)
 }
- if type_of($users_hiera_merge) <= String {
- $users_hiera_merge_real = str2bool($users_hiera_merge)
- } else {
- $users_hiera_merge_real = $users_hiera_merge
- }
- validate_bool($users_hiera_merge_real)
-
 if $users != undef {
- if $users_hiera_merge_real == true {
+ if $users_hiera_merge == true {
 $users_real = hiera_hash('windows_ad::users')
 } else {
 $users_real = $users
 }
- validate_hash($users_real)
 create_resources('windows_ad::user',$users_real)
 }
- if type_of($usersingroup_hiera_merge) <= String {
- $usersingroup_hiera_merge_real = str2bool($usersingroup_hiera_merge)
- } else {
- $usersingroup_hiera_merge_real = $usersingroup_hiera_merge
- }
- validate_bool($usersingroup_hiera_merge_real)
 if $usersingroup != undef {
- if $usersingroup_hiera_merge_real == true {
+ if $usersingroup_hiera_merge == true {
 $usersingroup_real = hiera_hash('windows_ad::usersingroup')
 } else {
 $usersingroup_real = $usersingroup
 }
- validate_hash($usersingroup_real)
 create_resources('windows_ad::groupmembers',$usersingroup_real)
 }
+ }
diff --git a/manifests/install.pp b/manifests/install.pp
index 831ba84..87aed24 100644
--- a/manifests/install.pp
+++ b/manifests/install.pp
@@ -1,4 +1,4 @@
-# Class: windows_ad
+# Class: windows_ad for Windows 2008 R2, 2012, 2012 R2, 2016
 #
 # Full description of windows_ad::install here.
 #
@@ -10,12 +10,14 @@
 #
 #
 # === Examples
-
- # class {'windows_ad::install':
- # install => present,
- # installmanagementtools => true,
- # installsubfeatures => true,
- # restart => true,
+
+ # class{'windows_ad::install':
+ # ensure => present,
+ # installmanagementtools => true,
+ # installsubfeatures => true,
+ # restart => true,
+ # installflag => false,
+ # }
 #
 # === Authors
 #
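Review bot: removing `validate_hash($groups_real)` leaves the merge branch unchecked, because `Optional[Hash] $groups` types only the class parameter while `$groups_real = hiera_hash('windows_ad::groups')` is untyped and `hiera_hash` is deprecated; `$groups_real = lookup('windows_ad::groups', Hash, 'hash')` (and the same for `users` and `usersingroup`) restores the type check and the merge in one call. `if($install == present)` now compares against a bareword while the `Enum['present', 'absent']` type and the other comparisons use the quoted string; Puppet treats the bareword as `'present'`, so it works, but `'present'` is the consistent spelling. The hunk ends with `+ }` directly after the last old-side context line, so it is not visible here whether the old file lacked the class brace or the new one gained an extra; a `puppet parser validate manifests/init.pp` run should settle it. The `class windows_ad (` header is outside this hunk.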
@@ -26,47 +28,58 @@
 # Copyright 2014 Jerome RIVIERE.
 #
 class windows_ad::install (
- $ensure = $ensure,
- $installmanagementtools = $installmanagementtools,
- $installsubfeatures = $installsubfeatures,
- $restart = $restart,
- $installflag = $installflag,
+ Enum['present', 'absent'] $ensure = $ensure,
+ Boolean $installmanagementtools = $installmanagementtools,
+ Boolean $installsubfeatures = $installsubfeatures,
+ Boolean $restart = $restart,
+ Boolean $installflag = $installflag,
 ) {
- validate_re($ensure, '^(present|absent)$', 'valid values for ensure are \'present\' or \'absent\'')
- validate_bool($installmanagementtools)
- validate_bool($installsubfeatures)
- validate_bool($restart)
- validate_bool($installflag)
-
 if ($installflag == true){
 if $::operatingsystem != 'windows' { fail ("${module_name} not supported on ${::operatingsystem}") }
- if $restart { $restartbool = 'true' } else { $restartbool = 'false' }
- if $installsubfeatures { $subfeatures = '-IncludeAllSubFeature' }
- if $::kernelversion =~ /^(6.1)/ and $installmanagementtools {
- fail ('Windows 2012 or newer is required to use the installmanagementtools parameter')
- } elsif $installmanagementtools {
- $managementtools = '-IncludeManagementTools'
+ $restartbool = $restart ? {
+ true => true,
+ false => false,
+ default => false,
 }
+ # if $restart { $restartbool = true } else { $restartbool = false }
+ $subfeatures = $installsubfeatures ? {
+ false => undef,
+ true => '-IncludeAllSubFeature',
+ }
+ # if $installsubfeatures { $subfeatures = '-IncludeAllSubFeature' }
+
+ # if $::kernelversion =~ /^(6.1)/ and $installmanagementtools {
+ # fail ('Windows 2012 or newer is required to use the installmanagementtools parameter')
+ # } elsif $installmanagementtools {
+ # $managementtools = '-IncludeManagementTools'
+ # }
- # Windows 2008 R2 and newer required http://technet.microsoft.com/en-us/library/ee662309.aspx
- if $::kernelversion !~ /^(6\.1|6\.2|6\.3)/ { fail ("${module_name} requires Windows 2008 R2 or newer") }
+ # Kernel versions allowed for installation: Windows server 2008 R2, 2012, 2012 R2, 2016
+ if $::kernelversion !~ /^(6\.1|6\.2|6\.3|10)/ { fail ("${module_name} requires Windows 2008 R2 or newer") }
- # from Windows 2012 'Add-WindowsFeature' has been replaced with 'Install-WindowsFeature' http://technet.microsoft.com/en-us/library/ee662309.aspx
+ # from Windows 2008 R2 install with 'Add-WindowsFeature' http://technet.microsoft.com/en-us/library/ee662309.aspx
+ # from Windows 2012 and 2016 'Add-WindowsFeature' has been replaced with 'Install-WindowsFeature' http://technet.microsoft.com/en-us/library/ee662309.aspx
 if ($ensure == 'present') {
- if $::kernelversion =~ /^(6.1)/ { $command = 'Add-WindowsFeature' } else { $command = 'Install-WindowsFeature' }
+ if $::kernelversion =~ /^(6.1)/ {
+ $command = 'Add-WindowsFeature'
+ if $installmanagementtools {fail ('Windows 2012 or newer is required to use the installmanagementtools parameter')}
+ } else {
+ $command = 'Install-WindowsFeature'
+ if $installmanagementtools {$managementtools = '-IncludeManagementTools'}
+ }
 exec { "add-feature-${title}":
- command => "Import-Module ServerManager; ${command} AD-Domain-Services ${managementtools} ${subfeatures} -Restart:$${restartbool}",
- onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature AD-Domain-Services | ?{\$_.Installed -match \'false\'}).count -eq 0) { exit 1 }",
- provider => powershell,
+ command => "Import-Module ServerManager; ${command} AD-Domain-Services ${managementtools} ${subfeatures} -Restart:$${restartbool}",
+ onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature AD-Domain-Services | ?{\$_.Installed -match \'false\'}).count -eq 0) { exit 1 }", # lint:ignore:140chars
+ provider => powershell,
 }
 } elsif ($ensure == 'absent') {
 exec { "remove-feature-${title}":
- command => "Import-Module ServerManager; Remove-WindowsFeature AD-Domain-Services -Restart:$${restartbool}",
- onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature AD-Domain-Services | ?{\$_.Installed -match \'true\'}).count -eq 0) { exit 1 }",
- provider => powershell,
+ command => "Import-Module ServerManager; Remove-WindowsFeature AD-Domain-Services -Restart:$${restartbool}",
+ onlyif => "Import-Module ServerManager; if (@(Get-WindowsFeature AD-Domain-Services |?{\$_.Installed -match \'true\'}).count -eq 0) { exit 1 }", # lint:ignore:140chars
+ provider => powershell,
 }
 }
 }
diff --git a/manifests/organisationalunit.pp b/manifests/organisationalunit.pp
index 587d82c..1db178d 100644
--- a/manifests/organisationalunit.pp
+++ b/manifests/organisationalunit.pp
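Review bot: `$managementtools` is still assigned only on the `Install-WindowsFeature` branch and only when `$installmanagementtools` is true, whereas `$subfeatures` in the same hunk became a selector that assigns `undef` explicitly; under `strict_variables = true` the `${managementtools}` interpolation in the `add-feature-${title}` command then refers to an unassigned variable and the catalog fails, so I would hoist it next to `$subfeatures` as `$managementtools = $installmanagementtools ? { true => '-IncludeManagementTools', default => undef }` and keep only the `fail()` on the 6.1 branch. The `$restartbool` selector maps a `Boolean` onto itself (`true => true, false => false, default => false`) and can simply be `$restartbool = $restart`. The new version check escapes its dots (`/^(6\.1|6\.2|6\.3|10)/`) but the branch below keeps `/^(6.1)/`, where the unescaped dot also matches `6x1`; `/^6\.1/` makes the two consistent. The commented-out lines (`# if $restart …`, `# if $installsubfeatures …`, `# if $::kernelversion …`) duplicate code that is live a few lines further down and should be dropped rather than kept as history.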
@@ -59,20 +59,20 @@ if($ensure == 'present'){ exec { "Adding OU - ${ouName}": - command => "import-module activedirectory;New-ADOrganizationalUnit -Name '${ouName}' -Path '${path}' -ProtectedFromAccidentalDeletion $${protectfordeletion}", - onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){exit 1}", - provider => powershell, + command => "import-module activedirectory;New-ADOrganizationalUnit -Name '${ouName}' -Path '${path}' -ProtectedFromAccidentalDeletion $${protectfordeletion}", + onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){exit 1}", + provider => powershell, } }elsif($ensure == 'absent'){ exec { "Unprotecting OU - ${ouName}": - command => "Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion \$false -Identity \"OU=${ouName},${path}\";", - onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){}else{exit 1}", - provider => powershell, + command => "Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion \$false -Identity \"OU=${ouName},${path}\";", + onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){}else{exit 1}", + provider => powershell, } exec { "Deleting OU - ${ouName}": - command => "Remove-ADOrganizationalUnit -Identity \"OU=${ouName},${path}\" -Confirm:$${confirmdeletion} -Recursive;", - onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){}else{exit 1}", - provider => powershell, + command => "Remove-ADOrganizationalUnit -Identity \"OU=${ouName},${path}\" -Confirm:$${confirmdeletion} -Recursive;", + onlyif => "if([adsi]::Exists(\"LDAP://OU=${ouName},${path}\")){}else{exit 1}", + provider => powershell, } Exec["Unprotecting OU - ${ouName}"] -> Exec["Deleting OU - ${ouName}"] } diff --git a/manifests/user.pp b/manifests/user.pp index 9f76b38..9b9c306 100644 --- a/manifests/user.pp +++ b/manifests/user.pp 
@@ -86,7 +86,7 @@ $modify = false # will be implement later for modify password. not used for now if ($writetoxmlflag == true){ if (!defined(File[$xmlpath])){ - file{"$xmlpath": + file{$xmlpath: content => template('windows_ad/xml.erb'), replace => no, } @@ -107,8 +107,8 @@ $fullnamevalue = $fullname } - if(!empty($emailaddress)){$emailaddressparam = "-EmailAddress '$emailaddress'"} - if(!empty($fullnamevalue)){$fullnameparam = "-DisplayName '$fullnamevalue'"} + if(!empty($emailaddress)){$emailaddressparam = "-EmailAddress '${emailaddress}'"} + if(!empty($fullnamevalue)){$fullnameparam = "-DisplayName '${fullnamevalue}'"} if(!empty($description)){$descriptionparam = "-Description '${description}'"} if(!empty($firstname)){$givenparam = "-GivenName '${firstname}'"} if(!empty($lastname)){$lastnameparam = "-SurName '${lastname}'"} 
@@ -129,19 +129,19 @@
 $userprincipalname = "${accountname}@${domainname}"
 exec { "Delete User Desc - ${accountname}":
- command => "import-module activedirectory;\$user = Get-ADUser -Identity '${accountname}' -Properties Description;Set-ADUser -identity ${accountname} -Remove @{description=\$user.description}",
- onlyif => "\$user = Get-ADUser -Identity '${accountname}' -Properties *;if((dsquery.exe user -samid ${accountname}) -and ('${description}' -ne \$user.Description -and \$user.Description -ne \$null)){}else{exit 1}",
- provider => powershell,
+ command => "import-module activedirectory;\$user = Get-ADUser -Identity '${accountname}' -Properties Description;Set-ADUser -identity ${accountname} -Remove @{description=\$user.description}",
+ onlyif => "\$user = Get-ADUser -Identity '${accountname}' -Properties *;if((dsquery.exe user -samid ${accountname}) -and ('${description}' -ne \$user.Description -and \$user.Description -ne \$null)){}else{exit 1}",
+ provider => powershell,
 }
 exec { "Modify User - ${accountname}":
- command => "import-module activedirectory;Set-ADUser -identity ${accountname} ${fullnameparam} ${givenparam} ${lastnameparam} ${descriptionparam} ${emailaddressparam} -PasswordNeverExpires $${passwordneverexpires} -Enabled $${enabled};",
- onlyif => "\$user = Get-ADUser -Identity '${accountname}' -Properties *;if((dsquery.exe user -samid ${accountname}) -and (('${description}' -ne \$user.Description -and '${description}' -ne '') -or (('${firstname}' -ne \$user.GivenName) -and ('${firstname}' -ne '')) -or (('${lastname}' -ne \$user.Surname) -and ('${lastname}' -ne '')) -or (('${emailaddress}' -ne \$user.EmailAddress) -and ('${emailaddress}' -ne '')) -or ('${fullnamevalue}' -ne \$user.DisplayName))){}else{exit 1}",
- provider => powershell,
+ command => "import-module activedirectory;Set-ADUser -identity ${accountname} ${fullnameparam} ${givenparam} ${lastnameparam} ${descriptionparam} ${emailaddressparam} -PasswordNeverExpires $${passwordneverexpires} -Enabled $${enabled};",
+ onlyif => "\$user = Get-ADUser -Identity '${accountname}' -Properties *;if((dsquery.exe user -samid ${accountname}) -and (('${description}' -ne \$user.Description -and '${description}' -ne '') -or (('${firstname}' -ne \$user.GivenName) -and ('${firstname}' -ne '')) -or (('${lastname}' -ne \$user.Surname) -and ('${lastname}' -ne '')) -or (('${emailaddress}' -ne \$user.EmailAddress) -and ('${emailaddress}' -ne '')) -or ('${fullnamevalue}' -ne \$user.DisplayName))){}else{exit 1}",
+ provider => powershell,
 }
 exec { "Add User - ${accountname}":
- command => "import-module servermanager;add-windowsfeature -name 'rsat-ad-powershell' -includeAllSubFeature;import-module activedirectory;New-ADUser -name '${fullnamevalue}' -DisplayName '${fullnamevalue}' ${givenparam} ${lastnameparam} ${emailaddressparam} -Samaccountname '${accountname}' -UserPrincipalName '${userprincipalname}' -Description '${description}' -PasswordNeverExpires $${passwordneverexpires} -path '${path}' -AccountPassword (ConvertTo-SecureString '${pwd}' -AsPlainText -force) -Enabled $${enabled};",
- onlyif => "\$oustring = \"CN=${fullnamevalue},${path}\"; if([adsi]::Exists(\"LDAP://\$oustring\")){exit 1}",
- provider => powershell,
+ command => "import-module servermanager;add-windowsfeature -name 'rsat-ad-powershell' -includeAllSubFeature;import-module activedirectory;New-ADUser -name '${fullnamevalue}' -DisplayName '${fullnamevalue}' ${givenparam} ${lastnameparam} ${emailaddressparam} -Samaccountname '${accountname}' -UserPrincipalName '${userprincipalname}' -Description '${description}' -PasswordNeverExpires $${passwordneverexpires} -path '${path}' -AccountPassword (ConvertTo-SecureString '${pwd}' -AsPlainText -force) -Enabled $${enabled};",
+ onlyif => "\$oustring = \"CN=${fullnamevalue},${path}\"; if([adsi]::Exists(\"LDAP://\$oustring\")){exit 1}",
+ provider => powershell,
 }
 if ($writetoxmlflag == true){
 exec { "Add to XML - ${accountname}":
@@ -153,9 +153,9 @@
 }
 }elsif($ensure == 'absent'){
 exec { "Remove User - ${accountname}":
- command => "import-module activedirectory;Remove-ADUser -identity ${accountname} -Confirm:$${confirmdeletion}",
- onlyif => "if(dsquery.exe user -samid ${accountname} ){return \$true}else{exit 1}",
- provider => powershell,
+ command => "import-module activedirectory;Remove-ADUser -identity ${accountname} -Confirm:$${confirmdeletion}",
+ onlyif => "if(dsquery.exe user -samid ${accountname} ){return \$true}else{exit 1}",
+ provider => powershell,
 }
 if ($writetoxmlflag == true){
 exec { "Remove to XML - ${accountname}":
diff --git a/manifests/users.pp b/manifests/users.pp
index cf44732..cdb29c1 100644
--- a/manifests/users.pp
+++ b/manifests/users.pp
@@ -61,7 +61,7 @@
 warning('Instead of using this class, you can declare a hash of user (see readme file), and use function create_resources(windows_ad::user, $userhash)')
 $_users = $users
 each($_users) |$user|{
- windows_ad::user{"${user['accountname']}":
+ windows_ad::user{$user['accountname']:
 ensure => $user['ensure'],
 domainname => $domainname,
 path => $user['path'],