carguel / chef-cookbook-ca-openldap Goto Github PK

If node.ca_openldap.tls.enable = no, dit recipe fails as it tries to connect with TLS.

Currently when an entry is added, the hash provided to the underlying Net::LDAP instance includes the first attribute of the DN.
For example, if dn is

cn=foo,ou=users,dc=example,dc=com

the following attributes will be included in the attributes hash:

cn=foo

It has been observed that it could lead to wrong entry definition in the LDAP if this first attribute contains escaped characters, for example

cn=foo\>

> is not allowed by openldap except if it is escaped.

In such situation, the recipe create an entru where cn as two values, for example:

cn=foo\>
cn=foo>

It is proposed to remove the first attribute of the dn in the attribute hash, as it is automatically added by Net::LDAP/OpenLdap.

On CentOS 7 the openldap-server package currently is 2.4.40
The docs for openldap 2.4 say that the bdb was superseded by hdb and indeed, if I try to run the server recipe I get this error:

ArgumentError: ruby_block[bdb_config] (ca_openldap::server line 96) had an error: ArgumentError: File '/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif' does not exist

there is now a [...]hdb.ldif file that needs to be modified instead. It appears simply changing the filename in that case is enough.

An error occurs in the server recipe at compilation time.
The complete error message is:

Relevant File Content:
----------------------
chef-repo/cookbooks/ca_openldap/recipes/server.rb:

 72:      to "/etc/pki/tls/certs/#{node['fqdn']}.pem"
 73:    end
 74:
 75:    file node.ca_openldap.tls.key_file do
 76:      owner "ldap"
 77:      group "ldap"
 78:      mode  0600
 79>>     content File.read "/etc/pki/tls/private/#{node['fqdn']}.key"
 80:    end
 81:
 82:    ca_certificate_link
 83:  end
 84:
 85:  # Configure the base DN, the root DN and its password
 86:  my_root_dn = build_rootdn
 87:  ruby_block "bdb_config" do
 88:    block do

The host part is missing in the URI parameter.

Currently, slapd is configured in /etc/sysconfig/slapd to listen on ldaps://*:636.

For some use cases, it is necessary to define precisely the list of listen urls.

The ppolicy recipe does not build a complete rootdn in order to add the ppolicy configuration node. It only considers the rootdn attribute value, which is relative to the basedn attribute.

This error is raised after upgrading to Chef 12.4.1.

It seems that in previous Chef version, the directory ownership was set to root when the ldap user does not exist.

In the populate recipe, if an update of an entry fails, no error is raised.
Any error preventing the update to work properly should abort the execution.

The server recipe only sets tls related configuration options.
The man page slapd-config describes several other options.
It should be possible to set those options based on Chef attributes.

Currently, the populate recipe test if an entry exists before to create the entry.
If the entry already exists, it is left unchanged.

It would be interesting to support update of existing entries.

The DN of the default ppolicy configured in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb/olcOverlay={0}ppolicy.ldif does not include the basedn.

Attribute ['ca_openldap']['tls']['enable'] expects to be have one of the following values:

• :yes
• :no
• :exclusive

Those values are symbols.
The problem occurs if this attribute value is defined by a role or environment. In such case, the value retreived from the Chef server is a string and not a symbol.

It leads to miss configuration of Openldap.

It is expected that a list is assigned to this attribute. In such a case, ignored attributes are still updated.

Log messages written by libraries\ldap_utils.rb do not filter password attribute values.

Using ca_openldap on chef 14.15.6 breaks the run with the following error:

================================================================================
Error executing action `merge` on resource 'ca_openldap_general_configuration[global_options]'
================================================================================

NameError
---------
uninitialized constant Chef::Resource::CaOpenldapGeneralConfiguration

Cookbook Trace:
---------------
/var/chef/cache/cookbooks/ca_openldap/providers/general_configuration.rb:22:in `load_current_resource`

Support for this attribute needs that the created default ppolicy belongs to the pwdPolicyChecker class.

Populate recipe add entries or update them if they already exists.
Sometimes it is desirable to not update an attribute, for example userPassword.
The proposed modification is to define a list of attributes to ignore as a new attribute and support it in the populate recipe.

Permissions of /etc/openldap/cacerts prevent from any users other than opendalp to access the CA certificates.

CRC in slapd configuration file are wrong.

It raises a warning in slapd log.