carguel / chef-cookbook-ca-openldap
Chef Cookbook for the deployment of OpenLDAP.
License: Apache License 2.0
If node.ca_openldap.tls.enable = no, dit recipe fails as it tries to connect with TLS.
Currently when an entry is added, the hash provided to the underlying Net::LDAP instance includes the first attribute of the DN.
For example, if dn is
cn=foo,ou=users,dc=example,dc=com
the following attributes will be included in the attributes hash:
cn=foo
It has been observed that it could lead to wrong entry definition in the LDAP if this first attribute contains escaped characters, for example
cn=foo\>
> is not allowed by openldap except if it is escaped.
In such a situation, the recipe creates an entry where cn has two values, for example:
cn=foo\>
cn=foo>
It is proposed to remove the first attribute of the dn in the attribute hash, as it is automatically added by Net::LDAP/OpenLdap.
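The duplicate-value problem and the proposed fix from the issue above, as an added example (not the cookbook's own code): the RDN parser is a minimal RFC 4514 unescaper written here, and Net::LDAP itself is not called.

```ruby
# Added example, not code from the cookbook. It shows which cn values an
# entry ends up with when the attributes hash still carries the first RDN
# attribute, and the proposed fix: drop that attribute from the hash handed
# to Net::LDAP#add, since OpenLDAP derives it from the DN itself.

# Split the first RDN off a DN and return [attribute_type, unescaped_value].
def first_rdn(dn)
  type, _, rest = dn.partition('=')
  value = +''
  i = 0
  while i < rest.length
    ch = rest[i]
    if ch == '\\'
      hex = rest[i + 1, 2].to_s
      if hex =~ /\A\h{2}\z/          # \XX hex escape (e.g. \3e for '>')
        value << hex.hex.chr
        i += 3
      else                          # \> \, \+ \" ... single-char escape
        value << rest[i + 1].to_s
        i += 2
      end
    elsif ch == ',' || ch == '+'    # unescaped separator ends the RDN
      break
    else
      value << ch
      i += 1
    end
  end
  [type.strip.downcase, value]
end

# cn values the entry gets today: the raw value from the attributes hash
# plus the unescaped value OpenLDAP takes from the DN.
def current_rdn_values(dn, attrs)
  type, dn_value = first_rdn(dn)
  hash_value = attrs.find { |k, _| k.to_s.downcase == type }&.last
  [hash_value, dn_value].compact.uniq
end

# Proposed fix: the attributes hash without the first RDN's attribute.
def attributes_without_rdn(dn, attrs)
  type, = first_rdn(dn)
  attrs.reject { |k, _| k.to_s.downcase == type }
end

# Constructed sample entry (not from the cookbook's data bags).
dn = 'cn=foo\\>,ou=users,dc=example,dc=com'
attrs = { cn: 'foo\\>', objectclass: %w[top person], sn: 'foo' }
p current_rdn_values(dn, attrs)      # two cn values: foo\> and foo>
p attributes_without_rdn(dn, attrs)  # only objectclass and sn remain
```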
On CentOS 7 the openldap-server package currently is 2.4.40
The docs for openldap 2.4 say that the bdb was superseded by hdb and indeed, if I try to run the server recipe I get this error:
ArgumentError: ruby_block[bdb_config] (ca_openldap::server line 96) had an error: ArgumentError: File '/etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb.ldif' does not exist
There is now a [...]hdb.ldif file that needs to be modified instead. It appears that simply changing the filename in that case is enough.
An error occurs in the server recipe at compilation time.
The complete error message is:
Relevant File Content:
----------------------
chef-repo/cookbooks/ca_openldap/recipes/server.rb:
72: to "/etc/pki/tls/certs/#{node['fqdn']}.pem"
73: end
74:
75: file node.ca_openldap.tls.key_file do
76: owner "ldap"
77: group "ldap"
78: mode 0600
79>> content File.read "/etc/pki/tls/private/#{node['fqdn']}.key"
80: end
81:
82: ca_certificate_link
83: end
84:
85: # Configure the base DN, the root DN and its password
86: my_root_dn = build_rootdn
87: ruby_block "bdb_config" do
88: block do
The host part is missing in the URI parameter.
Currently, slapd is configured in /etc/sysconfig/slapd to listen on ldaps://*:636.
For some use cases, it is necessary to define precisely the list of listen urls.
The ppolicy recipe does not build a complete rootdn in order to add the ppolicy configuration node. It only considers the rootdn attribute value, which is relative to the basedn attribute.
This error is raised after upgrading to Chef 12.4.1.
It seems that in previous Chef version, the directory ownership was set to root when the ldap user does not exist.
In the populate recipe, if an update of an entry fails, no error is raised.
Any error preventing the update to work properly should abort the execution.
The server recipe only sets tls related configuration options.
The man page slapd-config describes several other options.
It should be possible to set those options based on Chef attributes.
Currently, the populate recipe tests if an entry exists before creating the entry.
If the entry already exists, it is left unchanged.
It would be interesting to support update of existing entries.
The DN of the default ppolicy configured in /etc/openldap/slapd.d/cn=config/olcDatabase={2}bdb/olcOverlay={0}ppolicy.ldif does not include the basedn.
Attribute ['ca_openldap']['tls']['enable'] expects to have one of the following values:
Those values are symbols.
The problem occurs if this attribute value is defined by a role or environment. In such a case, the value retrieved from the Chef server is a string and not a symbol.
It leads to a misconfiguration of OpenLDAP.
It is expected that a list is assigned to this attribute. In such a case, ignored attributes are still updated.
Log messages written by libraries\ldap_utils.rb do not filter password attribute values.
Using ca_openldap on chef 14.15.6 breaks the run with the following error:
================================================================================
Error executing action `merge` on resource 'ca_openldap_general_configuration[global_options]'
================================================================================
NameError
---------
uninitialized constant Chef::Resource::CaOpenldapGeneralConfiguration
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/ca_openldap/providers/general_configuration.rb:22:in `load_current_resource`
Support for this attribute requires that the created default ppolicy belong to the pwdPolicyChecker class.
The populate recipe adds entries or updates them if they already exist.
Sometimes it is desirable to not update an attribute, for example userPassword.
The proposed modification is to define a list of attributes to ignore as a new attribute and support it in the populate recipe.
Permissions of /etc/openldap/cacerts prevent any user other than openldap from accessing the CA certificates.
CRCs in the slapd configuration files are wrong.
It raises a warning in slapd log.