The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).
Object | olc (slapd.d) | augeas (slapd.conf) |
---|---|---|
global_conf | Y | N |
database | Y | Y |
module | Y | N |
overlay | Y | N |
access | Y | N |
index | Y | N |
schema | Y | N |
### Configuring the client

```puppet
class { 'openldap::client': }
```

For a more customized configuration:

```puppet
class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}
```

Note that `tls_cacert` only comes into play for connections that negotiate TLS (an `ldaps://` URI or STARTTLS); the plain `ldap://` URIs above will still talk in cleartext unless the client requests STARTTLS.
### Configuring the server

```puppet
class { 'openldap::server': }

openldap::server::database { 'dc=foo,dc=example,dc=com':
  ensure => present,
}
```

For a more customized configuration, here serving LDAPS on all interfaces (port 636):

```puppet
class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}
```

Two things to keep in mind with this setup: `ssl_key` must be readable by the user slapd runs as and should be readable by nobody else, and the cleartext listener on port 389 stays enabled on all interfaces (the `ldap_ifs` default) unless you set `ldap_ifs => []`.
If you need multiple databases:

```puppet
class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}
```

To force using `slapd.conf`:

```puppet
class { 'openldap::server':
  provider => 'augeas',
}
```

Note that the `augeas` provider only manages the `database` object (see the table above) and is marked as not working yet in the reference below.
### Configuring a database

```puppet
openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}
```

`rootpw` will be automatically converted to a SSHA hash with random salt, so slapd never stores the cleartext. The cleartext still passes through your manifest and the compiled catalog, so keep it out of version control (look it up from Hiera, for instance) or pass an already hashed value: the reference below notes that `rootpw` accepts either a password or a hash of it. Remember that the rootdn bypasses every ACL on the database.
### Configuring modules

```puppet
openldap::server::module { 'memberof':
  ensure => present,
}
```

### Configuring overlays

The resource title is of the form `<overlay> on <suffix>`. An overlay that lives in a dynamic module (such as `memberof`) needs that module loaded first.

```puppet
openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}
```
### Configuring ACLs

OpenLDAP evaluates access directives in order: the first `to` clause whose target matches is used, and within it the first matching `by` clause decides the access level; if no `by` clause of that directive matches, access is denied. The `userPassword` rules must therefore come before the catch-all `to *` rule, otherwise `by * read` would hand every bound user the password hashes. The `auth` level lets anonymous clients bind against the attribute without being able to read it.

```puppet
openldap::server::access {
  'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
    access => 'write';
  'to attrs=userPassword,shadowLastChange by anonymous on dc=example,dc=com':
    access => 'auth';
  'to attrs=userPassword,shadowLastChange by self on dc=example,dc=com':
    access => 'write';
  'to attrs=userPassword,shadowLastChange by * on dc=example,dc=com':
    access => 'none';
}

openldap::server::access { 'to dn.base="" by * on dc=example,dc=com':
  access => 'read',
}

openldap::server::access {
  'to * by dn="cn=admin,dc=example,dc=com" on dc=example,dc=com':
    access => 'write';
  'to * by * on dc=example,dc=com':
    access => 'read';
}
```
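The evaluation order is easy to get wrong once rules are spread over several Puppet resources, so here is a small self-contained evaluator, added as an illustration (it is neither code from the puppet-openldap module nor from slapd), that encodes the three directives above in the order they must be emitted and answers "what does requester X get on attribute Y of entry Z?". The DNs for `alice` and `bob` are constructed for the example; the `LEVELS` ordering and the implicit `by * none` at the end of each directive follow slapd.access(5).

```python
"""Minimal first-match simulation of the access directives shown above.

Constructed illustration of slapd's ACL semantics; not code from the
puppet-openldap module.  Only the `what`/`who` forms used on this page are
supported (attrs=, dn.base="", *, anonymous, self, dn="...").
"""

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed sample entries
BOB = "uid=bob,ou=people,dc=example,dc=com"

# The page's rules for dc=example,dc=com, in the order they must be applied.
ACL = [
    ("attrs=userPassword,shadowLastChange", [
        ('dn="%s"' % ADMIN, "write"),
        ("anonymous", "auth"),
        ("self", "write"),
        ("*", "none"),
    ]),
    ('dn.base=""', [("*", "read")]),
    ("*", [('dn="%s"' % ADMIN, "write"), ("*", "read")]),
]


def what_matches(what, target_dn, attr):
    """Does a `to` clause apply to the requested entry/attribute?"""
    if what == "*":
        return True
    if what == 'dn.base=""':                      # root DSE only
        return target_dn == ""
    if what.startswith("attrs="):
        attrs = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in attrs
    raise ValueError("unsupported what clause: " + what)


def who_matches(who, requester_dn, target_dn):
    """Does a `by` clause apply to the requester?  None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester_dn is not None and requester_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported who clause: " + who)


def evaluate(acl, requester_dn, target_dn, attr=None):
    """Return the access level granted, using slapd's first-match semantics."""
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"        # implicit `by * none` closes every directive
    return "none"            # no directive matched at all


def allows(acl, requester_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (levels are cumulative)."""
    return LEVELS.index(evaluate(acl, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    # Anonymous may bind against alice's password (auth) but never read it.
    print(evaluate(ACL, None, ALICE, "userPassword"))          # auth
    print(allows(ACL, None, ALICE, "userPassword", "read"))     # False
    # Alice changes her own password; bob cannot even see the hash.
    print(evaluate(ACL, ALICE, ALICE, "userPassword"))          # write
    print(evaluate(ACL, BOB, ALICE, "userPassword"))            # none
    # Bob still reads alice's other attributes; admin writes everything.
    print(evaluate(ACL, BOB, ALICE, "mail"))                    # read
    print(evaluate(ACL, ADMIN, ALICE, "userPassword"))          # write
    # Put the catch-all first and the hashes become readable to everyone.
    misordered = [ACL[2], ACL[0], ACL[1]]
    print(evaluate(misordered, BOB, ALICE, "userPassword"))     # read
```

The last case is exactly the failure that a misplaced resource produces; it is the situation the `positioned` value of `ensure` in the reference below is meant to correct.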
### Configuring schemas

```puppet
openldap::server::schema { 'core':
  ensure => present,
}

openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema['inetorgperson'],
  before  => Openldap::Server::Schema['core-fd'],
}
```

A schema that references attribute types or object classes defined in another schema must be loaded after it, hence the `require`/`before` relationships; they only work if the `inetorgperson` and `core-fd` schema resources are declared as well.
Reference
---------
Classes:
* [openldap::client](#class-openldapclient)
* [openldap::server](#class-openldapserver)
Resources:
* [openldap::server::access](#resource-openldapserveraccess)
* [openldap::server::database](#resource-openldapserverdatabase)
* [openldap::server::globalconf](#resource-openldapserverglobalconf)
* [openldap::server::module](#resource-openldapservermodule)
* [openldap::server::overlay](#resource-openldapserveroverlay)
* [openldap::server::schema](#resource-openldapserverschema)
Functions:
* [openldap\_password](#function-openldappassword)
### Class: openldap::client

#### `package`
Name of the package to install. Defaults to `libldap-2.4-2` on Debian and `openldap` on RedHat.

#### `file`
Name of the configuration file. Defaults to `/etc/ldap/ldap.conf` on Debian and `/etc/openldap/ldap.conf` on RedHat.

#### `base`
Specifies the default base DN to use when performing LDAP operations.

#### `uri`
Specifies the URI(s) of the LDAP server(s) to which the LDAP library should connect.

#### `tls_cacert`
Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize when verifying a server certificate over TLS.
### Class: openldap::server

#### `package`
Name of the package to install. Defaults to `slapd` on Debian and `openldap-servers` on RedHat.

#### `file`
Name of the `slapd.conf` file to use with the augeas provider. Defaults to `/etc/ldap/slapd.conf` on Debian and `/etc/openldap/slapd.conf` on RedHat.

#### `service`
Name of the service. Defaults to `slapd` on Debian and RedHat 6, and `ldap` on RedHat 5.

#### `owner`
The user owning the database directory. Defaults to `openldap` on Debian and `ldap` on RedHat.

#### `group`
The group owning the database directory. Defaults to `openldap` on Debian and `ldap` on RedHat.

#### `enable`
Should the service be enabled at boot time?

#### `start`
Should the service be started by Puppet?

#### `provider`
The provider to use to manage the configuration.
Can be `olc` to manage the configuration via OLC (`cn=config`) or `augeas` to use `slapd.conf` (not working yet).
Defaults to `olc`.

#### `ssl_cert`
Specifies the file that contains the slapd server certificate.

#### `ssl_key`
Specifies the file that contains the slapd server private key. It must be readable by the user slapd runs as and should not be readable by anyone else.

#### `ssl_ca`
Specifies the file that contains certificates for all of the Certificate Authorities that slapd will recognize.

#### `databases`
A hash containing the databases to create. Defaults to a single database with `$::domain` as suffix and `/var/lib/ldap` as directory.

#### `ldap_ifs`
Array of `interface`/`interface:port` values on which to serve cleartext (non-TLS) requests. Defaults to `['/']`, which means all interfaces, port 389.
Set to an empty array to disable this listener, for instance to accept only LDAPS or local `ldapi` connections.

#### `ldaps_ifs`
Array of `interface`/`interface:port` values on which to serve LDAPS (TLS) requests. Defaults to `[]`, which means the listener is disabled.
Set to `['/']` to enable it on all interfaces, port 636; `ssl_cert` and `ssl_key` must be set for it to work.

#### `ldapi_ifs`
Array of `interface`/`interface:port` values on which to serve IPC (Unix socket) requests. Defaults to `['/']`.
Set to an empty array to disable this listener.
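To make the three `*_ifs` parameters concrete, the following added example (an illustration written for this page, not code from the puppet-openldap module) expands interface lists into the slapd listener URLs that such settings amount to, and runs the two sanity checks a reviewer would apply to them. The exact URL form the module emits and the treatment of a bare address (default port) are assumptions of this example; the defaults mirrored in `slapd_urls` are those documented above.

```python
"""Expand ldap_ifs / ldaps_ifs / ldapi_ifs style lists into slapd listener URLs.

Constructed illustration of the semantics described above; the URL form is
an assumption of this example, not the module's own output.
"""

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def listener_urls(scheme, ifs):
    """Expand one interface list for `scheme` ('ldap', 'ldaps' or 'ldapi').

    '/'          -> all interfaces, default port (ldap:/// , ldaps:///, ldapi:///)
    'host'       -> that address, default port       (assumed)
    'host:port'  -> that address and port
    []           -> listener disabled, no URL at all
    Bare IPv6 addresses are not handled; bracket them before calling.
    """
    urls = []
    for spec in ifs:
        if scheme == "ldapi":
            # Unix socket: '/' means the default socket path, anything else an explicit one.
            urls.append("ldapi:///" if spec == "/" else "ldapi://" + spec.replace("/", "%2F") + "/")
        elif spec == "/":
            urls.append(scheme + ":///")
        else:
            host, _, port = spec.rpartition(":")
            if not host:                      # no explicit port given
                host, port = spec, str(DEFAULT_PORTS[scheme])
            urls.append("%s://%s:%s/" % (scheme, host, port))
    return urls


def slapd_urls(ldap_ifs=("/",), ldaps_ifs=(), ldapi_ifs=("/",)):
    """Combine the three lists; the defaults are the class defaults documented above."""
    return (listener_urls("ldap", ldap_ifs)
            + listener_urls("ldaps", ldaps_ifs)
            + listener_urls("ldapi", ldapi_ifs))


def listener_warnings(ldap_ifs, ldaps_ifs):
    """Two cheap checks worth running over the class parameters before a deploy."""
    warnings = []
    if "/" in ldap_ifs:
        warnings.append("ldap listener bound to all interfaces; it accepts cleartext "
                        "unless STARTTLS is enforced server-side (consider ldap_ifs => [])")
    if not ldaps_ifs:
        warnings.append("no ldaps listener configured")
    return warnings


if __name__ == "__main__":
    print(slapd_urls())                                  # ['ldap:///', 'ldapi:///']
    print(slapd_urls(ldap_ifs=[], ldaps_ifs=["/"]))      # ['ldaps:///', 'ldapi:///']
    print(listener_urls("ldap", ["127.0.0.1:1389"]))     # ['ldap://127.0.0.1:1389/']
    for w in listener_warnings(["/"], []):
        print("warning:", w)
```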
### Resource: openldap::server::access

This resource allows you to manage OpenLDAP access rules on a database. The title takes the form `to <what> by <whom> on <suffix>`, as in the examples above; the same parts can be set with the `what`, `by` and `suffix` parameters.

#### `ensure`
Whether or not the resource should be present, or whether its position should be enforced.
Possible values are: `present`, `absent` and `positioned`.

#### `position`
The position where the entry should be created. If omitted, it will be appended after the existing rules.
The position is of the form `<before|after> access to <what> by <whom>`, for example:
- `before access to * by *`
- `after access to dn="cn=admin,dc=nodomain" by self`

If `ensure` is set to `present`, the position will only be used when creating the entry.
If `ensure` is set to `positioned`, the entry will be destroyed and created again in the right position if it was not properly positioned. Because slapd applies the first matching rule, a misplaced entry changes what is actually granted, so beware of the ordering between your resources!

#### `what`
The entries and/or attributes to which the access applies (the `to` part of the rule).

#### `by`
Which entities the rule applies to (the `by` part of the rule).

#### `suffix`
The database (suffix) on which the access applies.

#### `access`
The access level granted to `by`, for example `none`, `auth`, `compare`, `search`, `read` or `write`.

#### `control`
Controls the flow of access rule application after this clause matches (`stop`, `continue` or `break`).
### Resource: openldap::server::database

This resource allows you to manage OpenLDAP `bdb` and `hdb` databases.

#### `suffix`
Specify the DN suffix of queries that will be passed to this backend database. This is the namevar.

#### `index`
Index of the database to replace; if omitted, a new database is created when none exists.

#### `backend`
Backend of the database. Must be one of `bdb` or `hdb`. (Upstream OpenLDAP has since deprecated both in favour of `mdb` and removed them in 2.5.)

#### `directory`
Specify the directory where the BDB files containing this database and associated indexes live. A separate directory must be specified for each database. The default is `/var/lib/ldap`.

#### `rootdn`
Specify the distinguished name that is not subject to access control or administrative limit restrictions for operations on this database.

#### `rootpw`
Specify a password (or hash of the password) for the rootdn. A cleartext value is stored as an SSHA hash with a random salt. Since the rootdn bypasses all ACLs, treat this value as a highly privileged credential.
### Resource: openldap::server::globalconf

### Resource: openldap::server::module

### Resource: openldap::server::overlay

### Resource: openldap::server::schema

This resource allows you to add schema files.

#### `name`
The name of the schema to insert.

#### `path`
The path to the `.schema` file; if not set, defaults to `/etc/ldap/schema/${name}.schema`.

### Function: openldap_password
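Both this function and the `rootpw` handling described earlier produce a salted SHA-1 (`{SSHA}`) hash of the kind `slappasswd -h '{SSHA}'` emits: SHA-1 over password||salt, then base64 of digest||salt. The example below, added for this page (it is not the module's `openldap_password` implementation), generates such a hash with a fresh random salt and verifies a password against an existing one by recovering the salt from the stored value; the sample password `secret` comes from the database example above and the test vectors are constructed.

```python
"""Generate and verify RFC 2307 style '{SSHA}' password hashes.

Added illustration of the format; not the puppet-openldap module's own
openldap_password function.
"""

import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt).

    A 4-byte random salt is drawn when none is given, so hashing the same
    password twice yields different strings (which is the point of the salt).
    """
    if salt is None:
        salt = os.urandom(4)
    if isinstance(password, str):
        password = password.encode("utf-8")
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check `password` against a stored '{SSHA}' value; False for malformed input."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) <= SHA1_LEN:              # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if isinstance(password, str):
        password = password.encode("utf-8")
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def looks_hashed(value):
    """Heuristic (this example's, not the module's): is a value already scheme-prefixed?

    Useful before hashing a rootpw a second time, e.g. '{SSHA}...' from slappasswd.
    """
    return value.startswith("{") and "}" in value[1:]


if __name__ == "__main__":
    stored = ssha_hash("secret")           # different every run because of the salt
    print(stored)
    print(ssha_verify("secret", stored))   # True
    print(ssha_verify("Secret", stored))   # False
    print(looks_hashed(stored), looks_hashed("secret"))   # True False
```

Note that SSHA is what the module and `slappasswd` produce, but it is a fast, unsalted-per-iteration hash; if your slapd build supports it, a slow scheme such as `{CRYPT}` with a modern algorithm or `{ARGON2}` is a better choice for human-chosen passwords.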