Forge Home

openldap

Puppet OpenLDAP module

867,968 downloads

31,020 latest version

4.6 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 2.0.0 (latest)
  • 1.18.0
  • 1.17.0
  • 1.16.1
  • 1.15.0
  • 1.14.0
  • 1.13.0
  • 1.12.0
  • 1.11.0
  • 1.10.0
  • 1.9.2
  • 1.9.1
  • 1.9.0
  • 1.8.2
  • 1.8.1
  • 1.8.0
  • 1.7.0
  • 1.6.5
  • 1.6.4
  • 1.6.3
  • 1.6.2
  • 1.6.1
  • 1.6.0
  • 1.5.5
  • 1.5.4
  • 1.5.3
  • 1.5.2
  • 1.5.1
  • 1.5.0
  • 1.4.1
  • 1.4.0
  • 1.3.2
  • 1.3.1
  • 1.3.0
  • 1.2.3
  • 1.2.2
  • 1.2.1
  • 1.2.0
  • 1.1.4
  • 1.1.3
  • 1.1.2
  • 1.0.0
  • 0.5.3
  • 0.5.2
  • 0.5.1
  • 0.5.0
  • 0.4.0
  • 0.3.0
  • 0.2.1
  • 0.2.0
  • 0.1.6
  • 0.1.5
  • 0.1.4
  • 0.1.3
  • 0.1.2
  • 0.1.1
  • 0.1.0
released Mar 2nd 2020
This version is compatible with:
  • Puppet Enterprise 2018.1.x
  • Puppet >= 5.5.10 < 6.0.0
  • , ,
This module has been deprecated by its author since Aug 16th 2021.

The reason given was: No longer maintained

The author has suggested puppet-openldap as its replacement.

Start using this module

Tags: ldap, openldap

Documentation

camptocamp/openldap — version 2.0.0 Mar 2nd 2020

OpenLDAP

Puppet Forge Version Puppet Forge Downloads Build Status Puppet Forge Endorsement By Camptocamp

Overview

The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).

Features supported per provider

Object olc (slapd.d) augeas (slapd.conf)
global_conf Y N
database Y Y
module Y N
overlay Y N
access Y N
index Y N
schema Y N

Usage

Configuring the client

class { 'openldap::client': }

For a more customized configuration:

class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}

Configuring the server

class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=example.com':
  ensure => present,
}

For a more customized configuration:

class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}

If you need multiple databases:

class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}

To force using slapd.conf:

class { 'openldap::server':
  provider => 'augeas',
}

Configuring a global parameter:

openldap::server::globalconf { 'security':
  ensure => present,
  value  => 'tls=128',
}

Configuring multiple olc serverIDs for multiple master or mirror mode

openldap::server::globalconf { 'ServerID':
  ensure  => present,
  value   => { 'ServerID' => [ '1 ldap://master1.example.com', '2 ldap://master2.example.com' ] }
} 

Configuring security for global

openldap::server::globalconf { 'Security':
  ensure  => present,
    value   => { 'Security' => [ 'simple_bind=128', 'ssf=128', 'tls=0' ] } 

Configuring a database

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}

rootpw will be automatically converted to a SSHA hash with random salt.

Support SHA-2 password

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
}

Configuring modules

openldap::server::module { 'memberof':
  ensure => present,
}

Configuring overlays

openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}

Configuring ACPs/ACLs

Documentation about olcAcces state the following spec:

5.2.5.2. olcAccess: to <what> [ by <who> [<accesslevel>][&lt;control&gt;] ]+

So we supports natively this way of writing in the title:

openldap::server::access { 'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth' :
  suffix   => 'dc=example,dc=com',
}

Also is supported writing priority in title like olcAccess in ldap

openldap::server::access { '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth' :
  suffix   => 'dc=example,dc=com',
}

As a single line with suffix:

openldap::server::access { '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth on dc=example,dc=com' : }

Defining priority and suffix in the title:

openldap::server::access { '0 on dc=example,dc=com':
  what     => 'attrs=userPassword,shadowLastChange',
  access   => [
    'by dn="cn=admin,dc=example,dc=com" write',
    'by anonymous auth',
    'by self write',
    'by * none',
  ],
}

from the openldap documentation

The frontend is a special database that is used to hold database-level options that should be applied to all the other databases. Subsequent database definitions may also override some frontend settings.

So use the suffix 'frontend' for this special database

openldap::server::access { '0 on frontend' :
  what   => '*',
  access => [
    'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
    'by * break',
  ],
}

Note #1:

The chaining arrows -> are importants if you want to order your entries. Openldap put the entry as the last available position. So if you got in your ldap:

 olcAccess: {0}to ...
 olcAccess: {1}to ...
 olcAccess: {2}to ...

Even if you set the parameter position => '4', the next entry will be set as

 olcAccess: {3}to ...

Note #2:

The parameter islast is used for purging remaining entries. Only one islast is allowed per suffix. If you got in your ldap:

 olcAccess: {0}to ...
 olcAccess: {1}to ...
 olcAccess: {2}to ...
 olcAccess: {3}to ...

And set :

openldap::server::access { '1 on dc=example,dc=com':
  what   => ...,
  access => [...],
  islast => true,
}

entries 2 and 3 will get deleted.

Call your acl from a hash:

The class openldap::server::access_wrapper was designed to simplify creating ACL. If you have multiple what (to * in this example), you can order them by adding number to it.

$example_acl = {
  '1 to *' => [
    'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
    'by dn.exact=cn=admin,dc=example,dc=com write',
    'by dn.exact=cn=replicator,dc=example,dc=com read',
    'by * break',
  ],
  'to attrs=userPassword,shadowLastChange' => [
    'by dn="cn=admin,dc=example,dc=com" write',
    'by self write',
    'by anonymous auth',
  ],
  '2 to *' => [
    'by self read',
  ],
}

openldap::server::access_wrapper { 'dc=example,dc=com' :
  acl => $example_acl,
}

Configuring Schemas

openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema["inetorgperson"],
}

openldap::server::schema { 'nis':
  ensure  => present,
  path    => '/etc/ldap/schema/nis.ldif',
  require => Openldap::Server::Schema["inetorgperson"],
}

Configuring Rewrite-overlay

openldap::server::database { 'relay':
  ensure  => present,
  backend => 'relay',
  suffix  => 'o=example',
  relay   => 'dc=example,dc=com',
}->

openldap::server::overlay { "rwm on relay":
  ensure  => present,
  suffix  => 'cn=config',
  overlay => 'rwm',
  options => {
    'olcRwmRewrite' => [
      'rwm-rewriteEngine "on"',
      'rwm-suffixmassage , "dc=example,dc=com"]',
  },
}