openldap

Puppet OpenLDAP module

Version information

  • 7.0.2 (latest)
  • 7.0.1
  • 7.0.0
  • 6.1.0
  • 6.0.1
  • 6.0.0
  • 5.0.1
  • 5.0.0
  • 4.0.0
  • 3.1.0
  • 3.0.0
released Jan 5th 2024
This version is compatible with:
  • Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
  • Puppet >= 7.0.0 < 9.0.0

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppet-openldap', '7.0.2'

Add this module to your Bolt project:

bolt module add puppet-openldap

Manually install this module globally with Puppet module tool:

puppet module install puppet-openldap --version 7.0.2

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.

Documentation

puppet/openldap — version 7.0.2 Jan 5th 2024

OpenLDAP

Overview

The openldap module allows you to easily manage OpenLDAP with Puppet. By default it will use OLC (cn=config).

Features supported

Object         olc (slapd.d)
global_conf    Y
database       Y
module         Y
overlay        Y
access         Y
index          Y
schema         Y

Usage

Configuring the client

class { 'openldap::client': }

For a more customized configuration:

class { 'openldap::client':
  base       => 'dc=example,dc=com',
  uri        => ['ldap://ldap.example.com', 'ldap://ldap-master.example.com:666'],
  tls_cacert => '/etc/ssl/certs/ca-certificates.crt',
}

Configuring the server

class { 'openldap::server': }
openldap::server::database { 'dc=foo,dc=example.com':
  ensure => present,
}

For a more customized configuration:

class { 'openldap::server':
  ldaps_ifs => ['/'],
  ssl_cert  => '/etc/ldap/ssl/slapd.pem',
  ssl_key   => '/etc/ldap/ssl/slapd.key',
}

If you need multiple databases:

class { 'openldap::server':
  databases => {
    'dc=foo,dc=example,dc=com' => {
      directory => '/var/lib/ldap/foo',
    },
    'dc=bar,dc=example,dc=com' => {
      directory => '/var/lib/ldap/bar',
    },
  },
}

Configuring a global parameter:

openldap::server::globalconf { 'security':
  ensure => present,
  value  => 'tls=128',
}

Configuring multiple olc ServerIDs for multi-master or mirror mode

openldap::server::globalconf { 'ServerID':
  ensure  => present,
  value   => { 'ServerID' => [ '1 ldap://master1.example.com', '2 ldap://master2.example.com' ] }
}

Configuring global security settings

openldap::server::globalconf { 'Security':
  ensure => present,
  value  => { 'Security' => [ 'simple_bind=128', 'ssf=128', 'tls=0' ] },
}

Configuring a database

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => 'secret',
}

rootpw will be automatically converted to an SSHA hash with a random salt.

SHA-2 password hashes are also supported when the value is given pre-hashed:

openldap::server::database { 'dc=example,dc=com':
  directory => '/var/lib/ldap',
  rootdn    => 'cn=admin,dc=example,dc=com',
  rootpw    => '{SHA384}QZdaK3FnibbilSPbthnf3cO8lBWsRyM9i1MZTUFP21RdBSLSNFgYc2eFFzJG/amX',
}
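As an added example (not part of the module's own code), the following Python reproduces the two rootpw forms shown above: {SSHA} with a random salt, which is what a plaintext rootpw becomes, and the slapd pw-sha2 schemes such as the {SHA384} value. It assumes a value that already carries a {SCHEME} prefix is stored unchanged, and lets you verify a hash before it reaches olcRootPW.

```python
import base64
import hashlib
import hmac
import os

# {SCHEME} prefixes handled here: {SSHA} is what a plaintext rootpw is turned into
# (SHA-1 over password+salt, salt appended, base64); the SHA-2 forms are the slapd
# pw-sha2 formats that a pre-hashed rootpw such as the {SHA384} value above uses.
SCHEMES = {"SSHA": ("sha1", True), "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
           "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
           "SHA512": ("sha512", False), "SSHA512": ("sha512", True)}

def hash_password(password, scheme="SSHA", salt=None):
    """Return a {SCHEME}base64(digest[+salt]) value suitable for olcRootPW."""
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)   # fresh random salt, as the module does for plaintext
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def is_prehashed(value):
    """True if value already carries a known {SCHEME} prefix (assumed to be kept as-is)."""
    return value.startswith("{") and value[1:].split("}", 1)[0] in SCHEMES

def verify_password(stored, password):
    """Check a candidate password against a {SCHEME} hash; False for malformed input."""
    if not is_prehashed(stored):
        return False
    scheme, blob = stored[1:].split("}", 1)
    algo, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    digest_len = hashlib.new(algo).digest_size
    digest, salt = raw[:digest_len], raw[digest_len:]
    if len(digest) != digest_len or (salted and not salt) or (not salted and salt):
        return False   # truncated value, salted scheme without salt, or trailing bytes
    expected = hash_password(password, scheme, salt if salted else None)
    return hmac.compare_digest(expected, stored)
```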

Configuring modules

openldap::server::module { 'memberof':
  ensure => present,
}

Configuring overlays

openldap::server::overlay { 'memberof on dc=example,dc=com':
  ensure => present,
}

Configuring ACPs/ACLs

The documentation for olcAccess states the following spec:

5.2.5.2. olcAccess: to <what> [ by <who> [<accesslevel>] [<control>] ]+

Define priority and suffix in the title:

openldap::server::access { '0 on dc=example,dc=com':
  what     => 'attrs=userPassword,shadowLastChange',
  access   => [
    'by dn="cn=admin,dc=example,dc=com" write',
    'by anonymous auth',
    'by self write',
    'by * none',
  ],
}

From the OpenLDAP documentation:

The frontend is a special database that is used to hold database-level options that should be applied to all the other databases. Subsequent database definitions may also override some frontend settings.

So use the suffix 'cn=frontend' for this special database:

openldap::server::access { '0 on cn=frontend' :
  what   => '*',
  access => [
    'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
    'by * break',
  ],
}

Note: to purge unmanaged entries, use the resources resource type:

resources { 'openldap_access':
  purge => true,
}

openldap::server::access { '0 on dc=example,dc=com':
  what   => ...,
  access => [...],
}
openldap::server::access { '1 on dc=example,dc=com':
  what   => ...,
  access => [...],
}

Call your ACL from a hash:

openldap::server::access_wrapper was designed to simplify creating ACLs. Each ACL is a distinct hash so that multiple entries with an identical what clause (to * in this example) do not collide.

$example_acl = [
  {
    'to *' => [
      'by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage',
      'by dn.exact=cn=admin,dc=example,dc=com write',
      'by dn.exact=cn=replicator,dc=example,dc=com read',
      'by * break',
    ],
  },
  {
    'to attrs=userPassword,shadowLastChange' => [
      'by dn="cn=admin,dc=example,dc=com" write',
      'by self write',
      'by anonymous auth',
    ],
  },
  {
    'to *' => [
      'by self read',
    ],
  },
]


openldap::server::access_wrapper { 'dc=example,dc=com' :
  acl => $example_acl,
}
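The ordering rules that both ACL sections above rely on (the first matching to clause selects the by list, the first matching by clause decides, 'by * break' falls through to the next directive, and a matched to clause with no matching by clause denies) can be checked offline. This added Python model is not part of the module; it supports only the who styles used on this page (*, anonymous, self, dn= and dn.exact=) and takes the $example_acl above as data.

```python
import re
# slapd access levels in order; a grant also satisfies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
BY_RE = re.compile(r"by\s+(\S+)(?:\s+(%s))?(?:\s+(stop|break))?" % "|".join(LEVELS))
EXAMPLE_ACL = [  # the $example_acl from the section above, as Python data
    {"to *": ["by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage",
              "by dn.exact=cn=admin,dc=example,dc=com write",
              "by dn.exact=cn=replicator,dc=example,dc=com read", "by * break"]},
    {"to attrs=userPassword,shadowLastChange": ['by dn="cn=admin,dc=example,dc=com" write',
                                                "by self write", "by anonymous auth"]},
    {"to *": ["by self read"]},
]
def who_matches(who, bind_dn, target_dn):
    """Match the <who> styles used on this page; bind_dn None is an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn(?:\.exact)?=(?:"([^"]*)"|(\S+))', who)  # dn= means dn.exact
    if not m:
        raise ValueError("unsupported <who> style: %s" % who)
    return bind_dn is not None and (m.group(1) or m.group(2)).lower() == bind_dn.lower()

def granted(acl, bind_dn, target_dn, attr):
    """Level granted to bind_dn on attr of target_dn: the first matching 'to' selects its
    'by' list, the first matching 'by' decides, 'break' hands on to the next directive."""
    level = "none"
    for directive in acl:
        for what, clauses in directive.items():
            if what != "to *" and attr not in what.split("=", 1)[1].split(","):
                continue
            matched = False
            for clause in clauses:
                who, lvl, control = BY_RE.fullmatch(clause.strip()).groups()  # raises if malformed
                if not who_matches(who, bind_dn, target_dn):
                    continue
                matched = True
                level = lvl or level                  # omitted level: unchanged
                if control != "break":
                    return level
                break                                 # carry level to next directive
            if not matched:
                return "none"                         # matched 'to', no 'by': deny
    return level

def allowed(acl, bind_dn, target_dn, attr, wanted):
    return LEVELS.index(granted(acl, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)
```

Swapping the two to * directives, or dropping 'by * break', changes the answers the model gives, which is the quickest way to see why the access_wrapper keeps each ACL as a separate hash in order.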

Configuring Schemas

openldap::server::schema { 'samba':
  ensure  => present,
  path    => '/etc/ldap/schema/samba.schema',
  require => Openldap::Server::Schema["inetorgperson"],
}

openldap::server::schema { 'nis':
  ensure  => present,
  path    => '/etc/ldap/schema/nis.ldif',
  require => Openldap::Server::Schema["inetorgperson"],
}

Configuring Rewrite-overlay

openldap::server::database { 'relay':
  ensure  => present,
  backend => 'relay',
  suffix  => 'o=example',
  relay   => 'dc=example,dc=com',
}->

openldap::server::overlay { "rwm on relay":
  ensure  => present,
  suffix  => 'cn=config',
  overlay => 'rwm',
  options => {
    'olcRwmRewrite' => [
      'rwm-rewriteEngine "on"',
      'rwm-suffixmassage "dc=example,dc=com"',
    ],
  },
}

Configuring Dbindex

# Configuration suffix
Openldap::Server::Dbindex {
  suffix => 'dc=example,dc=com',
}

# The module only sets "objectClass eq" by default
openldap::server::dbindex {
  'cn':
    attribute => 'cn',
    indices   => 'eq,pres,sub';
  'uid':
    attribute => 'uid',
    indices   => 'eq,pres,sub';
  'uidNumber':
    attribute => 'uidNumber',
    indices   => 'eq,pres';
  'gidNumber':
    attribute => 'gidNumber',
    indices   => 'eq,pres';
  'member':
    attribute => 'member',
    indices   => 'eq,pres';
  'memberUid':
    attribute => 'memberUid',
    indices   => 'eq,pres';
}

Transfer Notice

This module was originally authored by Camptocamp. The maintainer preferred that Puppet Community take ownership of the module for future improvement and maintenance. Existing pull requests and issues were transferred over; please fork and continue to contribute here instead of at Camptocamp.

Previously: https://github.com/camptocamp/puppet-openldap