Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-simp_ds389', '0.4.0'
Table of Contents
- Description
- Setup - The basics of getting started with simp_ds389
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This is a profile module used by SIMP to configure 389ds LDAP instances for use within the SIMP ecosystem.
Currently it contains the following instances:
- accounts - Configures a TLS-enabled accounts LDAP instance that will be used to hold user accounts and groups and works with other SIMP modules.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, submit them to our bug tracker.
This module is optimally designed for use within a larger SIMP ecosystem, but it can be used independently:
- When included within the SIMP ecosystem, security compliance settings will be managed from the Puppet server.
- If used independently, all SIMP-managed security subsystems are disabled by default and must be explicitly opted into by administrators. Please review the parameters in simp/simp_options for details.
Setup
The 389ds instances in this module are configured to work within a SIMP ecosystem.
Each instance can be used separately. See the individual instance for instructions on configuring it.
Accounts Instance
Description
The accounts instance, simp_ds389::instance::accounts, will set up a 389ds LDAP instance to be used for user authentication.
- It installs and configures a 389ds instance with TLS-enabled communication.
- It can be configured for either TLS or STARTTLS.
- It configures a default password policy that is compliant with most standards.
- It configures a bind user.
- It configures 2 groups:
  - 'user' - group for general users
  - 'administrators' - group to allow administrator access to systems.
- It configures the firewall to allow access to the LDAP instance.
Usage
To set up a 389ds server to use for user authentication within a SIMP ecosystem, simply include this module:
include 'simp_ds389::instance::accounts'
If the root DN and bind DN password parameters are not explicitly set, they will be automatically generated using simplib::passgen.
Reference
Please refer to the inline documentation within each source file, or to REFERENCE.md for generated reference material.
You may also be interested in the documentation for the simp/ds389 module, which is what this module uses to install 389ds and create 389ds instances.
Limitations
The 389ds management console GUI is not configured. You can install it manually if it is needed.
At this time replication is not configured automatically.
SIMP Puppet modules are generally intended for use on Red Hat Enterprise Linux and compatible distributions, such as CentOS. Please see the metadata.json file for the most up-to-date list of supported operating systems, Puppet versions, and module dependencies.
Development
Please read our Contribution Guide.
Acceptance tests
This module includes Beaker acceptance tests using the SIMP Beaker Helpers. By default the tests use Vagrant with VirtualBox as a back-end; Vagrant and VirtualBox must both be installed to run these tests without modification. To execute the tests run the following:
bundle install
bundle exec rake beaker:suites[default]
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Please refer to the SIMP Beaker Helpers documentation for more information.
Reference
Table of Contents
Classes
simp_ds389::instances::accounts: Create a 389ds instance with a common organizational LDIF for user accounts
Classes
simp_ds389::instances::accounts
Create a 389ds instance with a common organizational LDIF for user accounts
Parameters
The following parameters are available in the simp_ds389::instances::accounts class:
instance_name
base_dn
root_dn
root_pw
bind_dn
bind_pw
listen_address
enable_tls
firewall
trusted_nets
port
secure_port
tls_params
instance_params
password_policy
users_group_id
administrators_group_id
instance_name
Data type: String[1]
The unique name of the instance.
Default value: 'accounts'
base_dn
Data type: String[2]
The base Distinguished Name of the directory server.
Default value: simplib::lookup('simp_options::ldap::base_dn', { 'default_value' => sprintf(simplib::ldap::domain_to_dn($facts.get('networking.domain'), true)) })
root_dn
Data type: String[2]
The default administrator Distinguished Name for the directory server.
- NOTE: To work around certain application bugs, items with spaces may not be used in this field.
Default value: 'cn=Directory_Manager'
root_pw
Data type: String[2]
The password for the $root_dn.
- NOTE: To work around certain application bugs, items with spaces may not be used in this field.
Default value: simplib::passgen('simp_ds389-rootdn_accounts', { 'length' => 64, 'complexity' => 0 })
bind_dn
Data type: String[2]
The bind Distinguished Name of the directory server.
Default value: simplib::lookup('simp_options::ldap::bind_dn', { 'default_value' => "cn=hostAuth,ou=Hosts,${base_dn}" })
bind_pw
Data type: String[1]
The bind password.
Default value: simplib::lookup('simp_options::ldap::bind_pw', { 'default_value' => simplib::passgen("ds389_${instance_name}_bindpw", {'length' => 64})})
listen_address
Data type: Simplib::IP
The IP address upon which to listen.
Default value: '0.0.0.0'
enable_tls
Data type: Variant[Boolean, Enum['simp']]
Whether to configure the server to use TLS and also how to copy the pki certificates.
- simp => Will enable TLS and copy the certificates out from the puppetserver.
- true => Will enable TLS and copy the certificates from a local directory on the server.
- false => Will not enable TLS
Default value: simplib::lookup('simp_options::pki', { 'default_value' => false })
firewall
Data type: Boolean
Whether to configure access through the firewall.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
trusted_nets
Data type: Simplib::Netlist
Which networks to allow access through the firewall.
Default value: simplib::lookup('simp_options::trusted_nets', {'default_value' => ['127.0.0.1/32'] })
port
Data type: Simplib::Port
The port upon which to accept normal/STARTTLS connections.
Default value: 389
secure_port
Data type: Simplib::Port
The port upon which to accept LDAPS connections.
Default value: 636
tls_params
Data type: Hash
Parameters to pass to the TLS module.
Default value: {}
instance_params
Data type: Hash
Any other arguments that you wish to pass through directly to the ds389::instance Defined Type.
Default value: {}
password_policy
Data type: Ds389::ConfigItem
Settings for the password policy. The defaults in the module data are set to meet most compliance standards.
users_group_id
Data type: Integer[1]
The group ID of the "users" group created in the install.
Default value: 100
administrators_group_id
Data type: Integer[500]
The group ID of the "administrators" group created in the install. The pupmod-simp-simp module configures permissions on systems using simp with the admin.pp manifest.
Default value: 700
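The Usage section above shows the bare include, with every setting coming from the simp_options lookups and simplib::passgen. The following manifest, added here as an example and not taken from the module's own documentation, declares the class with the parameters listed in this Reference set explicitly, so the listen address, the firewall scope and the TLS source are visible in code rather than inherited from Hiera defaults. The class name is the one used in this Reference section; the host address, base DN and network values are assumptions for illustration.

```puppet
# Added example: explicit declaration of the accounts instance.
# Class and parameter names come from the simp_ds389 Reference;
# addresses, DNs and networks below are assumed values.
class { 'simp_ds389::instances::accounts':
  instance_name           => 'accounts',
  # Assumed base DN; by default it is derived from the networking.domain fact.
  base_dn                 => 'dc=example,dc=com',
  # Bind DN used by clients; the default builds it from $base_dn.
  bind_dn                 => 'cn=hostAuth,ou=Hosts,dc=example,dc=com',
  # Listen on the internal interface only (assumed address) instead of 0.0.0.0.
  listen_address          => '10.0.1.10',
  # 'simp' enables TLS and copies certificates from the Puppet server;
  # true enables TLS using certificates from a local directory;
  # false leaves the instance without TLS.
  enable_tls              => 'simp',
  # Open port 389 (STARTTLS) and 636 (LDAPS) only to the listed networks.
  firewall                => true,
  trusted_nets            => ['10.0.1.0/24'],
  port                    => 389,
  secure_port             => 636,
  # Group IDs expected by the pupmod-simp-simp admin.pp manifest.
  users_group_id          => 100,
  administrators_group_id => 700,
  # root_pw and bind_pw are deliberately not set here: the module generates
  # them with simplib::passgen, so no secret is written into the manifest.
}
```

Because the defaults for enable_tls, firewall, trusted_nets, base_dn and bind_dn are simplib::lookup calls, the same effect can be achieved without a resource-like declaration by setting the corresponding simp_options keys (for example simp_options::trusted_nets) in Hiera and keeping the plain include from the Usage section.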
- Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 0.4.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
  - Update Gemfile
  - Add support for Puppet 8
  - Drop support for Puppet 6
  - Update module dependencies
- Thu Aug 31 2023 Steven Pritchard steve@sicura.us - 0.3.0
- Add AlmaLinux 8 support
- Mon Jul 17 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 0.2.0
- Add RockyLinux 8 support
- Wed Aug 04 2021 Trevor Vaughan tvaughan@onyxpoint.com - 0.1.1
- Fixed the bootstrap template
- Set the SUDOers OU properly
- Removed the ignore_local_sudoers option from the sudo defaults for safety
- Added the usual batch of sudoers defaults
- Mon May 17 2021 Jeanne Greulich jeanne.greulich@onyxpoint.com - 0.1.0
- Initial release
Dependencies
- simp/ds389 (>= 0.0.1 < 1.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/simp_firewalld (>= 0.1.3 < 1.0.0)
- puppetlabs/stdlib (>= 8.0.0 < 10.0.0)
simp_ds389 - Profile module for SIMP DS389 server

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States.

The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.